

I keep getting a "channel1reports.com" popup


This topic is locked
29 replies to this topic

#1 gr8acclaim
  • Members
  • 17 posts

Posted 13 February 2011 - 11:17 PM

Hello!

My BLEEPing computer is having problems too. As stated in the topic heading I keep getting this popup for a site called: channel1reports.com. I don't know what it's about, all I know is that it shouldn't be happening.

I was running AVG's most recent free anti-virus program but it didn't find anything wrong.
I also ran SpyBot Search & Destroy and it found nothing wrong.
I used TrendMicro's Housecall online scanner, which actually pulled out one little weenie trojan, but nothing more and the problem continues to persist.
So I actually went out and purchased Norton Antivirus 2011 and that didn't find anything either, BUT it keeps popping up boxes telling me that my computer is being attacked from maybe half-a-dozen different addresses.

I also downloaded and installed TrendMicro's beta version RUBotted program which DID find a problem. It keeps saying I have a botnet malware on my computer, and calls it "HTTPS Malicious Certificate" but when I click on the info link it doesn't tell me any more than that, PLUS it says it's unable to remove it.
Ran the above anti-virus software again (except AVG which I deleted to replace with the Norton) and nothing is found, but I am still getting the popup, the Norton attack warnings, and the RUBotted warnings.

So that's where we are. When it feels like popping up, it does it (about every ten minutes or so), and it doesn't seem to matter where I am, so it's not associated with any particular website.

Oh, I also read your recommendation page on what to do before posting, so I did what I could.

I pulled down the defogger program and used that A-OK.

I pulled down the DDS.scr program and used that, but it hung up on me. It would open up the DOS-prompt-looking box, and would start to work, but it never produced any log files, and not only that, but it just kind of stayed there in that mode and I couldn't shut it down, even with the task manager. I couldn't even shut down or restart the computer. I finally just flipped the power off at the surge protector and restarted everything cold. The 2nd try yielded the same result.

Then I pulled down the GMER program and ran that just fine. I will slap the log file on the end of this post.

You'll probably want to know the following as well. I'm using IE 7.0.5730.13, with XP Pro 5.1.2600 Service Pack 3 build 2600. I'm running on an old beater AMD processor machine that I don't know any real specs on except that it has a 2nd hard drive that came out of my old HP when the power supply burned out. I think that one was a Win98 setup, but I'm not sure now. I popped it in here as the slave drive and it ran just fine as that. It never seemed to use any of the old windows software that's on it (never caused a problem anyway) and it allowed me access to the files and stuff I needed off it. It's been in there for quite some time before this problem occurred, so I don't think it's at fault, but I'm mentioning it so if anything strange comes up in these scan logs, you'll know what went down with that. I always meant to get around to removing the unnecessary stuff, but never knew what I could safely remove and what I couldn't, etc (plus being lazy didn't help).

I hope that someone can help with this. I'm about bleeping tired of this bleeping problem with my bleeping computer... (Hope I used that right. Up until today I somehow thought that your site's name referred to a computer making a bleeping noise, instead of bleeping out all the loud expletives I was using.)

Anyway, thanks in advance! I'm sure you'll be of some help, and if not, you'll at least deserve thanks for trying and for having a swell website!

--gr8acclaim




Here's that GMER logfile as pasted from my saved log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-13 21:18:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800JB-00JJC0 rev.05.01C05
Running: gmer.exe; Driver: C:\DOCUME~1\Josh\LOCALS~1\Temp\afecrkoc.sys


---- System - GMER 1.0.15 ----

SSDT 864E7560 ZwAlertResumeThread
SSDT 864E2E68 ZwAlertThread
SSDT 86473940 ZwAllocateVirtualMemory
SSDT 864B0D90 ZwAssignProcessToJobObject
SSDT 863CA768 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF0C92720]
SSDT 865DA208 ZwCreateMutant
SSDT 8635F7B0 ZwCreateSymbolicLinkObject
SSDT 8648E1D8 ZwCreateThread
SSDT 864B0DC8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF0C929A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF0C92F00]
SSDT 864880C8 ZwDuplicateObject
SSDT 8661CCA0 ZwFreeVirtualMemory
SSDT 864C0218 ZwImpersonateAnonymousToken
SSDT 864EB808 ZwImpersonateThread
SSDT 863BAC80 ZwLoadDriver
SSDT 86461E28 ZwMapViewOfSection
SSDT 864BE040 ZwOpenEvent
SSDT 864B3AC0 ZwOpenProcess
SSDT 86520130 ZwOpenProcessToken
SSDT 864DEB60 ZwOpenSection
SSDT 863EB780 ZwOpenThread
SSDT 866317B0 ZwProtectVirtualMemory
SSDT 864C8410 ZwResumeThread
SSDT 864E13E0 ZwSetContextThread
SSDT 8662FB68 ZwSetInformationProcess
SSDT 864C1CF8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF0C93150]
SSDT 864BD278 ZwSuspendProcess
SSDT 864F6990 ZwSuspendThread
SSDT 8652F130 ZwTerminateProcess
SSDT 864F91F0 ZwTerminateThread
SSDT 864F0F00 ZwUnmapViewOfSection
SSDT 8693A008 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ACPI.sys F7640690 29 Bytes [5D, C3, CC, CC, CC, CC, CC, ...]
.text ACPI.sys F76406AE 270 Bytes [3B, F9, 89, 4D, F8, 8B, 18, ...]
.text ACPI.sys F76407BD 80 Bytes [00, 8B, 46, 04, 8B, 50, 24, ...]
.text ACPI.sys F764080E 41 Bytes [77, 10, FF, 75, 0C, FF, 75, ...]
.text ACPI.sys F7640838 125 Bytes [55, 8B, EC, 51, 53, 33, DB, ...]
.text ...
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
.text C:\WINDOWS\System32\svchost.exe[1064] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00D8000A
.text C:\WINDOWS\Explorer.EXE[1548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1548] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1548] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3527F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E352777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3527BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E352703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E35273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3529F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86977422
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86977422
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 86977422
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-18 86977422
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-20 86977422

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskWDC_WD800JB-00JJC0______________________05.01C05#5&196ebe00&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


Here's the same thing as an attachment because it sure looked funny above after pasting it...


Attached File: ark.txt (16.1KB)
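A small triage script for GMER logs in the format pasted above, added here as an example (it is not from the thread, from the poster or from GMER's authors). It sorts the user-mode .text hooks into those GMER attributes to a named module (here IEFRAME.dll) and those whose JMP target has no owning module listed, and pulls out the disk-sector finding; the sample input is a handful of lines copied from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: a few lines copied from the GMER log posted above
# (user-mode hooks plus the disk-sector line), not a complete log.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[1064] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00D8000A
.text C:\WINDOWS\Explorer.EXE[1548] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
"""

# Section banner, e.g. "---- User code sections - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# Inline hook line: process[pid] module!function address N Bytes JMP target [owner (description)]
HOOK_RE = re.compile(
    r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+) (?P<addr>[0-9A-F]{8}) "
    r"(?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]{8})"
    r"(?: (?P<owner_path>.+?) \((?P<owner_desc>.+)\))?$"
)
# Disk sector finding, e.g. "Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;"
DISK_RE = re.compile(r"^Disk (?P<device>\S+) sector (?P<sector>\d+): (?P<desc>.+?);?$")


@dataclass
class Hook:
    process: str
    pid: int
    symbol: str            # e.g. "ntdll.dll!NtProtectVirtualMemory"
    target: int            # address the 5-byte JMP lands on
    owner: Optional[str]   # module GMER attributes the target to, if any

    @property
    def attributed(self) -> bool:
        return self.owner is not None


@dataclass
class Triage:
    attributed: List[Hook] = field(default_factory=list)    # target inside a named module
    unattributed: List[Hook] = field(default_factory=list)  # target in unnamed memory: investigate
    disk: List[str] = field(default_factory=list)           # disk-sector findings


def parse_gmer(text: str) -> Triage:
    """Walk a GMER log and sort hook and disk findings by how suspicious they are."""
    result = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "User code sections":
            m = HOOK_RE.match(line)
            if m:
                hook = Hook(
                    process=m.group("process"),
                    pid=int(m.group("pid")),
                    symbol=f"{m.group('module')}!{m.group('func')}",
                    target=int(m.group("target"), 16),
                    owner=m.group("owner_path"),
                )
                (result.attributed if hook.attributed else result.unattributed).append(hook)
        elif section == "Disk sectors":
            m = DISK_RE.match(line)
            if m:
                result.disk.append(f"{m.group('device')} sector {m.group('sector')}: {m.group('desc')}")
    return result


def hooks_by_process(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group patched symbols per process[pid], so a component present in
    several processes (same symbols patched everywhere) stands out."""
    grouped: Dict[str, List[str]] = {}
    for h in hooks:
        grouped.setdefault(f"{h.process}[{h.pid}]", []).append(h.symbol)
    return grouped


if __name__ == "__main__":
    t = parse_gmer(SAMPLE_LOG)
    print(f"{len(t.attributed)} hook(s) attributed to a named module")
    for proc, symbols in hooks_by_process(t.unattributed).items():
        print(f"{proc}: unattributed hooks on {', '.join(symbols)}")
    for finding in t.disk:
        print(f"disk: {finding}")
```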


#2 sempai
  • noypi
  • Malware Response Team
  • 5,288 posts

Posted 19 February 2011 - 08:39 AM

Hi,

We're so sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 gr8acclaim
  • Topic Starter
  • Members
  • 17 posts

Posted 21 February 2011 - 08:00 PM

Yes I do. Things are not going well. Sorry it took ME a couple of days to reply to your reply. I might have my settings wrong.

In the meantime, I have downloaded a copy of hijackthis, and here's the log off that if it's any help to you...


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:00:29 PM, on 2/21/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\EarthLink\ISP\ISP8300\Browser\Bartshel.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\PROGRA~1\EARTHL~1\ISP\ISP8300\Browser\PPShared.exe
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~2\PRPL_I~1.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\IPS\IPSBHO.DLL
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\EarthLink\ISP\ISP8300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

--
End of file - 7067 bytes

#4 sempai
  • noypi
  • Malware Response Team
  • 5,288 posts

Posted 22 February 2011 - 06:04 AM

Hello and welcome to Bleeping Computer. :)

*Please enable topic reply notification, follow step # 4 -> Here.

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please do not attach logs unless instructed.

*You must reply within 5 days otherwise this topic will be closed.



=============================================


1. Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.



2. We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

~Semp



#5 gr8acclaim
  • Topic Starter
  • Members
  • 17 posts

Posted 22 February 2011 - 08:55 PM

Ok, I tried a couple times to put all three on here together, but either your site or my computer won't cooperate, so here's report #1, the TDSSKiller report:



2011/02/22 20:00:58.0281 0264 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/22 20:00:58.0609 0264 ================================================================================
2011/02/22 20:00:58.0609 0264 SystemInfo:
2011/02/22 20:00:58.0609 0264
2011/02/22 20:00:58.0609 0264 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/22 20:00:58.0609 0264 Product type: Workstation
2011/02/22 20:00:58.0609 0264 ComputerName: HOME-60FC3507F7
2011/02/22 20:00:58.0609 0264 UserName: Josh
2011/02/22 20:00:58.0609 0264 Windows directory: C:\WINDOWS
2011/02/22 20:00:58.0609 0264 System windows directory: C:\WINDOWS
2011/02/22 20:00:58.0609 0264 Processor architecture: Intel x86
2011/02/22 20:00:58.0609 0264 Number of processors: 1
2011/02/22 20:00:58.0609 0264 Page size: 0x1000
2011/02/22 20:00:58.0609 0264 Boot type: Normal boot
2011/02/22 20:00:58.0609 0264 ================================================================================
2011/02/22 20:00:59.0578 0264 Initialize success
2011/02/22 20:01:12.0218 4028 ================================================================================
2011/02/22 20:01:12.0218 4028 Scan started
2011/02/22 20:01:12.0218 4028 Mode: Manual;
2011/02/22 20:01:12.0218 4028 ================================================================================
2011/02/22 20:01:13.0578 4028 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/22 20:01:13.0765 4028 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/22 20:01:13.0968 4028 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/22 20:01:14.0031 4028 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/22 20:01:14.0375 4028 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/02/22 20:01:14.0703 4028 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/22 20:01:14.0765 4028 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/22 20:01:14.0937 4028 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/22 20:01:15.0062 4028 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/22 20:01:15.0171 4028 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/22 20:01:15.0390 4028 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys
2011/02/22 20:01:15.0500 4028 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/22 20:01:15.0593 4028 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/02/22 20:01:15.0750 4028 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/22 20:01:15.0828 4028 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/22 20:01:15.0890 4028 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/22 20:01:15.0953 4028 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/02/22 20:01:16.0250 4028 cmuda (297cc8a257cbd3c46bbd675ec5e35cc2) C:\WINDOWS\system32\drivers\cmuda.sys
2011/02/22 20:01:16.0687 4028 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/22 20:01:16.0812 4028 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/22 20:01:17.0093 4028 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/22 20:01:17.0171 4028 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/22 20:01:17.0265 4028 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/22 20:01:17.0406 4028 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/22 20:01:17.0562 4028 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/02/22 20:01:17.0687 4028 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/02/22 20:01:17.0796 4028 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/22 20:01:17.0890 4028 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/22 20:01:17.0968 4028 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2011/02/22 20:01:18.0046 4028 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/22 20:01:18.0140 4028 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/22 20:01:18.0203 4028 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/22 20:01:18.0265 4028 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/22 20:01:18.0328 4028 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/22 20:01:18.0437 4028 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/22 20:01:18.0640 4028 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/22 20:01:18.0828 4028 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/22 20:01:19.0093 4028 IDSxpx86 (0308238c582a55d83d34feee39542793) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110218.003\IDSxpx86.sys
2011/02/22 20:01:19.0203 4028 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/22 20:01:19.0421 4028 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/22 20:01:19.0500 4028 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/22 20:01:19.0578 4028 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/22 20:01:19.0718 4028 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/22 20:01:19.0906 4028 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/22 20:01:19.0984 4028 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/22 20:01:20.0046 4028 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/22 20:01:20.0156 4028 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/22 20:01:20.0234 4028 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/22 20:01:20.0296 4028 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/22 20:01:20.0500 4028 ltmodem5 (3070246fba35aa2e0c2251d55f5848f8) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
2011/02/22 20:01:20.0625 4028 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/22 20:01:20.0750 4028 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/22 20:01:20.0812 4028 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/22 20:01:20.0890 4028 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/22 20:01:20.0968 4028 MR97310_VGA_DUAL_CAMERA (3da8a2a25269e53b1f3a214031864ef8) C:\WINDOWS\system32\DRIVERS\mr97310v.sys
2011/02/22 20:01:21.0140 4028 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/22 20:01:21.0250 4028 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/22 20:01:21.0343 4028 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/22 20:01:21.0406 4028 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/22 20:01:21.0453 4028 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/22 20:01:21.0500 4028 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/22 20:01:30.0609 4028 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/22 20:01:30.0625 4028 ================================================================================
2011/02/22 20:01:30.0625 4028 Scan finished
2011/02/22 20:01:30.0625 4028 ================================================================================
2011/02/22 20:01:30.0656 4020 Detected object count: 1
2011/02/22 20:01:51.0250 4020 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Skip

#6 gr8acclaim

  • Topic Starter

  • Members
  • 17 posts

Posted 22 February 2011 - 08:56 PM

Here's the first report from OTL:
OTL logfile created on: 2/22/2011 8:03:01 PM - Run 1
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Josh\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.00 Mb Total Physical Memory | 405.00 Mb Available Physical Memory | 41.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 54.13 Gb Free Space | 72.64% Space Free | Partition Type: NTFS
Drive E: | 19.00 Gb Total Space | 13.11 Gb Free Space | 69.01% Space Free | Partition Type: FAT32

Computer Name: HOME-60FC3507F7 | User Name: Josh | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/22 19:58:23 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
PRC - [2010/12/17 09:33:10 | 000,439,632 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
PRC - [2010/12/17 09:33:06 | 001,103,184 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
PRC - [2010/11/23 21:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe
PRC - [2010/09/01 19:05:10 | 000,181,056 | ---- | M] () -- C:\Program Files\EarthLink\ISP\ISP8300\Browser\BartShel.exe
PRC - [2010/07/30 16:20:04 | 000,086,848 | ---- | M] () -- C:\Program Files\EarthLink\ISP\ISP8300\Browser\PPShared.exe
PRC - [2009/11/15 15:59:11 | 000,158,752 | ---- | M] (Applian Technologies, Inc.) -- C:\Program Files\Freecorder\FLVSrvc.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/07/14 09:52:44 | 000,040,960 | ---- | M] (Agere Systems) -- C:\WINDOWS\ltmsg.exe


========== Modules (SafeList) ==========

MOD - [2011/02/22 19:58:23 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
MOD - [2011/02/22 19:50:50 | 000,012,800 | ---- | M] (Applian Technologies, Inc.) -- C:\Documents and Settings\Josh\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 04:42:08 | 000,250,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\sptip.dll
MOD - [2008/04/14 04:42:02 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008/04/13 21:13:20 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\spgrmr.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/12/17 09:33:10 | 000,439,632 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe -- (RUBotSrv)
SRV - [2010/11/23 21:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe -- (NAV)
SRV - [2009/10/20 13:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)


========== Driver Services (SafeList) ==========

DRV - [2011/02/06 14:32:14 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110221.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/02/06 14:32:14 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/02/06 14:32:14 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110221.019\NAVENG.SYS -- (NAVENG)
DRV - [2011/02/06 14:10:29 | 000,126,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/12/01 00:24:00 | 000,368,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1205000.07D\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/11/22 23:08:31 | 000,509,560 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NAV\1205000.07D\SRTSP.SYS -- (SRTSP)
DRV - [2010/11/22 23:08:31 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1205000.07D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/11/22 21:20:07 | 000,691,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/11/17 21:59:55 | 000,652,336 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMEFA.SYS -- (SymEFA)
DRV - [2010/11/15 20:45:33 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1205000.07D\Ironx86.SYS -- (SymIRON)
DRV - [2010/11/08 19:50:31 | 000,341,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110218.003\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/10/20 21:28:36 | 000,340,016 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMDS.SYS -- (SymDS)
DRV - [2010/08/13 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/10/20 13:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2006/07/10 11:44:18 | 000,099,840 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MR97310v.sys -- (MR97310_VGA_DUAL_CAMERA)
DRV - [2003/12/12 18:03:10 | 000,652,689 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2001/08/17 13:58:12 | 000,022,912 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\umaxpcls.sys -- (UMAXPCLS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn\ [2011/02/06 14:38:40 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/02/06 19:48:00 | 000,416,107 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14365 more lines...
O2 - BHO: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll (Conduit Ltd.)
O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll (EarthLink, Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Accelerator Plugin) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink Accelerated\prpl_IePopupBlocker.dll (Propel Software Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll (EarthLink, Inc.)
O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll (EarthLink, Inc.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\..\Toolbar\WebBrowser: (Freecorder Toolbar) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - C:\Program Files\Freecorder\tbFree.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll (EarthLink, Inc.)
O4 - HKLM..\Run: [Bart Station] C:\Program Files\EarthLink\ISP\ISP8300\BIN\PPCOLink.exe ()
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [Freecorder FLV Service] C:\Program Files\Freecorder\FLVSrvc.exe (Applian Technologies, Inc.)
O4 - HKLM..\Run: [LTMSG] C:\WINDOWS\ltmsg.exe (Agere Systems)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: EarthLink Google Search - C:\Program Files\EarthLink\Toolbar\SearchUI.dll (EarthLink, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} http://i.dell.com/images/global/js/scanner/SysProExe.cab (Scanner.SysScanner)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/06 09:58:34 | 000,000,037 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/06 09:58:34 | 000,000,017 | ---- | M] () - C:\AUTOEXEC.OLD -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/02/22 20:00:01 | 000,000,000 | ---D | C] -- C:\tdsskiller
[2011/02/22 19:58:18 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
[2011/02/13 21:01:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Desktop\gmer
[2011/02/11 23:17:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2011/02/09 23:56:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/02/09 23:29:13 | 000,000,000 | ---D | C] -- C:\HijackThis
[2011/02/09 22:37:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/02/09 22:37:25 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/02/09 22:36:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro RUBotted
[2011/02/09 22:36:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/07 22:55:41 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2011/02/07 22:47:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/02/07 22:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/02/06 20:25:41 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2011/02/06 20:25:03 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2011/02/06 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Application Data\QuickScan
[2011/02/06 19:36:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/02/06 17:21:52 | 000,076,920 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SMR161.SYS
[2011/02/06 17:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Local Settings\Application Data\NPE
[2011/02/06 14:52:54 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/02/06 14:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Application Data\Tific
[2011/02/06 14:40:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Local Settings\Application Data\Symantec
[2011/02/06 14:31:57 | 000,330,360 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\symtdiv.sys
[2011/02/06 14:31:56 | 000,652,336 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\symefa.sys
[2011/02/06 14:31:56 | 000,509,560 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\srtsp.sys
[2011/02/06 14:31:56 | 000,368,248 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\symtdi.sys
[2011/02/06 14:31:56 | 000,340,016 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\symds.sys
[2011/02/06 14:31:56 | 000,295,032 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\symnets.sys
[2011/02/06 14:31:56 | 000,136,312 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\ironx86.sys
[2011/02/06 14:31:56 | 000,050,168 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1205000.07D\srtspx.sys
[2011/02/06 14:31:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1205000.07D
[2011/02/06 14:10:29 | 000,126,512 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/02/06 14:10:29 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/02/06 14:10:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/02/06 14:10:29 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/02/06 14:09:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2011/02/06 14:09:50 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2011/02/06 14:09:50 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2011/02/06 14:09:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton AntiVirus
[2011/02/06 14:09:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2011/02/06 14:07:08 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2011/02/06 14:07:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2011/02/03 22:04:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/02/03 22:04:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/01/26 20:46:20 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll.prepare
[2011/01/25 18:05:27 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/01/25 17:52:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/01/25 17:26:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EarthLink Access Software
[2011/01/25 17:26:25 | 000,000,000 | ---D | C] -- C:\Program Files\EarthLink Accelerated
[2011/01/25 17:19:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Application Data\EarthLink
[2011/01/25 17:18:37 | 000,073,192 | ---- | C] (PeoplePC) -- C:\WINDOWS\System32\unPPC.exe
< End of report >

#7 gr8acclaim

gr8acclaim
  • Topic Starter

  • Members
  • 17 posts

Posted 22 February 2011 - 09:16 PM

For some odd reason it won't let me paste the 2nd log from the OTL program (tried several times), so I stuck it on as an attachment, hopefully that will work...




#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 23 February 2011 - 06:26 AM

Hi,

Please follow the instructions in the order that I have posted them.


1. Download ComboFix from one of these locations:

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.





  • Download the file & save it as it's originally named.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



  • At the next prompt, click 'No' to exit ComboFix.




2. Close all other running programs.
  • Please run TDSSKiller.exe again and start the scan.
  • Do not change any setting after the scan and let it Cure any infections found.
  • Follow the prompts and reboot the computer when asked.
  • Once completed, it will generate a report located at C:\TDSSKiller.Version_Date_Time_log.txt.
  • Please post the contents of that log when you reply.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
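The report TDSSKiller writes in step 2 lists one line per kernel driver: timestamp, PID, service name, MD5 of the driver image and the image path. As an added example (not TDSSKiller's own code and not from anyone in this thread), the Python script below parses that line format and flags drivers whose image is loaded from somewhere a driver normally is not, or whose hash differs from a known-good baseline; the sample report, the baseline hashes, the xyzdrv driver and the shortened Norton path are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One driver line of a TDSSKiller 2.4 report, in the shape posted in this thread:
#   <date> <time> <pid> <ServiceName> (<md5 of image>) <image path>
DRIVER_LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class DriverEntry:
    name: str   # service/driver name as TDSSKiller reports it
    md5: str    # lower-case MD5 of the driver image
    path: str   # image path exactly as written in the report


def parse_tdsskiller(report: str) -> List[DriverEntry]:
    """Return one DriverEntry per driver line. Banner, SystemInfo and
    'Scan started' lines carry no '(md5)' group and are skipped."""
    entries: List[DriverEntry] = []
    for line in report.splitlines():
        m = DRIVER_LINE_RE.match(line)
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
    return entries


# Locations a kernel driver is legitimately loaded from on this XP machine
# (Windows' own driver directory, installed products, Norton's definition
# drivers). Anything elsewhere, e.g. a user profile or Temp, deserves a look.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\",
    "c:\\documents and settings\\all users\\application data\\norton\\",
)


def triage(entries: List[DriverEntry],
           baseline: Dict[str, str]) -> List[Tuple[DriverEntry, str]]:
    """Return (entry, reason) pairs for drivers worth a closer look.

    `baseline` maps a driver name to the MD5 of its known-good image (for
    instance recorded from a clean install at the same service-pack level).
    A TDSS-style rootkit patches an existing boot driver in place, so its
    path still looks right and only the hash gives it away; a driver dropped
    by a downloader usually sits where no driver should."""
    findings: List[Tuple[DriverEntry, str]] = []
    for entry in entries:
        if not entry.path.lower().startswith(TRUSTED_PREFIXES):
            findings.append((entry, "image loaded from untrusted location"))
        known = baseline.get(entry.name)
        if known is not None and known.lower() != entry.md5:
            findings.append((entry, "hash differs from known-good baseline"))
    return findings


# Constructed sample report: same layout as the thread's log, but the hashes,
# the xyzdrv driver and the shortened Norton path are made up for this example.
SAMPLE_REPORT = r"""2011/02/24 00:01:43.0093 3020 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/24 00:01:43.0140 3020 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/24 00:01:49.0796 3052 Scan started
2011/02/24 00:01:50.0875 3052 ACPI (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/24 00:01:51.0968 3052 atapi (fedcba9876543210fedcba9876543210) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/24 00:01:52.0500 3052 BHDrvx86 (00112233445566778899aabbccddeeff) C:\Documents and Settings\All Users\Application Data\Norton\BASHDefs\BHDrvx86.sys
2011/02/24 00:01:53.0100 3052 xyzdrv (deadbeefdeadbeefdeadbeefdeadbeef) C:\Documents and Settings\Josh\Local Settings\Temp\xyzdrv.sys
"""

# Constructed known-good hashes: ACPI matches the report, atapi does not.
SAMPLE_BASELINE = {
    "ACPI": "0123456789abcdef0123456789abcdef",
    "atapi": "ffffffffffffffff0000000000000000",
}


if __name__ == "__main__":
    for entry, reason in triage(parse_tdsskiller(SAMPLE_REPORT), SAMPLE_BASELINE):
        print(f"{entry.name:10} {reason}: {entry.path}")
```

Note that the report only lists what TDSSKiller could enumerate; a driver that hides itself from the tool produces no line at all, so an empty finding list is not a clean bill of health.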


#9 gr8acclaim

gr8acclaim
  • Topic Starter

  • Members
  • 17 posts

Posted 23 February 2011 - 09:05 PM

OK, after some time messing about and trying to get it all to cooperate with me, I managed to get it all done. I now have a new log file from that for you:



2011/02/24 00:01:43.0093 3020 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/24 00:01:43.0140 3020 ================================================================================
2011/02/24 00:01:43.0140 3020 SystemInfo:
2011/02/24 00:01:43.0140 3020
2011/02/24 00:01:43.0140 3020 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/24 00:01:43.0140 3020 Product type: Workstation
2011/02/24 00:01:43.0140 3020 ComputerName: HOME-60FC3507F7
2011/02/24 00:01:43.0140 3020 UserName: Josh
2011/02/24 00:01:43.0140 3020 Windows directory: C:\WINDOWS
2011/02/24 00:01:43.0140 3020 System windows directory: C:\WINDOWS
2011/02/24 00:01:43.0140 3020 Processor architecture: Intel x86
2011/02/24 00:01:43.0140 3020 Number of processors: 1
2011/02/24 00:01:43.0140 3020 Page size: 0x1000
2011/02/24 00:01:43.0140 3020 Boot type: Normal boot
2011/02/24 00:01:43.0140 3020 ================================================================================
2011/02/24 00:01:43.0687 3020 Initialize success
2011/02/24 00:01:49.0796 3052 ================================================================================
2011/02/24 00:01:49.0796 3052 Scan started
2011/02/24 00:01:49.0796 3052 Mode: Manual;
2011/02/24 00:01:49.0796 3052 ================================================================================
2011/02/24 00:02:05.0750 3052 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/24 00:02:05.0859 3052 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/24 00:02:06.0078 3052 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/02/24 00:02:06.0171 3052 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/02/24 00:02:06.0265 3052 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/24 00:02:06.0328 3052 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/24 00:02:06.0562 3052 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/24 00:02:06.0578 3052 ================================================================================
2011/02/24 00:02:06.0578 3052 Scan finished
2011/02/24 00:02:06.0578 3052 ================================================================================
2011/02/24 00:02:06.0625 3044 Detected object count: 1
2011/02/24 00:02:24.0578 3044 \HardDisk1 - copied to quarantine
2011/02/24 00:02:24.0640 3044 \HardDisk1\TDLFS\cfg.ini - copied to quarantine
2011/02/24 00:02:24.0656 3044 \HardDisk1\TDLFS\mbr - copied to quarantine
2011/02/24 00:02:24.0656 3044 \HardDisk1\TDLFS\bckfg.tmp - copied to quarantine
2011/02/24 00:02:24.0656 3044 \HardDisk1\TDLFS\cmd.dll - copied to quarantine
2011/02/24 00:02:24.0671 3044 \HardDisk1\TDLFS\ldr16 - copied to quarantine
2011/02/24 00:02:24.0671 3044 \HardDisk1\TDLFS\ldr32 - copied to quarantine
2011/02/24 00:02:24.0687 3044 \HardDisk1\TDLFS\ldr64 - copied to quarantine
2011/02/24 00:02:24.0687 3044 \HardDisk1\TDLFS\drv64 - copied to quarantine
2011/02/24 00:02:24.0703 3044 \HardDisk1\TDLFS\cmd64.dll - copied to quarantine
2011/02/24 00:02:24.0703 3044 \HardDisk1\TDLFS\drv32 - copied to quarantine
2011/02/24 00:02:24.0750 3044 \HardDisk1\TDLFS\dkmks.tmp - copied to quarantine
2011/02/24 00:02:24.0750 3044 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Quarantine
2011/02/24 00:02:32.0828 3068 ================================================================================
2011/02/24 00:02:32.0828 3068 Scan started
2011/02/24 00:02:32.0828 3068 Mode: Manual;
2011/02/24 00:02:32.0828 3068 ================================================================================
2011/02/24 00:02:33.0234 3068 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/24 00:02:33.0328 3068 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/24 00:02:33.0468 3068 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/24 00:02:33.0531 3068 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/24 00:02:33.0875 3068 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/02/24 00:02:34.0203 3068 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/24 00:02:34.0250 3068 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/24 00:02:34.0343 3068 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/24 00:02:34.0437 3068 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/24 00:02:34.0531 3068 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/24 00:02:34.0687 3068 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys
2011/02/24 00:02:34.0921 3068 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/24 00:02:35.0000 3068 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/02/24 00:02:35.0125 3068 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/24 00:02:35.0203 3068 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/24 00:02:35.0281 3068 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/24 00:02:35.0390 3068 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/02/24 00:02:35.0625 3068 cmuda (297cc8a257cbd3c46bbd675ec5e35cc2) C:\WINDOWS\system32\drivers\cmuda.sys
2011/02/24 00:02:35.0921 3068 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/24 00:02:36.0000 3068 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/24 00:02:36.0078 3068 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/24 00:02:36.0140 3068 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/24 00:02:36.0187 3068 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/24 00:02:36.0250 3068 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/24 00:02:36.0390 3068 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/02/24 00:02:36.0453 3068 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/02/24 00:02:36.0515 3068 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/24 00:02:36.0593 3068 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/24 00:02:36.0656 3068 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2011/02/24 00:02:36.0734 3068 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/24 00:02:36.0796 3068 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/24 00:02:36.0859 3068 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/24 00:02:36.0937 3068 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/24 00:02:37.0031 3068 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/24 00:02:37.0109 3068 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/24 00:02:37.0265 3068 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/24 00:02:37.0500 3068 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/24 00:02:37.0812 3068 IDSxpx86 (0308238c582a55d83d34feee39542793) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110221.001\IDSxpx86.sys
2011/02/24 00:02:37.0953 3068 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/24 00:02:38.0203 3068 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/24 00:02:38.0265 3068 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/24 00:02:38.0312 3068 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/24 00:02:38.0390 3068 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/24 00:02:38.0437 3068 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/24 00:02:38.0515 3068 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/24 00:02:38.0640 3068 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/24 00:02:38.0765 3068 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/24 00:02:38.0921 3068 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/24 00:02:39.0000 3068 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/24 00:02:39.0203 3068 ltmodem5 (3070246fba35aa2e0c2251d55f5848f8) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
2011/02/24 00:02:39.0312 3068 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/24 00:02:39.0437 3068 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/24 00:02:39.0578 3068 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/24 00:02:39.0671 3068 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/24 00:02:39.0750 3068 MR97310_VGA_DUAL_CAMERA (3da8a2a25269e53b1f3a214031864ef8) C:\WINDOWS\system32\DRIVERS\mr97310v.sys
2011/02/24 00:02:39.0875 3068 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/24 00:02:39.0953 3068 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/24 00:02:40.0046 3068 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/24 00:02:40.0109 3068 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/24 00:02:40.0156 3068 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/24 00:02:40.0203 3068 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/24 00:02:40.0250 3068 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/24 00:02:40.0312 3068 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/02/24 00:02:40.0359 3068 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/24 00:02:40.0421 3068 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/02/24 00:02:40.0609 3068 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110223.002\NAVENG.SYS
2011/02/24 00:02:40.0718 3068 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110223.002\NAVEX15.SYS
2011/02/24 00:02:40.0828 3068 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/24 00:02:40.0921 3068 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/02/24 00:02:41.0015 3068 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/24 00:02:41.0078 3068 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/24 00:02:41.0140 3068 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/24 00:02:41.0171 3068 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/24 00:02:41.0234 3068 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/24 00:02:41.0296 3068 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/24 00:02:41.0453 3068 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
2011/02/24 00:02:41.0515 3068 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/24 00:02:41.0562 3068 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/24 00:02:41.0687 3068 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/24 00:02:41.0765 3068 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/24 00:02:41.0828 3068 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/24 00:02:41.0921 3068 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/24 00:02:41.0953 3068 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/24 00:02:42.0015 3068 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/24 00:02:42.0109 3068 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
2011/02/24 00:02:42.0156 3068 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/24 00:02:42.0328 3068 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/24 00:02:42.0734 3068 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/24 00:02:42.0828 3068 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/24 00:02:42.0875 3068 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/24 00:02:42.0937 3068 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/24 00:02:43.0234 3068 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/24 00:02:43.0296 3068 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/24 00:02:43.0359 3068 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/24 00:02:43.0406 3068 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/24 00:02:43.0468 3068 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/24 00:02:43.0531 3068 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/24 00:02:43.0609 3068 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/24 00:02:43.0703 3068 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/24 00:02:43.0796 3068 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/24 00:02:44.0140 3068 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/24 00:02:44.0203 3068 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/24 00:02:44.0250 3068 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/24 00:02:44.0343 3068 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/24 00:02:44.0468 3068 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/02/24 00:02:44.0593 3068 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/24 00:02:44.0671 3068 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/24 00:02:44.0812 3068 SRTSP (a7a104a61c4e30de9c58f8c372a5c209) C:\WINDOWS\System32\Drivers\NAV\1205000.07D\SRTSP.SYS
2011/02/24 00:02:44.0890 3068 SRTSPX (2833445f786bd000bb14c84a9d91347a) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SRTSPX.SYS
2011/02/24 00:02:44.0984 3068 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/24 00:02:45.0078 3068 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/02/24 00:02:45.0140 3068 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/24 00:02:45.0187 3068 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/24 00:02:45.0437 3068 SymDS (bdf077b897b5f9f929b6bf0cfd436962) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMDS.SYS
2011/02/24 00:02:45.0546 3068 SymEFA (7732298ad2eddd364c1d4f439d99ae7c) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMEFA.SYS
2011/02/24 00:02:45.0640 3068 SymEvent (5c76a63fac8a5580c5a1c4a4ed827782) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/02/24 00:02:45.0718 3068 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NAV\1205000.07D\Ironx86.SYS
2011/02/24 00:02:45.0796 3068 SYMTDI (8c07683bf02b63ad71bcb2cf28af2d06) C:\WINDOWS\System32\Drivers\NAV\1205000.07D\SYMTDI.SYS
2011/02/24 00:02:45.0984 3068 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/24 00:02:46.0109 3068 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/24 00:02:46.0187 3068 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/24 00:02:46.0265 3068 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/24 00:02:46.0328 3068 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/24 00:02:46.0484 3068 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
2011/02/24 00:02:46.0546 3068 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/24 00:02:46.0671 3068 UMAXPCLS (931e8cafcaa536e8252cd7a375ff9794) C:\WINDOWS\system32\DRIVERS\umaxpcls.sys
2011/02/24 00:02:46.0781 3068 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/24 00:02:46.0906 3068 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/24 00:02:46.0953 3068 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/24 00:02:47.0046 3068 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/24 00:02:47.0234 3068 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/24 00:02:47.0390 3068 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/24 00:02:47.0437 3068 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/24 00:02:47.0515 3068 viagfx (3a6a626d349b5c3077dfcf4573db475d) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2011/02/24 00:02:47.0593 3068 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/02/24 00:02:47.0671 3068 viamraid (85e9421c8a99d1291b43b9b59a669ac3) C:\WINDOWS\system32\DRIVERS\viamraid.sys
2011/02/24 00:02:47.0734 3068 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/24 00:02:47.0843 3068 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/24 00:02:47.0968 3068 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/24 00:02:48.0203 3068 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/02/24 00:02:48.0312 3068 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/02/24 00:02:48.0437 3068 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/24 00:02:48.0515 3068 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/24 00:02:48.0750 3068 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/24 00:02:48.0750 3068 ================================================================================
2011/02/24 00:02:48.0750 3068 Scan finished
2011/02/24 00:02:48.0750 3068 ================================================================================
2011/02/24 00:02:48.0796 3060 Detected object count: 1
2011/02/24 00:02:58.0281 3060 \HardDisk1 - will be cured after reboot
2011/02/24 00:02:58.0281 3060 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/02/24 00:03:04.0859 3012 Deinitialize success



Ran it again just for good measure, and it found nothing that 2nd time.

I have to say though, my computer is not quite normal yet. I've only been on a bit and haven't had any attacks yet, but now at the start bar on the bottom it shows, not just the time, but also the day of the week, as in Thursday. Never saw that before... Can't imagine I did anything to cause that to happen... Perhaps something else has got in while we were trying to kill the current infection.

Anyway, that's where we're at, and I think we're making some progress!

Edited by gr8acclaim, 24 February 2011 - 12:44 AM.
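The TDSSKiller log above is long and the only lines that matter for deciding what to do next are a handful near the end of each scan: the detection, the "Detected object count", what was copied to quarantine, the action the user chose, and whether a cure is deferred to the next reboot. The Python below is an added example, not part of this thread and not Kaspersky's code; it parses lines in the layout the posted log uses (timestamp, thread id, message) and groups them into scans. The sample log is constructed from that layout; the third, clean scan and its "Detected object count: 0" line are assumed for illustration and do not appear in the post.

```python
# Summarise a Kaspersky TDSSKiller log: scans, detections, chosen actions.
# Added example; not part of this thread and not Kaspersky's code. Assumed
# line layout (matches the log posted above):
#   "YYYY/MM/DD HH:MM:SS.ffff <thread-id> <message>"
from __future__ import annotations

import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<name>\S+) \((?P<n>\d+)\)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
QUAR_RE = re.compile(r"^(?P<path>.+?) - copied to quarantine$")
ACTION_RE = re.compile(r"^(?P<name>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
CURE_RE = re.compile(r"^(?P<obj>.+?) - will be cured after reboot$")


@dataclass
class ScanSummary:
    started: str
    finished: str | None = None
    detections: list[tuple[str, str]] = field(default_factory=list)   # (object, threat)
    detected_count: int | None = None
    quarantined: list[str] = field(default_factory=list)
    actions: list[tuple[str, str, str]] = field(default_factory=list)  # (threat, object, action)
    pending_reboot_cure: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        # Nothing flagged during the scan and no non-zero post-scan count.
        return not self.detections and not self.detected_count


def parse_tdsskiller_log(text: str) -> list[ScanSummary]:
    # Post-scan lines (count, quarantine, action, cure) are logged by a
    # different thread id after "Scan finished", so they are attached to the
    # most recent scan rather than matched by thread.
    scans: list[ScanSummary] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, _thread, msg = m.groups()
        msg = msg.strip()
        if msg == "Scan started":
            scans.append(ScanSummary(started=ts))
            continue
        if not scans:
            continue  # header lines before the first scan
        cur = scans[-1]
        if msg == "Scan finished":
            cur.finished = ts
        elif (d := DETECT_RE.match(msg)):
            cur.detections.append((d["obj"], d["name"]))
        elif (c := COUNT_RE.match(msg)):
            cur.detected_count = int(c["n"])
        elif (q := QUAR_RE.match(msg)):
            cur.quarantined.append(q["path"])
        elif (a := ACTION_RE.match(msg)):
            cur.actions.append((a["name"], a["obj"], a["action"]))
        elif (r := CURE_RE.match(msg)):
            cur.pending_reboot_cure.append(r["obj"])
    return scans


def reboot_required(scans: list[ScanSummary]) -> bool:
    # A "Cure" on a boot-sector object is only applied at the next reboot.
    return any(s.pending_reboot_cure for s in scans)


def report(scans: list[ScanSummary]) -> list[str]:
    lines = []
    for i, s in enumerate(scans, 1):
        status = "clean" if s.is_clean() else f"{len(s.detections)} detection(s)"
        lines.append(f"scan {i} ({s.started}): {status}")
        for threat, obj, action in s.actions:
            lines.append(f"  {threat} on {obj}: action={action}")
        for obj in s.pending_reboot_cure:
            lines.append(f"  {obj}: cure pending reboot")
    return lines


# Constructed sample in the posted log's layout; scan 3 is assumed, not from the thread.
SAMPLE_LOG = r"""
2011/02/24 00:01:20.0000 3052 Scan started
2011/02/24 00:01:20.0000 3052 Mode: Manual;
2011/02/24 00:01:21.0000 3052 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/24 00:02:06.0562 3052 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/24 00:02:06.0578 3052 Scan finished
2011/02/24 00:02:06.0625 3044 Detected object count: 1
2011/02/24 00:02:24.0578 3044 \HardDisk1 - copied to quarantine
2011/02/24 00:02:24.0656 3044 \HardDisk1\TDLFS\mbr - copied to quarantine
2011/02/24 00:02:24.0750 3044 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Quarantine
2011/02/24 00:02:32.0828 3068 Scan started
2011/02/24 00:02:48.0750 3068 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/24 00:02:48.0750 3068 Scan finished
2011/02/24 00:02:48.0796 3060 Detected object count: 1
2011/02/24 00:02:58.0281 3060 \HardDisk1 - will be cured after reboot
2011/02/24 00:02:58.0281 3060 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/02/24 00:10:00.0000 3080 Scan started
2011/02/24 00:10:30.0000 3080 Scan finished
2011/02/24 00:10:30.0000 3081 Detected object count: 0
"""

if __name__ == "__main__":
    print("\n".join(report(parse_tdsskiller_log(SAMPLE_LOG))))
```

Run against a real log by reading the file into `parse_tdsskiller_log`; the thing to look for is that the last scan is clean and that no cure is still pending a reboot, which is exactly the state the poster describes after the rerun.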


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:08:34 AM

Posted 24 February 2011 - 08:39 AM

Hi,

OK, after some time messing about and trying to get it all to cooperate with me, I managed to get it all done

Would you mind if I ask how you managed to get it all done? Anyway, that's a great initiative. :thumbup2:


=========================================


1. Download SREng
  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that have an Error status and click [Repair]
  • Refer to this image for an example:

    Posted Image
  • Close SREng now.



2. Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    O4 - HKLM..\Run: [NWEReboot] File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP] 
    [EMPTYFLASH] 
    [RESETHOSTS]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop-up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.



3. Please delete your copy of combofix (do not uninstall) and run a new copy by following the instruction below.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 gr8acclaim

gr8acclaim
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:34 PM

Posted 24 February 2011 - 01:26 PM

Well, got online, read your post and set about downloading things as you told me to do. Then when I got to trying to run them, the computer wouldn't cooperate with anything at all. I guess that between reading your post, downloading ComboFix and the Recovery Console, and finally trying to run it, my browser picked up something else (I assume it was somehow sent by or associated with the original problem that we're fixing). Anyway, my Norton AV discovered it was happening and automatically 'fixed' it in the background. That 'fix' made it so that when I clicked on the ComboFix icon, it kept producing an error message saying, "Application not found." When I tried to re-open Internet Explorer to try and re-download it, THAT opened up a box that asked "What program do you want to use to read this file." Almost everything I tried to open either opened one or the other of those two windows.

Finally I figured out what had happened, and restored or unquarantined whatever it was that Norton had captured. Then things worked again and I was able to do as you requested in the post.

I hate to say it, but the initiative you admired involved basically re-infecting my browser with the virus or whatever that Norton had pulled out... (c;

Sorry if my terminology is vague or totally wrong in this post, as I'm at work and not on the home computer where the problem is. But in 4 or 5 hours I'll be back home and set about doing this next set of tasks you've outlined.

#12 gr8acclaim

gr8acclaim
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:34 PM

Posted 24 February 2011 - 10:51 PM

Right-O, I've followed the instructions again, and here are the reports you requested.

This is the OTL Report:



All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Josh\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Josh\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Josh
->Temp folder emptied: 1867 bytes
->Temporary Internet Files folder emptied: 8516130 bytes
->Java cache emptied: 15109214 bytes
->Flash cache emptied: 7318 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 622726 bytes
->Flash cache emptied: 2697 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 8570 bytes
->Flash cache emptied: 17856 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4281805 bytes

Total Files Cleaned = 29.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Josh
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.21.0 log created on 02242011_220417

Files\Folders moved on Reboot...
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\0VGHSGBD\page__pid__2146070[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_69c.dat not found!

Registry entries deleted on Reboot...





And next is the report from the ComboFix:




ComboFix 11-02-24.02 - Josh 02/24/2011 22:20:07.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.597 [GMT -5:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Josh\Local Settings\Application Data\jsq.exe
c:\documents and settings\Josh\Local Settings\Application Data\kbh.exe
c:\documents and settings\Josh\Local Settings\Application Data\png.exe
c:\documents and settings\Josh\Local Settings\Application Data\qha.exe
c:\documents and settings\Josh\Local Settings\Application Data\xsp.exe
c:\hijackthis\HijackThis.exe
c:\tdsskiller\tdsskiller.exe
c:\windows\system\ACTXPRXY.DLL
c:\windows\system\ASCTRLS.OCX
c:\windows\system\Axdist.exe
c:\windows\system\BINDFILE.DLL
c:\windows\system\BROWSELC.DLL
c:\windows\system\BROWSEUI.DLL
c:\windows\system\Bwcc32.dll
c:\windows\system\chsigfx.lrc
c:\windows\system\chtigfx.lrc
c:\windows\system\COMCTL32.DLL
c:\windows\system\danigfx.lrc
c:\windows\system\deuigfx.lrc
c:\windows\system\DKAAY2PI.EXE
c:\windows\system\EMDAZ32.DLL
c:\windows\system\EMLCNS32.DLL
c:\windows\system\engigfx.lrc
c:\windows\system\esmigfx.lrc
c:\windows\system\esnigfx.lrc
c:\windows\system\espigfx.lrc
c:\windows\system\finigfx.lrc
c:\windows\system\FPWPP.DLL
c:\windows\system\fraigfx.lrc
c:\windows\system\FRAMEBUF.DLL
c:\windows\system\frcigfx.lrc
c:\windows\system\HLINK.DLL
c:\windows\system\IEPEERS.DLL
c:\windows\system\IERNONCE.DLL
c:\windows\system\IMGUTIL.DLL
c:\windows\system\IMPLODE.DLL
c:\windows\system\INETCPL.CPL
c:\windows\system\INETCPLC.DLL
c:\windows\system\INSENG.DLL
c:\windows\system\itaigfx.lrc
c:\windows\system\itircl.dll
c:\windows\system\itss.dll
c:\windows\System\JGAW400.DLL
c:\windows\system\jpnigfx.lrc
c:\windows\system\korigfx.lrc
c:\windows\system\lexlog.dll
c:\windows\system\MFC42ENU.DLL
c:\windows\system\MLANG.DLL
c:\windows\system\mmctrl.dll
c:\windows\system\MSENCODE.DLL
c:\windows\system\MSHTML.DLL
c:\windows\system\MSHTMLED.DLL
c:\windows\system\MSHTMLER.DLL
c:\windows\system\msiosd32.dll
c:\windows\system\MSRATING.DLL

.
((((((((((((((((((((((((( Files Created from 2011-01-25 to 2011-02-25 )))))))))))))))))))))))))))))))
.

2011-02-25 03:04 . 2011-02-25 03:04 -------- d-----w- C:\_OTL
2011-02-24 05:02 . 2011-02-24 05:02 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-24 01:07 . 2011-02-24 01:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-23 01:00 . 2011-02-25 03:24 -------- d-----w- C:\tdsskiller
2011-02-12 04:17 . 2011-02-12 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-02-10 04:29 . 2011-02-25 03:24 -------- d-----w- C:\HijackThis
2011-02-10 03:37 . 2011-02-10 03:37 -------- d-----w- c:\program files\WinPcap
2011-02-10 03:36 . 2011-02-10 03:36 -------- d-----w- c:\program files\Trend Micro
2011-02-08 03:55 . 2011-02-08 03:55 -------- d-----w- c:\program files\Speccy
2011-02-07 01:25 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-02-07 01:25 . 2011-02-07 01:25 -------- d-----w- c:\program files\Panda Security
2011-02-07 01:16 . 2011-02-07 01:17 -------- d-----w- c:\documents and settings\Josh\Application Data\QuickScan
2011-02-07 00:36 . 2011-02-07 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-02-06 22:21 . 2011-02-06 22:46 478 ----a-w- c:\windows\system32\drivers\SMR161.dat
2011-02-06 19:07 . 2011-02-06 19:07 -------- d-----w- c:\program files\NortonInstaller
2011-02-06 18:17 . 2011-02-06 18:17 -------- d-----w- c:\documents and settings\Administrator
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-27 01:46 . 2011-01-27 01:46 12536 ----a-w- c:\windows\system32\avgrsstx.dll.prepare

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2011-02-24_05.08.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-25 03:07 . 2011-02-25 03:07 16384 c:\windows\Temp\Perflib_Perfdata_784.dat
+ 2011-02-25 03:05 . 2011-02-25 03:05 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-11-09 23:38 2331672 ----a-w- c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"VTTimer"="VTTimer.exe" [2003-05-07 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-05 148888]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"Bart Station"="c:\program files\EarthLink\ISP\ISP8300\BIN\PPCOLink.exe" [2010-07-30 25920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/6/2011 8:25 PM 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [2/6/2011 2:31 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [2/6/2011 2:31 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [2/6/2011 2:32 PM 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [2/6/2011 2:31 PM 136312]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [2/6/2011 2:31 PM 130000]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [2/9/2011 10:36 PM 439632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2011 2:32 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110221.001\IDSXpx86.sys [2/22/2011 9:09 PM 341944]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\MR97310v.sys [7/10/2006 11:44 AM 99840]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\EarthLink\Toolbar\SearchUI.dll/search.html
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\cme.exe" -a "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-24 22:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-24 22:28:14
ComboFix-quarantined-files.txt 2011-02-25 03:28
ComboFix2.txt 2011-02-24 05:10

Pre-Run: 58,932,105,216 bytes free
Post-Run: 58,897,616,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 76922081FB2FEE48A0BC46A99D499965

There sure is a lot of stuff in these files, and I can't say I understand all of it, but I CAN say this. I have not seen the Norton 'under attack' windows popping up every 5-10 minutes today, and I haven't seen the pop-up popping up either, and lastly I don't see the little winky lights on my DSL modem flashing like they were before. They only seem to flash when I'm first connecting, and when I'm actively browsing pages. Otherwise they're just lit, whereas before they were almost constantly flashing as things happened in the background. Even if we haven't fixed everything there is yet, we're making some real headway! Thanks a bunch!

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:08:34 AM

Posted 25 February 2011 - 09:03 AM

Hi,

Did you previously use Panda Security? Can you confirm that you have already uninstalled it, so we can remove the remaining files?

=====================================

1. Please download Malwarebytes' Anti-Malware from here:

MalwareBytes' AntiMalware download link

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




2. Please run OTL and click the quick scan button, it will produce a new log. Please post that log for my review.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 gr8acclaim

gr8acclaim
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 25 February 2011 - 09:26 AM

Yes, I did use it for a short while, but no more. All I have now is the Norton that I paid for. You'll probably see leftovers from Panda & AVG and who knows what all. Had the computer for several years and it was given to me by my mother, who used CA Antivirus, I believe.

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:08:34 AM

Posted 25 February 2011 - 09:39 AM

Thank you for the confirmation, please proceed with the rest of my instructions. :)

~Semp
