Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Redirect


  • Please log in to reply
13 replies to this topic

#1 voodoo76

voodoo76

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 14 April 2011 - 08:57 PM

Currently experiencing Google redirects, quite a few script errors even when my browser is not open, with odd random URL's. Chrome will not connect at all. I've run Malwarebytes, sees nothing. In addition I get connection errors when I try to update Malwarebytes (updated it on another box and moved the files). This started after I picked up the windows repair virus, cleared that out w/o too much difficulty but im left with this current mess.

DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by GLBellairs at 18:37:42.31 on Thu 04/14/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1301 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\glbellairs\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [NWTRAY] NWTRAY.EXE
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [WavXMgr] "c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe"
mRun: [USCService] "c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe"
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [iPrint Event Monitor] "c:\windows\system32\iprntlgn.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244725214281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248194200140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-6-12 34592]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-2-2 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-2-2 108392]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2007-2-27 61440]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-2-2 2477304]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-6-11 6016]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-5 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-6-5 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-6-5 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-19 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-5 109568]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110401.002\NAVENG.SYS [2011-4-1 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110401.002\NAVEX15.SYS [2011-4-1 1393144]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-6-4 232744]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-3 133104]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2004-1-12 71448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-6-26 23888]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\182b.tmp --> c:\windows\system32\182B.tmp [?]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [2004-1-12 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2004-1-12 30166]
S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [2004-1-12 155440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-12 189792]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]
.
=============== Created Last 30 ================
.
2011-04-09 21:30:52 50688 ----a-w- C:\ATF_Cleaner.exe
2011-04-09 18:18:47 -------- d-----w- C:\TDSKiller
2011-04-02 20:58:19 -------- d-----w- c:\docume~1\glbell~1\locals~1\applic~1\PackageAware
2011-04-02 20:43:25 -------- d--h--w- c:\windows\PIF
2011-04-02 03:28:19 -------- d-----w- c:\program files\common files\iS3
2011-04-02 03:28:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-04-01 14:34:10 -------- d-----w- c:\program files\AKG CooL-Line
2011-03-19 20:16:32 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
============= FINISH: 18:38:07.12 ===============

GMER Log

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-14 20:47:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FCDO
Running: gmer.exe; Driver: C:\DOCUME~1\GLBELL~1\LOCALS~1\Temp\pwddypog.sys


---- System - GMER 1.0.15 ----

SSDT 8991B8C0 ZwAlertResumeThread
SSDT 89845920 ZwAlertThread
SSDT 8A511F70 ZwAllocateVirtualMemory
SSDT 89AFB2A8 ZwConnectPort
SSDT 8985C8F0 ZwCreateMutant
SSDT 89961898 ZwCreateThread
SSDT 89B22388 ZwFreeVirtualMemory
SSDT 89A903C0 ZwImpersonateAnonymousToken
SSDT 89A5F140 ZwImpersonateThread
SSDT 89778ED8 ZwMapViewOfSection
SSDT 89795AB0 ZwOpenEvent
SSDT 89A15208 ZwOpenProcessToken
SSDT 89AFEFC0 ZwOpenThreadToken
SSDT 89714898 ZwResumeThread
SSDT 89A907A8 ZwSetContextThread
SSDT 89AFCFC0 ZwSetInformationProcess
SSDT 89AFFC98 ZwSetInformationThread
SSDT 897A82B8 ZwSuspendProcess
SSDT 89A5DC68 ZwSuspendThread
SSDT 899E7320 ZwTerminateProcess
SSDT 89A52200 ZwTerminateThread
SSDT 897EB8B8 ZwUnmapViewOfSection
SSDT 8A511418 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? nwfilter.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !
? C:\DOCUME~1\GLBELL~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[692] WININET.dll!HttpAddRequestHeadersA 3D94D02E 5 Bytes JMP 00D61601
.text C:\WINDOWS\Explorer.EXE[692] WININET.dll!HttpAddRequestHeadersW 3D94FF29 5 Bytes JMP 00D617C9

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Threads - GMER 1.0.15 ----

Thread System [4:164] 89BA6E84
Thread System [4:168] 89BA9084

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\28GA5YWC\down[1] 0 bytes
File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\28GA5YWC\errorPageStrings[1] 0 bytes
File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\9XSVXBSV\background_gradient[1] 0 bytes
File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\9XSVXBSV\dnserrordiagoff_webOC[1] 0 bytes
File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\HRXS18Y7\ErrorPageTemplate[1] 0 bytes
File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\HRXS18Y7\httpErrorPagesScripts[1] 0 bytes
File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\HRXS18Y7\bullet[1] 0 bytes
File C:\Documents and Settings\glbellairs\Local Settings\Temporary Internet Files\Content.IE5\TO4UYAPY\info_48[1] 0 bytes

---- EOF - GMER 1.0.15 ----


Appreciate the help. This is a very interesting site.

