
Browser Redirection - Rootkit


  • This topic is locked
10 replies to this topic

#1 jasoncape

jasoncape

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 11 May 2011 - 02:12 PM

Please review logs to solve browser redirect, unseen scripts being run and producing errors. Browser redirects in Google and with Mozilla. I uninstalled Mozilla. Audio from unseen web sites that are like ghosts in the computer. And "Do you want to continue running this script" errors. Thanks in advance.

Jason

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 10:52:39.96 on Wed 05/11/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.359 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Bin\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Bin\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Bin\Smc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\search toolbar\tbhelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\symantec\symantec endpoint protection\12.1.601.4699.105\bin\ips\IPSBHO.DLL
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: : {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No File
BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\search toolbar\tbcore3.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\search toolbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: catalinacanyonresort.com\www
Trusted Zone: catalinatours.com\www
Trusted Zone: centralpayment.com\www
Trusted Zone: kayak.com\www
Trusted Zone: sophos.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304792473328
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.centralpayment.com/scripts/members/import/XUpload.ocx
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: igfxcui - igfxdev.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli AsWlnPkg
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-5-7 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c010259\125b.105\x86\SymDS.sys [2011-1-28 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c010259\125b.105\x86\SymEFA.sys [2011-4-19 756344]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\bashdefs\20110422.001\BHDrvx86.sys [2011-5-6 807544]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-4-7 31104]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-10 18816]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c010259\125b.105\x86\Ironx86.sys [2011-4-20 136312]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.601.4699.105\bin\ccSvcHst.exe [2011-4-20 137224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-6 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\ipsdefs\20110504.001\IDSXpx86.sys [2011-5-6 341944]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-2-15 36608]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\virusdefs\20110510.003\NAVENG.SYS [2011-5-10 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\virusdefs\20110510.003\NAVEX15.SYS [2011-5-10 1393144]
S2 gupdate1c99682b6925c8;Google Update Service (gupdate1c99682b6925c8);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\31.tmp --> c:\windows\system32\31.tmp [?]
S3 SyDvCtrl;SyDvCtrl;c:\program files\symantec\symantec endpoint protection\12.1.601.4699.105\bin\SyDvCtrl32.sys [2011-4-22 23984]
.
=============== Created Last 30 ================
.
2011-05-11 14:49:01 118784 ----a-w- c:\windows\system32\chg.exe
2011-05-10 15:48:49 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-05-10 13:24:55 -------- d-----w- c:\program files\Trend Micro
2011-05-10 13:07:14 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PCHealth
2011-05-09 18:00:52 6144 ------w- c:\windows\system32\9.tmp
2011-05-09 18:00:36 6144 ------w- c:\windows\system32\8.tmp
2011-05-09 13:05:49 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2011-05-09 12:41:35 -------- d-----w- c:\program files\Registry Clean Expert
2011-05-09 12:25:12 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-08 16:21:02 6144 ------w- c:\windows\system32\2.tmp
2011-05-08 16:20:48 6144 ------w- c:\windows\system32\1.tmp
2011-05-08 15:03:03 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-05-08 15:03:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-08 13:24:12 -------- d-----w- c:\program files\Sophos
2011-05-07 22:54:18 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-05-07 22:53:53 -------- d-----w- c:\program files\Panda Security
2011-05-07 18:25:22 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-06 19:25:52 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-06 19:25:51 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-06 19:25:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-05-06 16:53:31 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Symantec
2011-05-06 16:52:50 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-06 16:52:50 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-06 16:52:50 -------- d-----w- c:\program files\common files\Symantec Shared
2011-05-06 16:52:12 94128 ----a-w- c:\windows\system32\FwsVpn.dll
2011-05-06 16:52:12 92080 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2011-05-06 16:52:12 374192 ----a-w- c:\windows\system32\sysfer.dll
2011-05-06 16:52:12 32208 ----a-w- c:\windows\system32\drivers\WGX.SYS
2011-05-06 16:52:12 240048 ----a-w- c:\windows\system32\SymVPN.dll
2011-05-06 16:52:12 10672 ----a-w- c:\windows\system32\sysferThunk.dll
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\sep\0c010259\125B.105
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\sep\0C010259
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\SEP
2011-05-06 16:51:32 -------- d-----w- c:\program files\Symantec
2011-05-06 16:51:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2011-05-06 14:00:07 -------- d-----w- c:\windows\pss
2011-05-06 13:56:25 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-05-06 13:56:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-06 13:56:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-06 13:56:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-06 11:42:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-05-06 04:14:37 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-06 04:14:37 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-21 01:21:32 369784 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\symtdi.sys
2011-04-21 01:19:58 136312 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\Ironx86.sys
2011-04-19 21:53:24 756344 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\SymEFA.sys
2011-04-17 21:50:02 515704 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\srtsp.sys
2011-04-17 21:50:02 50168 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\srtspx.sys
.
==================== Find3M ====================
.
2011-03-27 21:12:06 72080 ----a-w- c:\documents and settings\administrator\g2mdlhlpx.exe
2011-03-18 18:32:10 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ---ha-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 16:03:01 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ---ha-w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 10:53:29.93 ===============

Attached Files





#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:29 PM

Posted 11 May 2011 - 03:41 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.
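The TDSSKiller report requested above lists every enumerated driver with its MD5 and path (one line per driver, as in the log posted later in this thread). The following is an added example, not part of the original thread and not Kaspersky's code: it parses lines in that format and compares each driver's hash against a baseline of expected hashes, which is the kind of check behind a "forged" verdict on a system driver such as volsnap.sys. The baseline values and the VolSnap/xyzdrv lines are constructed for the example; a real baseline would be taken from a known-clean machine at the same service-pack and hotfix level.

```python
"""Audit TDSSKiller driver-enumeration output against a hash baseline.

Added example for this thread; not TDSSKiller's own logic.
"""
import re
from typing import Dict, List, NamedTuple

# One log line per enumerated driver: "<date> <time> <pid> <service> (<md5>) <path>".
# Banner lines ("Initialize success", "Scan started", ...) lack the "(md5)" field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)


class DriverEntry(NamedTuple):
    timestamp: str
    pid: int
    name: str
    md5: str
    path: str


def parse_driver_lines(text: str) -> List[DriverEntry]:
    """Return the driver entries found in a TDSSKiller log; other lines are skipped."""
    entries: List[DriverEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(DriverEntry(m["ts"], int(m["pid"]), m["name"],
                                       m["md5"].lower(), m["path"]))
    return entries


def audit(entries: List[DriverEntry],
          baseline: Dict[str, str]) -> Dict[str, List[DriverEntry]]:
    """Bucket entries: ok (hash matches), forged (hash differs), unknown (not in baseline)."""
    result: Dict[str, List[DriverEntry]] = {"ok": [], "forged": [], "unknown": []}
    for e in entries:
        expected = baseline.get(e.name.lower())
        if expected is None:
            result["unknown"].append(e)
        elif expected.lower() != e.md5:
            result["forged"].append(e)
        else:
            result["ok"].append(e)
    return result


# Constructed sample log: the first three lines use the format (and hashes) seen in
# a typical TDSSKiller report; the VolSnap and xyzdrv lines and their hashes are
# invented so that the audit has something to flag.
SAMPLE_LOG = r"""
2011/05/11 18:54:42.0671 1936 Initialize success
2011/05/11 18:54:56.0265 3896 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/11 18:54:56.0671 3896 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/11 18:54:57.0609 3896 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/11 18:55:04.0000 3896 VolSnap (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\volsnap.sys
2011/05/11 18:55:05.0000 3896 xyzdrv (11111111111111111111111111111111) C:\WINDOWS\system32\drivers\xyzdrv.sys
"""

# Constructed baseline (service name -> expected MD5). NOT real Microsoft hashes.
BASELINE = {
    "acpi": "8fd99680a539792a30e97944fdaecf17",
    "atapi": "9f3a2f5aa6875c72bf062c712cfa2674",
    "disk": "044452051f3e02e7963599fc8f4f3e25",
    "volsnap": "ffffffffffffffffffffffffffffffff",  # constructed "known-good" value
}

if __name__ == "__main__":
    report = audit(parse_driver_lines(SAMPLE_LOG), BASELINE)
    for bucket in ("forged", "unknown"):
        for e in report[bucket]:
            print(f"{bucket.upper():8} {e.name:10} {e.md5} {e.path}")
    print(f"{len(report['ok'])} drivers matched the baseline")
```

Only the "forged" bucket is a strong signal; "unknown" merely means the baseline has no entry for that service and needs a human to decide whether it is legitimate third-party software (the Symantec and Panda drivers in the posted log would land there).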

 

 


#3 jasoncape

jasoncape
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 11 May 2011 - 05:20 PM

I have downloaded and tried to start TDSSKiller but it gives a brief glimpse of the hour glass and then nothing happens. I have tried renaming per other posts. What other suggestions do you have? Thanks!

#4 jasoncape

jasoncape
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 11 May 2011 - 07:01 PM

Hi - I renamed TDSSKiller.exe to Helpme.com on a flash drive and that loaded the program. It ran and found one file, C:\WINDOWS\System32\drivers\VolSnap.sys, that was cured after a reboot. In the log it says it was forged and suspicious.

The first few google searches worked just fine without a re-direct. I am going to turn on System Restore and Symantec Endpoint to get back to normal.

Very nice to know this service is available. Much appreciated.

Jason

2011/05/11 18:54:41.0734 1936 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/11 18:54:42.0203 1936 ================================================================================
2011/05/11 18:54:42.0203 1936 SystemInfo:
2011/05/11 18:54:42.0203 1936
2011/05/11 18:54:42.0203 1936 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/11 18:54:42.0203 1936 Product type: Workstation
2011/05/11 18:54:42.0203 1936 ComputerName: BBIFRONTDESK
2011/05/11 18:54:42.0203 1936 UserName: Administrator
2011/05/11 18:54:42.0203 1936 Windows directory: C:\WINDOWS
2011/05/11 18:54:42.0203 1936 System windows directory: C:\WINDOWS
2011/05/11 18:54:42.0203 1936 Processor architecture: Intel x86
2011/05/11 18:54:42.0203 1936 Number of processors: 2
2011/05/11 18:54:42.0203 1936 Page size: 0x1000
2011/05/11 18:54:42.0203 1936 Boot type: Normal boot
2011/05/11 18:54:42.0203 1936 ================================================================================
2011/05/11 18:54:42.0671 1936 Initialize success
2011/05/11 18:54:55.0828 3896 ================================================================================
2011/05/11 18:54:55.0828 3896 Scan started
2011/05/11 18:54:55.0828 3896 Mode: Manual;
2011/05/11 18:54:55.0828 3896 ================================================================================
2011/05/11 18:54:56.0218 3896 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/05/11 18:54:56.0265 3896 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/11 18:54:56.0296 3896 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/11 18:54:56.0312 3896 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/05/11 18:54:56.0328 3896 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
2011/05/11 18:54:56.0390 3896 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/11 18:54:56.0437 3896 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/11 18:54:56.0484 3896 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/05/11 18:54:56.0500 3896 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/05/11 18:54:56.0640 3896 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/11 18:54:56.0671 3896 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/11 18:54:56.0765 3896 ati2mtag (92e6e84d152d2acc44936c1c89ff26c4) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/11 18:54:56.0812 3896 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/11 18:54:56.0843 3896 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/11 18:54:56.0859 3896 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/11 18:54:57.0046 3896 BHDrvx86 (c73810d7f7f0e8b1feb2cb1267fa49c9) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Data\Definitions\BASHDefs\20110422.001\BHDrvx86.sys
2011/05/11 18:54:57.0203 3896 Camav (a839289518d08655e2162f3ecf3ee485) C:\WINDOWS\system32\Drivers\Camav.sys
2011/05/11 18:54:57.0250 3896 camflt (5320b8515bff632b85a97bd12da08825) C:\WINDOWS\system32\DRIVERS\camflt.sys
2011/05/11 18:54:57.0296 3896 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/11 18:54:57.0343 3896 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/11 18:54:57.0375 3896 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/11 18:54:57.0421 3896 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/11 18:54:57.0468 3896 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/11 18:54:57.0609 3896 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/11 18:54:57.0656 3896 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/11 18:54:57.0703 3896 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/11 18:54:57.0718 3896 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/11 18:54:57.0750 3896 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/11 18:54:57.0890 3896 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2011/05/11 18:54:57.0937 3896 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2011/05/11 18:54:57.0953 3896 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2011/05/11 18:54:57.0984 3896 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/05/11 18:54:58.0000 3896 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/11 18:54:58.0031 3896 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/11 18:54:58.0078 3896 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/05/11 18:54:58.0140 3896 eeCtrl (ba48a1508a1ccde14181a74ce983fcc8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/05/11 18:54:58.0187 3896 EraserUtilRebootDrv (7ce6e32555c5596f52de440e6d969b08) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/05/11 18:54:58.0250 3896 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/11 18:54:58.0343 3896 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/11 18:54:58.0375 3896 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/11 18:54:58.0421 3896 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/11 18:54:58.0468 3896 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/11 18:54:58.0515 3896 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/11 18:54:58.0546 3896 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/11 18:54:58.0609 3896 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/11 18:54:58.0671 3896 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/11 18:54:58.0703 3896 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/11 18:54:58.0734 3896 HECI (d0fc694df051bc65946db616f20d1168) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/05/11 18:54:58.0765 3896 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/11 18:54:58.0828 3896 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/11 18:54:58.0968 3896 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/11 18:54:59.0000 3896 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/05/11 18:54:59.0046 3896 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/05/11 18:54:59.0046 3896 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/05/11 18:54:59.0062 3896 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/05/11 18:54:59.0093 3896 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/05/11 18:54:59.0140 3896 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/05/11 18:54:59.0171 3896 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2011/05/11 18:54:59.0203 3896 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2011/05/11 18:54:59.0218 3896 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2011/05/11 18:54:59.0234 3896 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/05/11 18:54:59.0281 3896 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/05/11 18:54:59.0312 3896 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/05/11 18:54:59.0343 3896 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/05/11 18:54:59.0375 3896 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2011/05/11 18:54:59.0453 3896 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2011/05/11 18:54:59.0656 3896 ialm (2da364ee62d4949620b6fae4ffea16a7) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/11 18:54:59.0875 3896 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/05/11 18:55:00.0109 3896 IDSxpx86 (0430740d5b09e64f0ae075bf2a45c2e9) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Data\Definitions\IPSDefs\20110504.001\IDSxpx86.sys
2011/05/11 18:55:00.0156 3896 IFXTPM (f67554da27d5b55efcb6c7cb4818fbfd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2011/05/11 18:55:00.0218 3896 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/11 18:55:00.0484 3896 IntcAzAudAddService (418fe3a08346ccca61bc9a04457f46cf) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/05/11 18:55:00.0562 3896 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/11 18:55:00.0593 3896 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/11 18:55:00.0640 3896 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/11 18:55:00.0671 3896 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/11 18:55:00.0687 3896 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/11 18:55:00.0718 3896 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/11 18:55:00.0750 3896 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/11 18:55:00.0796 3896 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/11 18:55:00.0812 3896 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/11 18:55:00.0906 3896 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/11 18:55:00.0937 3896 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/11 18:55:01.0046 3896 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/11 18:55:01.0078 3896 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/11 18:55:06.0062 3896 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/11 18:55:06.0062 3896 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/11 18:55:06.0093 3896 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/11 18:55:06.0125 3896 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/11 18:55:06.0187 3896 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/11 18:55:06.0250 3896 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/05/11 18:55:06.0328 3896 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/11 18:55:06.0421 3896 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/11 18:55:06.0453 3896 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/11 18:55:06.0765 3896 ================================================================================
2011/05/11 18:55:06.0765 3896 Scan finished
2011/05/11 18:55:06.0765 3896 ================================================================================
2011/05/11 18:55:06.0781 0936 Detected object count: 1
2011/05/11 18:57:10.0390 0936 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/11 18:57:10.0390 0936 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/11 18:57:12.0406 0936 Backup copy found, using it..
2011/05/11 18:57:12.0515 0936 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/05/11 18:57:12.0515 0936 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/05/11 18:58:28.0640 3988 Deinitialize success
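As an added example (not part of the thread and not TDSSKiller's own code), a small Python triage parser for a TDSSKiller log like the one above: it ties each "Suspicious file (Forged)" line back to its driver entry, records the detection name and the chosen action, and says whether a reboot is still pending. The sample log is constructed from the VolSnap lines above; the regexes only cover the message shapes that appear there.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the posted TDSSKiller output: the VolSnap
# finding, one clean neighbour, and the second pass that applied the cure.
SAMPLE_LOG = r"""
2011/05/11 18:55:06.0046 3896 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/11 18:55:06.0062 3896 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/11 18:55:06.0062 3896 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/11 18:55:06.0093 3896 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/11 18:55:06.0765 3896 Scan finished
2011/05/11 18:55:06.0781 0936 Detected object count: 1
2011/05/11 18:57:10.0390 0936 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/11 18:57:10.0390 0936 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/11 18:57:12.0406 0936 Backup copy found, using it..
2011/05/11 18:57:12.0515 0936 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/05/11 18:57:12.0515 0936 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
"""

# Every line is "<timestamp> <thread id> <message>"; the message is matched below.
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<service>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
                       r"Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED_RE = re.compile(r"^(?P<service>\S+) - detected (?P<name>\S+) \(\d+\)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
CURE_RE = re.compile(r"^(?P<path>.+) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(?P<name>[^()\s]+)\((?P<service>[^()]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    service: str
    path: str
    real_md5: str
    fake_md5: str
    detection: Optional[str] = None
    action: Optional[str] = None
    cured_after_reboot: bool = False


@dataclass
class Report:
    findings: Dict[str, Finding] = field(default_factory=dict)
    detected_count: Optional[int] = None
    drivers_seen: int = 0


def parse_tdsskiller(text: str) -> Report:
    """Single pass over the log, linking forged/detected/cure/action lines to drivers."""
    report = Report()
    service_by_path: Dict[str, str] = {}
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # separators, blank lines, anything without the prefix
        msg = line.group("msg")
        if (m := DRIVER_RE.match(msg)):
            service_by_path[m.group("path").lower()] = m.group("service")
            report.drivers_seen += 1
        elif (m := FORGED_RE.match(msg)):
            # Two different hashes for one file is the signal: what the scanner
            # read on its own disagrees with what the system presents for the file.
            path = m.group("path")
            service = service_by_path.get(path.lower(), path)
            report.findings.setdefault(service, Finding(service, path, m.group("real"), m.group("fake")))
        elif (m := DETECTED_RE.match(msg)):
            if (f := report.findings.get(m.group("service"))):
                f.detection = m.group("name")
        elif (m := COUNT_RE.match(msg)):
            report.detected_count = int(m.group("n"))
        elif (m := CURE_RE.match(msg)):
            for f in report.findings.values():
                if f.path.lower() == m.group("path").lower():
                    f.cured_after_reboot = True
        elif (m := ACTION_RE.match(msg)):
            if (f := report.findings.get(m.group("service"))):
                f.action = m.group("action")
    return report


def reboot_pending(report: Report) -> bool:
    """True while any cured file still needs the reboot TDSSKiller asked for."""
    return any(f.cured_after_reboot for f in report.findings.values())


def summarize(report: Report) -> List[str]:
    """One triage line per finding, plus a warning if the scanner's count disagrees."""
    lines = []
    for f in report.findings.values():
        status = f"action={f.action or 'none'}" + (", reboot pending" if f.cured_after_reboot else "")
        lines.append(f"{f.service}: {f.detection or 'unnamed'} at {f.path} "
                     f"(real {f.real_md5[:8]}..., fake {f.fake_md5[:8]}...) {status}")
    if report.detected_count is not None and report.detected_count != len(report.findings):
        lines.append(f"warning: scanner counted {report.detected_count}, parsed {len(report.findings)}")
    return lines


if __name__ == "__main__":
    for entry in summarize(parse_tdsskiller(SAMPLE_LOG)):
        print(entry)
```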

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:29 PM

Posted 12 May 2011 - 02:15 PM

Good evening. :)

Nice job! :thumbup2: The usual final step is a scan to check for stragglers:

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving?

So long, and thanks for all the fish.


#6 jasoncape

jasoncape
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:29 PM

Posted 12 May 2011 - 11:02 PM

Here is the DDS Log. And I have loaded the attach.txt.

The ESET scan found two files that looked suspicious. It did not clear them and I did not write down the location. I thought I was getting a log on that as well but did not see where it might have been saved. I will retrace those steps and see about removing those files. The computer is running normally at this time.

Thanks again.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 23:48:46.31 on Thu 05/12/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.407 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Bin\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Bin\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.601.4699.105\Bin\Smc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
F:\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\search toolbar\tbhelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\symantec\symantec endpoint protection\12.1.601.4699.105\bin\ips\IPSBHO.DLL
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: : {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No File
BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\search toolbar\tbcore3.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\search toolbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: catalinacanyonresort.com\www
Trusted Zone: catalinatours.com\www
Trusted Zone: centralpayment.com\www
Trusted Zone: kayak.com\www
Trusted Zone: sophos.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304792473328
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.centralpayment.com/scripts/members/import/XUpload.ocx
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: igfxcui - igfxdev.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli AsWlnPkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\e1hmqc6a.default\
FF - plugin: c:\documents and settings\administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-5-7 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c010259\125b.105\x86\SymDS.sys [2011-1-28 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c010259\125b.105\x86\SymEFA.sys [2011-4-19 756344]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\bashdefs\20110422.001\BHDrvx86.sys [2011-5-6 807544]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-4-7 31104]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-10 18816]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c010259\125b.105\x86\Ironx86.sys [2011-4-20 136312]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.601.4699.105\bin\ccSvcHst.exe [2011-4-20 137224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-6 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\ipsdefs\20110504.001\IDSXpx86.sys [2011-5-6 341944]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-2-15 36608]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\virusdefs\20110512.002\NAVENG.SYS [2011-5-12 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.601.4699.105\data\definitions\virusdefs\20110512.002\NAVEX15.SYS [2011-5-12 1393144]
S2 gupdate1c99682b6925c8;Google Update Service (gupdate1c99682b6925c8);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\31.tmp --> c:\windows\system32\31.tmp [?]
S3 SyDvCtrl;SyDvCtrl;c:\program files\symantec\symantec endpoint protection\12.1.601.4699.105\bin\SyDvCtrl32.sys [2011-4-22 23984]
.
=============== Created Last 30 ================
.
2011-05-12 19:38:07 -------- d-----w- c:\program files\ESET
2011-05-11 21:37:46 -------- d-----w- C:\tdsskiller
2011-05-10 15:48:49 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-05-10 13:24:55 -------- d-----w- c:\program files\Trend Micro
2011-05-10 13:07:14 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PCHealth
2011-05-09 18:00:52 6144 ------w- c:\windows\system32\9.tmp
2011-05-09 18:00:36 6144 ------w- c:\windows\system32\8.tmp
2011-05-09 13:05:49 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2011-05-09 12:41:35 -------- d-----w- c:\program files\Registry Clean Expert
2011-05-09 12:25:12 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-08 16:21:02 6144 ------w- c:\windows\system32\2.tmp
2011-05-08 16:20:48 6144 ------w- c:\windows\system32\1.tmp
2011-05-08 15:03:03 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-05-08 15:03:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-08 13:24:12 -------- d-----w- c:\program files\Sophos
2011-05-07 22:54:18 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-05-07 22:53:53 -------- d-----w- c:\program files\Panda Security
2011-05-07 18:25:22 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-06 19:25:52 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-06 19:25:51 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-06 19:25:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-05-06 16:53:31 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Symantec
2011-05-06 16:52:50 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-06 16:52:50 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-06 16:52:50 -------- d-----w- c:\program files\common files\Symantec Shared
2011-05-06 16:52:12 94128 ----a-w- c:\windows\system32\FwsVpn.dll
2011-05-06 16:52:12 92080 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2011-05-06 16:52:12 374192 ----a-w- c:\windows\system32\sysfer.dll
2011-05-06 16:52:12 32208 ----a-w- c:\windows\system32\drivers\WGX.SYS
2011-05-06 16:52:12 240048 ----a-w- c:\windows\system32\SymVPN.dll
2011-05-06 16:52:12 10672 ----a-w- c:\windows\system32\sysferThunk.dll
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\sep\0c010259\125B.105
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\sep\0C010259
2011-05-06 16:51:33 -------- d-----w- c:\windows\system32\drivers\SEP
2011-05-06 16:51:32 -------- d-----w- c:\program files\Symantec
2011-05-06 16:51:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2011-05-06 14:00:07 -------- d-----w- c:\windows\pss
2011-05-06 13:56:25 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-05-06 13:56:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-06 13:56:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-06 13:56:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-06 11:42:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-05-06 04:14:37 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-06 04:14:37 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-21 01:21:32 369784 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\symtdi.sys
2011-04-21 01:19:58 136312 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\Ironx86.sys
2011-04-19 21:53:24 756344 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\SymEFA.sys
2011-04-17 21:50:02 515704 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\srtsp.sys
2011-04-17 21:50:02 50168 ----a-w- c:\windows\system32\drivers\sep\0c010259\125b.105\x86\srtspx.sys
.
==================== Find3M ====================
.
2011-03-27 21:12:06 72080 ----a-w- c:\documents and settings\administrator\g2mdlhlpx.exe
2011-03-18 18:32:10 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ---ha-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 16:03:01 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ---ha-w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 23:49:52.07 ===============


#7 jasoncape

jasoncape
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:29 PM

Posted 12 May 2011 - 11:06 PM

Here are the two files found by ESET. I remembered doing the export. Should I just find these files and delete?

C:\Documents and Settings\Administrator\Desktop\Downloads\fp2006-final-3.00-setup.zip JS/BadJoke.KillFiles.A application
C:\Program Files\Evrsoft First Page 2006\Iscripts\Games\games-scripts.izs JS/BadJoke.KillFiles.A application

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:29 PM

Posted 13 May 2011 - 01:29 PM

Good evening. :)

Should I just find these files and delete?

I don't recognize the files, so I'll bow to your greater knowledge as you will know what they are and where you got them from, or not. If you can vouch for their legitimacy, then they stay... otherwise, bye-bye.

The following look odd, so they can go too:

c:\windows\system32\9.tmp
c:\windows\system32\8.tmp
c:\windows\system32\2.tmp
c:\windows\system32\1.tmp


Any similarly named files in the system32 folder can go too.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another) :

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.
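As an added example (not code from the thread or from the helper), here is a small Python parser for the DDS "files created/modified" line format seen in the posted logs, which flags the numeric .tmp names sitting directly in system32 that the reply above calls out. The sample log lines are constructed; the .tmp paths are the ones named in the reply, but their dates and sizes are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS listing format: date time size attrs path.
# The numeric .tmp paths are those flagged in the thread; their timestamps
# and sizes here are invented for the example.
SAMPLE_LOG = """\
2011-02-17 11:44:16 389120 ---ha-w- c:\\windows\\system32\\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\\windows\\system32\\atmfd.dll
2011-05-10 03:12:01 51200 ----a-w- c:\\windows\\system32\\9.tmp
2011-05-10 03:12:05 51200 ----a-w- c:\\windows\\system32\\8.tmp
2011-05-09 22:40:11 12288 ----a-w- c:\\windows\\system32\\2.tmp
2011-05-09 22:40:12 12288 ----a-w- c:\\windows\\system32\\1.tmp
2011-05-01 10:00:00 4096 ----a-w- c:\\documents and settings\\administrator\\local settings\\temp\\3.tmp
"""

# One DDS listing line: ISO date, time, byte size, 8-char attribute string, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-\w]{8}) (?P<path>.+)$"
)

# Purely numeric .tmp names directly under system32, as called out in the reply.
# Temp files in a user's Temp folder are normal and are deliberately not matched.
ODD_TMP_RE = re.compile(r"^c:\\windows\\system32\\\d+\.tmp$", re.IGNORECASE)


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str


def parse_dds(text):
    """Parse DDS file-listing lines into Entry objects; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], m["time"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def odd_system32_tmp(entries):
    """Return the paths of numeric .tmp files sitting directly in system32, in log order."""
    return [e.path for e in entries if ODD_TMP_RE.match(e.path)]
```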


#9 jasoncape

jasoncape
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:29 PM

Posted 13 May 2011 - 02:34 PM

Many thanks!

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:29 PM

Posted 13 May 2011 - 03:45 PM

Always a pleasure.

So long, and thanks for all the fish.


#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:29 PM

Posted 15 May 2011 - 01:34 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
