
TDL4 Rootkit or bootkit and other malware


  • This topic is locked
12 replies to this topic

#1 TKMA

TKMA

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 09 March 2011 - 03:20 PM

XP Service Pack 3 (32bit)
NOD32 ver.4 (removed upon corruption)
Norton AV 2011 installed temporarily since NOD32 will not reinstall.


I got a malware infection a few days ago that looked to be cleaned out by MalwareBytes but new and different threats emerge each day. The latest one being WhiteSmoke. I removed it with MB. I have repeatedly scanned with MB, Spybot S&D, SuperAntiSpyware until things came up clean. But a day later or sometimes less new threats are detected.

I think a rootkit is the main cause. Based on the DDS log I think it's a TDL4 bootkit. It corrupted my AV program NOD32 to the point where I had to uninstall it just to get Windows to stop hanging. It also will not let me reinstall NOD32. Also often having the disappearing desktop icons and taskbar issue after reboot. This gets temporarily resolved by the F-Secure Shellfix registry fix. Running a new instance of explorer.exe was doing nothing. Still getting lots of lockups sometimes forcing reboots. Most of the website redirection seems to be gone since the initial scans with MB. No problems updating malware scanner definitions.

FWIW a friend of a friend who is allegedly good at removing malware had helped me this time and in the past to try to get rid of this stuff. I know for a fact she was using that Combofix application. From what I have read here it is dangerous and even possible she was running a fake version of it. Is that going to make this worse? I wish I had found this site first.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by parlapiano at 4:40:18.12 on Wed 03/09/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.965 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe
C:\Program Files\Sage\SIM\Client\Sage.Sim.Client.WindowsService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sage\SIM\Client\SimNotify.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\parlapiano\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\parlapiano\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\parlapiano\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\parlapiano\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\parlapiano\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080902
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\parlapiano\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SimNotify.exe] c:\program files\sage\sim\client\SimNotify.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startp~1.lnk - c:\windows\installer\{0a3238d7-ab32-1030-b717-f3e3f18b4a8c}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222397346295
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {F6F92FFF-2BE5-498C-994E-B8E45FAD740E} = 192.168.50.12
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\SymDS.sys [2011-3-8 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\SymEFA.sys [2011-3-8 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\bashdefs\20110225.002\BHDrvx86.sys [2011-2-25 800376]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\Ironx86.sys [2011-3-8 136312]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-2-9 47640]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.5.0.125\ccSvcHst.exe [2011-3-8 130000]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\common files\sage\ls1\servicehost\1.0\Sage.LS1.ServiceHost.exe [2010-4-7 107816]
R2 SageInstMgrClient;Sage Installation Manager Client;c:\program files\sage\sim\client\Sage.Sim.Client.WindowsService.exe [2010-4-14 15144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-3-8 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\ipsdefs\20110304.001\IDSXpx86.sys [2011-3-8 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\virusdefs\20110308.036\NAVENG.SYS [2011-3-9 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\virusdefs\20110308.036\NAVEX15.SYS [2011-3-9 1360760]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-1-23 42832]
S4 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-03-09 05:21:19 -------- d-----w- c:\docume~1\parlap~1\applic~1\SUPERAntiSpyware.com
2011-03-09 05:21:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-09 05:21:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-09 05:20:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-09 05:20:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-07 20:01:37 -------- d-----w- c:\program files\Drop Down Deals
2011-03-07 20:01:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-03-07 09:29:00 114 ----a-w- C:\shellfix.reg
2011-03-07 08:55:52 -------- d-s---w- C:\xit31008x
2011-03-07 08:36:50 -------- d-----w- C:\xit10288x
2011-03-07 08:23:04 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-07 08:23:02 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-07 08:23:01 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-07 08:21:59 249402 ----a-w- c:\windows\system32\dllcache\vinwm.sys
2011-03-07 08:20:58 222336 ----a-w- c:\windows\system32\dllcache\trid3dm.sys
2011-03-07 08:19:59 285760 ----a-w- c:\windows\system32\dllcache\stlnata.sys
2011-03-07 08:18:59 50432 ----a-w- c:\windows\system32\dllcache\sisv.sys
2011-03-07 08:17:59 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2011-03-07 08:16:58 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2011-03-07 08:15:59 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2011-03-07 08:14:59 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-03-07 08:13:59 45632 ----a-w- c:\windows\system32\dllcache\ip5515.sys
2011-03-07 08:12:58 324608 ----a-w- c:\windows\system32\dllcache\hpojwia.dll
2011-03-07 08:11:59 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2011-03-07 08:10:59 86016 ----a-w- c:\windows\system32\dllcache\dc240usd.dll
2011-03-07 08:09:59 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2011-03-07 07:35:42 -------- d-----w- C:\xit14341x
2011-03-07 07:04:03 -------- d-----w- C:\xit
2011-03-03 23:42:13 -------- d-----w- C:\fcccsss
2011-03-02 21:36:02 -------- d-sha-r- C:\cmdcons
2011-02-23 13:16:22 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-02-09 21:30:23 -------- d-----w- c:\docume~1\parlap~1\locals~1\applic~1\LogMeIn
2011-02-09 21:30:20 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-02-09 21:30:20 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-02-09 21:30:20 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-02-09 21:30:20 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-02-09 21:30:20 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-02-09 21:30:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn
2011-02-09 21:30:13 -------- d-----w- c:\program files\LogMeIn
.
==================== Find3M ====================
.
2011-03-09 04:43:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD80 rev.04.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800HLFS-75G6U0____________________04.04V01#4&3286f775&1&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
.
============= FINISH: 4:46:51.83 ===============

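The ROOTKIT section of the DDS log above ends with `user != kernel MBR !!!`: the Gmer detector reads sector 0 once through the ordinary user-mode disk path and once from the kernel side and compares the two copies. A bootkit that filters disk I/O so that ordinary reads get a clean-looking MBR is exposed by that mismatch. The following is an added example written for this page, not code from the thread, from Gmer or from DDS. It assumes nothing about a real disk: both 512-byte images, the stub boot code bytes and the partition geometry are constructed in memory, and the function and field names (`compare_mbr_reads`, `parse_partitions`, `verdict`) are this example's own.

```python
# Added example, not part of the thread and not Gmer's or DDS's code.
# Reproduces the idea behind the "user != kernel MBR !!!" verdict: compare the
# user-mode and kernel-mode views of sector 0 and describe where they differ.
# Both 512-byte images are constructed in memory; nothing touches a real disk.
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list:
    """Decode the non-empty entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, sectors = struct.unpack(
            "<B3xB3xII", mbr[off:off + 16])
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def compare_mbr_reads(user_mbr: bytes, kernel_mbr: bytes) -> dict:
    """Compare the two views of sector 0 and report what differs and where."""
    if len(user_mbr) != SECTOR_SIZE or len(kernel_mbr) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    differing = [i for i in range(SECTOR_SIZE) if user_mbr[i] != kernel_mbr[i]]
    return {
        "user_eq_kernel": not differing,
        "signature_ok": (user_mbr[510:] == BOOT_SIGNATURE
                         and kernel_mbr[510:] == BOOT_SIGNATURE),
        "boot_code_bytes_differ": sum(1 for i in differing if i < BOOT_CODE_SIZE),
        "partition_table_bytes_differ": sum(
            1 for i in differing if BOOT_CODE_SIZE <= i < 510),
        "first_diff_offset": differing[0] if differing else None,
        # A patched loader usually keeps the table intact so the OS still boots.
        "partition_table_equal":
            parse_partitions(user_mbr) == parse_partitions(kernel_mbr),
    }


def verdict(result: dict) -> str:
    """One-line summary in the style of the detector's output."""
    if result["user_eq_kernel"]:
        return "user == kernel MBR"
    where = "boot code" if result["boot_code_bytes_differ"] else "partition table"
    return ("user != kernel MBR !!! (first difference at offset "
            f"{result['first_diff_offset']}, in the {where})")


def build_clean_mbr() -> bytes:
    """Constructed 'user-mode' view: stub boot code and one active NTFS partition."""
    # XOR AX,AX ; MOV SS,AX ; MOV SP,0x7C00, then zero padding (a stub, not a real loader)
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 156249935)  # constructed geometry values
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_patched_mbr(clean: bytes) -> bytes:
    """Constructed 'kernel' view: same table and signature, boot code replaced."""
    patched_code = bytes([0xEB, 0x1E]) + b"\x90" * (BOOT_CODE_SIZE - 2)  # short jmp + filler
    return patched_code + clean[BOOT_CODE_SIZE:]


if __name__ == "__main__":
    user_view = build_clean_mbr()
    kernel_view = build_patched_mbr(user_view)
    print(verdict(compare_mbr_reads(user_view, user_view)))
    print(verdict(compare_mbr_reads(user_view, kernel_view)))
```

The comparison deliberately separates boot-code differences from partition-table differences: a bootkit replaces the loader but leaves the table alone so the system still starts, which is exactly the pattern a clean-looking user-mode read hides and a raw kernel read reveals.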

#2 TKMA

TKMA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 09 March 2011 - 09:00 PM

I just wanted to update this with two things I forgot in my first post.

First, I was and still am occasionally seeing Generic host process for Win32 errors, the most recent related to Svchost.exe and mshtml.dll.

Second, I forgot to report when I did a Norton scan yesterday it picked up and quarantined something called Sportgame.class (Trojan horse) within the Java cache under my user profile's application data folder.

I have not done any new scans of any type since posting my logs. I hope I did that part right. I think I'm not supposed to change anything until instructed to do so. Thanks a lot in advance. I know how busy your volunteers are.

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:41 PM

Posted 09 March 2011 - 09:58 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 TKMA

TKMA
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 10 March 2011 - 02:44 AM

Hi there Cat, thanks so much for the assist! Here's the CF log:



ComboFix 11-03-09.02 - parlapiano 03/10/2011 2:03.6.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1470 [GMT -5:00]
Running from: c:\documents and settings\parlapiano\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\program files\Drop Down Deals
c:\program files\Drop Down Deals\YontooIEClient.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-10 06:50 . 2011-03-10 06:51 -------- d-----w- C:\32788R22FWJFW
2011-03-10 06:38 . 2011-03-10 06:38 -------- d-sh--w- c:\documents and settings\admin2\IETldCache
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\documents and settings\parlapiano\Application Data\SUPERAntiSpyware.com
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-09 05:20 . 2011-03-09 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-09 05:20 . 2011-03-09 05:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-09 04:43 . 2011-03-09 04:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-03-09 04:43 . 2011-03-09 04:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-03-09 04:43 . 2011-03-09 04:43 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Symantec
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\windows\system32\drivers\NAV
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Norton AntiVirus
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Windows Sidebar
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\NortonInstaller
2011-03-07 09:29 . 2011-03-07 08:33 114 ----a-w- C:\shellfix.reg
2011-03-07 09:25 . 2011-03-07 09:25 -------- d-----w- c:\documents and settings\tempadmin
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-07 08:23 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-07 08:23 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-07 08:23 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-07 08:21 . 2001-08-17 17:14 249402 ----a-w- c:\windows\system32\dllcache\vinwm.sys
2011-03-07 08:20 . 2001-08-17 17:51 222336 ----a-w- c:\windows\system32\dllcache\trid3dm.sys
2011-03-07 08:19 . 2001-08-17 17:18 285760 ----a-w- c:\windows\system32\dllcache\stlnata.sys
2011-03-07 08:18 . 2004-08-04 03:31 32768 ----a-w- c:\windows\system32\dllcache\sisnic.sys
2011-03-07 08:17 . 2001-08-17 17:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2011-03-07 08:16 . 2001-08-17 19:04 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2011-03-07 08:15 . 2001-08-17 18:47 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2011-03-07 08:14 . 2001-08-17 17:50 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-03-07 08:13 . 2001-08-17 17:12 45632 ----a-w- c:\windows\system32\dllcache\ip5515.sys
2011-03-07 08:12 . 2001-08-18 03:36 324608 ----a-w- c:\windows\system32\dllcache\hpojwia.dll
2011-03-07 08:11 . 2001-08-17 17:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2011-03-07 08:10 . 2001-08-18 03:36 86016 ----a-w- c:\windows\system32\dllcache\dc240usd.dll
2011-03-07 08:09 . 2001-08-17 19:55 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2011-03-07 07:04 . 2011-03-07 07:23 -------- d-----w- C:\xit
2011-03-03 23:42 . 2011-03-04 00:01 -------- d-----w- C:\fcccsss
2011-03-02 00:56 . 2011-03-02 00:56 -------- d-----w- c:\documents and settings\grifadmin\Local Settings\Application Data\LogMeIn
2011-03-01 18:40 . 2011-03-01 18:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-02-28 18:44 . 2011-03-02 21:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-28 18:32 . 2011-02-28 18:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-02-23 13:16 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-02-09 21:30 . 2011-02-09 21:30 -------- d-----w- c:\documents and settings\parlapiano\Local Settings\Application Data\LogMeIn
2011-02-09 21:30 . 2010-12-08 18:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-02-09 21:30 . 2010-12-08 18:11 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-02-09 21:30 . 2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-02-09 21:30 . 2010-12-08 18:11 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-02-09 21:30 . 2010-09-17 20:40 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-02-09 21:30 . 2011-03-10 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2011-02-09 21:30 . 2011-02-09 21:35 -------- d-----w- c:\program files\LogMeIn
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-08 23:21 . 2009-03-26 23:28 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-03-08 23:21 . 2009-03-26 23:28 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-12-20 23:09 . 2010-09-16 18:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-09-16 18:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Google Update"="c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-05 140640]
"SimNotify.exe"="c:\program files\Sage\SIM\Client\SimNotify.exe" [2010-04-14 38696]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-08 274608]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2009-11-06 1286384]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2009-11-05 885000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Start Pervasive PSQL Workgroup Engine.lnk - c:\windows\Installer\{0A3238D7-AB32-1030-B717-F3E3F18B4A8C}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe [2010-8-11 92854]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-1138\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-1184\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-3106\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-500\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\SymDS.sys [3/8/2011 11:43 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\SymEFA.sys [3/8/2011 11:43 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110225.002\BHDrvx86.sys [2/25/2011 4:59 PM 800376]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 10:44 AM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/19/2009 10:45 AM 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\Ironx86.sys [3/8/2011 11:43 PM 136312]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58 AM 133968]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [3/8/2011 11:43 PM 130000]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe [4/7/2010 7:04 PM 107816]
R2 SageInstMgrClient;Sage Installation Manager Client;c:\program files\Sage\SIM\Client\Sage.Sim.Client.WindowsService.exe [4/14/2010 3:01 AM 15144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/8/2011 11:56 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110304.001\IDSXpx86.sys [3/8/2011 11:56 PM 341944]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 2:45 AM 42832]
S4 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/7/2009 11:39 AM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 14:44]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 16:39]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 16:39]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3994736024-1371218916-3720997399-3106Core.job
- c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 08:49]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3994736024-1371218916-3720997399-3106UA.job
- c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 08:49]
.
2011-03-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3994736024-1371218916-3720997399-3106.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3994736024-1371218916-3720997399-3106.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-10 c:\windows\Tasks\User_Feed_Synchronization-{F5F49462-54BF-404C-B569-504ADBB7A619}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080902
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {F6F92FFF-2BE5-498C-994E-B8E45FAD740E} = 192.168.50.12
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Drop Down Deals\YontooIEClient.dll
Toolbar-Locked - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-10 02:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD80 rev.04.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89CE7439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89ced7b8]; MOV EAX, [0x89ced834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6FBA68]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CE4388]
\Driver\iaStor[0x8A684D38] -> IRP_MJ_CREATE -> 0x89CE7439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800HLFS-75G6U0____________________04.04V01#4&3286f775&1&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1080)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1140)
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
.
- - - - - - - > 'explorer.exe'(5488)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-03-10 02:23:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-10 07:23
ComboFix2.txt 2011-03-07 08:52
.
Pre-Run: 33,876,254,720 bytes free
Post-Run: 33,883,033,600 bytes free
.
- - End Of File - - A80703E4B41925F5C42D6F7DF97DE7CA

#5 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 10 March 2011 - 07:53 AM

Hi

Please do the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


Please re-run ComboFix (allow it to update if it requests to do so) - post the resulting log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 TKMA (Topic Starter, Members, 7 posts)

Posted 10 March 2011 - 08:07 PM

Hi, thanks again and sorry for the delay. I had to do enough work on the PC in question that I wanted to do a full backup before continuing with scans. Below is the TDSSKiller log. Running the CF again right now.


2011/03/10 19:29:20.0629 6660 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/10 19:29:20.0707 6660 ================================================================================
2011/03/10 19:29:20.0707 6660 SystemInfo:
2011/03/10 19:29:20.0707 6660
2011/03/10 19:29:20.0707 6660 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/10 19:29:20.0707 6660 Product type: Workstation
2011/03/10 19:29:20.0707 6660 ComputerName: OPT755
2011/03/10 19:29:20.0707 6660 UserName: parlapiano
2011/03/10 19:29:20.0707 6660 Windows directory: C:\WINDOWS
2011/03/10 19:29:20.0707 6660 System windows directory: C:\WINDOWS
2011/03/10 19:29:20.0707 6660 Processor architecture: Intel x86
2011/03/10 19:29:20.0707 6660 Number of processors: 4
2011/03/10 19:29:20.0707 6660 Page size: 0x1000
2011/03/10 19:29:20.0707 6660 Boot type: Normal boot
2011/03/10 19:29:20.0707 6660 ================================================================================
2011/03/10 19:29:20.0941 6660 Initialize success
2011/03/10 19:29:34.0260 9448 ================================================================================
2011/03/10 19:29:34.0260 9448 Scan started
2011/03/10 19:29:34.0260 9448 Mode: Manual;
2011/03/10 19:29:34.0260 9448 ================================================================================
2011/03/10 19:29:34.0495 9448 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/03/10 19:29:34.0526 9448 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\drivers\ACPI.sys
2011/03/10 19:29:34.0557 9448 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/10 19:29:34.0588 9448 ADIHdAudAddService (0f0a69496989912351284bb1baa2ce57) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/03/10 19:29:34.0604 9448 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/03/10 19:29:34.0635 9448 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/10 19:29:34.0666 9448 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/10 19:29:34.0698 9448 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/03/10 19:29:34.0713 9448 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/03/10 19:29:34.0713 9448 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/03/10 19:29:34.0744 9448 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/03/10 19:29:34.0760 9448 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/03/10 19:29:34.0791 9448 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/03/10 19:29:34.0823 9448 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/03/10 19:29:34.0838 9448 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/03/10 19:29:34.0854 9448 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/03/10 19:29:34.0885 9448 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/03/10 19:29:34.0916 9448 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/03/10 19:29:34.0932 9448 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/03/10 19:29:34.0963 9448 AsfAlrt (c139fa963dbb9bd6560f404f509d1196) C:\WINDOWS\system32\Drivers\AsfAlrt.sys
2011/03/10 19:29:35.0010 9448 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/10 19:29:35.0026 9448 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
2011/03/10 19:29:35.0166 9448 ati2mtag (c06659ff381423d6cb19a91c2a2f80ad) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/10 19:29:35.0244 9448 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/10 19:29:35.0275 9448 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/10 19:29:35.0291 9448 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/10 19:29:35.0369 9448 BHDrvx86 (32d6e07922d17bed40ae746fc86b8a68) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110309.001\BHDrvx86.sys
2011/03/10 19:29:35.0416 9448 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/03/10 19:29:35.0431 9448 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/10 19:29:35.0463 9448 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/03/10 19:29:35.0510 9448 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/10 19:29:35.0556 9448 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/10 19:29:35.0572 9448 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/10 19:29:35.0603 9448 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/03/10 19:29:35.0634 9448 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/03/10 19:29:35.0666 9448 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/03/10 19:29:35.0681 9448 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/03/10 19:29:35.0713 9448 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/10 19:29:35.0744 9448 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
2011/03/10 19:29:35.0759 9448 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
2011/03/10 19:29:35.0775 9448 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/03/10 19:29:35.0806 9448 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
2011/03/10 19:29:35.0822 9448 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
2011/03/10 19:29:35.0853 9448 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
2011/03/10 19:29:35.0869 9448 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
2011/03/10 19:29:35.0884 9448 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2011/03/10 19:29:35.0916 9448 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
2011/03/10 19:29:35.0931 9448 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
2011/03/10 19:29:35.0978 9448 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/10 19:29:36.0009 9448 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/10 19:29:36.0025 9448 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/10 19:29:36.0072 9448 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/10 19:29:36.0087 9448 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/03/10 19:29:36.0119 9448 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/10 19:29:36.0119 9448 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/03/10 19:29:36.0150 9448 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/03/10 19:29:36.0165 9448 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/03/10 19:29:36.0181 9448 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/03/10 19:29:36.0212 9448 eamon (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys
2011/03/10 19:29:36.0275 9448 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/03/10 19:29:36.0306 9448 ehdrv (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2011/03/10 19:29:36.0337 9448 epfwtdir (ecd5f68e32ff5c6a728eb03dc892ae7f) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
2011/03/10 19:29:36.0353 9448 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/03/10 19:29:36.0384 9448 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/10 19:29:36.0446 9448 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/10 19:29:36.0462 9448 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/10 19:29:36.0493 9448 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/10 19:29:36.0509 9448 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/10 19:29:36.0540 9448 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/10 19:29:36.0571 9448 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/10 19:29:36.0603 9448 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/10 19:29:36.0649 9448 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/10 19:29:36.0665 9448 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/03/10 19:29:36.0696 9448 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/10 19:29:36.0727 9448 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/03/10 19:29:36.0743 9448 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/10 19:29:36.0774 9448 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/03/10 19:29:36.0790 9448 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/03/10 19:29:36.0806 9448 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/10 19:29:36.0821 9448 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\WINDOWS\system32\drivers\iaStor.sys
2011/03/10 19:29:36.0868 9448 IDSxpx86 (0308238c582a55d83d34feee39542793) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110310.002\IDSxpx86.sys
2011/03/10 19:29:36.0899 9448 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/10 19:29:36.0930 9448 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/03/10 19:29:36.0962 9448 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/10 19:29:36.0993 9448 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/10 19:29:37.0009 9448 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/10 19:29:37.0024 9448 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/10 19:29:37.0055 9448 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/10 19:29:37.0071 9448 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/10 19:29:37.0102 9448 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/10 19:29:37.0133 9448 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/10 19:29:37.0165 9448 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\drivers\isapnp.sys
2011/03/10 19:29:37.0180 9448 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/10 19:29:37.0196 9448 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/10 19:29:37.0212 9448 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/10 19:29:37.0227 9448 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/10 19:29:37.0321 9448 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/03/10 19:29:37.0368 9448 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/03/10 19:29:37.0414 9448 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/10 19:29:37.0461 9448 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/10 19:29:37.0493 9448 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/10 19:29:37.0508 9448 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/10 19:29:37.0524 9448 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/10 19:29:37.0555 9448 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/03/10 19:29:37.0571 9448 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/10 19:29:37.0602 9448 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/10 19:29:37.0633 9448 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/10 19:29:37.0664 9448 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/10 19:29:37.0680 9448 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/10 19:29:37.0711 9448 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/10 19:29:37.0742 9448 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/10 19:29:37.0758 9448 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/10 19:29:37.0820 9448 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110310.003\NAVENG.SYS
2011/03/10 19:29:37.0867 9448 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110310.003\NAVEX15.SYS
2011/03/10 19:29:37.0930 9448 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/10 19:29:37.0945 9448 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/10 19:29:37.0977 9448 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/10 19:29:37.0992 9448 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/10 19:29:38.0008 9448 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/10 19:29:38.0023 9448 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/10 19:29:38.0055 9448 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/10 19:29:38.0102 9448 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/10 19:29:38.0164 9448 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/10 19:29:38.0211 9448 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/10 19:29:38.0258 9448 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/10 19:29:38.0305 9448 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/10 19:29:38.0320 9448 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/10 19:29:38.0351 9448 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/10 19:29:38.0367 9448 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/10 19:29:38.0398 9448 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/10 19:29:38.0414 9448 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/10 19:29:38.0445 9448 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\pciide.sys
2011/03/10 19:29:38.0476 9448 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/10 19:29:38.0539 9448 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/03/10 19:29:38.0554 9448 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/03/10 19:29:38.0617 9448 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/10 19:29:38.0632 9448 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\drivers\processr.sys
2011/03/10 19:29:38.0664 9448 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/10 19:29:38.0679 9448 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/10 19:29:38.0710 9448 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/10 19:29:38.0742 9448 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/03/10 19:29:38.0757 9448 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/03/10 19:29:38.0773 9448 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/03/10 19:29:38.0789 9448 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/03/10 19:29:38.0835 9448 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/03/10 19:29:38.0851 9448 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/10 19:29:38.0882 9448 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/10 19:29:38.0913 9448 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/10 19:29:38.0929 9448 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/10 19:29:38.0945 9448 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/10 19:29:38.0960 9448 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/10 19:29:39.0007 9448 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/10 19:29:39.0038 9448 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/10 19:29:39.0070 9448 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/10 19:29:39.0163 9448 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/03/10 19:29:39.0179 9448 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/03/10 19:29:39.0226 9448 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/10 19:29:39.0257 9448 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
2011/03/10 19:29:39.0288 9448 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/10 19:29:39.0319 9448 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/10 19:29:39.0335 9448 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/10 19:29:39.0382 9448 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/03/10 19:29:39.0413 9448 snapman380 (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys
2011/03/10 19:29:39.0429 9448 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/03/10 19:29:39.0460 9448 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/10 19:29:39.0491 9448 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/10 19:29:39.0522 9448 SRTSP (a7a104a61c4e30de9c58f8c372a5c209) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SRTSP.SYS
2011/03/10 19:29:39.0569 9448 SRTSPX (2833445f786bd000bb14c84a9d91347a) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SRTSPX.SYS
2011/03/10 19:29:39.0600 9448 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/10 19:29:39.0632 9448 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/10 19:29:39.0647 9448 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/10 19:29:39.0694 9448 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/03/10 19:29:39.0710 9448 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/03/10 19:29:39.0741 9448 SymDS (bdf077b897b5f9f929b6bf0cfd436962) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMDS.SYS
2011/03/10 19:29:39.0772 9448 SymEFA (7732298ad2eddd364c1d4f439d99ae7c) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMEFA.SYS
2011/03/10 19:29:39.0803 9448 SymEvent (5c76a63fac8a5580c5a1c4a4ed827782) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/03/10 19:29:39.0850 9448 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NAV\1205000.07D\Ironx86.SYS
2011/03/10 19:29:39.0882 9448 SYMTDI (8c07683bf02b63ad71bcb2cf28af2d06) C:\WINDOWS\system32\drivers\NAV\1205000.07D\SYMTDI.SYS
2011/03/10 19:29:39.0913 9448 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/03/10 19:29:39.0944 9448 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/03/10 19:29:39.0960 9448 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/10 19:29:40.0006 9448 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/10 19:29:40.0038 9448 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/10 19:29:40.0053 9448 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/10 19:29:40.0069 9448 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/10 19:29:40.0116 9448 tifsfilter (e52011ffe8e8947078ac797df216e5a6) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2011/03/10 19:29:40.0147 9448 timounter (f644b9eba05806eb5d6f2a8716ce0eee) C:\WINDOWS\system32\DRIVERS\timntr.sys
2011/03/10 19:29:40.0178 9448 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/03/10 19:29:40.0209 9448 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/10 19:29:40.0241 9448 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/03/10 19:29:40.0288 9448 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/10 19:29:40.0319 9448 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/10 19:29:40.0334 9448 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/10 19:29:40.0366 9448 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/10 19:29:40.0397 9448 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/10 19:29:40.0412 9448 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/10 19:29:40.0428 9448 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/10 19:29:40.0459 9448 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/10 19:29:40.0475 9448 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/03/10 19:29:40.0506 9448 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/10 19:29:40.0522 9448 vmm (590c7a3a1133e51a7e1cef67366e75af) C:\WINDOWS\system32\Drivers\vmm.sys
2011/03/10 19:29:40.0569 9448 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/10 19:29:40.0600 9448 VPCNetS2 (f96a678debdccb0b4bb7f38cb2580589) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
2011/03/10 19:29:40.0631 9448 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/10 19:29:40.0662 9448 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/10 19:29:40.0772 9448 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/10 19:29:40.0818 9448 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/10 19:29:40.0865 9448 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/10 19:29:40.0865 9448 ================================================================================
2011/03/10 19:29:40.0865 9448 Scan finished
2011/03/10 19:29:40.0865 9448 ================================================================================
2011/03/10 19:29:40.0865 5648 Detected object count: 1
2011/03/10 19:30:04.0255 5648 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/10 19:30:04.0255 5648 \HardDisk0 - ok
2011/03/10 19:30:04.0255 5648 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/10 19:30:33.0548 9912 Deinitialize success
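
The TDSSKiller log above has a regular shape that a responder can triage programmatically. This Python parser is an added example, not part of the original post or of TDSSKiller itself; the sample lines are a constructed excerpt modelled on the log above. It separates the driver-file inventory (name, MD5, path) from detections and from the cure status, and singles out the point that matters here: the object for the TDL4 hit is the disk device `\HardDisk0`, not a driver file, so there is no file hash to look up, and the cure only takes effect at reboot.

```python
"""Triage a Kaspersky TDSSKiller log (example code, not TDSSKiller's own).

Every line shares one prefix: '<date> <time> <pid> <payload>'. Payload shapes
that matter for triage:

  driver inventory:  '<service> (<md5>) <path>'
  detection:         '<object> - detected <verdict> (<n>)'
  cure scheduled:    '<object> (<verdict>) - will be cured after reboot'
  chosen action:     '<verdict>(<object>) - User select action: <action>'
"""
import re
from dataclasses import dataclass, field

PREFIX = re.compile(r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
DRIVER = re.compile(r"^(\S+)\s+\(([0-9a-f]{32})\)\s+(.+)$")
DETECT = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
CURE_PENDING = re.compile(r"^(\S+) \((\S+)\) - will be cured after reboot$")
USER_ACTION = re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)$")


@dataclass
class Triage:
    drivers: dict = field(default_factory=dict)      # service -> (md5, path)
    detections: list = field(default_factory=list)   # (object, verdict)
    pending_cure: set = field(default_factory=set)   # objects cured only after reboot
    actions: dict = field(default_factory=dict)      # object -> action the user chose

    def needs_reboot(self):
        return bool(self.pending_cure)

    def boot_level(self):
        """Detections whose object is a disk device rather than a file.

        A verdict on \\HardDiskN applies to the MBR/boot code of that disk, so
        there is no driver file (and no MD5) to look up for it."""
        return [(o, v) for o, v in self.detections if o.startswith("\\HardDisk")]


def parse_tdsskiller(text):
    t = Triage()
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue                      # banner lines, blanks, etc.
        payload = m.group(4)
        if (d := DRIVER.match(payload)):
            t.drivers[d.group(1)] = (d.group(2), d.group(3))
        elif (d := DETECT.match(payload)):
            t.detections.append((d.group(1), d.group(2)))
        elif (d := CURE_PENDING.match(payload)):
            t.pending_cure.add(d.group(1))
        elif (d := USER_ACTION.match(payload)):
            t.actions[d.group(2)] = d.group(3)   # group 1 is the verdict
    return t


def summarize(t):
    """Human-readable triage lines, one per detection."""
    out = [f"{len(t.drivers)} driver files inventoried"]
    for obj, verdict in t.detections:
        out.append(
            f"{verdict} on {obj}: action={t.actions.get(obj, 'none recorded')}, "
            f"cure pending reboot={obj in t.pending_cure}"
        )
    return out


# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
2011/03/10 19:29:40.0006 9448 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/10 19:29:40.0569 9448 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/10 19:29:40.0865 9448 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/10 19:29:40.0865 9448 ================================================================================
2011/03/10 19:29:40.0865 9448 Scan finished
2011/03/10 19:29:40.0865 5648 Detected object count: 1
2011/03/10 19:30:04.0255 5648 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/10 19:30:04.0255 5648 \HardDisk0 - ok
2011/03/10 19:30:04.0255 5648 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/10 19:30:33.0548 9912 Deinitialize success
"""

if __name__ == "__main__":
    result = parse_tdsskiller(SAMPLE_LOG)
    for line in summarize(result):
        print(line)
    if result.boot_level():
        print("boot-level (MBR) detection: verify the MBR after reboot, not a file")
```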

#7 TKMA

TKMA
  • Topic Starter

  • Members
  • 7 posts

Posted 10 March 2011 - 09:20 PM

OK, below is the CF log. Also worth mentioning is that earlier in the day (before the TDSSKiller scan) Norton's auto-protect detected an intrusion attempt. I'm attaching the information it gave to this post. Both the TDSSKiller and CF scans were done with Norton disabled. Thanks!



ComboFix 11-03-10.01 - parlapiano 03/10/2011 20:59:35.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1321 [GMT -5:00]
Running from: c:\documents and settings\parlapiano\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))
.
.
2011-03-11 00:46 . 2011-03-11 00:46 -------- d-----w- c:\windows\LastGood
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-03-10 15:13 . 2011-03-10 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-03-10 06:38 . 2011-03-10 06:38 -------- d-sh--w- c:\documents and settings\admin2\IETldCache
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\documents and settings\parlapiano\Application Data\SUPERAntiSpyware.com
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-09 05:20 . 2011-03-09 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-09 05:20 . 2011-03-09 05:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-09 04:43 . 2011-03-09 04:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-03-09 04:43 . 2011-03-09 04:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-03-09 04:43 . 2011-03-09 04:43 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Symantec
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\windows\system32\drivers\NAV
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Norton AntiVirus
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Windows Sidebar
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\NortonInstaller
2011-03-07 09:29 . 2011-03-07 08:33 114 ----a-w- C:\shellfix.reg
2011-03-07 09:25 . 2011-03-07 09:25 -------- d-----w- c:\documents and settings\tempadmin
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-07 08:23 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-07 08:23 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-07 08:23 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-07 08:21 . 2001-08-17 17:14 249402 ----a-w- c:\windows\system32\dllcache\vinwm.sys
2011-03-07 08:20 . 2001-08-17 17:51 222336 ----a-w- c:\windows\system32\dllcache\trid3dm.sys
2011-03-07 08:19 . 2001-08-17 17:18 285760 ----a-w- c:\windows\system32\dllcache\stlnata.sys
2011-03-07 08:18 . 2004-08-04 03:31 32768 ----a-w- c:\windows\system32\dllcache\sisnic.sys
2011-03-07 08:17 . 2001-08-17 17:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2011-03-07 08:16 . 2001-08-17 19:04 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2011-03-07 08:15 . 2001-08-17 18:47 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2011-03-07 08:14 . 2001-08-17 17:50 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-03-07 08:13 . 2001-08-17 17:12 45632 ----a-w- c:\windows\system32\dllcache\ip5515.sys
2011-03-07 08:12 . 2001-08-18 03:36 324608 ----a-w- c:\windows\system32\dllcache\hpojwia.dll
2011-03-07 08:11 . 2001-08-17 17:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2011-03-07 08:10 . 2001-08-18 03:36 86016 ----a-w- c:\windows\system32\dllcache\dc240usd.dll
2011-03-07 08:09 . 2001-08-17 19:55 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2011-03-07 07:04 . 2011-03-07 07:23 -------- d-----w- C:\xit
2011-03-03 23:42 . 2011-03-04 00:01 -------- d-----w- C:\fcccsss
2011-03-02 00:56 . 2011-03-02 00:56 -------- d-----w- c:\documents and settings\grifadmin\Local Settings\Application Data\LogMeIn
2011-03-01 18:40 . 2011-03-01 18:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-02-28 18:44 . 2011-03-02 21:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-28 18:32 . 2011-02-28 18:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-02-23 13:16 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-02-09 21:30 . 2011-02-09 21:30 -------- d-----w- c:\documents and settings\parlapiano\Local Settings\Application Data\LogMeIn
2011-02-09 21:30 . 2010-12-08 18:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-02-09 21:30 . 2010-12-08 18:11 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-02-09 21:30 . 2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-02-09 21:30 . 2010-12-08 18:11 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-02-09 21:30 . 2010-09-17 20:40 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-02-09 21:30 . 2011-03-10 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2011-02-09 21:30 . 2011-02-09 21:35 -------- d-----w- c:\program files\LogMeIn
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-08 23:21 . 2009-03-26 23:28 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-03-08 23:21 . 2009-03-26 23:28 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-12-20 23:09 . 2010-09-16 18:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-09-16 18:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-10_07.19.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-11 00:46 . 2011-03-11 00:46 16384 c:\windows\temp\Perflib_Perfdata_7a4.dat
+ 2009-07-12 06:12 . 2009-07-12 06:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 06:09 . 2009-07-12 06:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 06:08 . 2009-07-12 06:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2011-03-10 15:12 . 2011-03-10 15:12 811008 c:\windows\Installer\1a79eab.msi
+ 2011-03-10 15:13 . 2011-03-10 15:13 9472000 c:\windows\Installer\1a7a149.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Google Update"="c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-05 140640]
"SimNotify.exe"="c:\program files\Sage\SIM\Client\SimNotify.exe" [2010-04-14 38696]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-08 274608]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2009-11-06 1286384]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2009-11-05 885000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Start Pervasive PSQL Workgroup Engine.lnk - c:\windows\Installer\{0A3238D7-AB32-1030-B717-F3E3F18B4A8C}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe [2010-8-11 92854]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-1138\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-1184\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-3106\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-500\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\SymDS.sys [3/8/2011 11:43 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\SymEFA.sys [3/8/2011 11:43 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/10/2011 5:09 PM 800376]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 10:44 AM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/19/2009 10:45 AM 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\Ironx86.sys [3/8/2011 11:43 PM 136312]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58 AM 133968]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [3/8/2011 11:43 PM 130000]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe [4/7/2010 7:04 PM 107816]
R2 SageInstMgrClient;Sage Installation Manager Client;c:\program files\Sage\SIM\Client\Sage.Sim.Client.WindowsService.exe [4/14/2010 3:01 AM 15144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/8/2011 11:56 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110310.002\IDSXpx86.sys [3/10/2011 6:10 PM 341944]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 2:45 AM 42832]
S4 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/7/2009 11:39 AM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 14:44]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 16:39]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 16:39]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3994736024-1371218916-3720997399-3106Core.job
- c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 08:49]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3994736024-1371218916-3720997399-3106UA.job
- c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 08:49]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3994736024-1371218916-3720997399-3106.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3994736024-1371218916-3720997399-3106.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-11 c:\windows\Tasks\User_Feed_Synchronization-{F5F49462-54BF-404C-B569-504ADBB7A619}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080902
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {F6F92FFF-2BE5-498C-994E-B8E45FAD740E} = 192.168.50.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-10 21:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1080)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1136)
c:\program files\Bonjour\mdnsNSP.dll
.
- - - - - - - > 'explorer.exe'(1396)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-03-10 21:05:36
ComboFix-quarantined-files.txt 2011-03-11 02:05
ComboFix2.txt 2011-03-10 07:23
ComboFix3.txt 2011-03-07 08:52
.
Pre-Run: 33,248,788,480 bytes free
Post-Run: 33,470,791,680 bytes free
.
- - End Of File - - DF15244BDDA80B1B42EAC20C093FAAF9

Attached Files



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 March 2011 - 10:50 AM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


DirLook::
c:\documents and settings\tempadmin
C:\xit
C:\fcccsss


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 TKMA

TKMA
  • Topic Starter

  • Members
  • 7 posts

Posted 11 March 2011 - 10:11 PM

OK, I ran the scans as instructed. I did ESET last, but just so you know, it found no threats and I couldn't find a way to export a log from it. Thanks!



ComboFix 11-03-11.01 - parlapiano 03/11/2011 18:24:23.8.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1122 [GMT -5:00]
Running from: c:\documents and settings\parlapiano\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\parlapiano\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))
.
.
2011-03-11 00:46 . 2011-03-11 00:46 -------- d-----w- c:\windows\LastGood
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-03-10 15:13 . 2011-03-10 15:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-03-10 15:13 . 2011-03-10 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-03-10 06:38 . 2011-03-10 06:38 -------- d-sh--w- c:\documents and settings\admin2\IETldCache
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\documents and settings\parlapiano\Application Data\SUPERAntiSpyware.com
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-09 05:21 . 2011-03-09 05:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-09 05:20 . 2011-03-09 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-09 05:20 . 2011-03-09 05:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-09 04:43 . 2011-03-09 04:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-03-09 04:43 . 2011-03-09 04:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-03-09 04:43 . 2011-03-09 04:43 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Symantec
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\windows\system32\drivers\NAV
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Norton AntiVirus
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\Windows Sidebar
2011-03-09 04:43 . 2011-03-09 04:43 -------- d-----w- c:\program files\NortonInstaller
2011-03-07 09:29 . 2011-03-07 08:33 114 ----a-w- C:\shellfix.reg
2011-03-07 09:25 . 2011-03-07 09:25 -------- d-----w- c:\documents and settings\tempadmin
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn
2011-03-07 09:20 . 2011-03-07 09:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-07 08:23 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-07 08:23 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-07 08:23 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-07 08:21 . 2001-08-17 17:14 249402 ----a-w- c:\windows\system32\dllcache\vinwm.sys
2011-03-07 08:20 . 2001-08-17 17:51 222336 ----a-w- c:\windows\system32\dllcache\trid3dm.sys
2011-03-07 08:19 . 2001-08-17 17:18 285760 ----a-w- c:\windows\system32\dllcache\stlnata.sys
2011-03-07 08:18 . 2004-08-04 03:31 32768 ----a-w- c:\windows\system32\dllcache\sisnic.sys
2011-03-07 08:17 . 2001-08-17 17:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2011-03-07 08:16 . 2001-08-17 19:04 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2011-03-07 08:15 . 2001-08-17 18:47 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2011-03-07 08:14 . 2001-08-17 17:50 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-03-07 08:13 . 2001-08-17 17:12 45632 ----a-w- c:\windows\system32\dllcache\ip5515.sys
2011-03-07 08:12 . 2001-08-18 03:36 324608 ----a-w- c:\windows\system32\dllcache\hpojwia.dll
2011-03-07 08:11 . 2001-08-17 17:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2011-03-07 08:10 . 2001-08-18 03:36 86016 ----a-w- c:\windows\system32\dllcache\dc240usd.dll
2011-03-07 08:09 . 2001-08-17 19:55 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2011-03-07 07:04 . 2011-03-07 07:23 -------- d-----w- C:\xit
2011-03-03 23:42 . 2011-03-04 00:01 -------- d-----w- C:\fcccsss
2011-03-02 00:56 . 2011-03-02 00:56 -------- d-----w- c:\documents and settings\grifadmin\Local Settings\Application Data\LogMeIn
2011-03-01 18:40 . 2011-03-01 18:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-02-28 18:44 . 2011-03-02 21:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-28 18:32 . 2011-02-28 18:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-02-23 13:16 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-08 23:21 . 2009-03-26 23:28 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-03-08 23:21 . 2009-03-26 23:28 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-12-20 23:09 . 2010-09-16 18:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-09-16 18:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\tempadmin ----
.
2011-03-07 09:25 . 2011-03-07 09:25 552 --s-a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2011-03-07 09:25 . 2011-03-07 09:25 132 --s-a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2011-03-07 09:25 . 2011-03-07 09:25 16384 --sha-w- c:\documents and settings\tempadmin\Cookies\index.dat
2011-03-07 09:25 . 2011-03-07 09:25 8454 --sha-r- c:\documents and settings\tempadmin\ntuser.pol
2011-03-07 09:25 . 2004-08-11 21:07 62 --sha-w- c:\documents and settings\tempadmin\Application Data\desktop.ini
2011-03-07 09:25 . 2008-09-02 12:30 264 ----a-w- c:\documents and settings\tempadmin\Application Data\InstallShield\UpdateService\Database\isuspm.ini
2011-03-07 09:25 . 2004-08-11 21:23 21768 ----a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config
2011-03-07 09:25 . 2008-09-02 12:30 62728 ----a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch
2011-03-07 09:25 . 2010-06-10 18:54 2422 ----a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
2011-03-07 09:25 . 2004-08-11 21:14 141 ----a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Internet Explorer\brndlog.bak
2011-03-07 09:25 . 2004-08-11 21:20 10389 ----a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Internet Explorer\brndlog.txt
2011-03-07 09:25 . 2004-08-11 21:20 2570 --sha-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Internet Explorer\Desktop.htt
2011-03-07 09:25 . 2004-08-11 21:20 119 --sha-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:20 683 ----a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2011-03-07 09:25 . 2004-08-11 21:20 79 ----a-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
2011-03-07 09:25 . 2008-09-02 12:25 24 --sha-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Protect\CREDHIST
2011-03-07 09:25 . 2008-09-02 12:25 388 --sha-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Protect\S-1-5-21-2813972754-707214004-3086127918-500\ec23b6a0-b827-48a6-a416-6b950ffd2826
2011-03-07 09:25 . 2008-09-02 12:25 24 --sha-w- c:\documents and settings\tempadmin\Application Data\Microsoft\Protect\S-1-5-21-2813972754-707214004-3086127918-500\Preferred
2011-03-07 09:25 . 2008-09-02 12:23 15794176 ----a-w- c:\documents and settings\tempadmin\Application Data\Sun\Java\jre1.6.0_05\jre1.6.0_05.msi
2011-03-07 09:25 . 2008-09-02 12:28 800 ----a-w- c:\documents and settings\tempadmin\Desktop\Help and Support.lnk
2011-03-07 09:25 . 2004-08-11 21:20 122 --sha-w- c:\documents and settings\tempadmin\Favorites\Desktop.ini
2011-03-07 09:25 . 2008-09-02 12:09 52 ----a-w- c:\documents and settings\tempadmin\Favorites\Dell\Dell Auction.url
2011-03-07 09:25 . 2008-09-02 12:09 124 ----a-w- c:\documents and settings\tempadmin\Favorites\Dell\Dell Internet Security.url
2011-03-07 09:25 . 2008-09-02 12:09 45 ----a-w- c:\documents and settings\tempadmin\Favorites\Dell\Dell.url
2011-03-07 09:25 . 2008-09-02 12:09 49 ----a-w- c:\documents and settings\tempadmin\Favorites\Dell\Support.Dell.Com.url
2011-03-07 09:25 . 2004-08-11 21:20 119 ----a-w- c:\documents and settings\tempadmin\Favorites\Links\Customize Links.url
2011-03-07 09:25 . 2004-08-11 21:20 119 ----a-w- c:\documents and settings\tempadmin\Favorites\MSN.com.url
2011-03-07 09:25 . 2004-08-11 21:20 197 ----a-w- c:\documents and settings\tempadmin\Favorites\Radio Station Guide.url
2011-03-07 09:25 . 2004-08-11 21:20 113 ----a-w- c:\documents and settings\tempadmin\Favorites\Links\Free Hotmail.url
2011-03-07 09:25 . 2004-08-11 21:20 169 ----a-w- c:\documents and settings\tempadmin\Favorites\Links\Windows Marketplace.url
2011-03-07 09:25 . 2004-08-11 21:20 118 ----a-w- c:\documents and settings\tempadmin\Favorites\Links\Windows Media.url
2011-03-07 09:25 . 2004-08-11 21:20 113 ----a-w- c:\documents and settings\tempadmin\Favorites\Links\Windows.url
2011-03-07 09:25 . 2008-09-02 12:30 0 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
2011-03-07 09:25 . 2008-09-02 12:30 0 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse
2011-03-07 09:25 . 2008-09-02 12:27 136 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\fusioncache.dat
2011-03-07 09:25 . 2008-09-02 12:28 12328 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2011-03-07 09:25 . 2008-09-02 12:30 2703438 ---ha-w- c:\documents and settings\tempadmin\Local Settings\Application Data\IconCache.db
2011-03-07 09:25 . 2004-08-11 21:24 2852 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
2011-03-07 09:25 . 2004-08-11 21:23 1340 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\ApplicationHistory\SL30.tmp.47ef97a6.ini
2011-03-07 09:25 . 2004-08-11 21:14 720896 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb
2011-03-07 09:25 . 2011-03-07 09:26 262144 ---h--w- c:\documents and settings\tempadmin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2011-03-07 09:25 . 2011-03-07 09:26 1024 ---ha-w- c:\documents and settings\tempadmin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2011-03-07 09:25 . 2004-08-11 21:14 498 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD
2011-03-07 09:25 . 2004-08-11 21:14 12784 ----a-w- c:\documents and settings\tempadmin\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
2011-03-07 09:25 . 2011-03-07 09:25 62 --sha-w- c:\documents and settings\tempadmin\Local Settings\desktop.ini
2011-03-07 09:25 . 2008-11-12 21:59 145 --sha-w- c:\documents and settings\tempadmin\Local Settings\History\desktop.ini
2011-03-07 09:25 . 2008-11-12 21:59 145 --sha-w- c:\documents and settings\tempadmin\Local Settings\History\History.IE5\desktop.ini
2011-03-07 09:25 . 2011-03-07 09:25 32768 ----a-w- c:\documents and settings\tempadmin\Local Settings\History\History.IE5\index.dat
2011-03-07 09:25 . 2008-09-02 12:28 11399 ----a-w- c:\documents and settings\tempadmin\My Documents\My Google Gadgets\Analog Clock-Google.gg
2011-03-07 09:25 . 2008-11-12 21:59 67 --sha-w- c:\documents and settings\tempadmin\Local Settings\Temporary Internet Files\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:20 84 --sha-w- c:\documents and settings\tempadmin\My Documents\desktop.ini
2011-03-07 09:25 . 2008-09-02 12:28 58913 ----a-w- c:\documents and settings\tempadmin\My Documents\My Google Gadgets\Weather-Google Inc..gg
2011-03-07 09:25 . 2008-09-02 12:25 262904 ----a-w- c:\documents and settings\tempadmin\REBOOT=ReallySuppress
2011-03-07 09:25 . 2004-08-11 21:20 189 --sha-w- c:\documents and settings\tempadmin\My Documents\My Music\Desktop.ini
2011-03-07 09:25 . 2004-08-11 21:20 542 ----a-w- c:\documents and settings\tempadmin\My Documents\My Music\Sample Music.lnk
2011-03-07 09:25 . 2004-08-11 21:20 191 --sha-w- c:\documents and settings\tempadmin\My Documents\My Pictures\Desktop.ini
2011-03-07 09:25 . 2004-08-11 21:20 572 ----a-w- c:\documents and settings\tempadmin\My Documents\My Pictures\Sample Pictures.lnk
2011-03-07 09:25 . 2008-09-02 12:29 190 --sha-w- c:\documents and settings\tempadmin\My Documents\My Videos\Desktop.ini
2011-03-07 09:25 . 2004-08-11 21:20 150 --sha-w- c:\documents and settings\tempadmin\Recent\Desktop.ini
2011-03-07 09:25 . 2004-08-11 21:13 0 ----a-w- c:\documents and settings\tempadmin\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2011-03-07 09:25 . 2004-08-11 21:13 0 ----a-w- c:\documents and settings\tempadmin\SendTo\Desktop (create shortcut).DeskLink
2011-03-07 09:25 . 2004-08-11 21:13 181 --sha-w- c:\documents and settings\tempadmin\SendTo\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:13 0 ----a-w- c:\documents and settings\tempadmin\SendTo\Mail Recipient.MAPIMail
2011-03-07 09:25 . 2004-08-11 21:20 0 ----a-w- c:\documents and settings\tempadmin\SendTo\My Documents.mydocs
2011-03-07 09:25 . 2004-08-11 21:07 62 --sha-w- c:\documents and settings\tempadmin\Start Menu\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:15 348 --sha-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:15 1429 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2011-03-07 09:25 . 2004-08-11 21:15 1436 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2011-03-07 09:25 . 2004-08-11 21:20 678 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Address Book.lnk
2011-03-07 09:25 . 2004-08-11 21:15 1459 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Command Prompt.lnk
2011-03-07 09:25 . 2004-08-11 21:20 542 --sha-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:15 1405 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2011-03-07 09:25 . 2004-08-11 21:15 1443 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2011-03-07 09:25 . 2004-08-11 21:15 84 --sha-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:20 708 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk
2011-03-07 09:25 . 2004-08-11 21:15 1423 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Notepad.lnk
2011-03-07 09:25 . 2004-08-11 21:15 386 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2011-03-07 09:25 . 2004-08-11 21:15 1423 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Synchronize.lnk
2011-03-07 09:25 . 2004-08-11 21:15 1431 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2011-03-07 09:25 . 2004-08-11 21:20 234 --sha-w- c:\documents and settings\tempadmin\Start Menu\Programs\desktop.ini
2011-03-07 09:25 . 2004-08-11 21:20 671 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Internet Explorer.lnk
2011-03-07 09:25 . 2004-08-11 21:13 1391 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Accessories\Windows Explorer.lnk
2011-03-07 09:25 . 2008-09-02 12:12 1211 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Dell Accessories\Express Service Code.lnk
2011-03-07 09:25 . 2004-08-11 21:20 642 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Outlook Express.lnk
2011-03-07 09:25 . 2004-08-11 21:15 1503 ----a-w- c:\documents and settings\tempadmin\Start Menu\Programs\Remote Assistance.lnk
2011-03-07 09:25 . 2004-08-11 21:15 84 --sha-w- c:\documents and settings\tempadmin\Start Menu\Programs\Startup\desktop.ini
2011-03-07 09:25 . 2004-08-04 09:00 4570 ----a-w- c:\documents and settings\tempadmin\Templates\amipro.sam
2011-03-07 09:25 . 2004-08-04 09:00 5632 ----a-w- c:\documents and settings\tempadmin\Templates\excel.xls
2011-03-07 09:25 . 2004-08-04 09:00 1518 ----a-w- c:\documents and settings\tempadmin\Templates\excel4.xls
2011-03-07 09:25 . 2004-08-04 09:00 2448 ----a-w- c:\documents and settings\tempadmin\Templates\lotus.wk4
2011-03-07 09:25 . 2004-08-04 09:00 12288 ----a-w- c:\documents and settings\tempadmin\Templates\powerpnt.ppt
2011-03-07 09:25 . 2004-08-04 09:00 461 ----a-w- c:\documents and settings\tempadmin\Templates\presenta.shw
2011-03-07 09:25 . 2004-08-04 09:00 4017 ----a-w- c:\documents and settings\tempadmin\Templates\quattro.wb2
2011-03-07 09:25 . 2004-08-04 09:00 58 ----a-w- c:\documents and settings\tempadmin\Templates\sndrec.wav
2011-03-07 09:25 . 2004-08-04 09:00 4608 ----a-w- c:\documents and settings\tempadmin\Templates\winword.doc
2011-03-07 09:25 . 2004-08-04 09:00 1769 ----a-w- c:\documents and settings\tempadmin\Templates\winword2.doc
2011-03-07 09:25 . 2004-08-04 09:00 30 ----a-w- c:\documents and settings\tempadmin\Templates\wordpfct.wpd
2011-03-07 09:25 . 2004-08-04 09:00 57 ----a-w- c:\documents and settings\tempadmin\Templates\wordpfct.wpg
2011-03-07 09:25 . 2011-03-07 09:26 178 --sha-w- c:\documents and settings\tempadmin\ntuser.ini
2011-03-07 09:25 . 2011-03-11 23:23 1024 ---ha-w- c:\documents and settings\tempadmin\ntuser.dat.LOG
2011-03-07 09:25 . 2011-03-07 09:26 524288 ---ha-w- c:\documents and settings\tempadmin\NTUSER.DAT
.
---- Directory of C:\fcccsss ----
.
2011-03-03 23:42 . 2011-03-03 23:41 389120 ----a-r- c:\fcccsss\CF22508.cfxxe
.
---- Directory of C:\xit ----
.
2011-03-07 07:04 . 2011-03-07 07:03 389120 ----a-r- c:\xit\CF5241.cfxxe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-10_07.19.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-11 00:46 . 2011-03-11 00:46 16384 c:\windows\temp\Perflib_Perfdata_7a4.dat
+ 2009-07-12 06:12 . 2009-07-12 06:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 06:09 . 2009-07-12 06:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 06:08 . 2009-07-12 06:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2011-03-10 15:12 . 2011-03-10 15:12 811008 c:\windows\Installer\1a79eab.msi
+ 2011-03-10 15:13 . 2011-03-10 15:13 9472000 c:\windows\Installer\1a7a149.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Google Update"="c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-05 140640]
"SimNotify.exe"="c:\program files\Sage\SIM\Client\SimNotify.exe" [2010-04-14 38696]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-08 274608]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2009-11-06 1286384]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2009-11-05 885000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Start Pervasive PSQL Workgroup Engine.lnk - c:\windows\Installer\{0A3238D7-AB32-1030-B717-F3E3F18B4A8C}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe [2010-8-11 92854]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-1138\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-1184\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-3106\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3994736024-1371218916-3720997399-500\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\SymDS.sys [3/8/2011 11:43 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\SymEFA.sys [3/8/2011 11:43 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/10/2011 5:09 PM 800376]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 10:44 AM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/19/2009 10:45 AM 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\Ironx86.sys [3/8/2011 11:43 PM 136312]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58 AM 133968]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [3/8/2011 11:43 PM 130000]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe [4/7/2010 7:04 PM 107816]
R2 SageInstMgrClient;Sage Installation Manager Client;c:\program files\Sage\SIM\Client\Sage.Sim.Client.WindowsService.exe [4/14/2010 3:01 AM 15144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/8/2011 11:56 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110310.002\IDSXpx86.sys [3/10/2011 6:10 PM 341944]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 2:45 AM 42832]
S4 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/7/2009 11:39 AM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 14:44]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 16:39]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 16:39]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3994736024-1371218916-3720997399-3106Core.job
- c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 08:49]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3994736024-1371218916-3720997399-3106UA.job
- c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 08:49]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3994736024-1371218916-3720997399-3106.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3994736024-1371218916-3720997399-3106.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-11 c:\windows\Tasks\User_Feed_Synchronization-{F5F49462-54BF-404C-B569-504ADBB7A619}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080902
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {F6F92FFF-2BE5-498C-994E-B8E45FAD740E} = 192.168.50.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-11 18:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1080)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1136)
c:\program files\Bonjour\mdnsNSP.dll
.
- - - - - - - > 'explorer.exe'(9960)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
Completion time: 2011-03-11 18:29:27
ComboFix-quarantined-files.txt 2011-03-11 23:29
ComboFix2.txt 2011-03-11 02:05
ComboFix3.txt 2011-03-10 07:23
ComboFix4.txt 2011-03-07 08:52
.
Pre-Run: 33,413,656,576 bytes free
Post-Run: 33,393,438,720 bytes free
.
- - End Of File - - F753B1AAF909A891D9BBA7E07C27F6E5

---------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6027

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/11/2011 6:38:56 PM
mbam-log-2011-03-11 (18-38-56).txt

Scan type: Quick scan
Objects scanned: 221716
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
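The ComboFix and DDS logs above print every service and driver in a fixed `R1 name;Display Name;path [date size]` shape, Run-key values as `"Name"="path" [date size]`, and firewall exceptions as `"port:proto"=`. The helper below is an added example for this thread, not part of ComboFix, DDS, or the logs as posted; it parses those three line shapes and applies the checks an analyst runs by eye on such a log: a kernel driver loading from outside the usual system directories, a security-product service left disabled (S4, the state `ekrn` shows after NOD32 was broken), an autostart that executes from a user profile directory, and a port globally open in the Windows Firewall. The standard-path prefixes, the allow-list for Norton's definition drivers, and the set of security-service names are assumptions to be tuned per environment. The sample lines are copied from the ComboFix log posted above.

```python
"""Triage helper for ComboFix / DDS service, Run-key and firewall lines.
Added example for this thread; not part of ComboFix, DDS or the original post.
The path prefixes, allow-list and security-service names are assumptions."""
import re

# ComboFix/DDS service line:  R1 name;Display Name;path [date size]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Run-key value:  "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[')
# GloballyOpenPorts value:  "3389:TCP"= ...
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')

# Where installed drivers and service binaries normally live (assumption).
STANDARD_PREFIXES = (r"c:\windows\system32", r"c:\program files")
# Security products whose service being disabled (S4) is itself a finding
# on a box suspected of AV tampering (assumed list; extend per environment).
SECURITY_SERVICES = {"ekrn", "nav", "mbamservice"}
# Directories allowed to hold drivers outside the standard prefixes;
# Norton keeps its definition engines under All Users\Application Data.
DEFAULT_ALLOW = ("\\norton\\",)


def _outside_standard(path):
    return not path.startswith(STANDARD_PREFIXES)


def triage(lines, allow=DEFAULT_ALLOW):
    """Return (services, findings): services as (state, name, path) tuples,
    findings as (kind, subject, reason) tuples, both in log order."""
    services, findings = [], []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, name = m["state"], m["name"]
            path = m["path"].lower()
            services.append((state, name, path))
            if (path.endswith(".sys") and _outside_standard(path)
                    and not any(a in path for a in allow)):
                findings.append(("driver", name,
                                 "kernel driver loads from a non-standard path"))
            if state == "S4" and name.lower() in SECURITY_SERVICES:
                findings.append(("service", name,
                                 "security product service is disabled"))
            continue
        m = PORT_RE.match(line)
        if m:
            findings.append(("firewall", f'{m["port"]}/{m["proto"]}',
                             "port globally open in Windows Firewall"))
            continue
        m = RUN_RE.match(line)
        if m and m["path"].lower().startswith(r"c:\documents and settings"):
            findings.append(("autostart", m["name"],
                             "Run entry executes from a user profile directory"))
    return services, findings


# Lines copied from the ComboFix log posted in this thread (not constructed).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Google Update"="c:\documents and settings\parlapiano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\SymDS.sys [3/8/2011 11:43 PM 340016]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/10/2011 5:09 PM 800376]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 10:44 AM 115008]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S4 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/7/2009 11:39 AM 135664]
""".splitlines()


if __name__ == "__main__":
    services, findings = triage(SAMPLE_LOG)
    print(f"{len(services)} service/driver entries parsed")
    for kind, subject, reason in findings:
        print(f"[{kind}] {subject}: {reason}")
```

Run with the default allow-list the helper reports the user-profile Google Update autostart, the globally open 3389/TCP exception, and the disabled `ekrn` service, and stays quiet on Norton's BHDrvx86 definition driver; run with `allow=()` it flags that driver too, which is why a path heuristic like this needs an explicit allow-list rather than a blanket rule. Two caveats on reading the rest of the log with it: every entry it raises here is explainable by software the poster installed, so a finding is a prompt to verify the file, not a verdict; and the catchme scan's "hidden files: 0" covers only hidden processes, autostart entries and files, so a clean catchme result says nothing about the MBR, which is where the TDL4 bootkit suspected in the first post resides.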

#10 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 11 March 2011 - 11:28 PM

Please post a fresh DDS log and advise how the computer is running now and whether there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 TKMA

TKMA
  • Topic Starter
  • Members
  • 7 posts

Posted 12 March 2011 - 03:33 PM

It certainly seems a lot better, but I will use it more extensively today and see how it does. I have a couple of questions on the infection, but I will wait until you're done with the log analysis.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by parlapiano at 15:21:23.66 on Sat 03/12/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1043 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe
C:\Program Files\Sage\SIM\Client\Sage.Sim.Client.WindowsService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sage\SIM\Client\SimNotify.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\parlapiano\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080902
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\parlapiano\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SimNotify.exe] c:\program files\sage\sim\client\SimNotify.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startp~1.lnk - c:\windows\installer\{0a3238d7-ab32-1030-b717-f3e3f18b4a8c}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222397346295
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {F6F92FFF-2BE5-498C-994E-B8E45FAD740E} = 192.168.50.12
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\SymDS.sys [2011-3-8 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\SymEFA.sys [2011-3-8 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\Ironx86.sys [2011-3-8 136312]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-2-9 47640]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.5.0.125\ccSvcHst.exe [2011-3-8 130000]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\common files\sage\ls1\servicehost\1.0\Sage.LS1.ServiceHost.exe [2010-4-7 107816]
R2 SageInstMgrClient;Sage Installation Manager Client;c:\program files\sage\sim\client\Sage.Sim.Client.WindowsService.exe [2010-4-14 15144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-3-8 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\ipsdefs\20110311.001\IDSXpx86.sys [2011-3-12 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\virusdefs\20110312.002\NAVENG.SYS [2011-3-12 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.5.0.125\definitions\virusdefs\20110312.002\NAVEX15.SYS [2011-3-12 1360760]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-1-23 42832]
S4 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-03-10 15:13:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-03-10 15:13:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-03-10 15:13:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-03-10 15:13:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-03-10 15:13:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-03-10 15:13:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-03-10 15:13:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-03-10 06:51:27 89088 ----a-w- c:\windows\MBR.exe
2011-03-10 06:51:25 98816 ----a-w- c:\windows\sed.exe
2011-03-10 06:51:25 256512 ----a-w- c:\windows\PEV.exe
2011-03-10 06:51:25 161792 ----a-w- c:\windows\SWREG.exe
2011-03-09 05:21:19 -------- d-----w- c:\docume~1\parlap~1\applic~1\SUPERAntiSpyware.com
2011-03-09 05:21:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-09 05:21:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-09 05:20:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-09 05:20:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-07 09:29:00 114 ----a-w- C:\shellfix.reg
2011-03-07 08:55:52 -------- d-----w- C:\xit31008x
2011-03-07 08:36:50 -------- d-----w- C:\xit10288x
2011-03-07 08:23:04 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-07 08:23:02 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-07 08:23:01 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-07 08:21:59 249402 ----a-w- c:\windows\system32\dllcache\vinwm.sys
2011-03-07 08:20:58 222336 ----a-w- c:\windows\system32\dllcache\trid3dm.sys
2011-03-07 08:19:59 285760 ----a-w- c:\windows\system32\dllcache\stlnata.sys
2011-03-07 08:18:59 50432 ----a-w- c:\windows\system32\dllcache\sisv.sys
2011-03-07 08:17:59 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2011-03-07 08:16:58 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2011-03-07 08:15:59 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2011-03-07 08:14:59 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-03-07 08:13:59 45632 ----a-w- c:\windows\system32\dllcache\ip5515.sys
2011-03-07 08:12:58 324608 ----a-w- c:\windows\system32\dllcache\hpojwia.dll
2011-03-07 08:11:59 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2011-03-07 08:10:59 86016 ----a-w- c:\windows\system32\dllcache\dc240usd.dll
2011-03-07 08:09:59 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2011-03-07 07:35:42 -------- d-----w- C:\xit14341x
2011-03-07 07:04:03 -------- d-----w- C:\xit
2011-03-03 23:42:13 -------- d-----w- C:\fcccsss
2011-03-02 21:36:02 -------- d-sha-r- C:\cmdcons
2011-02-23 13:16:22 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-03-09 04:43:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
.
============= FINISH: 15:22:10.22 ===============

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:41 PM

Posted 12 March 2011 - 05:25 PM

Hi

We just have some housekeeping to do now.

You were infected with TDL4, a rootkit MBR infection.

Please do the following:


You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
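An added example, not part of CatByte's post, for auditing the three Internet-zone ActiveX settings the "Make Internet Explorer more secure" steps above change by hand. It assumes the registry layout documented in Microsoft KB 182569 (zone 3 is the Internet zone; value names 1001, 1004 and 1201 are the signed-download, unsigned-download and "not marked as safe" settings; 0 = Enable, 1 = Prompt, 3 = Disable) and is written for PowerShell 2.0 so it can run on the XP system in this thread.

```powershell
# Added example (not from the thread): report whether the current user's
# Internet zone matches the ActiveX settings recommended in the post.
# Assumption: value codes and meanings per Microsoft KB 182569.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Expected state from the post: first two -> Prompt (1), third -> Disable (3)
$expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeActiveXSettings {
    # Fails loudly if the zone key is missing (e.g. wrong user hive)
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($code in $expected.Keys) {
        $have = $zone.$code                     # dynamic property lookup by value name
        $want = $expected[$code].Want
        if ($null -eq $have) {
            $current = 'not set'
            $ok = $false                        # unset values fall back to IE defaults; flag them
        } elseif ($labels.ContainsKey([int]$have)) {
            $current = $labels[[int]$have]
            $ok = ([int]$have -eq $want)
        } else {
            $current = "raw=$have"              # unexpected code: report it, do not guess
            $ok = $false
        }
        New-Object PSObject -Property @{
            Setting  = $expected[$code].Name
            Current  = $current
            Expected = $labels[$want]
            Ok       = $ok
        }
    }
}

$results = Get-IeActiveXSettings
$results | Format-Table Setting, Current, Expected, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Internet zone ActiveX settings differ from the recommended values; adjust them in Inetcpl.cpl > Security > Custom level.'
}
```

Group Policy can override these per-user values under HKLM, so a clean report here does not rule out a machine-wide policy setting them differently.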


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:41 PM

Posted 19 March 2011 - 06:04 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