Voodoo

Attached Files



BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:56 PM

Posted 22 April 2011 - 07:48 PM

hi voodoo76,

Your post is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 voodoo76

voodoo76
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 22 April 2011 - 07:58 PM

Yes, still do.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:56 PM

Posted 23 April 2011 - 08:18 AM

ok. We will get a download to use. Its called combofix. There is a guide to read first. Read through the guide then apply the directions on your own machine. Post the Combofix log:

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 voodoo76

voodoo76
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 23 April 2011 - 12:53 PM

shelf life,

When I attempt to run combofix it starts up per the instructions until I get to the initital screen. The combofix window opens, but instead of the "combofix is prepairing to run" prompt I get a bliniking cursor. Let this go for around 45m the first time. Rebooted and tried to launch combofix again with the same result.

The following log was produced on my desktop named "catchme.log".

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared
File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully

Voodoo

#6 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:56 PM

Posted 23 April 2011 - 01:11 PM

Try running combofix in safe mode. To reach safe mode you would tap the f8 key during a computer restart, chose the first option from the list: safe mode. Log into your usual account. Once at the safe mode desktop run combofix. See if it works that way.

How Can I Reduce My Risk to Malware?


#7 voodoo76

voodoo76
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 23 April 2011 - 02:05 PM

Combofix ran in Safe Mode.

ComboFix 11-04-22.03 - GLBellairs 04/23/2011 13:52:29.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1596 [GMT -5:00]
Running from: c:\documents and settings\glbellairs\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\glbellairs\g2mdlhlpx.exe
c:\documents and settings\JRJohnson\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-21 02:29 . 2011-04-21 02:29 -------- d-----w- c:\program files\Sophos
2011-04-20 23:23 . 2011-04-02 20:17 1377112 ----a-w- C:\irweasle.com
2011-04-09 21:30 . 2011-04-09 21:28 50688 ----a-w- C:\ATF_Cleaner.exe
2011-04-09 18:18 . 2011-04-09 18:19 -------- d-----w- C:\TDSKiller
2011-04-02 21:02 . 2011-04-02 21:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search
2011-04-02 21:02 . 2011-04-02 21:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-02 20:58 . 2011-04-02 20:58 -------- d-----w- c:\documents and settings\glbellairs\Local Settings\Application Data\PackageAware
2011-04-02 20:43 . 2011-04-02 20:43 -------- d--h--w- c:\windows\PIF
2011-04-02 18:18 . 2011-04-09 23:01 -------- d-----w- c:\documents and settings\vader
2011-04-02 03:54 . 2011-04-02 03:54 -------- d-----w- c:\documents and settings\CPAC\Application Data\Malwarebytes
2011-04-02 03:28 . 2011-04-02 03:28 -------- d-----w- c:\program files\Common Files\iS3
2011-04-02 03:28 . 2011-04-02 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-01 14:34 . 2011-04-01 14:34 -------- d-----w- c:\program files\AKG CooL-Line
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-23 18:58 . 2009-08-26 21:03 0 ----a-w- c:\documents and settings\glbellairs\Local Settings\Application Data\WavXMapDrive.bat
2011-04-09 22:35 . 2009-06-11 12:55 0 ----a-w- c:\documents and settings\CPAC\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 21:36 . 2010-07-14 20:30 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-07-14 20:30 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\457\g2mstart.exe" [2010-11-12 39816]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2009-12-04 57344]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-02-02 115560]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-21 15:20 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"LiveUpdate"=3 (0x3)
"SCardSvr"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Documents and Settings\\glbellairs\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [6/12/2009 9:58 AM 34592]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [2/27/2007 2:32 PM 61440]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/11/2009 3:29 PM 6016]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/5/2009 12:40 AM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/5/2009 12:40 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/5/2009 12:40 AM 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/19/2010 9:31 AM 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/5/2009 12:40 AM 109568]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/4/2009 10:20 PM 232744]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 8:37 PM 133104]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [1/12/2004 1:07 PM 71448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/26/2008 9:33 AM 23888]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1/12/2004 1:07 PM 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/12/2004 1:07 PM 30166]
S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [1/12/2004 1:07 PM 155440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 15:32]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007Core.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007UA.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-23 c:\windows\Tasks\User_Feed_Synchronization-{857847F0-6F83-4507-BB5E-26130B9405E3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\glbellairs\Application Data\Mozilla\Firefox\Profiles\9w3d2zf5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-TPSvc - TPSvc.dll
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 14:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1372)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'Explorer.exe'(6880)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\igfxdo.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\drivers\audio\r213367\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\progra~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\OPC Foundation\OPCENUM.EXE
c:\progra~1\ROCKWE~1\RSLINX\RSLINX.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\UltraVNC\winvnc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\NWTRAY.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Citrix\GoToMeeting\457\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\457\g2mlauncher.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-04-23 14:01:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-23 19:01
.
Pre-Run: 212,359,737,344 bytes free
Post-Run: 210,239,066,112 bytes free
.
- - End Of File - - 9F64020DA2C8E23198DD36EAAD3D5B60

