
virus infected machine


This topic is locked
28 replies to this topic

#1 UdayanSanyal

UdayanSanyal

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 03 July 2011 - 02:27 PM

This is my first post so please pardon me for my mistakes. A few days ago (about 10) I saw many programs starting to open even though I didn't click them. Then I did power off and later started the machine and used my Symantec Endpoint antivirus. It couldn't scan beyond a file. I saw the same result many times. So I started scanning drives individually. The scanner couldn't scan C and E drives while D and F were scanned. I deleted the files on which my scan used to stop in C and E drives. Besides, even my antivirus wouldn't update properly. Now the scanner could complete the scan. However, I had to frequently recover webpages (especially Yahoo and Facebook) as they would hang. But a few days later again different programs started popping up again and this time the scan too got completed without showing any viruses in its result. Though it showed presence of Trojan ADH (most probably) in its quarantine. As a result I used ComboFix. Every time it would delete some files. Soon I started deleting Temp files of C drive manually. Still I was not sure so I did the following things:
1) Downloaded Comodo firewall and system cleaner.
2) Saw steps from your website to remove virus manually at http://www.bleepingcomputer.com/tutorials/how-to-remove-a-trojan-virus-worm-or-malware/
After that I scanned with ComboFix and again it deleted a file: c:\windows\cscmondump.bin
I have also attached the ComboFix log,
so please help me out soon and contact me for all the info you require.
Your help, effort and time will be appreciated. Thank you in advance.

Attached Files


Edited by hamluis, 03 July 2011 - 04:01 PM.
Moved from Win 7 to Malware Removal Logs.



#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:41 PM

Posted 11 July 2011 - 07:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

DR

#3 UdayanSanyal

UdayanSanyal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 12 July 2011 - 04:24 PM

I haven't solved the problem yet and I am counting on you people.
Here is the info you requested:
1) Operating system: Microsoft Windows 7 Ultimate
Version: 6.1.7601 Service Pack 1 Build 7601
2) Suspicious behaviour: In Safe Mode Symantec Antivirus isn't working and shows a warning, while in normal mode its screen shows everything is OK but Windows Installer tries to update Symantec and can't finish it. I have attached 2 screenshots of what Symantec shows in Safe Mode; on clicking OK in the first one the second screen appears.
Besides, one of the temp files isn't deleting, which shows a message, and I have attached a screenshot for that too.
Besides, some suspicious file names:
Found in autoruns
catchme File not found: C:\Users\SKS\AppData\Local\Temp\catchme.sys
Synth3dVsc File not found: System32\drivers\synth3dvsc.sys
tsusbhub @%SystemRoot%\system32\drivers\tsusbhub.sys,-2 File not found: system32\drivers\tsusbhub.sys
VGPU File not found: System32\drivers\rdvgkmd.sys

suspicious processes

CLPS.exe
csrss.exe

Please help me out and tell me whether I will have to format my PC or not.
Sorry that I cannot attach the GMER log as it is 629 kb, so please tell me a way out.
3) DDS log:
.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by SKS at 23:20:02 on 2011-07-12
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.991.413 [GMT 5.5:30]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.in/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: @c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 59.179.243.70 203.94.243.70
TCP: Interfaces\{C23B02D1-88C2-4D2A-96A0-0FD16A4A79C6} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{C23B02D1-88C2-4D2A-96A0-0FD16A4A79C6} : DhcpNameServer = 59.179.243.70 203.94.243.70
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-5-2 37592]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-26 154424]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-12-29 2477304]
S1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2010-12-9 64608]
S1 CFRPD;CFRPD;c:\windows\system32\drivers\CFRPD.sys [2010-12-9 33744]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-5-2 238960]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S2 Cleaner_Validator;COMODO System - Cleaner Service;c:\program files\comodo\comodo system-cleaner\Cleaner_Validator.exe [2010-12-9 305600]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-10 136176]
S2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-3 105592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-10 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-16 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-16 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-15 1343400]
.
=============== Created Last 30 ================
.
2011-07-04 07:20:29 -------- d-----w- c:\users\sks\appdata\local\Safe mirror
2011-07-04 04:40:14 16462 ----a-w- c:\windows\cscmondump.bin
2011-07-03 18:58:11 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-03 18:58:07 -------- d-----w- c:\users\sks\appdata\local\temp
2011-07-03 18:06:15 -------- d-----w- c:\users\sks\appdata\local\VirtualStore
2011-07-03 17:52:58 564632 ----a-w- c:\programdata\microsoft\identitycrl\production\wlidui.dll
2011-07-03 17:52:40 18328 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
2011-07-03 10:48:51 -------- d-----w- C:\Autoruns
2011-07-03 06:39:41 -------- d-----w- c:\programdata\Comodo
2011-07-02 19:52:34 -------- d-----w- c:\users\sks\appdata\roaming\uTorrent
2011-07-02 19:08:45 -------- d-----w- c:\program files\COMODO
2011-07-02 19:08:41 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-07-01 12:23:16 98816 ----a-w- c:\windows\sed.exe
2011-07-01 12:23:16 518144 ----a-w- c:\windows\SWREG.exe
2011-07-01 12:23:16 256000 ----a-w- c:\windows\PEV.exe
2011-07-01 12:23:16 208896 ----a-w- c:\windows\MBR.exe
2011-06-25 19:15:30 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f346260b-93b0-48dc-be4e-0c09b6bbd0d0}\mpengine.dll
2011-06-21 18:17:16 -------- d-----w- c:\users\sks\appdata\local\Sony
2011-06-21 18:16:51 -------- d-----w- c:\users\sks\Podcasts
2011-06-21 18:16:19 -------- d-----w- c:\program files\common files\Sony Shared
2011-06-21 18:15:13 -------- d-----w- c:\programdata\Sony Corporation
2011-06-21 18:15:13 -------- d-----w- c:\program files\Sony
2011-06-19 15:29:47 -------- d-----w- c:\program files\Sony Media Go Install
2011-06-19 08:28:44 -------- d-----r- c:\program files\Skype
2011-06-16 18:51:16 8192 ----a-w- c:\windows\system32\srvany.exe
2011-06-16 11:44:22 -------- d-----w- c:\windows\system32\SPReview
2011-06-16 11:43:10 -------- d-----w- c:\windows\system32\EventProviders
2011-06-16 11:40:18 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-06-16 11:39:19 -------- d-----w- c:\program files\NVIDIA Corporation
2011-06-16 11:30:05 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-06-16 11:28:59 863744 ----a-w- c:\windows\system32\diagperf.dll
2011-06-16 11:27:59 2576384 ----a-w- c:\windows\system32\gameux.dll
2011-06-16 11:26:59 1456128 ----a-w- c:\program files\windows photo viewer\PhotoViewer.dll
2011-06-16 11:25:59 600576 ----a-w- c:\windows\system32\TabletPC.cpl
2011-06-16 11:24:59 69632 ----a-w- c:\windows\system32\tlscsp.dll
2011-06-16 11:23:18 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2011-06-16 11:23:18 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2011-06-15 18:11:37 -------- d-----w- c:\windows\system32\Wat
2011-06-15 17:57:26 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-06-15 17:57:26 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-06-15 17:57:26 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-06-15 17:56:59 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-06-15 17:56:59 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-15 17:56:24 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-06-15 17:55:55 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-06-15 17:55:53 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-06-15 17:55:52 2616320 ----a-w- c:\windows\explorer.exe
2011-06-15 17:55:28 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-06-15 17:55:26 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-06-15 17:55:26 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-06-15 17:55:26 107520 ----a-w- c:\windows\system32\cdd.dll
2011-06-15 17:55:04 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-06-15 17:02:49 -------- d-----w- c:\program files\MSXML 4.0
2011-06-15 16:53:12 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-15 16:53:11 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-15 16:52:07 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-06-15 16:50:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-06-15 16:50:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-06-15 16:48:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 16:47:11 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 16:47:10 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 16:47:10 187776 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2011-06-15 16:43:31 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-06-15 16:43:31 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-06-15 16:43:07 70656 ----a-w- c:\windows\system32\fontsub.dll
2011-06-15 16:43:07 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-06-15 16:43:07 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-06-15 16:41:27 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-06-15 16:41:26 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 16:40:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 16:40:45 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 16:40:45 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 16:40:10 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 16:40:10 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 16:40:10 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 16:39:36 542208 ----a-w- c:\windows\system32\kerberos.dll
2011-06-15 11:32:04 -------- d-----w- c:\windows\hi-IN
2011-06-15 11:32:03 -------- d-----w- c:\windows\system32\wbem\hi-IN
2011-06-15 11:32:03 -------- d-----w- c:\windows\system32\hi-IN
2011-06-15 11:23:30 -------- d-----w- c:\windows\bn-IN
2011-06-15 11:23:27 -------- d-----w- c:\windows\system32\wbem\bn-IN
2011-06-15 11:23:27 -------- d-----w- c:\windows\system32\bn-IN
.
==================== Find3M ====================
.
2011-06-24 06:57:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 11:52:17 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-24 13:44:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-02 15:06:44 37592 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-02 15:06:42 238960 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-02 15:06:42 19088 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-05-02 15:06:04 284744 ----a-w- c:\windows\system32\guard32.dll
.
============= FINISH: 23:20:22.78 ===============
Thank you for your effort, time and help.

Attached Files


Edited by UdayanSanyal, 12 July 2011 - 04:30 PM.


#4 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:41 PM

Posted 13 July 2011 - 09:15 AM

Before proceeding, have you tried this suggestion?

http://www.symantec.com/business/support/index?page=content&id=TECH103080&locale=en_US

DR

#5 UdayanSanyal

UdayanSanyal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 13 July 2011 - 11:10 AM

Well, though I didn't know about it, I had the result as described in
http://www.symantec.com/business/support/index?page=content&id=TECH103080&locale=en_US
on pressing No.
Besides, in normal mode I always see that Windows Installer tries to install something about Symantec but it can't be installed, and in the antivirus when I press LiveUpdate a message comes that it cannot be updated. So there is some problem.
Please tell me the future course of action and how I can send you the GMER log.
Your effort, time and help will be appreciated.
Thank you in advance.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:41 PM

Posted 14 July 2011 - 05:56 PM

Hello UdayanSanyal,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.6.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.5.6.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


3.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Things to include in your next reply:
TDSSKILLER log
Combofix.txt
aswMBR log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 UdayanSanyal

UdayanSanyal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 15 July 2011 - 03:34 PM

here is the info you requested
1)TDSSkiller log-(though it detected nothing)
2011/07/16 00:35:14.0175 3756 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/16 00:35:14.0799 3756 ================================================================================
2011/07/16 00:35:14.0799 3756 SystemInfo:
2011/07/16 00:35:14.0799 3756
2011/07/16 00:35:14.0799 3756 OS Version: 6.1.7601 ServicePack: 1.0
2011/07/16 00:35:14.0799 3756 Product type: Workstation
2011/07/16 00:35:14.0799 3756 ComputerName: SKS-PC
2011/07/16 00:35:14.0799 3756 UserName: SKS
2011/07/16 00:35:14.0799 3756 Windows directory: C:\Windows
2011/07/16 00:35:14.0799 3756 System windows directory: C:\Windows
2011/07/16 00:35:14.0799 3756 Processor architecture: Intel x86
2011/07/16 00:35:14.0799 3756 Number of processors: 2
2011/07/16 00:35:14.0799 3756 Page size: 0x1000
2011/07/16 00:35:14.0799 3756 Boot type: Safe boot with network
2011/07/16 00:35:14.0799 3756 ================================================================================
2011/07/16 00:35:15.0704 3756 Initialize success
2011/07/16 00:35:28.0636 0416 ================================================================================
2011/07/16 00:35:28.0636 0416 Scan started
2011/07/16 00:35:28.0636 0416 Mode: Manual;
2011/07/16 00:35:28.0636 0416 ================================================================================
2011/07/16 00:35:29.0182 0416 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
2011/07/16 00:35:29.0245 0416 54796381 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\Windows\system32\DRIVERS\54796381.sys
2011/07/16 00:35:29.0276 0416 54796382 (a305fad3719c5db0c13d1c2bfd08a04d) C:\Windows\system32\DRIVERS\54796382.sys
2011/07/16 00:35:29.0338 0416 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
2011/07/16 00:35:29.0401 0416 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
2011/07/16 00:35:29.0494 0416 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/07/16 00:35:29.0557 0416 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2011/07/16 00:35:29.0588 0416 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2011/07/16 00:35:29.0697 0416 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
2011/07/16 00:35:29.0744 0416 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
2011/07/16 00:35:29.0806 0416 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2011/07/16 00:35:29.0869 0416 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
2011/07/16 00:35:29.0900 0416 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
2011/07/16 00:35:29.0931 0416 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
2011/07/16 00:35:29.0994 0416 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2011/07/16 00:35:30.0025 0416 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2011/07/16 00:35:30.0072 0416 amdsata (e7f4d42d8076ec60e21715cd11743a0d) C:\Windows\system32\drivers\amdsata.sys
2011/07/16 00:35:30.0118 0416 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/07/16 00:35:30.0165 0416 amdxata (146459d2b08bfdcbfa856d9947043c81) C:\Windows\system32\drivers\amdxata.sys
2011/07/16 00:35:30.0212 0416 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
2011/07/16 00:35:30.0321 0416 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2011/07/16 00:35:30.0337 0416 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2011/07/16 00:35:30.0399 0416 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/07/16 00:35:30.0446 0416 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
2011/07/16 00:35:30.0586 0416 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2011/07/16 00:35:30.0649 0416 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/07/16 00:35:30.0711 0416 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/07/16 00:35:30.0758 0416 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/07/16 00:35:30.0820 0416 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
2011/07/16 00:35:30.0867 0416 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/07/16 00:35:30.0898 0416 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/07/16 00:35:30.0945 0416 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/07/16 00:35:30.0992 0416 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/07/16 00:35:31.0023 0416 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/07/16 00:35:31.0054 0416 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/07/16 00:35:31.0086 0416 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/07/16 00:35:31.0320 0416 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/07/16 00:35:31.0382 0416 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
2011/07/16 00:35:31.0444 0416 CFRMD (51a59d8608bcfa84d71dd9977439f074) C:\Windows\system32\DRIVERS\CFRMD.sys
2011/07/16 00:35:31.0491 0416 CFRPD (12ff8d1f133c4d60c5dc782cac7e1362) C:\Windows\system32\DRIVERS\CFRPD.sys
2011/07/16 00:35:31.0522 0416 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2011/07/16 00:35:31.0600 0416 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/07/16 00:35:31.0725 0416 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/07/16 00:35:31.0772 0416 cmdGuard (1d97ec9a58be303f263cf19dd63209bd) C:\Windows\system32\DRIVERS\cmdguard.sys
2011/07/16 00:35:31.0819 0416 cmdHlp (cfe944c2a85d1d3e341158ed537663b4) C:\Windows\system32\DRIVERS\cmdhlp.sys
2011/07/16 00:35:31.0866 0416 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
2011/07/16 00:35:31.0928 0416 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/07/16 00:35:31.0975 0416 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/07/16 00:35:32.0053 0416 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
2011/07/16 00:35:32.0146 0416 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/07/16 00:35:32.0271 0416 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
2011/07/16 00:35:32.0412 0416 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
2011/07/16 00:35:32.0474 0416 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/07/16 00:35:32.0536 0416 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/07/16 00:35:32.0646 0416 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/07/16 00:35:32.0724 0416 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/07/16 00:35:32.0864 0416 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/07/16 00:35:32.0973 0416 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/07/16 00:35:33.0098 0416 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/07/16 00:35:33.0192 0416 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/07/16 00:35:33.0285 0416 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
2011/07/16 00:35:33.0379 0416 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/07/16 00:35:33.0457 0416 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/07/16 00:35:33.0488 0416 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/07/16 00:35:33.0550 0416 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/07/16 00:35:33.0582 0416 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/07/16 00:35:33.0644 0416 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/07/16 00:35:33.0691 0416 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/07/16 00:35:33.0738 0416 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/07/16 00:35:33.0800 0416 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/07/16 00:35:33.0862 0416 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
2011/07/16 00:35:33.0909 0416 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/07/16 00:35:34.0003 0416 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/07/16 00:35:34.0065 0416 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
2011/07/16 00:35:34.0096 0416 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
2011/07/16 00:35:34.0143 0416 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/07/16 00:35:34.0174 0416 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/07/16 00:35:34.0206 0416 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/07/16 00:35:34.0315 0416 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\drivers\hidusb.sys
2011/07/16 00:35:34.0471 0416 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
2011/07/16 00:35:34.0564 0416 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
2011/07/16 00:35:34.0611 0416 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
2011/07/16 00:35:34.0674 0416 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
2011/07/16 00:35:34.0752 0416 iaStorV (a3cae5d281db4cff7cff8233507ee5ad) C:\Windows\system32\drivers\iaStorV.sys
2011/07/16 00:35:34.0798 0416 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/07/16 00:35:34.0923 0416 inspect (ad599bcb7ca45b469e1b1f2a2faaf285) C:\Windows\system32\DRIVERS\inspect.sys
2011/07/16 00:35:34.0986 0416 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
2011/07/16 00:35:35.0048 0416 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/07/16 00:35:35.0079 0416 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/07/16 00:35:35.0188 0416 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
2011/07/16 00:35:35.0235 0416 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/07/16 00:35:35.0282 0416 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/07/16 00:35:35.0329 0416 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
2011/07/16 00:35:35.0360 0416 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
2011/07/16 00:35:35.0422 0416 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
2011/07/16 00:35:35.0469 0416 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
2011/07/16 00:35:35.0532 0416 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
2011/07/16 00:35:35.0594 0416 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
2011/07/16 00:35:35.0734 0416 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/07/16 00:35:35.0797 0416 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/07/16 00:35:35.0828 0416 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/07/16 00:35:35.0875 0416 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/07/16 00:35:35.0890 0416 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/07/16 00:35:35.0953 0416 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/07/16 00:35:36.0015 0416 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/07/16 00:35:36.0062 0416 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/07/16 00:35:36.0109 0416 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/07/16 00:35:36.0156 0416 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/07/16 00:35:36.0202 0416 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
2011/07/16 00:35:36.0265 0416 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/07/16 00:35:36.0327 0416 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
2011/07/16 00:35:36.0374 0416 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
2011/07/16 00:35:36.0421 0416 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/07/16 00:35:36.0483 0416 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
2011/07/16 00:35:36.0546 0416 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/07/16 00:35:36.0577 0416 mrxsmb10 (a70c828a93cce4c11617f6249f4d87fc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/07/16 00:35:36.0608 0416 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/07/16 00:35:36.0655 0416 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
2011/07/16 00:35:36.0702 0416 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
2011/07/16 00:35:36.0748 0416 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/07/16 00:35:36.0795 0416 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/07/16 00:35:36.0842 0416 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
2011/07/16 00:35:36.0920 0416 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/07/16 00:35:36.0951 0416 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/07/16 00:35:36.0982 0416 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/07/16 00:35:37.0014 0416 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/07/16 00:35:37.0076 0416 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
2011/07/16 00:35:37.0123 0416 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/07/16 00:35:37.0170 0416 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/07/16 00:35:37.0232 0416 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\Windows\system32\DRIVERS\ASACPI.sys
2011/07/16 00:35:37.0294 0416 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2011/07/16 00:35:37.0341 0416 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2011/07/16 00:35:37.0482 0416 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110702.002\NAVENG.SYS
2011/07/16 00:35:37.0544 0416 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110702.002\NAVEX15.SYS
2011/07/16 00:35:37.0638 0416 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
2011/07/16 00:35:37.0716 0416 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/07/16 00:35:37.0762 0416 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/07/16 00:35:37.0809 0416 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/07/16 00:35:37.0856 0416 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/07/16 00:35:37.0918 0416 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
2011/07/16 00:35:37.0965 0416 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2011/07/16 00:35:38.0012 0416 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
2011/07/16 00:35:38.0152 0416 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/07/16 00:35:38.0199 0416 nmwcd (712bc0c22ba00b2ba324c6b8df668ee7) C:\Windows\system32\drivers\ccdcmb.sys
2011/07/16 00:35:38.0262 0416 nmwcdc (7312987b6ccde6f6cee32c14bed1ca2e) C:\Windows\system32\drivers\ccdcmbo.sys
2011/07/16 00:35:38.0293 0416 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2011/07/16 00:35:38.0324 0416 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2011/07/16 00:35:38.0402 0416 Ntfs (33c3093d09017cfe2e219f2472bff6eb) C:\Windows\system32\drivers\Ntfs.sys
2011/07/16 00:35:38.0449 0416 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2011/07/16 00:35:38.0496 0416 NVENETFD (b5e37e31c053bc9950455a257526514b) C:\Windows\system32\DRIVERS\nvm62x32.sys
2011/07/16 00:35:38.0776 0416 nvlddmkm (377140a534d013bd661c69f1741de43c) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/07/16 00:35:38.0932 0416 nvraid (af2eec9580c1d32fb7eaf105d9784061) C:\Windows\system32\drivers\nvraid.sys
2011/07/16 00:35:38.0979 0416 nvstor (9283c58ebaa2618f93482eb5dabcec82) C:\Windows\system32\drivers\nvstor.sys
2011/07/16 00:35:39.0042 0416 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
2011/07/16 00:35:39.0073 0416 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
2011/07/16 00:35:39.0213 0416 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2011/07/16 00:35:39.0276 0416 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
2011/07/16 00:35:39.0322 0416 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2011/07/16 00:35:39.0385 0416 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
2011/07/16 00:35:39.0416 0416 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
2011/07/16 00:35:39.0463 0416 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/07/16 00:35:39.0510 0416 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2011/07/16 00:35:39.0556 0416 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2011/07/16 00:35:39.0697 0416 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2011/07/16 00:35:39.0744 0416 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2011/07/16 00:35:39.0853 0416 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2011/07/16 00:35:39.0931 0416 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2011/07/16 00:35:39.0978 0416 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/07/16 00:35:40.0040 0416 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2011/07/16 00:35:40.0087 0416 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2011/07/16 00:35:40.0118 0416 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/07/16 00:35:40.0180 0416 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/07/16 00:35:40.0227 0416 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/07/16 00:35:40.0258 0416 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2011/07/16 00:35:40.0305 0416 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
2011/07/16 00:35:40.0352 0416 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/07/16 00:35:40.0383 0416 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/07/16 00:35:40.0446 0416 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
2011/07/16 00:35:40.0508 0416 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2011/07/16 00:35:40.0555 0416 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2011/07/16 00:35:40.0602 0416 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
2011/07/16 00:35:40.0648 0416 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
2011/07/16 00:35:40.0695 0416 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
2011/07/16 00:35:40.0820 0416 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2011/07/16 00:35:40.0882 0416 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
2011/07/16 00:35:40.0960 0416 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
2011/07/16 00:35:41.0038 0416 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
2011/07/16 00:35:41.0163 0416 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/07/16 00:35:41.0226 0416 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2011/07/16 00:35:41.0272 0416 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2011/07/16 00:35:41.0319 0416 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2011/07/16 00:35:41.0475 0416 setup_9.0.0.722_07.07.2011_11-12drv (64d93ec1218765498c40619427a85a91) C:\Windows\system32\DRIVERS\5479638.sys
2011/07/16 00:35:41.0522 0416 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
2011/07/16 00:35:41.0553 0416 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
2011/07/16 00:35:41.0600 0416 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
2011/07/16 00:35:41.0662 0416 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/07/16 00:35:41.0725 0416 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
2011/07/16 00:35:41.0787 0416 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/07/16 00:35:41.0818 0416 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/07/16 00:35:41.0865 0416 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2011/07/16 00:35:41.0990 0416 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/07/16 00:35:42.0068 0416 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2011/07/16 00:35:42.0162 0416 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\Windows\system32\Drivers\SRTSP.SYS
2011/07/16 00:35:42.0208 0416 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\Windows\system32\Drivers\SRTSPL.SYS
2011/07/16 00:35:42.0255 0416 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\Windows\system32\Drivers\SRTSPX.SYS
2011/07/16 00:35:42.0349 0416 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
2011/07/16 00:35:42.0380 0416 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
2011/07/16 00:35:42.0411 0416 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
2011/07/16 00:35:42.0474 0416 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2011/07/16 00:35:42.0520 0416 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
2011/07/16 00:35:42.0567 0416 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
2011/07/16 00:35:42.0598 0416 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
2011/07/16 00:35:42.0661 0416 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\Windows\system32\Drivers\SYMEVENT.SYS
2011/07/16 00:35:42.0708 0416 SYMREDRV (394b2368212114d538316812af60fddd) C:\Windows\System32\Drivers\SYMREDRV.SYS
2011/07/16 00:35:42.0739 0416 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\Windows\System32\Drivers\SYMTDI.SYS
2011/07/16 00:35:42.0879 0416 Tcpip (24326784df8f3d5f5bbb9f878ce33c14) C:\Windows\system32\drivers\tcpip.sys
2011/07/16 00:35:42.0973 0416 TCPIP6 (24326784df8f3d5f5bbb9f878ce33c14) C:\Windows\system32\DRIVERS\tcpip.sys
2011/07/16 00:35:43.0020 0416 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/07/16 00:35:43.0098 0416 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
2011/07/16 00:35:43.0129 0416 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
2011/07/16 00:35:43.0176 0416 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
2011/07/16 00:35:43.0222 0416 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
2011/07/16 00:35:43.0316 0416 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/07/16 00:35:43.0363 0416 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
2011/07/16 00:35:43.0456 0416 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
2011/07/16 00:35:43.0488 0416 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2011/07/16 00:35:43.0534 0416 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
2011/07/16 00:35:43.0628 0416 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
2011/07/16 00:35:43.0690 0416 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
2011/07/16 00:35:43.0722 0416 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2011/07/16 00:35:43.0784 0416 upperdev (7062ed67a10f1c83b2ab951736e24f11) C:\Windows\system32\DRIVERS\usbser_lowerflt.sys
2011/07/16 00:35:43.0815 0416 usbccgp (7e72e7d7e0757d59481d530fd2b0bfae) C:\Windows\system32\drivers\usbccgp.sys
2011/07/16 00:35:43.0862 0416 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
2011/07/16 00:35:43.0893 0416 usbehci (cfbce999c057d78979a181c9c60f208e) C:\Windows\system32\drivers\usbehci.sys
2011/07/16 00:35:43.0940 0416 usbhub (9d22aad9ac6a07c691a1113e5f860868) C:\Windows\system32\drivers\usbhub.sys
2011/07/16 00:35:43.0987 0416 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\drivers\usbohci.sys
2011/07/16 00:35:44.0049 0416 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2011/07/16 00:35:44.0096 0416 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
2011/07/16 00:35:44.0158 0416 usbser (31181de6190b39fc8007dffd1a48ffd6) C:\Windows\system32\drivers\usbser.sys
2011/07/16 00:35:44.0190 0416 UsbserFilt (b76d8039f5b595c4ca551b3d5dd15a98) C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys
2011/07/16 00:35:44.0252 0416 USBSTOR (bf63ebfc6979fefb2bc03df7989a0c1a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/07/16 00:35:44.0283 0416 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\drivers\usbuhci.sys
2011/07/16 00:35:44.0346 0416 utqxndcy (524d8d450622db4a7875b111c299a76b) C:\Windows\system32\Drivers\utqxndcy.sys
2011/07/16 00:35:44.0408 0416 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
2011/07/16 00:35:44.0455 0416 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/07/16 00:35:44.0502 0416 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2011/07/16 00:35:44.0580 0416 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
2011/07/16 00:35:44.0626 0416 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
2011/07/16 00:35:44.0689 0416 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2011/07/16 00:35:44.0720 0416 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
2011/07/16 00:35:44.0751 0416 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
2011/07/16 00:35:44.0798 0416 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
2011/07/16 00:35:44.0829 0416 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
2011/07/16 00:35:44.0892 0416 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2011/07/16 00:35:44.0970 0416 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
2011/07/16 00:35:45.0016 0416 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/07/16 00:35:45.0063 0416 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
2011/07/16 00:35:45.0110 0416 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2011/07/16 00:35:45.0157 0416 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/16 00:35:45.0172 0416 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/16 00:35:45.0266 0416 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2011/07/16 00:35:45.0313 0416 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/07/16 00:35:45.0438 0416 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/07/16 00:35:45.0469 0416 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2011/07/16 00:35:45.0640 0416 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
2011/07/16 00:35:45.0718 0416 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/07/16 00:35:45.0796 0416 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
2011/07/16 00:35:45.0859 0416 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/07/16 00:35:45.0921 0416 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/07/16 00:35:45.0968 0416 Boot (0x1200) (fe4b79418310130ef773a797652d70a4) \Device\Harddisk0\DR0\Partition0
2011/07/16 00:35:45.0984 0416 Boot (0x1200) (a3e375dffacba9136f7e4bb79200623d) \Device\Harddisk0\DR0\Partition1
2011/07/16 00:35:46.0015 0416 Boot (0x1200) (502b99064c96efa84e0349dac343851a) \Device\Harddisk0\DR0\Partition2
2011/07/16 00:35:46.0046 0416 Boot (0x1200) (b92d723d0cd7d1162a0c48e3d7116253) \Device\Harddisk0\DR0\Partition3
2011/07/16 00:35:46.0077 0416 Boot (0x1200) (088710509c1b1f0411f2825e393409c8) \Device\Harddisk0\DR0\Partition4
2011/07/16 00:35:46.0093 0416 ================================================================================
2011/07/16 00:35:46.0093 0416 Scan finished
2011/07/16 00:35:46.0093 0416 ================================================================================
2011/07/16 00:35:46.0108 3300 Detected object count: 0
2011/07/16 00:35:46.0108 3300 Actual detected object count: 0
2011/07/16 00:36:31.0816 1800 Deinitialize success



2) aswMBR log -
aswMBR version 0.9.7.750 Copyright© 2011 AVAST Software
Run date: 2011-07-16 00:32:20
-----------------------------
00:32:20.438 OS Version: Windows 6.1.7601 Service Pack 1
00:32:20.438 Number of processors: 2 586 0x6B01
00:32:20.438 ComputerName: SKS-PC UserName: SKS
00:32:20.906 Initialize success
00:32:47.769 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
00:32:47.769 Disk 0 Vendor: ST325082 3.AC Size: 238475MB BusType: 3
00:32:49.782 Disk 0 MBR read successfully
00:32:49.782 Disk 0 MBR scan
00:32:49.813 Disk 0 Windows 7 default MBR code
00:32:51.825 Disk 0 scanning sectors +488392065
00:32:51.903 Disk 0 scanning C:\Windows\system32\drivers
00:32:58.393 Service scanning
00:32:59.313 Disk 0 trace - called modules:
00:32:59.329 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
00:32:59.329 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8453f030]
00:32:59.329 3 CLASSPNP.SYS[8600459e] -> nt!IofCallDriver -> [0x83e65700]
00:32:59.344 5 ACPI.sys[860393d4] -> nt!IofCallDriver -> \Device\00000069[0x83e65030]
00:32:59.344 Scan finished successfully
00:33:17.706 Disk 0 MBR has been saved successfully to "C:\Users\SKS\Desktop\MBR.dat"
00:33:17.721 The log file has been saved successfully to "C:\Users\SKS\Desktop\aswMBR.txt"


3) Suspicious activity -
Well, when I started ComboFix in normal mode it extracted something and then a message came: do I want to move ComboFix to the recycle bin? So I started my computer in safe mode; the same happened. Then it finished its operation and I have attached the log.
Now, though my PC is working all right, I have a gut feeling that the problem is not over. The PC is working a bit slow, though I had the scans on. I do have a Kaspersky trial version setup of Internet Security; should I install that and remove the old Symantec? What do you suggest?
Your help, effort and time will be appreciated.
Thank you.

Attached Files


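The TDSSKiller listing above is what a helper reads by eye to pick out a driver such as utqxndcy.sys for submission to a multi-engine scanner. As an added example, not code from this thread or from TDSSKiller, aswMBR or ComboFix, the following Python script parses that log layout (the only assumption about the format is the line shape visible above) and builds a review list from two common triage heuristics: generated-looking service names and drivers loaded from outside the Windows driver directories. It also shows why a hash allowlist belongs in the loop: the legitimate NVIDIA display driver nvlddmkm trips the same random-name rule as utqxndcy, and is cleared by its MD5 rather than by eye. The sample log lines are copied from the listing above; the rules, function names and the allowlist mechanism are this example's own.

```python
"""Triage helper for TDSSKiller-style driver listings.

Added example for this thread; it is not code from the original post or from
TDSSKiller, aswMBR or ComboFix. It assumes only the line layout visible in
the log above:

    <date> <time> <thread id> <service> [(0xSIZE)] (<md5>) <path>

and applies two review rules a responder commonly uses before hand-submitting
files to a multi-engine scanner:

  1. service names that look machine-generated (long, almost no vowels), and
  2. drivers loaded from outside the usual Windows driver directories.

Both rules are heuristics and do produce false positives, so hits are returned
as a review list with their MD5s rather than as verdicts, and a hash allowlist
(filled in as files are cleared by hash lookup) suppresses known-good files.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<tid>\d+) (?P<name>\S+)"
    r"(?: \((?P<size>0x[0-9A-Fa-f]+)\))?"
    r" \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$"
)

# Constructed sample: a few lines copied from the log in the thread above plus
# the header/footer lines a parser has to skip.
SAMPLE_LOG = """\
2011/07/16 00:35:28.0636 0416 Scan started
2011/07/16 00:35:28.0636 0416 Mode: Manual;
2011/07/16 00:35:29.0338 0416 ACPI (cea80c80bed809aa0da6febc04733349) C:\\Windows\\system32\\drivers\\ACPI.sys
2011/07/16 00:35:32.0973 0416 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\\Program Files\\Common Files\\Symantec Shared\\EENGINE\\eeCtrl.sys
2011/07/16 00:35:38.0776 0416 nvlddmkm (377140a534d013bd661c69f1741de43c) C:\\Windows\\system32\\DRIVERS\\nvlddmkm.sys
2011/07/16 00:35:44.0346 0416 utqxndcy (524d8d450622db4a7875b111c299a76b) C:\\Windows\\system32\\Drivers\\utqxndcy.sys
2011/07/16 00:35:45.0921 0416 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \\Device\\Harddisk0\\DR0
2011/07/16 00:35:46.0108 3300 Detected object count: 0
"""


@dataclass
class Entry:
    name: str
    md5: str
    path: str
    reasons: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return one Entry per driver/boot-sector line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"], m["md5"].lower(), m["path"]))
    return entries


def looks_generated(name: str) -> bool:
    """Heuristic: 8+ letters with at most one vowel reads like a random string.
    Legitimate names such as 'nvlddmkm' trip this too, which is why hits are
    cleared by hash lookup rather than by eye."""
    return name.isalpha() and len(name) >= 8 and sum(c in "aeiou" for c in name.lower()) <= 1


def outside_standard_dirs(path: str) -> bool:
    """True for a drive-letter path that is not under C:\\Windows\\System32."""
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return False  # \Device\... boot-sector entries are not files on disk
    return not p.startswith("c:\\windows\\system32\\")


def review(entries: list, known_good_md5=frozenset()) -> list:
    """Apply both rules, skip hashes already cleared, return flagged entries."""
    hits = []
    for e in entries:
        if e.md5 in known_good_md5:
            continue
        reasons = []
        if looks_generated(e.name):
            reasons.append("generated-looking name")
        if outside_standard_dirs(e.path):
            reasons.append("outside system32")
        if reasons:
            hits.append(Entry(e.name, e.md5, e.path, reasons))
    return hits


if __name__ == "__main__":
    # Prints the review list; look each MD5 up, then add cleared hashes to
    # known_good_md5 on the next run so only unresolved files remain.
    for hit in review(parse_log(SAMPLE_LOG)):
        print(f"{hit.name:<10} {hit.md5}  {', '.join(hit.reasons):<24} {hit.path}")
```

On the sample, the first run flags eeCtrl (a Symantec component living outside system32), nvlddmkm and utqxndcy; passing nvlddmkm's MD5 in `known_good_md5` after it has been looked up leaves only the two files that still need a human decision. The name rule is deliberately crude: it exists to shorten a 270-line listing to a handful of candidates, not to decide anything on its own.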

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:41 PM

Posted 15 July 2011 - 04:09 PM

Hello,

If you're going to use Kaspersky, you need to remove Symantec. Here is a tool for removing Symantec.

Uninstall Norton


The following removal utility can be used to uninstall the program:

  • Download the Norton Removal Tool to your desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Note: Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
Norton should now be removed from your PC.


For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039


1.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\drivers\utqxndcy.sys
C:\uwldypow.sys

Please post back the results of the scan in your next post.


2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2
Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on the button shown (image not reproduced).

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on the button shown (image not reproduced).
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button shown (image not reproduced).
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on the button shown (image not reproduced).
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Things to include in your next reply::
Jotti results.
MBAM log
Eset log
How is your machine running now?

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 UdayanSanyal

UdayanSanyal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 16 July 2011 - 06:47 AM

Here is the info you requested-
1) Jotti scan log

For C:\uwldypow.sys
Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

Filename: pgdyrfod.sys2
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 29 Jun 2011 15:53:33 (CET)

Additional info
File size: 100736 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 9ccc1693cddec11f3f5712501219c0da
SHA1: 261ac71a4faff88c709fdf67da

For c:\windows\system32\drivers\utqxndcy.sys
This file has been scanned before. The results for this previous scan are listed below.

Filename: utqxndcy.sys
Status: Scan finished. 2 out of 20 scanners reported malware.
Scan taken on: Sat 16 Jul 2011 11:29:37 (CET)

Additional info
File size: 7168 bytes
Filetype: PE32 executable for MS Windows (DLL) (native) Intel 80386 32-bit
MD5: 524d8d450622db4a7875b111c299a76b
SHA1: fe22db1e0b864e77baeca5520c05c42431784fd8

Scanners which detected it as malware
1) Clam AV - Trojan.Agent-66914
2) F-Prot - W32/Bagle.IJ

2) Malwarebytes' Anti-Malware log-
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 7160

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

16-07-2011 15:28:06
mbam-log-2011-07-16 (15-28-06).txt

Scan type: Quick scan
Objects scanned: 144512
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

3) ESET NOD online scanner- It could not run, as whenever it came to the part asking for installation of the ActiveX control I clicked the Install button, but then a message came to press the "Retry" button or "Cancel" button (the one that comes to resend information). On pressing Retry I got only a blank page.

4)Suspicious behavior-
Besides, my computer also hung once and I had to power off and start it. On starting it I saw a 3-stage process of something (related to Windows) start. After that the PC rebooted, and then when I wanted to delete some files permanently, messages came that I needed admin rights and had to click Continue to delete them. Please note this is suspicious, as I have never had such messages when I deleted the same files even a day ago.
Do you think formatting the C drive is a solution?

Besides, Symantec Endpoint Protection could not be uninstalled using the Norton Removal Tool.

Thank you for all your effort

Edited by UdayanSanyal, 16 July 2011 - 07:33 AM.
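Jotti identified both drivers by hash, and the first lookup shows why that matters: C:\uwldypow.sys matched a scan submitted earlier under a different random name (pgdyrfod.sys), so the same binary is being dropped under fresh eight-letter names. As an added example (not part of the original thread, not the helper's procedure, and not a Jotti, Symantec or Malwarebytes tool), the Python below walks a directory tree, hashes every .sys file, flags matches against a small IOC list, and marks any remaining eight-random-letter driver name for manual review. The sample tree, its file contents and the demo IOC hash are constructed; the real MD5 for utqxndcy.sys is the one Jotti reported above, and the allowlisted names are legitimate drivers that appear in the aswMBR trace earlier in the thread.

```python
"""Triage .sys files by hash IOC and by random-looking eight-letter names.

Added example; the sample tree and the demo IOC entry are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 Jotti reported for utqxndcy.sys in this thread.
KNOWN_BAD_MD5 = {
    "524d8d450622db4a7875b111c299a76b": "utqxndcy.sys (ClamAV Trojan.Agent-66914 / F-Prot W32/Bagle.IJ)",
}
# Constructed stand-in for a known-bad driver body, so the hash branch can be exercised offline.
DEMO_BAD_BYTES = b"MZ" + b"\x00" * 62 + b"constructed sample standing in for a known-bad driver"
KNOWN_BAD_MD5[hashlib.md5(DEMO_BAD_BYTES).hexdigest()] = "demo sample (constructed)"

# Both suspect drivers share this shape; legitimate drivers of the same shape seen in the
# aswMBR trace (storport.sys, classpnp.sys) go on the allowlist to cut false positives.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.sys$")
ALLOWLIST = {"storport.sys", "classpnp.sys"}


def file_hashes(path: Path) -> tuple:
    """Return (md5, sha1) of a file, streamed so large drivers do not load into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def is_pe(path: Path) -> bool:
    """Cheap check that the file is a PE image (DOS 'MZ' header)."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def triage(root: Path) -> dict:
    """Return {'known_bad': [...], 'review': [...]} with paths relative to root."""
    result = {"known_bad": [], "review": []}
    for p in sorted(root.rglob("*.sys")):
        rel = p.relative_to(root).as_posix()
        md5, _sha1 = file_hashes(p)
        if md5 in KNOWN_BAD_MD5:
            result["known_bad"].append(rel)
        elif RANDOM_NAME.match(p.name) and p.name not in ALLOWLIST and is_pe(p):
            result["review"].append(rel)
    return result


def build_sample_tree() -> Path:
    """Constructed directory layout mimicking the two locations named in the thread."""
    root = Path(tempfile.mkdtemp(prefix="drv_triage_"))
    drv = root / "Windows" / "system32" / "drivers"
    drv.mkdir(parents=True)
    (drv / "storport.sys").write_bytes(b"MZ" + b"\x90" * 100)   # 8 letters but allowlisted
    (drv / "utqxndcy.sys").write_bytes(b"MZ" + b"\x90" * 50)    # random name, hash not on list -> review
    (drv / "disk.sys").write_bytes(b"MZ" + b"\x90" * 80)        # short name, ignored
    (drv / "abcdefgh.sys").write_bytes(b"not a PE image")       # random name but not a PE, ignored
    (root / "uwldypow.sys").write_bytes(DEMO_BAD_BYTES)         # hash IOC hit -> known_bad
    return root


if __name__ == "__main__":
    for bucket, paths in triage(build_sample_tree()).items():
        print(bucket, paths)
```

On the machine in the thread the root would be C:\ and the hashes of anything in the review bucket are what you submit to Jotti or VirusTotal; the name heuristic on its own is only a prompt to look, never a verdict.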


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:41 PM

Posted 16 July 2011 - 09:04 AM

Hello,

Re-formatting is always an option; it would be entirely up to you. Let's try another scanner that is very good and see what it says.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)



#11 UdayanSanyal

UdayanSanyal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 PM

Posted 17 July 2011 - 12:53 AM

Hello
here is the dr web log-
Autorun.exe;E:\All Mou\LastZeusDocs\ResumeMaker® Professional 15.0 [Retail] - HeartBug;Modification of BackDoor.Generic.957;Moved.;
Setup.exe;E:\All Mou\LastZeusDocs\ResumeMaker® Professional 15.0 [Retail] - HeartBug;Modification of BackDoor.Generic.957;Moved.;

Both the files were moved; however, they were not deleted. Do you suggest manually deleting them, as I think the files are of no use to me? The Dr.Web scanner took 10 hrs and 30 minutes to complete, so is that normal?
The first time I was scanning, the PC hung, so I had to power off and start it again.

Besides, my system restore is on; should I switch it off? My PC is working normally, though it is slow, but my RAM is less and I am going to upgrade it soon.
Your suggestion will be appreciated.
Thank you

Edited by UdayanSanyal, 17 July 2011 - 05:47 AM.


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:41 PM

Posted 17 July 2011 - 11:13 AM

Hello,

Well, let's take a look at your computer itself and see if we can speed it up a bit.


1.
Install HijackThis:

You can download the latest version of HijackThis by clicking HERE.
Should you be prompted to save to a certain directory, please choose the desktop.
Note:Only this file should be saved to the desktop. During the installation process, you must allow HijackThis to install into its own directory.

Once you download the HijackThis Installer from the above link:

  • Double-click the new HJTInstall.exe icon on your desktop or your default download location.
  • An install window will appear, please accept all the default locations and settings. (Vista users may need to approve a notification from Windows. Please accept this warning if it appears, and allow the installation.)
  • Once installed, you will be presented with a list of options, please select 'Do a system scan and save a logfile'. (Vista users: you may need to close the program, then Right-click the HijackThis icon, choosing 'Run as Administrator')
  • Once the scan has completed, a 'Notepad' window will appear. This is the log I require.
  • In the notepad window, select 'Edit' from the top row, then 'Select all'
  • Again, in the notepad window, select 'Edit' again, this time choosing 'copy'
  • Close HijackThis by clicking the red X in the top right hand corner of the programs window.
  • Please reply to this message. In the reply window, please Right click, and select Paste
  • Once your log is posted, please close the Notepad window. You may also delete HJTInstall.exe from your desktop, as it is no longer required.

Note: DO NOT have HijackThis fix anything yet! Most of what it finds is legitimate, and DANGEROUS if misinterpreted!!
DO NOT use this program unless told to by a Trained Malware Removal Expert, and make sure you understand and follow ALL instructions. If you don't understand STOP and ASK!!!



2.
  • Please download and save HardwareInfo to your desktop.
  • Double click HardwareInfo it will produce a log named HardwareInfo.txt.
  • Copy and paste that log in your next reply.

3.
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

4.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

5.
Please run the F-Secure Online Scanner
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

Things to include in your next reply::
HardwareInfo.txt
HiJackThis log
SAS log
F-secure log
How is your machine running now?

Edited by fireman4it, 17 July 2011 - 11:29 AM.



#13 UdayanSanyal

UdayanSanyal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 19 July 2011 - 02:10 AM

Hello,
Sorry that I have delayed writing to you, but I was very busy.
here is the info you requested-
1)HardwareInfo log-

Logfile of Aommaster's HardwareInfo v.1.0.0
###############
Computer information
###############
Manufacturer: System manufacturer
Model: System Product Name
Type: Desktop

##############
Disk Drive information
##############
--------------
Drive \\.\PHYSICALDRIVE0
--------------
Manufacturer:(Standard disk drives)
Model:ST325082 0SV SCSI Disk Device
Interface Type:SCSI
Media Type:Fixed hard disk media
Partitions: 5
Total Space: 232.88 GB


##############
Partition information
##############
--------------
Drive C:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 39.9 GB
Free Space: 21.01 GB
Used Space: 18.89 GB

--------------
Drive D:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 79.99 GB
Free Space: 17.86 GB
Used Space: 62.12 GB

--------------
Drive E:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 79.99 GB
Free Space: 15.99 GB
Used Space: 64 GB

--------------
Drive F:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 32.88 GB
Free Space: 6.11 GB
Used Space: 26.77 GB

###########
OS information
###########
----------------------------
Operating System: Microsoft Windows 7 Ultimate
----------------------------
Version: 6.1.7601
Service Pack: SP1
OS Architecture: 32-bit
Total Virtual Memory: 2.8 GB
Free Virtual Memory: 0.63 GB
RAM Available to OS: 990.55 MB
Free RAM: 107.81 MB


###########
RAM information
###########
----------------------------
Name: Physical Memory 2
----------------------------
Manufacturer: None
Part Number: None
RAM: 1 GB
Speed: 667 MHz
Type: Unknown


###########
Motherboard information
###########
----------------------------
Name: Base Board
----------------------------
Description: ASUSTek Computer INC.
Product: M2NPV-VM


###########
BIOS information
###########
----------------------------
Name: Phoenix - AwardBIOS v6.00PG
----------------------------
Description: Phoenix Technologies, LTD
BIOS Version: ASUS M2NPV-VM ACPI BIOS Revision 0705


###########
CPU information
###########
----------------------------
Name: AMD Athlon™ 64 X2 Dual Core Processor 4800+
----------------------------
Type: 64-bit
Cores: 2
Maximum Clock Speed: 2.5 GHz
Current Clock Speed: 2.5 GHz


###########
GPU information
###########
----------------------------
Name: NVIDIA GeForce 6150
----------------------------
Card Memory: 32 MB


~~~EOF~~~

2) HijackThis log-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:12:21, on 18-07-2011
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
O4 - HKLM\..\Run: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: setup_9.0.0.722_07.07.2011_11-12.lnk = C:\Users\SKS\Desktop\Virus Removal Tool\setup_9.0.0.722_07.07.2011_11-12\startup.exe
O4 - Startup: _uninst_setup_9.0.0.722_07.07.2011_11-12.exe.lnk = SKS\AppData\Local\temp\_uninst_setup_9.0.0.722_07.07.2011_11-12.exe.bat
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C23B02D1-88C2-4D2A-96A0-0FD16A4A79C6}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{C23B02D1-88C2-4D2A-96A0-0FD16A4A79C6}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{C23B02D1-88C2-4D2A-96A0-0FD16A4A79C6}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\Windows\System32\guard32.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COMODO System - Cleaner Service (Cleaner_Validator) - Unknown owner - C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 8897 bytes

3) SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2011 at 02:34 AM

Application Version : 4.55.1000

Core Rules Database Version : 7421
Trace Rules Database Version: 5233

Scan type : Complete Scan
Total Scan Time : 01:41:04

Memory items scanned : 406
Memory threats detected : 0
Registry items scanned : 8668
Registry threats detected : 6
File items scanned : 170178
File threats detected : 22

Trojan.Agent/Gen
HKLM\System\ControlSet001\Services\utqxndcy
C:\WINDOWS\SYSTEM32\DRIVERS\UTQXNDCY.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_utqxndcy
HKLM\System\ControlSet002\Services\utqxndcy
HKLM\System\ControlSet002\Enum\Root\LEGACY_utqxndcy
HKLM\System\CurrentControlSet\Services\utqxndcy
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_utqxndcy

Adware.Tracking Cookie
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@lfstmedia[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@kantarmedia[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@ads.bleepingcomputer[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@collective-media[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@imrworldwide[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@adinterax[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@atdmt[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@legolas-media[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@ad.yieldmanager[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@adinterax[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@ads.bleepingcomputer[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@adx.bixee[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@adx.ibibo[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@chitika[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@collective-media[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@doubleclick[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@kontera[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@legolas-media[2].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@mm.chitika[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@questionmarket[1].txt
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\Low\sks@serving-sys[1].txt

4) F-Secure - It couldn't open. Nothing happened after a message came that the download was complete and to click the Recheck button. Maybe these online scans don't work on Internet Explorer 9. Should I download another browser?

5) How is the comp working? - Well, it is finally working normally after the SUPERAntiSpyware scan. Though it was going to hang on the F-Secure website when I was downloading the virus removal tool, I believe for the first time in the last 25 days the PC has been so fast.
Please suggest what to do with the quarantined viruses in SUPERAntiSpyware. Should I click the Remove button (I think that button will permanently remove the virus)?
Suggest a future course of action. I should be happy to scan with another scanner.
Thank you for all that you are doing.
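As an added example (not part of the thread and not SUPERAntiSpyware's own tooling), a small Python parser for the scan-log format quoted above: it reads the summary counts, groups detections by threat name, separates registry keys from file paths, and reports whether a service name found under a Services key (here utqxndcy) also has a driver file of the same name in the log, which is the pattern a randomly named rootkit driver leaves. The sample log is a constructed excerpt of the one posted.

```python
import re
from collections import defaultdict
# Constructed excerpt in the SUPERAntiSpyware log format quoted in the thread.
SAMPLE_LOG = r"""
Registry threats detected : 6
File threats detected : 22

Trojan.Agent/Gen
HKLM\System\ControlSet001\Services\utqxndcy
C:\WINDOWS\SYSTEM32\DRIVERS\UTQXNDCY.SYS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_utqxndcy

Adware.Tracking Cookie
C:\Users\SKS\AppData\Roaming\Microsoft\Windows\Cookies\sks@doubleclick[2].txt
"""
SUMMARY_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)$")       # "File threats detected : 22"
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
def item_kind(item):  # registry key, file path, or other
    if item.upper().startswith("HK"):
        return "registry"
    return "file" if re.match(r"^[A-Za-z]:\\", item) else "other"
def parse_sas_log(text):
    """Return (summary counts, {threat name: [(kind, item), ...]})."""
    summary, findings, current = {}, defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if not line:
            current = None                    # a blank line ends a detection block
            continue
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif current and item_kind(line) != "other":
            findings[current].append((item_kind(line), line))
        else:
            current = line                    # any other text names the next block
    return summary, dict(findings)
def correlate(findings):
    """Per threat: service names under a Services key -> whether a .sys of that name was also listed."""
    result = {}
    for threat, items in findings.items():
        files = {i.rsplit("\\", 1)[-1].lower() for k, i in items if k == "file"}
        services = {}
        for k, i in items:
            m = SERVICE_RE.search(i) if k == "registry" else None
            if m:
                services[m.group(1).lower()] = m.group(1).lower() + ".sys" in files
        if services:
            result[threat] = services
    return result
```

Feed it a full log saved from the scanner to get the same grouping for every detection block, not just the excerpt shown here.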

#14 UdayanSanyal

UdayanSanyal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 19 July 2011 - 01:24 PM

Well, just half an hour ago there was some unusual activity.
I was working on a Word document and suddenly the cursor started going down line after line though the Enter button was not pressed.
When I closed the Word document I found that many programs had started to open without my clicking them: My Computer, Sony Media Go, etc.
I couldn't shut down the PC so I had to power it off.
I believe the virus has just got revived. What to do next?

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:41 PM

Posted 19 July 2011 - 04:00 PM

Hello,

Well, I don't know about all that; I've never heard of any virus doing such things. Let's run another scanner and take another look.

1.
Download and Run Kaspersky Virus Removal Tool
Please disable all anti-malware protection before running this tool. Refer to this page if you are not sure how.
  • Click HERE to go to the download page. Select External Mirror 1. Save the installer on your desktop.
  • Double click the installer and follow the prompts. Kaspersky Virus Removal Tool will open after the installation.
  • Just under the "Automatic Scan" tab, check off all the boxes.
  • Click in the Settings box. Set the "Security Level" to High.
  • Change the Action settings to Do not Prompt for Action. Check Disinfect and Delete if disinfection fails. Click Ok to apply the settings.
  • Select Scan. Please be patient while the scan completes.
  • When the scan is finished, click the Report... button in the lower middle, select Save to file..., and save it onto your desktop as "report".
  • Close out of the program. When asked to uninstall, select Yes.
  • Reply back with the report saved on your desktop.

2.
    1. Please download OTL from one of the following mirrors:
       • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the OTL icon on your desktop.
    4. Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    volsnap.sys
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
       • OTL.txt <-- Will be opened
       • Extra.txt <-- Will be minimized

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply::
Kaspersky log
OTL.txt
Attach.txt
Gmer log
How is your machine running now?

Edited by fireman4it, 19 July 2011 - 04:00 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
