Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE Keeps opening/ PC behaving oddly


  • This topic is locked This topic is locked
81 replies to this topic

#1 onemansgarbage

onemansgarbage

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 08 January 2011 - 02:40 PM

For the last 3 months or so my desktop PC has been infected by some type of malware. Internet Explorer opens random pages. Please help me clean it up and keep it safe.

Thanks


DDS (Ver_10-12-12.02) - NTFSx86
Run by David at 10:41:04.64 on Sat 01/08/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.999 [GMT -5:00]

AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe
C:\Program Files\Nero\Nero 7\Nero MediaHome\NMMediaServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBaySummary&migrateVisitor=3
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with WordPerfect -
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249158527355
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\2qq9p9rr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1&_trksid=m37
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----


============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-11-20 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-11-20 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-11-20 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-11-20 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2010-11-20 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-20 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110107.002\IDSXpx86.sys [2011-1-7 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110107.037\NAVENG.SYS [2011-1-8 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110107.037\NAVEX15.SYS [2011-1-8 1360760]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-10-8 19056]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

=============== Created Last 30 ================

2011-01-08 00:33:11 -------- d-----w- c:\docume~1\david\locals~1\applic~1\Symantec
2011-01-08 00:33:03 24983 ----a-w- c:\windows\system32\033350041.dll
2011-01-02 21:00:26 29184 ----a-r- c:\docume~1\david\applic~1\microsoft\installer\{21ae04e8-ebf6-40db-9aa9-b7a80c5d057d}\Icon21AE04E8.exe
2011-01-02 21:00:23 -------- d-----w- c:\program files\mkv2vob
2011-01-02 20:59:47 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-01-02 15:49:06 709456 ----a-w- c:\windows\isRS-000.tmp
2010-12-15 17:18:32 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 17:16:47 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-20 19:04:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-20 19:04:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-11 13:51:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-04 14:50:50 197632 ----a-w- c:\program files\common files\OnlineFilesManager.dll
2004-10-01 23:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 10:41:56.28 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:28 AM

Posted 13 January 2011 - 08:28 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 onemansgarbage

onemansgarbage
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 13 January 2011 - 10:11 PM

Hi. I'm here. Thank you.

Dave

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:28 AM

Posted 14 January 2011 - 04:54 AM

Please run TDSSKiller to deal with a prolific rootkit which could be here

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Posted Image
m0le is a proud member of UNITE

#5 onemansgarbage

onemansgarbage
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 14 January 2011 - 08:34 AM

OK. TDSS Killer found a suspicious object. There were options to skip, delete, or copy to quarantine. There was no cure option. I chose to quarantine. Below is the report:

