MRI_Disabled, Windows antivirus, Soundcard issues, svchost


This topic is locked
13 replies to this topic

#1 cronin66



Posted 11 July 2011 - 08:33 PM

I was told to move over here after posting in Am I Infected?

My original post can be found here: http://www.bleepingcomputer.com/forums/topic408968.html/page__gopid__2330810#entry2330810

Here is the DDS log I was told to create; the GMER program is still scanning and I can post it when it's done.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Run by Sean Cronin at 21:03:03 on 2011-07-11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1297 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Sean Cronin\My Documents\Downloads\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1010011
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{120DAF7C-D75D-49B2-B408-55389372BF70} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4AB1D78-0CE4-425B-9585-3D25C6449551} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sean cronin\application data\mozilla\firefox\profiles\jim38wzm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4df8f30e&i=23&tp=ab&nt=1&q=
FF - plugin: c:\documents and settings\sean cronin\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\sean cronin\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\sean cronin\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-23 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-23 108392]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-3-10 103744]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-6-23 1831024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-5 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110711.018\NAVENG.SYS [2011-7-11 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110711.018\NAVEX15.SYS [2011-7-11 1542392]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S0 pgysg;pgysg;c:\windows\system32\drivers\pmbaq.sys --> c:\windows\system32\drivers\pmbaq.sys [?]
S2 BNPagent;Client Security Agent Service;"c:\program files\bradford networks\client security agent\bndaemon.exe" --> c:\program files\bradford networks\client security agent\bndaemon.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\drivers\Ca2001v.sys [2008-2-19 2333568]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-5-5 17149]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2007-9-9 13225]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-5-5 362944]
S4 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
.
=============== Created Last 30 ================
.
2011-07-11 21:15:56 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-11 21:15:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 03:50:57 69632 ----a-w- c:\windows\ALCMTR.EXE
2011-07-06 03:50:57 2806784 ----a-w- c:\windows\ALCWZRD.EXE
2011-07-06 03:50:54 9703424 ----a-w- c:\windows\RTLCPL.EXE
2011-07-06 03:50:54 86016 ----a-w- c:\windows\SOUNDMAN.EXE
2011-07-06 03:50:54 2121728 ----a-w- c:\windows\MicCal.exe
2011-07-06 03:50:54 14820864 ----a-w- c:\windows\RTHDCPL.EXE
2011-07-06 03:50:53 40960 ------r- c:\windows\system32\ChCfg.exe
2011-07-06 03:50:53 3856896 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-07-06 03:50:53 294912 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2011-07-06 03:50:53 262144 ----a-w- c:\windows\system32\RTSndMgr.CPL
2011-07-06 03:50:15 -------- d-----w- c:\program files\Realtek
2011-07-06 03:49:58 487424 ------r- c:\windows\RtlExUpd.dll
2011-07-06 03:49:53 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2011-07-06 03:49:52 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2011-07-06 03:49:52 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2011-07-06 03:49:52 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2011-07-06 03:49:52 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2011-07-06 03:49:49 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2011-07-06 03:49:49 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2011-07-05 17:00:30 -------- d-----w- c:\documents and settings\sean cronin\local settings\application data\Symantec
2011-07-05 16:57:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-05 16:57:30 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-05 16:56:20 -------- d-----w- c:\program files\common files\Symantec Shared
2011-07-05 16:56:20 -------- d-----w- c:\documents and settings\all users\application data\Symantec
2011-07-05 16:56:19 -------- d-----w- c:\program files\Symantec
2011-06-17 05:40:31 -------- d-----w- c:\program files\iTunes
2011-06-17 05:40:31 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-06-17 05:30:09 -------- d-----w- c:\program files\Bonjour
2011-06-15 18:00:21 -------- d-----w- c:\documents and settings\sean cronin\application data\AVG10
2011-06-15 17:59:31 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-15 17:57:22 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-06-15 17:56:54 -------- d-----w- c:\program files\AVG
2011-06-15 17:51:52 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-05-10 12:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-05 20:36:17 81920 ----a-w- c:\windows\ALCFDRTM.VER
.
============= FINISH: 21:05:21.25 ===============



Thanks in advance.


#2 CatByte


    bleepin' tiger


  • Malware Response Team

Posted 26 July 2011 - 06:00 PM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.



NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 cronin66

  • Topic Starter


Posted 26 July 2011 - 07:48 PM

aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-26 20:44:50
-----------------------------
20:44:50.088 OS Version: Windows 5.1.2600 Service Pack 2
20:44:50.088 Number of processors: 1 586 0xD08
20:44:50.088 ComputerName: SEAN-43170B3E03 UserName: Sean Cronin
20:44:51.354 Initialize success
20:45:04.697 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\viamraid1Port2Path0Target0Lun0
20:45:04.697 Disk 0 Vendor: HTS54108 MB4O Size: 76319MB BusType: 1
20:45:04.697 Device \Driver\viamraid -> DriverStartIo SCSIPORT.SYS f74ab40e
20:45:04.729 Disk 0 MBR read successfully
20:45:04.729 Disk 0 MBR scan
20:45:04.729 Disk 0 Windows XP default MBR code
20:45:04.744 Disk 0 scanning sectors +156280320
20:45:04.869 Disk 0 scanning C:\WINDOWS\system32\drivers
20:45:34.447 Service scanning
20:45:35.901 Modules scanning
20:46:03.182 Disk 0 trace - called modules:
20:46:03.213 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll viamraid.sys
20:46:03.213 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b34ab8]
20:46:03.213 3 CLASSPNP.SYS[f766805b] -> nt!IofCallDriver -> \Device\Scsi\viamraid1Port2Path0Target0Lun0[0x89b8fa38]
20:46:03.572 Scan finished successfully
20:46:14.229 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sean Cronin\Desktop\MBR.dat"
20:46:14.244 The log file has been saved successfully to "C:\Documents and Settings\Sean Cronin\Desktop\aswMBR.txt