#8 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:56 PM

Posted 24 April 2011 - 08:21 AM

Not much there to worry about. Are you still getting the browser re-directs?

How Can I Reduce My Risk to Malware?


#9 voodoo76

voodoo76
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 24 April 2011 - 10:37 AM

Yes, still getting the redirects. I did note that when I tried to run combofix after a regular boot (not safe mode) I was getting a warning that Symantic Endpoint was on and might interfere. Even though it was deactivated. I was also unable to manually kill the symantic process. I went into msconfic and shut off all Symantic components and booted up. No Symantic process now show up in process explorer.

Would it be worthwhile to re-run combofix?

Edited by voodoo76, 24 April 2011 - 12:03 PM.


#10 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:56 PM

Posted 24 April 2011 - 07:37 PM

Sure you can try rerunning combofix again. Also you can get another download to use:

Please download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk © as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report

How Can I Reduce My Risk to Malware?


#11 voodoo76

voodoo76
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 24 April 2011 - 08:26 PM

Interesting, when I tried to run combofix with Symantic Endpoint killed I got a blue screen. I uninstalled Symantic and combofix gave me a "presence of rootkit activity" notice, followed by a reboot right into a scan. Log is attached, apparently this time combofix found and restored the file volsnap.sys. Redirects are gone.

I attached the TDSSKiller log as well, it found nothing. I had tried TDSSKiller previously and it would not launch (tried renaming, ect).