2011/01/14 08:28:27.0843 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/14 08:28:27.0843 ================================================================================
2011/01/14 08:28:27.0843 SystemInfo:
2011/01/14 08:28:27.0843
2011/01/14 08:28:27.0843 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/14 08:28:27.0843 Product type: Workstation
2011/01/14 08:28:27.0843 ComputerName: DOWNSTAIRS
2011/01/14 08:28:27.0843 UserName: David
2011/01/14 08:28:27.0843 Windows directory: C:\WINDOWS
2011/01/14 08:28:27.0843 System windows directory: C:\WINDOWS
2011/01/14 08:28:27.0843 Processor architecture: Intel x86
2011/01/14 08:28:27.0843 Number of processors: 2
2011/01/14 08:28:27.0843 Page size: 0x1000
2011/01/14 08:28:27.0843 Boot type: Normal boot
2011/01/14 08:28:27.0843 ================================================================================
2011/01/14 08:28:28.0937 Initialize success
2011/01/14 08:28:40.0671 ================================================================================
2011/01/14 08:28:40.0671 Scan started
2011/01/14 08:28:40.0671 Mode: Manual;
2011/01/14 08:28:40.0671 ================================================================================
2011/01/14 08:28:41.0750 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/14 08:28:41.0796 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/14 08:28:41.0859 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/14 08:28:41.0875 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/14 08:28:41.0968 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/14 08:28:42.0046 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/14 08:28:42.0062 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/14 08:28:42.0093 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/14 08:28:42.0125 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/14 08:28:42.0140 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/14 08:28:42.0343 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys
2011/01/14 08:28:42.0531 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/14 08:28:42.0640 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys
2011/01/14 08:28:42.0671 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/14 08:28:42.0718 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/14 08:28:42.0750 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/14 08:28:42.0843 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/14 08:28:42.0890 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/14 08:28:42.0921 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/14 08:28:42.0937 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/14 08:28:42.0968 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/14 08:28:43.0015 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/14 08:28:43.0031 e1express (c477f783ed345ec9d739d58eff63a224) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/01/14 08:28:43.0125 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/01/14 08:28:43.0156 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/01/14 08:28:43.0187 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/14 08:28:43.0234 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/14 08:28:43.0265 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/14 08:28:43.0296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/14 08:28:43.0343 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/14 08:28:43.0375 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/14 08:28:43.0406 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/14 08:28:43.0421 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/14 08:28:43.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/14 08:28:43.0468 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/14 08:28:43.0484 HECI (19e26d0402e6d29e67fa74650187567e) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/01/14 08:28:43.0515 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/14 08:28:43.0578 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/14 08:28:43.0625 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/14 08:28:43.0859 IDSxpx86 (0308238c582a55d83d34feee39542793) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110113.001\IDSxpx86.sys
2011/01/14 08:28:43.0890 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/14 08:28:43.0953 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/14 08:28:43.0968 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/14 08:28:44.0015 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/14 08:28:44.0046 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/14 08:28:44.0078 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/14 08:28:44.0093 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/14 08:28:44.0109 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/14 08:28:44.0156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/14 08:28:44.0187 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/14 08:28:44.0203 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/14 08:28:44.0250 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/14 08:28:44.0265 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/14 08:28:44.0343 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/14 08:28:44.0375 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/14 08:28:44.0406 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/14 08:28:44.0437 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/14 08:28:44.0437 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/14 08:28:44.0468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/14 08:28:44.0515 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/14 08:28:44.0546 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/14 08:28:44.0578 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/14 08:28:44.0593 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/14 08:28:44.0609 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/14 08:28:44.0640 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/14 08:28:44.0656 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/14 08:28:44.0703 NAL (16ea7d22102b952621ef4d4f87e3463b) C:\WINDOWS\system32\Drivers\iqvw32.sys
2011/01/14 08:28:44.0937 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110113.036\NAVENG.SYS
2011/01/14 08:28:45.0000 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110113.036\NAVEX15.SYS