2011/07/26 20:42:59.0416 1452 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/26 20:42:59.0760 1452 ================================================================================
2011/07/26 20:42:59.0760 1452 SystemInfo:
2011/07/26 20:42:59.0760 1452
2011/07/26 20:42:59.0760 1452 OS Version: 5.1.2600 ServicePack: 2.0
2011/07/26 20:42:59.0760 1452 Product type: Workstation
2011/07/26 20:42:59.0760 1452 ComputerName: SEAN-43170B3E03
2011/07/26 20:42:59.0760 1452 UserName: Sean Cronin
2011/07/26 20:42:59.0760 1452 Windows directory: C:\WINDOWS
2011/07/26 20:42:59.0760 1452 System windows directory: C:\WINDOWS
2011/07/26 20:42:59.0760 1452 Processor architecture: Intel x86
2011/07/26 20:42:59.0760 1452 Number of processors: 1
2011/07/26 20:42:59.0760 1452 Page size: 0x1000
2011/07/26 20:42:59.0760 1452 Boot type: Normal boot
2011/07/26 20:42:59.0760 1452 ================================================================================
2011/07/26 20:43:00.0713 1452 Initialize success
2011/07/26 20:43:03.0807 0372 ================================================================================
2011/07/26 20:43:03.0807 0372 Scan started
2011/07/26 20:43:03.0807 0372 Mode: Manual;
2011/07/26 20:43:03.0807 0372 ================================================================================
2011/07/26 20:43:04.0916 0372 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/26 20:43:05.0026 0372 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/07/26 20:43:05.0166 0372 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/07/26 20:43:05.0276 0372 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/07/26 20:43:05.0401 0372 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/07/26 20:43:05.0947 0372 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/26 20:43:06.0729 0372 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/26 20:43:06.0822 0372 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/26 20:43:06.0947 0372 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/26 20:43:07.0010 0372 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/26 20:43:07.0213 0372 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/26 20:43:07.0447 0372 Ca2001v (ad60d9d3c237dc2b9017953e5adea19e) C:\WINDOWS\system32\Drivers\Ca2001v.sys
2011/07/26 20:43:07.0791 0372 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/26 20:43:07.0869 0372 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/07/26 20:43:07.0963 0372 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/26 20:43:08.0057 0372 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/26 20:43:08.0166 0372 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/26 20:43:08.0260 0372 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/26 20:43:08.0354 0372 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/26 20:43:08.0479 0372 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/26 20:43:08.0541 0372 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/26 20:43:08.0838 0372 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/26 20:43:08.0869 0372 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/26 20:43:08.0947 0372 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/26 20:43:09.0010 0372 DNINDIS5 (d2ee54cdbced01d48f2b18642be79a98) C:\WINDOWS\system32\DNINDIS5.SYS
2011/07/26 20:43:09.0072 0372 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/26 20:43:09.0307 0372 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/07/26 20:43:09.0588 0372 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/07/26 20:43:09.0651 0372 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/07/26 20:43:09.0760 0372 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/26 20:43:09.0807 0372 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/07/26 20:43:09.0885 0372 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/26 20:43:09.0916 0372 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/07/26 20:43:10.0010 0372 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/07/26 20:43:10.0072 0372 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/26 20:43:10.0119 0372 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/26 20:43:10.0213 0372 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/07/26 20:43:10.0276 0372 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/26 20:43:10.0385 0372 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
2011/07/26 20:43:10.0651 0372 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/26 20:43:10.0760 0372 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/26 20:43:10.0869 0372 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/07/26 20:43:10.0932 0372 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/07/26 20:43:10.0994 0372 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/07/26 20:43:11.0072 0372 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/26 20:43:11.0229 0372 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/26 20:43:11.0557 0372 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/26 20:43:11.0916 0372 IntcAzAudAddService (98b7fab86755a42fe8eb04538a4cd6c8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/07/26 20:43:12.0369 0372 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/26 20:43:12.0447 0372 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/26 20:43:12.0494 0372 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/07/26 20:43:12.0541 0372 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/26 20:43:12.0651 0372 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/26 20:43:12.0729 0372 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/26 20:43:12.0791 0372 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/26 20:43:12.0854 0372 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/26 20:43:12.0947 0372 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/26 20:43:13.0057 0372 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/26 20:43:13.0401 0372 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/26 20:43:13.0526 0372 M2500 (a084c8846531bc12f6d44843c6fb48d8) C:\WINDOWS\system32\DRIVERS\M2500.sys
2011/07/26 20:43:13.0682 0372 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/26 20:43:13.0776 0372 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/26 20:43:13.0807 0372 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/26 20:43:13.0885 0372 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/26 20:43:13.0932 0372 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/26 20:43:14.0010 0372 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/26 20:43:14.0119 0372 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/26 20:43:14.0479 0372 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/26 20:43:14.0588 0372 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/26 20:43:14.0635 0372 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/26 20:43:14.0682 0372 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/26 20:43:14.0760 0372 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/26 20:43:14.0838 0372 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/07/26 20:43:14.0885 0372 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/26 20:43:14.0979 0372 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/26 20:43:15.0197 0372 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110725.037\NAVENG.SYS
2011/07/26 20:43:15.0322 0372 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110725.037\NAVEX15.SYS
2011/07/26 20:43:15.0666 0372 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/26 20:43:15.0744 0372 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/26 20:43:15.0807 0372 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/26 20:43:15.0869 0372 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/26 20:43:15.0916 0372 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/26 20:43:15.0979 0372 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/26 20:43:16.0026 0372 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/26 20:43:16.0072 0372 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/26 20:43:16.0197 0372 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/07/26 20:43:16.0229 0372 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/26 20:43:16.0369 0372 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/26 20:43:16.0713 0372 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/26 20:43:16.0963 0372 nv (8b32e330acac354881e54fb5c1dfef49) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/26 20:43:17.0369 0372 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/26 20:43:17.0401 0372 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/26 20:43:17.0463 0372 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/07/26 20:43:17.0557 0372 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2011/07/26 20:43:17.0619 0372 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/26 20:43:17.0666 0372 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/26 20:43:17.0744 0372 PCANDIS5 (ceef86cb35abe95c40a88784f5b631ad) C:\WINDOWS\system32\PCANDIS5.SYS
2011/07/26 20:43:17.0791 0372 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/26 20:43:17.0838 0372 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/26 20:43:17.0916 0372 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/26 20:43:18.0104 0372 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/26 20:43:18.0494 0372 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/26 20:43:18.0526 0372 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/26 20:43:18.0682 0372 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/26 20:43:18.0744 0372 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/26 20:43:18.0791 0372 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/26 20:43:18.0822 0372 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/26 20:43:18.0932 0372 Razerlow (116c340acf37602d12cac6de6b8107cd) C:\WINDOWS\system32\Drivers\Razerlow.sys
2011/07/26 20:43:19.0010 0372 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/26 20:43:19.0057 0372 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/26 20:43:19.0104 0372 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/26 20:43:19.0197 0372 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/26 20:43:19.0291 0372 RTL8023xp (4a0ae7891fcf74acc848b109294cb80f) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2011/07/26 20:43:19.0463 0372 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/26 20:43:19.0682 0372 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2011/07/26 20:43:19.0760 0372 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/26 20:43:19.0854 0372 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/26 20:43:19.0963 0372 smserial (2a88b1286305eb6df1c053d39f88185c) C:\WINDOWS\system32\DRIVERS\smserial.sys
2011/07/26 20:43:20.0041 0372 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/07/26 20:43:20.0463 0372 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/07/26 20:43:20.0729 0372 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/26 20:43:20.0822 0372 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/26 20:43:20.0932 0372 SRTSP (5a293729e1f9fce3a2106d1f5dc5e98a) C:\WINDOWS\system32\Drivers\SRTSP.SYS
2011/07/26 20:43:21.0119 0372 SRTSPL (0ddb7fba32be09d8057063c0cee24137) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
2011/07/26 20:43:21.0213 0372 SRTSPX (a99719dfb61b61aa5026341bbb733c0a) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
2011/07/26 20:43:21.0307 0372 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/26 20:43:21.0604 0372 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/26 20:43:21.0697 0372 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/26 20:43:21.0760 0372 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/26 20:43:21.0916 0372 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/07/26 20:43:21.0994 0372 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/07/26 20:43:22.0104 0372 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/07/26 20:43:22.0307 0372 SynTP (59e9d90d6373f8ad4e3ebd0ecdedd35e) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/07/26 20:43:22.0557 0372 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/26 20:43:22.0713 0372 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/26 20:43:22.0822 0372 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/26 20:43:22.0869 0372 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/26 20:43:22.0947 0372 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/26 20:43:23.0041 0372 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/26 20:43:23.0166 0372 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/26 20:43:23.0447 0372 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/26 20:43:23.0541 0372 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/26 20:43:23.0635 0372 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/26 20:43:23.0697 0372 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/26 20:43:23.0744 0372 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/26 20:43:23.0791 0372 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/26 20:43:23.0838 0372 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/26 20:43:23.0901 0372 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/26 20:43:23.0963 0372 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/07/26 20:43:23.0994 0372 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/07/26 20:43:24.0072 0372 viamraid (0363e216e4eb5052969c96608934dbde) C:\WINDOWS\system32\DRIVERS\viamraid.sys
2011/07/26 20:43:24.0104 0372 VolSnap (20f4937eebd2715ae867b87b751d0290) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/26 20:43:24.0151 0372 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/26 20:43:24.0260 0372 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/26 20:43:24.0541 0372 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/07/26 20:43:24.0666 0372 WPN111 (75a833b635e093c728f5027b01f8cbb7) C:\WINDOWS\system32\DRIVERS\WPN111.sys
2011/07/26 20:43:24.0729 0372 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/26 20:43:24.0776 0372 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/26 20:43:24.0807 0372 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/26 20:43:24.0916 0372 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/26 20:43:25.0010 0372 Boot (0x1200) (d82cd3c4d710dcc080ff8d847f8b2a22) \Device\Harddisk0\DR0\Partition0
2011/07/26 20:43:25.0026 0372 ================================================================================
2011/07/26 20:43:25.0026 0372 Scan finished
2011/07/26 20:43:25.0026 0372 ================================================================================
2011/07/26 20:43:25.0057 3356 Detected object count: 0
2011/07/26 20:43:25.0057 3356 Actual detected object count: 0
2011/07/26 20:43:30.0151 0340 Deinitialize success

