TDSS rootkit virus


  • This topic is locked
9 replies to this topic

#1 Brinleigh217

Brinleigh217

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 03 May 2011 - 12:04 PM

Hi, I've been reading a lot of posts on this website. I am first very thankful, as my hosted IT solution group was less than great with this issue. Microsoft also remoted into my computer for over 5 hours and didn't fix it either.

My issue started 2 weeks ago when I noticed I was being redirected to ad websites from Google. I'd click on a Forbes article and end up at Stopzilla.com. I have an amazing appetite for research and logged a plethora of sites I was redirected to. Complimentarygiftcards.com, trackimizer.com, 123.fluxads.com, once even yellowpages.com...although it did not load fully. Usually a redirect went through admarketplace.com and meta.7search.com.

I have run a number of cleaners, all from reading this site, done some uninstalls (because I thought it might be helpful), and now I can no longer find any more symptoms. However, I'm not 100% sure I have cleaned my machine. I'm thinking about going ahead and reinstalling my whole operating system, however, I don't have the boot disks and they are on backorder currently from HP.

Here are the details of my computer/problem:
Problem: Redirecting from Google to adsites. Pretty sure a rootkit.
Computer OS: Microsoft XP Professional Service Pack 3
Browser used: Firefox 4

Programs I have run:
Malwarebytes, Combofix, CCleaner, Spybot Search and Destroy, Microsoft Safety Scanner, TPS, ESET scanner (that revealed that Java was infected, so I cleaned and then uninstalled Java - have since reinstalled the program). I also went ahead and uninstalled Firefox and have just reinstalled it today. I've run Kaspersky's TDSSKiller twice, and it's not finding anything. Please, if anyone can help me or tell me I'm clean and how I can monitor my machine, I'd be really, really grateful!


I did a HijackThis log - please see below. I really need any kind of help, as I'm an amateur at best when it comes to virus/malware/rootkit removal.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:31:53 AM, on 5/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\AVTC\PavSrvX86.exe
C:\Program Files\Panda Software\AVTC\AVENGINE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RemoteSupportManager\DaMaint.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\AVTC\PsImSvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\RemoteSupportManager\DesktopAuthority.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RemoteSupportManager\RMGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Panda Software\AVTC\PSCtrlC.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=all&pf=cmdt
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Panda Controller Client] "C:\Program Files\Panda Software\AVTC\PSCtrlC.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "c:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\Logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://eesbs01.energy.energyexchanger.com:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://eesbs01.energy.energyexchanger.com:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258472828391
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = energy.energyexchanger.com
O17 - HKLM\Software\..\Telephony: DomainName = energy.energyexchanger.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = energy.energyexchanger.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\DAinit.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0117681258412774) (0117681258412774mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\011768~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DA Remote Management Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\RemoteSupportManager\DaMaint.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Panda Software Controller - Panda Security - C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Security, S.L. - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Security, S.L. - C:\Program Files\Panda Software\AVTC\PavSrvX86.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Panda AntiSpam Engine (PMShellSrv) - Panda Software International - C:\Program Files\Panda Software\AVTC\PSKMsSvc.exe
O23 - Service: Panda IManager Service (PsImSvc) - Panda Security - C:\Program Files\Panda Software\AVTC\PsImSvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Remote Support Manager (RemoteSupportManager) - ScriptLogic Corporation - C:\Program Files\RemoteSupportManager\DesktopAuthority.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Windows Agent Maintenance Service - N-able Technologies - C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
O23 - Service: Windows Agent Service - N-able Technologies - C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe

--
End of file - 12976 bytes
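A first-pass triage of a HijackThis log like the one above is usually done by eye, so here is an added example (not part of this thread and not code from HijackThis or Trend Micro) that encodes the checks a reviewer applies first: entries whose target file no longer exists, AppInit_DLLs entries, services with no recorded owner, and executables registered from user-writable paths. The sample lines are copied from the log posted above; the rule set and the `Finding` structure are my own assumptions. A hit means "verify this entry", not that it is malicious (the AppInit_DLLs entry here, for instance, belongs to the remote-support software listed elsewhere in the log).

```python
"""Heuristic first-pass review of HijackThis (HJT) log lines.

Added example for this thread, not part of HijackThis or of any post here.
The rules only pick out entries a reviewer would verify first; a hit is a
reason to look, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - AppInit_DLLs: C:\WINDOWS\system32\DAinit.dll
O23 - Service: McAfee Application Installer Cleanup (0117681258412774) (0117681258412774mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\011768~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Section prefix (O2, O4, O23, R1 ...) followed by " - " and the entry body.
ENTRY = re.compile(r'^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.*)$')

# HJT prints 8.3 short names (DOCUME~1, LOCALS~1) for long profile paths,
# so both the long and the short spellings are matched, case-insensitively.
USER_WRITABLE = re.compile(
    r'(\\temp\\|docume~1|documents and settings|locals~1|applic~1|application data)',
    re.I)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def review_line(line: str):
    """Return a Finding for one HJT entry, or None if no rule fires."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.group('section'), m.group('body')
    reasons = []
    if '(file missing)' in body or '(no file)' in body:
        reasons.append('dangling reference: registered target no longer exists')
    if section == 'O20' and body.startswith('AppInit_DLLs:'):
        reasons.append('AppInit_DLLs entry: injected into every process that loads user32.dll')
    if section == 'O23' and 'Unknown owner' in body:
        reasons.append('service with no recorded company name')
    if USER_WRITABLE.search(body):
        reasons.append('executes from a user-writable location')
    return Finding(section, line.strip(), reasons) if reasons else None


def review_hjt(text: str) -> list:
    """Run review_line over every line of an HJT log, skipping non-entries."""
    findings = []
    for line in text.splitlines():
        f = review_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in review_hjt(SAMPLE_LOG):
        print(f'[{f.section}] {f.line}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the sample it reports four entries: the two dangling BHO/toolbar references, the AppInit_DLLs line, and the McAfee cleanup service, which trips three rules at once (missing file, unknown owner, path under a Temp directory). The ATI entries and the KernelFaultCheck Run key pass untouched, which is the point: the rules narrow the list to what needs a human look.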

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:05 AM

Posted 03 May 2011 - 02:24 PM

Good evening. :)

As HijackThis has not been seriously updated by Trend Micro in some time, it is now no longer considered to be an effective tool for malware removal. You will need to go here, follow steps 6, 7 and 8 and post accordingly into this thread.

So long, and thanks for all the fish.

#3 Brinleigh217

Brinleigh217
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 03 May 2011 - 07:54 PM

Thank you Noviciate, I have run both the DDS and the GMER programs as requested. They are shown below and I attached both logs as well.

DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by lbrinlee at 14:47:50.47 on Tue 05/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.585 [GMT -5:00]
.
AV: Endpoint Security Manager *Enabled/Updated* {208F4477-D1F0-411A-8D21-0367EC0D3D43}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Software\AVTC\PavSrvX86.exe
C:\Program Files\Panda Software\AVTC\AVENGINE.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\RemoteSupportManager\DaMaint.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Panda Software\AVTC\PsImSvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\RemoteSupportManager\DesktopAuthority.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RemoteSupportManager\RMGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Panda Software\AVTC\PSCtrlC.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\lbrinlee\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=all&pf=cmdt
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Panda Controller Client] "c:\program files\panda software\avtc\PSCtrlC.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\lbrinlee\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://eesbs01.energy.energyexchanger.com:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://eesbs01.energy.energyexchanger.com:4343/officescan/console/ClientInstall/setup.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258472828391
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\windows\system32\DAinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lbrinlee\applic~1\mozilla\firefox\profiles\96hcyi1r.default\
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2007-12-19 171024]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\Shldrv51.sys [2010-11-9 36744]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-13 14336]
R2 AmFSM;Panda Anti-Virus Filesystem Minifilter;c:\windows\system32\drivers\amm8651.sys [2010-11-9 56456]
R2 DAInfo;DAInfo;c:\program files\remotesupportmanager\DAinfo.sys [2011-4-27 12168]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\remotesupportmanager\DAMaint.exe [2011-4-27 85512]
R2 DAtf;DAtf;c:\program files\remotesupportmanager\DAtf.sys [2011-4-27 11144]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-5-2 10448]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql10_50.act7\mssql\binn\sqlservr.exe [2010-5-5 42884448]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda software\avtc\PSCtrlS.exe [2010-11-9 309568]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2010-11-9 163848]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda software\pavshld\PavPrSrv.exe [2010-11-9 62768]
R2 PavSrv;Panda Antivirus Service;c:\program files\panda software\avtc\pavsrvx86.exe [2010-11-9 183040]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 RemoteSupportManager;Remote Support Manager;c:\program files\remotesupportmanager\DesktopAuthority.exe [2011-4-27 1349128]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2011-4-27 1830856]
R2 Windows Agent Maintenance Service;Windows Agent Maintenance Service;c:\program files\n-able technologies\windows agent\bin\AgentMaint.exe [2011-2-14 28672]
R2 Windows Agent Service;Windows Agent Service;c:\program files\n-able technologies\windows agent\bin\agent.exe [2011-2-14 192512]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [2011-4-27 9352]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 36608]
S2 0117681258412774mcinstcleanup;McAfee Application Installer Cleanup (0117681258412774);c:\docume~1\admini~1\locals~1\temp\011768~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\011768~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 PavReport;Panda Antivirus Report Service;c:\program files\panda software\panda administrator 3\pavreport\PavReport.exe [2010-11-9 926976]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-5-5 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$ACT7;SQL Server Agent (ACT7);c:\program files\microsoft sql server\mssql10_50.act7\mssql\binn\SQLAGENT.EXE [2010-5-5 367456]
.
=============== Created Last 30 ================
.
2011-05-03 16:30:13 388096 ----a-r- c:\docume~1\lbrinlee\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-03 16:30:12 -------- d-----w- c:\program files\Trend Micro
2011-05-03 15:20:24 118784 ----a-w- c:\windows\system32\chg.exe
2011-05-02 21:07:35 -------- d-----w- c:\program files\VS Revo Group
2011-05-02 20:48:16 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-05-02 20:48:16 -------- d-----w- c:\program files\Belarc
2011-05-02 17:39:43 -------- d-----w- C:\tdsskiller
2011-05-02 17:25:33 53248 ----a-r- c:\docume~1\lbrinlee\applic~1\microsoft\installer\{3ee9bcae-e9a9-45e5-9b1c-83a4d357e05c}\ARPPRODUCTICON.exe
2011-05-02 17:22:51 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-05-02 17:21:42 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-05-02 17:14:11 -------- d-----w- c:\docume~1\lbrinlee\applic~1\Logishrd
2011-05-02 16:02:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-05-02 16:02:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-04-30 23:29:09 -------- d-----w- c:\program files\CCleaner
2011-04-28 21:43:25 621944 ----a-w- c:\windows\system32\pskill.exe
2011-04-28 20:37:14 -------- d-sha-r- C:\cmdcons
2011-04-28 00:13:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-04-28 00:13:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-04-28 00:13:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-04-28 00:13:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-04-28 00:13:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-04-28 00:13:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-04-28 00:13:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-04-27 23:16:15 -------- d-----w- c:\docume~1\lbrinlee\locals~1\applic~1\Help
2011-04-27 16:51:36 -------- d-----w- c:\program files\UltraVNC
2011-04-27 16:51:12 9352 ----a-w- c:\windows\system32\drivers\DAmirr.sys
2011-04-27 16:51:12 20104 ----a-w- c:\windows\system32\DAmirr.dll
2011-04-27 16:51:11 104448 ----a-w- c:\windows\system32\EAUninstaller.exe
2011-04-27 15:56:35 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-27 15:53:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-27 15:53:25 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-27 15:44:12 744853 ----a-w- c:\temp\PAVARK.exe
2011-04-27 15:43:02 6449984 ----a-w- c:\temp\HitmanPro35.exe
2011-04-26 21:56:24 -------- d-----w- C:\support
2011-04-21 22:22:39 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-21 22:10:14 -------- d-----w- c:\windows\pss
2011-04-21 19:33:56 1344600 ----a-w- c:\temp\123.com.exe
2011-04-21 19:33:46 2486352 ----a-w- c:\temp\RootkitBuster.exe
2011-04-20 15:33:40 21456 ----a-w- c:\windows\system32\drivers\SilvrLnk.sys
2011-04-20 15:33:15 -------- d-----w- c:\program files\common files\TI Shared
2011-04-20 15:26:16 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-04-20 14:12:18 9152 ----a-w- c:\windows\system32\drivers\Ticalc.sys
2011-04-20 14:12:18 -------- d-----w- c:\program files\TI Education
2011-04-14 13:45:20 0 ----a-w- c:\windows\Blogejaqapejucoh.bin
.
==================== Find3M ====================
.
2011-04-28 22:13:32 88 --sh--r- c:\docume~1\alluse~1\applic~1\517EA95130.sys
2011-04-28 22:13:32 848 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2003-01-01 12:50:00 475136 ------w- c:\program files\UCONVERT.exe
.
============= FINISH: 14:48:46.54 ===============


GMER
GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-03 19:50:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500AAJS-60M0A0 rev.02.03E02
Running: gmer.exe; Driver: C:\DOCUME~1\lbrinlee\LOCALS~1\Temp\pwlyrfow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Protection driver/Panda Security, S.L.) ZwTerminateProcess [0xA9CA473A]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB98A6000, 0x235447, 0xE8000020]
? C:\DOCUME~1\lbrinlee\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[2576] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 32605B49 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[2576] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 32920DB5 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2588] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00417140 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00416FC0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00416F10 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00417090 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00416F50 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00417000 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00416F80 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00417040 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[3352] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00416ED0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\Program Files\Mozilla Firefox\firefox.exe[4544] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4832] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4832] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4832] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4832] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
Device \FileSystem\Fastfat \FatCdrom ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
Device \FileSystem\Fastfat \Fat ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



Edited by Brinleigh217, 04 May 2011 - 09:18 AM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:05 AM

Posted 04 May 2011 - 01:45 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything, allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

Let me know if you are still suffering any redirections.

So long, and thanks for all the fish.


#5 Brinleigh217

Brinleigh217
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 05 May 2011 - 11:53 AM

Thanks again for helping me! :)
I ran the Kaspersky TDSSKiller program as instructed. It ran with nothing found. Below is the log, and I've also attached it. Right before I ran it, as I am using IE today, I did get a pop-up. The website tag I found was for adtechus.com. However, the pop-up never fully loaded as it was just a white background. It was actually a pop-up this time; maybe this is how the rootkit operates in explorer? I'm not sure, as the redirections I got previously which alerted me to my problem initially were when I was using Firefox. Also, when I closed all my windows down to run the TDSSKiller, I noticed when I closed out of a file folder, it made my whole screen go white and, like, maximized the folder window before it closed...just a weird thing as it was not instantaneous when I "x"ed out of it. In general, Windows Explorer/my desktop is kind of acting "weird." I know that weird isn't specific, but sometimes when I close out of stuff, my icons disappear for a while, like for 5-15 seconds, or just three icons stay showing, etc. This is new since discovering the virus/rootkit/crap on my computer.

I also have a question. Our hosted IT solution group just recently (about a month ago) changed/updated all our computers from McAfee Security to Panda Endpoint security. Could this be a less superior antivirus than maybe some other options? Could this be what let in the TDSS thing in the first place? I'm obviously less than satisfied with the Panda Endpoint, and am trying to pressure our IT solution to upload/use a different AV. Any thoughts on this that might help me sway them would be appreciated. Thanks again!

TDSSKILLER LOG:


2011/05/05 11:36:25.0379 0792 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/05 11:36:25.0957 0792 ================================================================================
2011/05/05 11:36:25.0957 0792 SystemInfo:
2011/05/05 11:36:25.0957 0792
2011/05/05 11:36:25.0957 0792 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/05 11:36:25.0957 0792 Product type: Workstation
2011/05/05 11:36:25.0957 0792 ComputerName: EECTUL-W001
2011/05/05 11:36:25.0957 0792 UserName: lbrinlee
2011/05/05 11:36:25.0957 0792 Windows directory: C:\WINDOWS
2011/05/05 11:36:25.0957 0792 System windows directory: C:\WINDOWS
2011/05/05 11:36:25.0957 0792 Processor architecture: Intel x86
2011/05/05 11:36:25.0957 0792 Number of processors: 2
2011/05/05 11:36:25.0957 0792 Page size: 0x1000
2011/05/05 11:36:25.0957 0792 Boot type: Normal boot
2011/05/05 11:36:25.0957 0792 ================================================================================
2011/05/05 11:36:26.0254 0792 Initialize success
2011/05/05 11:36:27.0879 3196 ================================================================================
2011/05/05 11:36:27.0879 3196 Scan started
2011/05/05 11:36:27.0879 3196 Mode: Manual;
2011/05/05 11:36:27.0879 3196 ================================================================================
2011/05/05 11:36:29.0473 3196 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/05/05 11:36:29.0488 3196 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/05 11:36:29.0520 3196 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/05 11:36:29.0551 3196 ADIHdAudAddService (53b29a84f5105a6d887b662188c93503) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/05/05 11:36:29.0582 3196 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/05/05 11:36:29.0598 3196 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
2011/05/05 11:36:29.0613 3196 AEAudio (b4afcc2f911939a1c16a26e7eba7f36b) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/05/05 11:36:29.0645 3196 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/05 11:36:29.0676 3196 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/05 11:36:29.0738 3196 ahcix86 (1a54b47e4439c67c8b040bfca3f292b9) C:\WINDOWS\system32\DRIVERS\ahcix86.sys
2011/05/05 11:36:29.0770 3196 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/05/05 11:36:29.0785 3196 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/05/05 11:36:29.0863 3196 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/05/05 11:36:29.0895 3196 AmdLLD (ad8fa28d8ed0d0a689a0559085ce0f18) C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
2011/05/05 11:36:29.0926 3196 AmFSM (d8a8eb8d9a6e18b4bfbd8a567d69b36a) C:\WINDOWS\system32\Drivers\amm8651.sys
2011/05/05 11:36:30.0051 3196 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/05 11:36:30.0066 3196 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/05 11:36:30.0270 3196 ati2mtag (e002e2bc48dab7098f7a2b6ff6da4127) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/05 11:36:31.0379 3196 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/05 11:36:31.0410 3196 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/05 11:36:31.0457 3196 b57w2k (fbc80c5ad5d6995614cd99d505ec812d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/05/05 11:36:31.0504 3196 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/05/05 11:36:31.0551 3196 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/05 11:36:31.0613 3196 Blfp (ea4b6baeeafbf901cb54f8321fa7be59) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
2011/05/05 11:36:31.0816 3196 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/05 11:36:31.0863 3196 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/05 11:36:31.0879 3196 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/05 11:36:31.0910 3196 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/05 11:36:32.0113 3196 DAInfo (bc1a02f04ef31dec9ce46dc479f1b73b) C:\Program Files\RemoteSupportManager\DAInfo.sys
2011/05/05 11:36:32.0176 3196 DAmirr (3468e262e7f374f62a02eec877611b6f) C:\WINDOWS\system32\DRIVERS\DAmirr.sys
2011/05/05 11:36:32.0207 3196 DAtf (5da92ee34db265e2cbc1818a34b7c63d) C:\Program Files\RemoteSupportManager\DAtf.sys
2011/05/05 11:36:32.0254 3196 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/05 11:36:32.0285 3196 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/05 11:36:32.0316 3196 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/05 11:36:32.0332 3196 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/05 11:36:32.0363 3196 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/05 11:36:32.0395 3196 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/05/05 11:36:32.0410 3196 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/05 11:36:32.0441 3196 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/05 11:36:32.0473 3196 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/05 11:36:32.0504 3196 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/05 11:36:32.0520 3196 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/05 11:36:32.0551 3196 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/05 11:36:32.0566 3196 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/05 11:36:32.0582 3196 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/05 11:36:32.0598 3196 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/05 11:36:32.0660 3196 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/05 11:36:32.0691 3196 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/05 11:36:32.0754 3196 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/05 11:36:32.0832 3196 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/05 11:36:32.0910 3196 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/05 11:36:32.0973 3196 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/05/05 11:36:33.0004 3196 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/05/05 11:36:33.0020 3196 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/05/05 11:36:33.0035 3196 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/05/05 11:36:33.0051 3196 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/05/05 11:36:33.0082 3196 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/05/05 11:36:33.0113 3196 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2011/05/05 11:36:33.0129 3196 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2011/05/05 11:36:33.0145 3196 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2011/05/05 11:36:33.0160 3196 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/05/05 11:36:33.0176 3196 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/05/05 11:36:33.0191 3196 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/05/05 11:36:33.0207 3196 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/05/05 11:36:33.0223 3196 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2011/05/05 11:36:33.0238 3196 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2011/05/05 11:36:33.0285 3196 IFXTPM (2cdf483f8fc2bf3f7b93e3bdd734cfbd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2011/05/05 11:36:33.0316 3196 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/05 11:36:33.0395 3196 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/05 11:36:33.0410 3196 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/05 11:36:33.0426 3196 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/05 11:36:33.0441 3196 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/05 11:36:33.0457 3196 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/05 11:36:33.0473 3196 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/05 11:36:33.0488 3196 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/05 11:36:33.0520 3196 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/05 11:36:33.0551 3196 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/05/05 11:36:33.0613 3196 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/05 11:36:33.0645 3196 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/05 11:36:33.0660 3196 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/05 11:36:33.0691 3196 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/05 11:36:33.0723 3196 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2011/05/05 11:36:33.0754 3196 L8042mou (8a5993705add14352c9a279fa8338334) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/05/05 11:36:33.0816 3196 LBeepKE (c99ba72106a858cb8b521bb4c02c93ed) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2011/05/05 11:36:33.0879 3196 LHidFilt (318b3d608fbec44b7e0c23bf759dced5) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/05/05 11:36:33.0926 3196 LMouFilt (84af069d219df3c43dc6792b2bbd7bed) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/05/05 11:36:33.0941 3196 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/05/05 11:36:33.0973 3196 LUsbFilt (77030525cd86a93f1af34fa9b96d33ce) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
2011/05/05 11:36:34.0004 3196 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/05 11:36:34.0051 3196 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/05 11:36:34.0098 3196 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/05 11:36:34.0145 3196 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/05 11:36:34.0191 3196 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/05 11:36:34.0238 3196 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/05 11:36:34.0285 3196 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/05 11:36:34.0316 3196 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/05 11:36:34.0363 3196 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/05 11:36:34.0363 3196 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/05 11:36:34.0379 3196 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/05 11:36:34.0426 3196 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/05 11:36:34.0473 3196 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/05 11:36:34.0566 3196 NDIS (8716356e49a665bdc7b114725b60a456) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/05 11:36:34.0629 3196 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/05 11:36:34.0770 3196 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/05 11:36:34.0926 3196 NdisWan (5526cfebb619f7f763bd6a2e1b618078) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/05 11:36:34.0941 3196 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/05 11:36:34.0973 3196 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/05 11:36:34.0988 3196 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/05 11:36:35.0035 3196 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/05 11:36:35.0082 3196 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/05 11:36:35.0145 3196 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/05 11:36:35.0176 3196 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/05 11:36:35.0191 3196 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/05 11:36:35.0223 3196 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/05/05 11:36:35.0254 3196 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/05 11:36:35.0270 3196 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/05 11:36:35.0285 3196 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/05 11:36:35.0332 3196 PavProc (a110035fdc4b8f8f0cd5e71d031274e1) C:\WINDOWS\system32\DRIVERS\PavProc.sys
2011/05/05 11:36:35.0379 3196 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/05 11:36:35.0410 3196 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/05 11:36:35.0441 3196 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/05 11:36:35.0613 3196 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/05 11:36:35.0629 3196 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/05/05 11:36:35.0645 3196 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/05 11:36:35.0676 3196 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/05 11:36:35.0770 3196 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/05 11:36:35.0801 3196 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/05 11:36:35.0816 3196 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/05 11:36:35.0832 3196 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/05 11:36:35.0863 3196 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/05 11:36:35.0879 3196 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/05 11:36:35.0895 3196 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/05 11:36:35.0941 3196 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/05 11:36:35.0988 3196 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/05 11:36:36.0035 3196 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
2011/05/05 11:36:36.0113 3196 RsFx0150 (a95840a95a9ff74b0009e5d848cddb39) C:\WINDOWS\system32\DRIVERS\RsFx0150.sys
2011/05/05 11:36:36.0160 3196 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/05 11:36:36.0191 3196 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/05 11:36:36.0207 3196 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/05 11:36:36.0254 3196 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/05 11:36:36.0301 3196 ShldDrv (c2ba5f2a52c57e7b5a2252574de294d7) C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
2011/05/05 11:36:36.0348 3196 SilverLink (392834adb35deb199b03ae6a6caab23a) C:\WINDOWS\system32\Drivers\SilvrLnk.sys
2011/05/05 11:36:36.0426 3196 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/05 11:36:36.0457 3196 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/05 11:36:36.0504 3196 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/05 11:36:36.0535 3196 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/05 11:36:36.0551 3196 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/05 11:36:36.0582 3196 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/05/05 11:36:36.0598 3196 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/05/05 11:36:36.0613 3196 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2011/05/05 11:36:36.0629 3196 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/05/05 11:36:36.0645 3196 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/05/05 11:36:36.0676 3196 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/05 11:36:36.0738 3196 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/05 11:36:36.0770 3196 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/05 11:36:36.0801 3196 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/05 11:36:36.0816 3196 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/05 11:36:36.0879 3196 TICalc (0dabaa63799b0bf20f95c73ce5d9ca87) C:\WINDOWS\system32\drivers\TICalc.sys
2011/05/05 11:36:36.0926 3196 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/05 11:36:37.0020 3196 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/05 11:36:37.0066 3196 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/05 11:36:37.0098 3196 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/05 11:36:37.0113 3196 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/05 11:36:37.0145 3196 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/05 11:36:37.0191 3196 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/05 11:36:37.0238 3196 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/05 11:36:37.0270 3196 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/05 11:36:37.0285 3196 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/05 11:36:37.0316 3196 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/05/05 11:36:37.0363 3196 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 11:36:37.0426 3196 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/05 11:36:37.0473 3196 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/05 11:36:37.0520 3196 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/05 11:36:37.0613 3196 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/05 11:36:37.0660 3196 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/05 11:36:37.0723 3196 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/05 11:36:37.0738 3196 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/05 11:36:37.0941 3196 ================================================================================
2011/05/05 11:36:37.0941 3196 Scan finished
2011/05/05 11:36:37.0941 3196 ================================================================================



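Reading a TDSSKiller driver listing like the one above by hand means scanning a few hundred `name (md5) path` lines for anything that stands out. As an added example for this thread (it is not code from BleepingComputer, from the poster, or from Kaspersky's tool), the following Python script parses that line format and flags drivers whose image path is outside the Windows system directories, with user-writable locations such as Temp called out separately. The sample input is three lines copied from the log above plus one constructed entry (`fakedrv`, all-zero placeholder hash) that exists only to exercise the user-writable check; `DriverEntry`, `parse_tdsskiller_log`, `review_path` and `flag_entries` are names chosen here, not part of the tool.

```python
"""Triage helper for TDSSKiller 2.x driver listings.

Added example for this thread; not code from BleepingComputer, from the poster,
or from Kaspersky's tool. It parses only the text format visible in the log
and applies simple path heuristics: a flagged driver is a review candidate,
not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One driver line of a TDSSKiller log looks like:
#   2011/05/05 11:36:29.0488 3196 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
# i.e. timestamp, thread id, service name, MD5 in parentheses, image path.
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<tid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


def parse_tdsskiller_log(text: str) -> List[DriverEntry]:
    """Return the driver entries; banner, 'Scan started' and similar lines are skipped."""
    entries: List[DriverEntry] = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
    return entries


# Where kernel drivers normally live on Windows XP. Loading from elsewhere is
# not proof of malware (vendor tools do it too), but it is where a reviewer looks first.
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")
# Substrings of user-writable locations; a driver image there deserves immediate attention.
USER_WRITABLE_HINTS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                       "\\application data\\", "\\applic~1\\", "\\appdata\\")


def review_path(path: str) -> Optional[str]:
    """Reason a path is worth a second look, or None if it is in the usual place."""
    p = path.lower()
    if any(hint in p for hint in USER_WRITABLE_HINTS):
        return "user-writable location"
    if not p.startswith(EXPECTED_DIRS):
        return "outside system driver directories"
    return None


def flag_entries(entries: List[DriverEntry]) -> List[Tuple[DriverEntry, str]]:
    """Pair each entry that review_path objects to with the reason, keeping log order."""
    flagged: List[Tuple[DriverEntry, str]] = []
    for e in entries:
        reason = review_path(e.path)
        if reason:
            flagged.append((e, reason))
    return flagged


# Sample input (constructed for this example): three lines copied from the
# thread's log plus one made-up entry, "fakedrv", with an all-zero placeholder
# hash. It is not a real driver from the poster's machine.
SAMPLE_LOG = r"""
2011/05/05 11:36:27.0879 3196 Scan started
2011/05/05 11:36:29.0488 3196 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/05 11:36:32.0113 3196 DAInfo (bc1a02f04ef31dec9ce46dc479f1b73b) C:\Program Files\RemoteSupportManager\DAInfo.sys
2011/05/05 11:36:33.0691 3196 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/05 11:36:34.0001 3196 fakedrv (00000000000000000000000000000000) C:\DOCUME~1\user\LOCALS~1\Temp\fakedrv.sys
2011/05/05 11:36:37.0941 3196 Scan finished
"""

if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(parsed)} drivers parsed")
    for entry, why in flag_entries(parsed):
        print(f"REVIEW {entry.name:<10} {entry.md5}  {entry.path}  [{why}]")
```

The heuristic is deliberately blunt: it lists DAInfo.sys from the remote-support tool's own directory right next to the constructed Temp entry, so the output is a reading list for a human, not a clean/infected decision. It also only sees what the tool enumerated, which is the same limitation Noviciate raises later in the thread about scanners and log creators not covering everything.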

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:05 AM

Posted 05 May 2011 - 01:44 PM

Good evening. :)

Our hosted IT solution group

I take it this is a business machine?

So long, and thanks for all the fish.



#7 Brinleigh217

Brinleigh217
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 05 May 2011 - 03:28 PM

Yes, and I run IT in house... only because they made me assume the role because I'm the least incompetent (computer-wise) of all who work here. (And I'm the one who gets the rootkit! haha) So we pay an outside group to provide IT services as a "hosted solution" but they have done a less than stellar job on this issue. I can fire them if I want to, but I have not decided what course of action to take from here on out. Right now I'm just trying to get back to work on a virus-free machine. Is this a problem?

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:05 AM

Posted 05 May 2011 - 03:52 PM

My main concern with business machines is data security - both in keeping it out of the hands of those who shouldn't have access to it and also keeping it incorrupt - if that's a word.
With that in mind my first choice with all business machine infections is reformat and reinstall. It's not that all infections require such a drastic step, and most don't, but that the consequences of not doing it when it is required could be so great that you really don't want to take a chance that this is one such occasion when it is necessary.



#9 Brinleigh217

  • Topic Starter
  • Members
  • 12 posts

Posted 05 May 2011 - 03:58 PM

I ultimately agree on this point, to reinstall and reformat. However, when I inherited the title of IT person, the person before me did not bestow me with any ANY reboot/restore CDs. HP is sending them to me but they are not currently in stock and it could be 14-21 days before I get them. Aren't I lucky! haha. So that is why I am here; my thought process is that if I can make sure I'm virus free, or whatever, I can at least operate normally (or close to it) until I get the disks...whenever that might be. I'm just trying to get work done in the meantime. Any help is greatly appreciated :)

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 May 2011 - 04:32 PM

The tools used don't have a 100% success rate as the scanners cannot identify every malicious file and the log creators don't enumerate every place that malware may hide, so I can't guarantee a clean PC for you or anyone else - which is what you really need with a business machine.

The risks associated with business data being lost through theft, or corrupted by the action of malware, or of damage being caused to the Operating System during the removal process (which can kill an OS) have to be taken seriously, and that's why you need to back up and then nuke and pave.

Although these same risks can affect home users, the consequences are considerably less and so acceptable - to me at least.

I sympathise with your situation as having a boss that allows somebody to inherit a responsibility for IT without adequate tools to discharge that responsibility is insulting, but it doesn't change the fact that you have a business machine that needs to be clean and you can only guarantee that with a reinstall.

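The TDSSKiller-format log earlier in the thread lists each driver as timestamp, PID, service name, MD5 and path, and Noviciate's caveat above is that such a log can only vouch for what the tool enumerated. As an added example (not part of this thread and not TDSSKiller's own code), the Python below parses lines in that format and diffs them against a known-good baseline, reporting hash mismatches, drivers the baseline has never seen, and baseline drivers that the log does not list at all. The four WmiAcpi/WS2IFSL/WudfPf/WudfRd lines are quoted from the posted scan; the baseline hashes, the altered WudfRd hash, the `ExampleDrv` entry and the `Null` entry are constructed placeholders for illustration, not real reference values.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One TDSSKiller-style driver line, as seen in the scan output posted in the thread:
#   "<yyyy/mm/dd> <hh:mm:ss.ffff> <pid> <ServiceName> (<md5>) <path>"
# Separator lines ("=====") and status lines ("Scan finished") do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class DriverEntry:
    name: str
    md5: str
    path: str


def parse_log(text: str) -> list[DriverEntry]:
    """Extract (name, md5, path) for every driver line in a TDSSKiller-format log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
    return entries


def compare_to_baseline(entries: list[DriverEntry], baseline: dict[str, str]) -> dict:
    """Diff parsed log entries against {service name: expected md5}.

    Returns a report with four buckets:
      match            - name known and hash agrees with the baseline
      hash_mismatch    - name known but the on-disk file hashes differently
      not_in_baseline  - driver the baseline has never seen (needs a look)
      missing_from_log - baseline drivers the log never enumerated; the log
                         says nothing about these, good or bad
    """
    report = {"match": [], "hash_mismatch": [], "not_in_baseline": []}
    seen = set()
    for e in entries:
        seen.add(e.name)
        expected = baseline.get(e.name)
        if expected is None:
            report["not_in_baseline"].append(e)
        elif expected.lower() == e.md5:
            report["match"].append(e)
        else:
            report["hash_mismatch"].append(e)
    report["missing_from_log"] = sorted(set(baseline) - seen)
    return report


# Constructed sample: four lines quoted from the thread's scan, one WudfRd line with a
# deliberately altered hash, one hypothetical "ExampleDrv" driver, and the tool's trailer.
SAMPLE_LOG = r"""
2011/05/05 11:36:37.0613 3196 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/05 11:36:37.0660 3196 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/05 11:36:37.0723 3196 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/05 11:36:37.0738 3196 WudfRd (00000000000000000000000000000001) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/05 11:36:37.0800 3196 ExampleDrv (00000000000000000000000000000002) C:\WINDOWS\system32\DRIVERS\exampledrv.sys
2011/05/05 11:36:37.0941 3196 ================================================================================
2011/05/05 11:36:37.0941 3196 Scan finished
"""

# Constructed baseline: the first three hashes are copied from the posted log so they
# match; WudfRd and Null carry placeholder values, not real known-good hashes.
BASELINE = {
    "WmiAcpi": "c42584fd66ce9e17403aebca199f7bdb",
    "WS2IFSL": "6abe6e225adb5a751622a9cc3bc19ce8",
    "WudfPf": "f15feafffbb3644ccc80c5da584e6311",
    "WudfRd": "28b524262bce6de1f7ef9f510ba3985b",
    "Null": "00000000000000000000000000000000",
}


def sample_report() -> dict:
    return compare_to_baseline(parse_log(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    r = sample_report()
    for bucket in ("hash_mismatch", "not_in_baseline"):
        for e in r[bucket]:
            print(f"{bucket:16} {e.name:12} {e.md5}  {e.path}")
    for name in r["missing_from_log"]:
        print(f"{'missing_from_log':16} {name:12} (log has no entry for this driver)")
```

The `missing_from_log` bucket is the one that matters for Noviciate's point: an entry there is not evidence of compromise, but it is a driver about which this log gives no assurance either way, which is exactly the gap a reinstall closes and a scan log cannot.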