2011/01/14 08:28:45.0062 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/14 08:28:45.0093 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/14 08:28:45.0109 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/14 08:28:45.0125 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/14 08:28:45.0156 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/14 08:28:45.0203 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/14 08:28:45.0234 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/14 08:28:45.0281 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/14 08:28:45.0312 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/01/14 08:28:45.0328 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/14 08:28:45.0359 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/14 08:28:45.0421 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/01/14 08:28:45.0437 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/14 08:28:45.0578 nv (5645072033c2e51386e91bc137c0beb5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/14 08:28:45.0687 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/14 08:28:45.0703 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/14 08:28:45.0734 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/14 08:28:45.0781 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/14 08:28:45.0796 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/14 08:28:45.0828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/14 08:28:45.0859 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/14 08:28:45.0890 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/14 08:28:45.0921 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/14 08:28:45.0968 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/01/14 08:28:46.0062 Point32 (5c71f7cdd1b4ba5f00b87ca05e414aea) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/01/14 08:28:46.0093 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/14 08:28:46.0125 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/14 08:28:46.0156 PSI (1df21f001f3a94eba4a2950c70cc358f) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
2011/01/14 08:28:46.0203 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/14 08:28:46.0250 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/14 08:28:46.0343 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/14 08:28:46.0359 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/14 08:28:46.0390 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/14 08:28:46.0406 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/14 08:28:46.0437 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/14 08:28:46.0468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/14 08:28:46.0500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/14 08:28:46.0531 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/14 08:28:46.0562 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/14 08:28:46.0656 SASDIFSV (bfbc4be8d6ac6d33ad93f3f5f2e11499) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/01/14 08:28:46.0687 SASENUM (e9c2d75c748c3f0a4c34d6cf2ae1d754) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2011/01/14 08:28:46.0718 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2011/01/14 08:28:46.0781 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2011/01/14 08:28:46.0828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/14 08:28:46.0859 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/14 08:28:46.0875 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/14 08:28:46.0906 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/14 08:28:46.0937 sfng32 (5fe18fff6fbcf218290042009eab023d) C:\WINDOWS\system32\drivers\sfng32.sys
2011/01/14 08:28:47.0000 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/14 08:28:47.0062 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\WINDOWS\system32\Drivers\sptd.sys
2011/01/14 08:28:47.0062 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 7f1b7c4d446cd3f926af45b8c48bd593
2011/01/14 08:28:47.0062 sptd - detected Locked file (1)
2011/01/14 08:28:47.0078 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/14 08:28:47.0171 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS
2011/01/14 08:28:47.0250 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS
2011/01/14 08:28:47.0265 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/14 08:28:47.0328 STHDA (237ccbfc82b4c98435461972597f29d5) C:\WINDOWS\system32\drivers\sthda.sys
2011/01/14 08:28:47.0390 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/14 08:28:47.0406 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/14 08:28:47.0515 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS
2011/01/14 08:28:47.0546 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS
2011/01/14 08:28:47.0578 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/01/14 08:28:47.0609 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS
2011/01/14 08:28:47.0656 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS
2011/01/14 08:28:47.0718 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/14 08:28:47.0765 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/14 08:28:47.0781 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/14 08:28:47.0812 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/14 08:28:47.0843 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/14 08:28:47.0875 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/14 08:28:47.0953 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/14 08:28:47.0984 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/14 08:28:48.0015 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/14 08:28:48.0046 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/14 08:28:48.0062 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/14 08:28:48.0078 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/14 08:28:48.0093 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/14 08:28:48.0125 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/14 08:28:48.0140 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/14 08:28:48.0156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/14 08:28:48.0203 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/14 08:28:48.0250 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/14 08:28:48.0296 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/01/14 08:28:48.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/14 08:28:48.0390 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/01/14 08:28:48.0437 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/01/14 08:28:48.0500 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/14 08:28:48.0531 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/14 08:28:48.0671 ================================================================================
2011/01/14 08:28:48.0671 Scan finished
2011/01/14 08:28:48.0671 ================================================================================
2011/01/14 08:28:48.0687 Detected object count: 1
2011/01/14 08:29:54.0218 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\WINDOWS\system32\Drivers\sptd.sys
2011/01/14 08:29:54.0218 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 7f1b7c4d446cd3f926af45b8c48bd593
2011/01/14 08:29:54.0234 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
2011/01/14 08:29:54.0250 Locked file(sptd) - User select action: Quarantine