ComboFix 11-04-23.02 - glbellairs 04/24/2011 13:06:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1550 [GMT -5:00]
Running from: c:\documents and settings\glbellairs\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-21 02:29 . 2011-04-21 02:29 -------- d-----w- c:\program files\Sophos
2011-04-20 23:23 . 2011-04-02 20:17 1377112 ----a-w- C:\irweasle.com
2011-04-09 21:30 . 2011-04-09 21:28 50688 ----a-w- C:\ATF_Cleaner.exe
2011-04-09 18:18 . 2011-04-09 18:19 -------- d-----w- C:\TDSKiller
2011-04-02 21:02 . 2011-04-02 21:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search
2011-04-02 21:02 . 2011-04-02 21:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-02 20:58 . 2011-04-02 20:58 -------- d-----w- c:\documents and settings\glbellairs\Local Settings\Application Data\PackageAware
2011-04-02 20:43 . 2011-04-02 20:43 -------- d--h--w- c:\windows\PIF
2011-04-02 18:18 . 2011-04-09 23:01 -------- d-----w- c:\documents and settings\vader
2011-04-02 03:54 . 2011-04-02 03:54 -------- d-----w- c:\documents and settings\CPAC\Application Data\Malwarebytes
2011-04-02 03:28 . 2011-04-02 03:28 -------- d-----w- c:\program files\Common Files\iS3
2011-04-02 03:28 . 2011-04-02 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-01 14:34 . 2011-04-01 14:34 -------- d-----w- c:\program files\AKG CooL-Line
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-24 17:56 . 2009-08-26 21:03 0 ----a-w- c:\documents and settings\glbellairs\Local Settings\Application Data\WavXMapDrive.bat
2011-04-09 22:35 . 2009-06-11 12:55 0 ----a-w- c:\documents and settings\CPAC\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 21:36 . 2010-07-14 20:30 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-07-14 20:30 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-23_18.57.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-24 18:03 . 2011-04-24 18:03 16384 c:\windows\temp\Perflib_Perfdata_394.dat
+ 2008-04-25 16:16 . 2011-04-24 18:07 79188 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2008-04-14 12:00 52352 c:\windows\system32\dllcache\volsnap.sys
+ 2008-04-25 16:16 . 2011-04-24 18:07 464078 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\457\g2mstart.exe" [2010-11-12 39816]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2009-12-04 57344]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-21 15:20 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Documents and Settings\\glbellairs\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [6/12/2009 9:58 AM 34592]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [2/27/2007 2:32 PM 61440]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/11/2009 3:29 PM 6016]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/5/2009 12:40 AM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/5/2009 12:40 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/5/2009 12:40 AM 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/5/2009 12:40 AM 109568]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/4/2009 10:20 PM 232744]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 8:37 PM 133104]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [1/12/2004 1:07 PM 71448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1/12/2004 1:07 PM 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/12/2004 1:07 PM 30166]
S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [1/12/2004 1:07 PM 155440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 15:32]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007Core.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007UA.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-24 c:\windows\Tasks\User_Feed_Synchronization-{857847F0-6F83-4507-BB5E-26130B9405E3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 13:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1332)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2011-04-24 13:11:58
ComboFix-quarantined-files.txt 2011-04-24 18:11
ComboFix2.txt 2011-04-23 19:01
.
Pre-Run: 210,651,975,680 bytes free
Post-Run: 211,007,299,584 bytes free
.
- - End Of File - - 71CB526A91D62C52DFF7765A30313606