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:28 AM

Posted 14 January 2011 - 11:39 AM

Please run Combofix next

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#7 onemansgarbage

onemansgarbage
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 14 January 2011 - 01:28 PM

Here is the log file you requested:

ComboFix 11-01-14.01 - David 01/14/2011 13:16:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1410 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\comfix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1516329641.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-14 13:29 . 2011-01-14 13:29 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-08 00:33 . 2011-01-08 00:33 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Symantec
2011-01-02 21:00 . 2011-01-02 21:00 29184 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2011-01-02 21:00 . 2011-01-05 17:52 -------- d-----w- c:\program files\mkv2vob
2011-01-02 20:59 . 2011-01-02 20:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-10-20 18:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-10-20 18:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 19:04 . 2007-04-18 20:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-20 19:04 . 2010-11-20 19:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 18:12 . 2007-01-19 18:26 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-11 13:51 . 2010-11-11 13:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-11 13:51 . 2010-11-11 13:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-29 16:58 . 2010-10-29 16:58 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-04 14:50 . 2010-09-04 14:50 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
2004-10-01 23:00 . 2007-01-19 19:12 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-20_16.25.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-12 08:23 . 2011-01-12 08:23 16384 c:\windows\Temp\Perflib_Perfdata_7f8.dat
+ 2011-01-12 08:22 . 2011-01-12 08:22 16384 c:\windows\Temp\Perflib_Perfdata_744.dat
+ 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
+ 2004-08-04 12:00 . 2010-11-20 21:03 86372 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 66560 c:\windows\system32\mshtmled.dll
+ 2006-11-08 01:03 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 01:03 . 2010-09-10 05:58 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
+ 2010-05-18 21:35 . 2010-05-18 21:35 75040 c:\windows\system32\jdns_sd.dll
+ 2010-07-07 14:05 . 2010-07-07 14:05 14904 c:\windows\system32\drivers\psi_mf.sys
+ 2010-11-20 22:24 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\N360\0403000.005\srtspx.sys
+ 2010-05-18 21:35 . 2010-05-18 21:35 91424 c:\windows\system32\dnssd.dll
- 2009-06-09 17:39 . 2010-09-10 05:58 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-09 17:39 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2010-12-15 17:16 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
+ 2010-12-15 17:18 . 2010-11-02 15:17 40960 c:\windows\system32\dllcache\ndproxy.sys
+ 2004-08-04 12:00 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-08 18:52 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-08 18:52 . 2010-09-10 05:58 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-11-18 18:12 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
- 2009-10-29 01:27 . 2010-11-11 08:04 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-08-22 14:35 . 2011-01-06 00:16 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-08-22 14:35 . 2010-09-29 07:01 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 12800 c:\windows\ie8updates\KB2416400-IE8\xpshims.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 66560 c:\windows\ie8updates\KB2416400-IE8\mshtmled.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 55296 c:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 43520 c:\windows\ie8updates\KB2416400-IE8\licmgr10.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 25600 c:\windows\ie8updates\KB2416400-IE8\jsproxy.dll
+ 2010-12-16 08:33 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2443105\update\spcustom.dll
+ 2010-12-16 08:33 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2443105\spmsg.dll
+ 2010-11-18 18:12 . 2010-11-18 18:12 81920 c:\windows\$hf_mig$\KB2443105\SP3QFE\isign32.dll
+ 2010-12-16 08:27 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB2436673\update\spcustom.dll
+ 2010-12-16 08:27 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB2436673\spmsg.dll
+ 2010-12-16 08:37 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB2296199\update\spcustom.dll
+ 2010-12-16 08:37 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB2296199\spmsg.dll
+ 2004-08-04 12:00 . 2010-11-20 21:03 482788 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 206848 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 611840 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
+ 2006-11-08 01:03 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
- 2006-11-08 01:03 . 2010-09-10 05:58 602112 c:\windows\system32\msfeeds.dll
+ 2010-11-20 18:54 . 2010-11-20 18:54 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_Plugin.exe
+ 2010-11-20 19:08 . 2010-11-20 19:08 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
+ 2010-11-20 19:08 . 2010-11-20 19:08 311248 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.dll
+ 2010-11-20 19:04 . 2010-11-20 19:04 153376 c:\windows\system32\javaws.exe
+ 2010-11-20 19:04 . 2010-11-20 19:04 145184 c:\windows\system32\javaw.exe
+ 2010-11-20 19:04 . 2010-11-20 19:04 145184 c:\windows\system32\java.exe
+ 2010-02-17 04:27 . 2009-12-22 18:39 922112 c:\windows\system32\imapi2fs.dll
+ 2010-02-17 04:27 . 2009-12-22 18:39 426496 c:\windows\system32\imapi2.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 184320 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
+ 2010-11-20 22:24 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\N360\0403000.005\symtdiv.sys
+ 2010-11-20 22:24 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\N360\0403000.005\symtdi.sys
+ 2010-11-20 22:24 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\N360\0403000.005\symefa.sys
+ 2010-11-20 22:24 . 2009-10-15 03:50 328752 c:\windows\system32\drivers\N360\0403000.005\symds.sys
+ 2010-11-20 22:24 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\N360\0403000.005\srtsp.sys
+ 2010-11-20 22:24 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\N360\0403000.005\ironx86.sys
+ 2010-11-20 22:23 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys
+ 2010-05-18 21:35 . 2010-05-18 21:35 197920 c:\windows\system32\dnssdX.dll
+ 2010-05-18 21:35 . 2010-05-18 21:35 107808 c:\windows\system32\dns-sd.exe
+ 2004-08-04 12:00 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 916480 c:\windows\system32\dllcache\wininet.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 249856 c:\windows\system32\dllcache\odbc32.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 611840 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 102400 c:\windows\system32\dllcache\msjro.dll
- 2007-05-08 18:52 . 2010-09-10 05:58 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-05-08 18:52 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 200704 c:\windows\system32\dllcache\msadox.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 180224 c:\windows\system32\dllcache\msadomd.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 143360 c:\windows\system32\dllcache\msadco.dll
+ 2010-02-17 04:27 . 2009-12-22 18:39 922112 c:\windows\system32\dllcache\imapi2fs.dll
+ 2010-02-17 04:27 . 2009-12-22 18:39 426496 c:\windows\system32\dllcache\imapi2.dll
- 2009-06-09 17:39 . 2010-09-10 05:58 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-09 17:39 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-10 03:04 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-10 03:04 . 2010-09-10 05:58 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2011-01-02 21:00 . 2011-01-02 21:00 978432 c:\windows\Installer\a24baf2.msi
+ 2010-07-23 06:03 . 2010-07-23 06:03 338432 c:\windows\Installer\3b961efe.msp
+ 2010-11-20 19:04 . 2010-11-20 19:04 180224 c:\windows\Installer\37b874.msi
+ 2010-11-20 19:04 . 2010-11-20 19:04 677376 c:\windows\Installer\37b86e.msi
+ 2010-11-20 18:59 . 2010-11-20 18:59 807936 c:\windows\Installer\37b5c0.msi
+ 2009-10-29 01:27 . 2011-01-12 08:02 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2008-11-04 08:13 . 2008-11-04 08:13 118128 c:\windows\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6425\MSCONV97.DLL
+ 2010-12-16 08:30 . 2010-09-10 05:58 916480 c:\windows\ie8updates\KB2416400-IE8\wininet.dll
+ 2010-12-16 08:31 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll
+ 2010-12-16 08:31 . 2010-02-22 14:23 231288 c:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe
+ 2010-12-16 08:30 . 2010-09-10 05:58 206848 c:\windows\ie8updates\KB2416400-IE8\occache.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 611840 c:\windows\ie8updates\KB2416400-IE8\mstime.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 602112 c:\windows\ie8updates\KB2416400-IE8\msfeeds.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 247808 c:\windows\ie8updates\KB2416400-IE8\ieproxy.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 184320 c:\windows\ie8updates\KB2416400-IE8\iepeers.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 743424 c:\windows\ie8updates\KB2416400-IE8\iedvtool.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 387584 c:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll
+ 2010-12-16 08:30 . 2010-08-26 12:22 173056 c:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe
+ 2010-02-12 00:26 . 2010-02-12 00:26 403456 c:\windows\assembly\temp\8PI7SXMJ81\Intuit.Spc.Map.WindowsFirewallUtilities.dll
+ 2010-11-20 18:56 . 2009-12-22 18:39 379184 c:\windows\$NtUninstallKB952011$\spuninst\updspapi.dll
+ 2010-11-20 18:56 . 2009-12-22 18:39 221488 c:\windows\$NtUninstallKB952011$\spuninst\spuninst.exe
+ 2010-11-20 18:56 . 2008-05-02 13:25 465920 c:\windows\$NtUninstallKB952011$\imapi2fs.dll
+ 2010-11-20 18:56 . 2008-05-02 13:25 317952 c:\windows\$NtUninstallKB952011$\imapi2.dll
+ 2010-12-16 08:33 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2443105\update\updspapi.dll
+ 2010-12-16 08:33 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB2443105\update\update.exe
+ 2010-12-16 08:33 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2443105\spuninst.exe
+ 2010-12-16 08:27 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB2436673\update\updspapi.dll