2011/04/24 18:12:30.0796 1832 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/24 18:12:31.0484 1832 ================================================================================
2011/04/24 18:12:31.0484 1832 SystemInfo:
2011/04/24 18:12:31.0484 1832
2011/04/24 18:12:31.0484 1832 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/24 18:12:31.0484 1832 Product type: Workstation
2011/04/24 18:12:31.0484 1832 ComputerName: LTWXP3539
2011/04/24 18:12:31.0484 1832 UserName: GLBellairs
2011/04/24 18:12:31.0484 1832 Windows directory: C:\WINDOWS
2011/04/24 18:12:31.0484 1832 System windows directory: C:\WINDOWS
2011/04/24 18:12:31.0484 1832 Processor architecture: Intel x86
2011/04/24 18:12:31.0484 1832 Number of processors: 2
2011/04/24 18:12:31.0484 1832 Page size: 0x1000
2011/04/24 18:12:31.0484 1832 Boot type: Normal boot
2011/04/24 18:12:31.0484 1832 ================================================================================
2011/04/24 18:12:31.0718 1832 Initialize success
2011/04/24 18:12:36.0046 2412 ================================================================================
2011/04/24 18:12:36.0046 2412 Scan started
2011/04/24 18:12:36.0046 2412 Mode: Manual;
2011/04/24 18:12:36.0046 2412 ================================================================================
2011/04/24 18:12:36.0593 2412 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/04/24 18:12:36.0656 2412 ABKTCX (f25a62362ae736a5ac670f17ba28642c) C:\WINDOWS\System32\Drivers\ABKTCX.sys
2011/04/24 18:12:36.0718 2412 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/04/24 18:12:36.0781 2412 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/24 18:12:36.0796 2412 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/24 18:12:36.0828 2412 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/24 18:12:36.0875 2412 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/24 18:12:36.0906 2412 AESTAud (f21d5e93a94514be9f5b6ebf74a696b2) C:\WINDOWS\system32\drivers\AESTAud.sys
2011/04/24 18:12:36.0953 2412 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/24 18:12:36.0984 2412 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/24 18:12:37.0015 2412 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/04/24 18:12:37.0062 2412 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/04/24 18:12:37.0109 2412 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/24 18:12:37.0171 2412 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/24 18:12:37.0218 2412 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/04/24 18:12:37.0265 2412 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/04/24 18:12:37.0312 2412 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/04/24 18:12:37.0375 2412 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/04/24 18:12:37.0437 2412 ApfiltrService (b83f9da84f7079451c1c6a4a2f140920) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/04/24 18:12:37.0484 2412 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/04/24 18:12:37.0515 2412 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/04/24 18:12:37.0546 2412 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/04/24 18:12:37.0593 2412 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/04/24 18:12:37.0703 2412 AsfAlrt (acee9813685f4a03ee5a160057dd61a8) C:\WINDOWS\system32\Drivers\AsfAlrt.sys
2011/04/24 18:12:37.0781 2412 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/24 18:12:37.0812 2412 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/24 18:12:37.0875 2412 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/24 18:12:37.0921 2412 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/24 18:12:37.0953 2412 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/04/24 18:12:38.0046 2412 BCM43XX (fe4ed785396eaa554c561992106a35fa) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/04/24 18:12:38.0187 2412 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/24 18:12:38.0328 2412 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/04/24 18:12:38.0343 2412 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/24 18:12:38.0406 2412 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/24 18:12:38.0453 2412 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/04/24 18:12:38.0468 2412 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/24 18:12:38.0515 2412 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/24 18:12:38.0562 2412 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/24 18:12:38.0625 2412 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/24 18:12:38.0671 2412 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/04/24 18:12:38.0734 2412 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/24 18:12:38.0796 2412 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/04/24 18:12:38.0875 2412 CVirtA (cb7d7c0e74adcb7da96d08ec8db86062) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/04/24 18:12:38.0921 2412 CVPNDRVA (16ddb343f0e77133de96e211e1a4dcd2) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/04/24 18:12:38.0968 2412 cvusbdrv (a95d9b8d882adf93ef40d7dc9b9bb508) C:\WINDOWS\system32\Drivers\cvusbdrv.sys
2011/04/24 18:12:39.0031 2412 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/04/24 18:12:39.0078 2412 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/04/24 18:12:39.0140 2412 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/24 18:12:39.0203 2412 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
2011/04/24 18:12:39.0218 2412 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
2011/04/24 18:12:39.0234 2412 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/04/24 18:12:39.0265 2412 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
2011/04/24 18:12:39.0281 2412 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
2011/04/24 18:12:39.0312 2412 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
2011/04/24 18:12:39.0328 2412 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
2011/04/24 18:12:39.0343 2412 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2011/04/24 18:12:39.0375 2412 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
2011/04/24 18:12:39.0406 2412 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
2011/04/24 18:12:39.0468 2412 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/24 18:12:39.0500 2412 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/24 18:12:39.0546 2412 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/24 18:12:39.0593 2412 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/24 18:12:39.0656 2412 DNE (c86fbf607445bf693450d84b775f168c) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/04/24 18:12:39.0703 2412 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/04/24 18:12:39.0734 2412 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/24 18:12:39.0812 2412 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/04/24 18:12:39.0828 2412 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/04/24 18:12:39.0875 2412 e1yexpress (10cbd2b278ce365b41de378632cb5ddb) C:\WINDOWS\system32\DRIVERS\e1y5132.sys