+ 2010-12-16 08:27 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB2436673\update\update.exe
+ 2010-12-16 08:27 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB2436673\spuninst.exe
+ 2010-12-16 08:37 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB2296199\update\updspapi.dll
+ 2010-12-16 08:37 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB2296199\update\update.exe
+ 2010-12-16 08:37 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB2296199\spuninst.exe
+ 2010-10-28 13:08 . 2010-10-28 13:08 290048 c:\windows\$hf_mig$\KB2296199\SP3QFE\atmfd.dll
- 2004-08-04 12:00 . 2010-09-10 05:58 1210880 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 5959168 c:\windows\system32\mshtml.dll
+ 2010-01-27 01:07 . 2010-11-20 18:54 5971408 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2006-10-17 15:57 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
+ 2010-06-03 02:41 . 2010-06-03 02:41 3600384 c:\windows\system32\GPhotos.scr
+ 2007-01-19 10:18 . 2010-12-16 22:01 1567456 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-17 22:31 . 2010-10-26 13:25 1853312 c:\windows\system32\dllcache\win32k.sys
- 2004-08-04 12:00 . 2010-09-10 05:58 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 5959168 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-08 18:52 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2010-10-21 23:10 . 2010-10-21 23:10 3995136 c:\windows\Installer\3b961f2a.msp
+ 2010-11-21 04:35 . 2010-11-21 04:35 3359744 c:\windows\Installer\3b961f12.msp
+ 2010-11-20 19:06 . 2010-11-20 19:06 2209792 c:\windows\Installer\37b883.msi
+ 2010-11-20 19:06 . 2010-11-20 19:06 1984000 c:\windows\Installer\37b87f.msi
+ 2010-11-20 19:02 . 2010-11-20 19:02 9472000 c:\windows\Installer\37b866.msi
+ 2010-12-17 05:17 . 2010-12-17 05:17 3362304 c:\windows\Installer\120d156c.msp
+ 2009-10-29 01:27 . 2011-01-12 08:02 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-10-29 01:27 . 2011-01-12 08:02 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2009-10-29 01:27 . 2010-11-11 08:04 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2010-12-16 08:30 . 2010-09-10 05:58 1210880 c:\windows\ie8updates\KB2416400-IE8\urlmon.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 5957120 c:\windows\ie8updates\KB2416400-IE8\mshtml.dll
+ 2010-12-16 08:30 . 2010-09-10 05:58 1986560 c:\windows\ie8updates\KB2416400-IE8\iertutil.dll
+ 2010-10-26 13:27 . 2010-10-26 13:27 1862272 c:\windows\$hf_mig$\KB2436673\SP3QFE\win32k.sys
+ 2007-04-17 15:04 . 2011-01-12 08:02 37403080 c:\windows\system32\MRT.exe
+ 2006-11-08 01:03 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
+ 2007-05-08 18:52 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2010-10-09 03:07 . 2010-10-09 03:07 11559424 c:\windows\Installer\3b961eea.msp
+ 2011-01-06 00:15 . 2011-01-06 00:15 21360640 c:\windows\Installer\1a4a5b71.msp
+ 2010-12-04 07:31 . 2010-12-04 07:31 12891648 c:\windows\Installer\1a4a5b66.msp
+ 2010-12-21 18:06 . 2010-12-21 18:06 11570688 c:\windows\Installer\120d1558.msp
+ 2010-12-16 08:30 . 2010-09-10 05:58 11080192 c:\windows\ie8updates\KB2416400-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Online Files]
@="{B82655E9-B81D-4A97-8154-0D84A4C048E4}"
[HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}]
2010-09-04 14:50 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-25 160328]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-04-10 13:53 50520 ----a-w- c:\documents and settings\David\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 13:25 1998576 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Documents and Settings\\David\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero MediaHome\\NeroMediaHome.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero MediaHome\\NMMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/29/2008 6:24 PM 716272]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/20/2010 5:24 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/20/2010 5:24 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/20/2010 5:23 PM 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 10:33 AM 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/20/2010 5:24 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/20/2010 5:23 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/20/2010 1:57 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110113.001\IDSXpx86.sys [1/13/2011 9:00 PM 341944]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/8/2009 9:15 AM 19056]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 9:05 AM 14904]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 10:33 AM 7408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-18 c:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet3600----a-w-H38F1509YB9.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 22:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBaySummary&migrateVisitor=3
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with WordPerfect -
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\2qq9p9rr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1&_trksid=m37
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 13:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-14 13:24:58
ComboFix-quarantined-files.txt 2011-01-14 18:24