2011/04/24 18:12:39.0937 2412 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/24 18:12:39.0984 2412 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/24 18:12:40.0015 2412 FilterService (20fe03294ac1429ae88a64c2f754b0d4) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/04/24 18:12:40.0046 2412 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/24 18:12:40.0062 2412 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/24 18:12:40.0078 2412 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/24 18:12:40.0093 2412 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/24 18:12:40.0125 2412 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/24 18:12:40.0156 2412 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/24 18:12:40.0171 2412 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/24 18:12:40.0234 2412 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
2011/04/24 18:12:40.0281 2412 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/24 18:12:40.0296 2412 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/24 18:12:40.0343 2412 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/04/24 18:12:40.0390 2412 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/24 18:12:40.0421 2412 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/24 18:12:40.0437 2412 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/04/24 18:12:40.0468 2412 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/24 18:12:40.0640 2412 ialm (3b743262b6456167888d15f1121b3bf7) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/04/24 18:12:40.0828 2412 iaStor (baabb0301949774a66b955c65319635a) C:\WINDOWS\system32\drivers\iaStor.sys
2011/04/24 18:12:40.0875 2412 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/24 18:12:40.0921 2412 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/04/24 18:12:40.0984 2412 IntcHdmiAddService (f32a62c765885bd8e4352a1565f702a6) C:\WINDOWS\system32\drivers\IntcHdmi.sys
2011/04/24 18:12:41.0015 2412 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/24 18:12:41.0062 2412 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/24 18:12:41.0093 2412 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/24 18:12:41.0140 2412 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/24 18:12:41.0171 2412 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/24 18:12:41.0203 2412 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/24 18:12:41.0281 2412 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/24 18:12:41.0328 2412 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/24 18:12:41.0343 2412 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/24 18:12:41.0359 2412 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/24 18:12:41.0390 2412 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/24 18:12:41.0421 2412 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/24 18:12:41.0484 2412 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/04/24 18:12:41.0531 2412 LVRS (e52f5a2cadcf08d07f559962f807a0a2) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/04/24 18:12:41.0718 2412 LVUVC (c3d02260beb2b48dea1efdfca91e4b69) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/04/24 18:12:41.0859 2412 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/24 18:12:41.0875 2412 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/24 18:12:41.0921 2412 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/24 18:12:41.0937 2412 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/24 18:12:41.0953 2412 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/24 18:12:42.0000 2412 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/04/24 18:12:42.0015 2412 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/24 18:12:42.0078 2412 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/24 18:12:42.0171 2412 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/04/24 18:12:42.0187 2412 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/24 18:12:42.0218 2412 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/24 18:12:42.0250 2412 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/24 18:12:42.0281 2412 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/24 18:12:42.0312 2412 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/24 18:12:42.0343 2412 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/24 18:12:42.0359 2412 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/24 18:12:42.0390 2412 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/24 18:12:42.0437 2412 NAL (a467e1deb3bb2b57426c8a5993ba933e) C:\WINDOWS\system32\Drivers\iqvw32.sys
2011/04/24 18:12:42.0484 2412 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/24 18:12:42.0531 2412 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/24 18:12:42.0578 2412 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/24 18:12:42.0640 2412 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/24 18:12:42.0656 2412 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/24 18:12:42.0671 2412 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/24 18:12:42.0703 2412 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/24 18:12:42.0734 2412 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/24 18:12:42.0796 2412 NetwareWorkstation (d7f6c6be3dadaf80801225bd49994cb8) C:\WINDOWS\system32\NetWare\nwfs.sys
2011/04/24 18:12:42.0828 2412 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/04/24 18:12:42.0843 2412 NICM (c501404558ea82e8a875de6331f0748d) C:\WINDOWS\system32\drivers\nicm.sys
2011/04/24 18:12:42.0875 2412 nipplpt2 (6bab4daa0e4bf40a8df1c61e8426ae87) C:\WINDOWS\system32\drivers\nipplpt.sys
2011/04/24 18:12:42.0890 2412 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/24 18:12:42.0937 2412 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/24 18:12:43.0015 2412 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/24 18:12:43.0078 2412 NWDHCP (a4b071419e0ea596ffb3da89c1f04e61) C:\WINDOWS\system32\NetWare\nwdhcp.sys
2011/04/24 18:12:43.0093 2412 NWDNS (5fe8761fe5fa3761f778fb8d7c0a6763) C:\WINDOWS\system32\NetWare\nwdns.sys
2011/04/24 18:12:43.0125 2412 NWFILTER (7bbf493e2b4979312fa5b350fcf5a4c4) C:\WINDOWS\system32\NetWare\nwfilter.sys
2011/04/24 18:12:43.0140 2412 NWHOST (baa75acf404bebce7065663664a7c3e4) C:\WINDOWS\system32\NetWare\NWHOST.sys
2011/04/24 18:12:43.0171 2412 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/24 18:12:43.0187 2412 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/24 18:12:43.0218 2412 NWSAP (2726a6792bbb080ff345ed9a8111360f) C:\WINDOWS\system32\NetWare\NWSAP.sys
2011/04/24 18:12:43.0234 2412 NWSIPX32 (0c19ea7bf54f23ef37d8a14c61f64891) C:\WINDOWS\system32\NetWare\nwsipx32.sys
2011/04/24 18:12:43.0265 2412 NWSLP (0b5c354bebc5381b59a196bd7e517814) C:\WINDOWS\system32\NetWare\nwslp.sys
2011/04/24 18:12:43.0281 2412 NWSNS (172308996609da67e99c87fa784df8bc) C:\WINDOWS\system32\NetWare\NWSNS.sys
2011/04/24 18:12:43.0312 2412 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/04/24 18:12:43.0406 2412 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/24 18:12:43.0421 2412 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/24 18:12:43.0453 2412 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/24 18:12:43.0500 2412 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
2011/04/24 18:12:43.0546 2412 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/24 18:12:43.0593 2412 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/24 18:12:43.0609 2412 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/24 18:12:43.0671 2412 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/04/24 18:12:43.0718 2412 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/04/24 18:12:43.0750 2412 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/24 18:12:43.0765 2412 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/24 18:12:43.0781 2412 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/24 18:12:43.0812 2412 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/24 18:12:43.0828 2412 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/04/24 18:12:43.0843 2412 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/04/24 18:12:43.0890 2412 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/04/24 18:12:43.0921 2412 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/04/24 18:12:43.0937 2412 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/04/24 18:12:44.0015 2412 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/24 18:12:44.0031 2412 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/24 18:12:44.0046 2412 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/24 18:12:44.0062 2412 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/24 18:12:44.0093 2412 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/24 18:12:44.0109 2412 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/24 18:12:44.0140 2412 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/24 18:12:44.0171 2412 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/24 18:12:44.0203 2412 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/24 18:12:44.0234 2412 RESMGR (16c27d650113b0aa0c8255c561a71cd4) C:\WINDOWS\system32\NetWare\resmgr.sys
2011/04/24 18:12:44.0281 2412 rimmptsk (ea885e7a56f1be1f14c372337c42fe48) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/04/24 18:12:44.0328 2412 RsiKtControl (c4c9900e86a5a2cf5bcd393f19986a05) C:\WINDOWS\system32\RSIKT.SYS
2011/04/24 18:12:44.0421 2412 RSSERIAL (b089419975668e2a701178032d652a24) C:\WINDOWS\SYSTEM32\RSSERIAL.SYS
2011/04/24 18:12:44.0468 2412 RS_SS_NT (e4fab1cdfaed6ef7542606aa055b104a) C:\WINDOWS\SYSTEM32\RS_SS_NT.SYS
2011/04/24 18:12:44.0531 2412 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/04/24 18:12:44.0578 2412 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/24 18:12:44.0625 2412 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/24 18:12:44.0656 2412 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/24 18:12:44.0718 2412 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/04/24 18:12:44.0750 2412 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/24 18:12:44.0812 2412 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/04/24 18:12:44.0843 2412 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/24 18:12:44.0875 2412 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/24 18:12:44.0921 2412 SRS_PremiumSound_Service (584477fdfa731af4635f5875c6b52531) C:\WINDOWS\system32\drivers\srs_PremiumSound_i386.sys
2011/04/24 18:12:44.0968 2412 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/24 18:12:45.0015 2412 SRVLOC (21d0242d37ab7b275261ed030adaaad5) C:\WINDOWS\system32\NetWare\srvloc.sys
2011/04/24 18:12:45.0109 2412 STHDA (1b76479b80ff0f6e245ba590a64102be) C:\WINDOWS\system32\drivers\sthda.sys
2011/04/24 18:12:45.0171 2412 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/24 18:12:45.0218 2412 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/24 18:12:45.0265 2412 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/24 18:12:45.0328 2412 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/04/24 18:12:45.0359 2412 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/04/24 18:12:45.0406 2412 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/04/24 18:12:45.0453 2412 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/04/24 18:12:45.0468 2412 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/24 18:12:45.0562 2412 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/24 18:12:45.0625 2412 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/24 18:12:45.0640 2412 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/24 18:12:45.0671 2412 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/24 18:12:45.0734 2412 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/04/24 18:12:45.0781 2412 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/24 18:12:45.0859 2412 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/04/24 18:12:45.0937 2412 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/24 18:12:45.0984 2412 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/24 18:12:46.0031 2412 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/04/24 18:12:46.0078 2412 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/24 18:12:46.0093 2412 USBCCID (2825e0e294686a26506690059e1f437a) C:\WINDOWS\system32\DRIVERS\usbccid.sys
2011/04/24 18:12:46.0125 2412 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/24 18:12:46.0156 2412 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/24 18:12:46.0187 2412 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/24 18:12:46.0218 2412 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/24 18:12:46.0265 2412 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/24 18:12:46.0296 2412 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/24 18:12:46.0359 2412 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/24 18:12:46.0390 2412 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/24 18:12:46.0437 2412 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/04/24 18:12:46.0468 2412 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/04/24 18:12:46.0515 2412 vnccom (b67632451f760797bb183e1fb99f4b39) C:\WINDOWS\system32\Drivers\vnccom.SYS
2011/04/24 18:12:46.0593 2412 vncdrv (4ec979b157d1aa075330362acb5424e5) C:\WINDOWS\system32\DRIVERS\vncdrv.sys
2011/04/24 18:12:46.0656 2412 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/24 18:12:46.0703 2412 vsdatant (d658e49302c382b88c8e9a08e20b2e82) C:\WINDOWS\system32\vsdatant.sys
2011/04/24 18:12:46.0781 2412 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/24 18:12:46.0812 2412 WavxDMgr (fc2606083f35db9c497d6ba9f554d22c) C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
2011/04/24 18:12:46.0875 2412 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/04/24 18:12:46.0921 2412 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/24 18:12:46.0968 2412 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/24 18:12:47.0031 2412 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/04/24 18:12:47.0109 2412 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/24 18:12:47.0125 2412 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/24 18:12:47.0156 2412 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/24 18:12:47.0218 2412 ================================================================================
2011/04/24 18:12:47.0218 2412 Scan finished
2011/04/24 18:12:47.0218 2412 ================================================================================
2011/04/24 18:12:53.0968 0248 Deinitialize success