Pre-Run: 109,613,596,672 bytes free
Post-Run: 109,612,224,512 bytes free

- - End Of File - - C7225641FC2AF9D5BDF53D945DC71983

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:28 AM

Posted 14 January 2011 - 07:20 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Now please run ESET. It appears that TDSS hasn't bedded in too much on this evidence :)

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
Posted Image
m0le is a proud member of UNITE

#9 onemansgarbage

onemansgarbage
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 15 January 2011 - 07:35 PM

No malware was found by ESET.

Here is the Combofix log report:

ComboFix 11-01-14.01 - David 01/15/2011 16:52:04.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1459 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\comfix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AUTOLNCH.REG
c:\windows\system32\21464245041.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
.

2011-01-14 13:29 . 2011-01-14 13:29 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-08 00:33 . 2011-01-08 00:33 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Symantec
2011-01-02 21:00 . 2011-01-02 21:00 29184 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2011-01-02 21:00 . 2011-01-05 17:52 -------- d-----w- c:\program files\mkv2vob
2011-01-02 20:59 . 2011-01-02 20:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-10-20 18:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-10-20 18:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 19:04 . 2007-04-18 20:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-20 19:04 . 2010-11-20 19:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 18:12 . 2007-01-19 18:26 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-11 13:51 . 2010-11-11 13:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-11 13:51 . 2010-11-11 13:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-29 16:58 . 2010-10-29 16:58 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-04 14:50 . 2010-09-04 14:50 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
2004-10-01 23:00 . 2007-01-19 19:12 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot_2011-01-14_18.22.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-15 21:46 . 2011-01-15 21:46 16384 c:\windows\Temp\Perflib_Perfdata_7f0.dat
+ 2011-01-15 21:44 . 2011-01-15 21:44 16384 c:\windows\Temp\Perflib_Perfdata_744.dat
- 2011-01-12 08:22 . 2011-01-12 08:22 16384 c:\windows\Temp\Perflib_Perfdata_744.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Online Files]
@="{B82655E9-B81D-4A97-8154-0D84A4C048E4}"
[HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}]
2010-09-04 14:50 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-25 160328]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-04-10 13:53 50520 ----a-w- c:\documents and settings\David\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 13:25 1998576 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Documents and Settings\\David\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero MediaHome\\NeroMediaHome.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero MediaHome\\NMMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/29/2008 6:24 PM 716272]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/20/2010 5:24 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/20/2010 5:24 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/20/2010 5:23 PM 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 10:33 AM 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/20/2010 5:24 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/20/2010 5:23 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/20/2010 1:57 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110114.002\IDSXpx86.sys [1/14/2011 8:09 PM 341944]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 9:05 AM 14904]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 10:33 AM 7408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - pbfilter
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-18 c:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet3600----a-w-H38F1509YB9.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 22:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBaySummary&migrateVisitor=3
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with WordPerfect -
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\2qq9p9rr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1&_trksid=m37
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 17:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
Completion time: 2011-01-15 17:02:55
ComboFix-quarantined-files.txt 2011-01-15 22:02
ComboFix2.txt 2011-01-14 18:24

Pre-Run: 109,463,769,088 bytes free
Post-Run: 109,667,229,696 bytes free

- - End Of File - - C80DF933094068D54232F900D4F62C81

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:28 AM

Posted 16 January 2011 - 11:12 AM

How is the PC running now?
Posted Image
m0le is a proud member of UNITE

#11 onemansgarbage

onemansgarbage
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 16 January 2011 - 03:43 PM

It seems the same. After several hours my desktop was cluttered with 48 open IE pages.

I also get warnings from Norton sometimes just before the IE pages open such as:

HTTP FakeAV Redirect Request 9.

The attack was resulted from \DEVICE\HARDDISKVOLUME1\WINDOWS\EXPLORER.EXE.

Dave

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:28 AM

Posted 16 January 2011 - 08:22 PM

Infected system file, thanks Norton for making that easier. Good job for reporting it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    explorer.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Posted Image
m0le is a proud member of UNITE

#13 onemansgarbage

onemansgarbage
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 16 January 2011 - 09:35 PM

OK. It sounds like your getting close.


SystemLook 04.09.10 by jpshortstuff
Log created at 21:32 on 16/01/2011 by David
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 04/08/2004] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [22:31 18/08/2008] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [18:40 15/08/2007] [12:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [16:25 20/11/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [13:27 17/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

-= EOF =-

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:28 AM

Posted 17 January 2011 - 09:55 AM

OK. It sounds like your getting close.


Hmmm, not so sure now.

Please run the explorer.exe file below through the Jotti scanner

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\explorer.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
Posted Image
m0le is a proud member of UNITE

#15 onemansgarbage

onemansgarbage
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 17 January 2011 - 11:51 AM

0 out of 19 scanners found nothing.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users