#12 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:56 PM

Posted 25 April 2011 - 06:15 PM

Combofix has problems running if AVG is installed, First time Ive seen a problem with Symantic if thats what the cause of it was anyway. Hard to say with todays malware. What about Malwarebytes, can you update it ok now? I also would do a scan after checking for updates, just for good measure. TDSSkiller not launching could also have been caused by the malware. Malware evolves to, what works one day may not work the next, until its updated anyway.

How Can I Reduce My Risk to Malware?


#13 voodoo76

voodoo76
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 25 April 2011 - 06:46 PM

I did a full scan with Malwarebytes, found the following. Should I have deleted the two files found? I can clean up pretty well from here, do appreciate the help I learned quite a bit walking through this.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6433

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2011 2:25:21 PM
mbam-log-2011-04-24 (14-25-13).txt

Scan type: Full scan (C:\|)
Objects scanned: 266752
Time elapsed: 28 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\volsnap.sys.vir (Rootkit.Patch) -> No action taken.
c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP3\A0003879.sys (Rootkit.Patch) -> No action taken.

#14 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:56 PM

Posted 26 April 2011 - 06:05 PM

ok good.

Should I have deleted the two files found

You can have malwarebytes delete them, this:c:\Qoobox is actually combofix's quarantine folder. The other is your system restore archives which malwarebytes does a good job of cleaning out.

you can remove combofix like this:
start>run and type in: combofix /uninstall
note the space after the x and before the /

You can also delete the tdsskiller icon from your desktop. Last you can make a new restore point, the why and the how:

One of the features of Windows XP,Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.



(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(creates a new restore points on a clean system)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK, then reboot


Everybody gets this, so if all is good on your end:

10 Tips for Prevention and Avoidance of Malware:

There is no reason why your computer can not stay malware free.


No software can think for you. Help yourself. In no special order:


1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for web based applications, browser plugins and addons like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.



2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.



3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.



4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source? See also E-mail phishing Tricks.



5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.



6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?



7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.



8) Install and understand the *limitations* of a software firewall.



9) A slide show how to for securing Internet Explorer 8.0 for safer surfing. How to harden FireFox. for safer surfing.



10) Warez, cracks etc are very popular for carrying malware payloads.If you download/install files via p2p networks you will encounter malware. A file can be named anything be nothing but malware or have malware bundled in it. Can you really trust the source of the file?


More info/tips with pictures, links below

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users