Attached file: MBR.zip (499 bytes)


#4 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 July 2011 - 08:00 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 cronin66
  • Topic Starter
  • Members
  • 12 posts

Posted 28 July 2011 - 01:32 AM

ComboFix 11-07-28.01 - Sean Cronin 07/28/2011 2:04.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1561 [GMT -4:00]
Running from: c:\documents and settings\Sean Cronin\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Sean Cronin\Application Data\Adobe\plugs
c:\documents and settings\Sean Cronin\Application Data\Adobe\shed
c:\documents and settings\Sean Cronin\WINDOWS
c:\windows\system32\UACenqkeespabxcdgu.db
c:\windows\system32\UACiaeaeurjburpinc.log
c:\windows\system32\uactmp.db
c:\windows\system32\wl.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-11 21:15 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-11 21:15 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 03:50 . 2005-07-26 08:54 2806784 ----a-w- c:\windows\ALCWZRD.EXE
2011-07-06 03:50 . 2005-05-03 10:43 69632 ----a-w- c:\windows\ALCMTR.EXE
2011-07-06 03:50 . 2005-08-18 06:38 86016 ----a-w- c:\windows\SOUNDMAN.EXE
2011-07-06 03:50 . 2005-08-17 23:20 14820864 ----a-w- c:\windows\RTHDCPL.EXE
2011-07-06 03:50 . 2005-08-15 08:04 2121728 ----a-w- c:\windows\MicCal.exe
2011-07-06 03:50 . 2005-08-15 07:34 9703424 ----a-w- c:\windows\RTLCPL.EXE
2011-07-06 03:50 . 2005-08-18 07:35 3856896 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-07-06 03:50 . 2005-07-15 08:48 40960 ------r- c:\windows\system32\ChCfg.exe
2011-07-06 03:50 . 2005-06-21 07:12 294912 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2011-07-06 03:50 . 2005-05-26 06:14 262144 ----a-w- c:\windows\system32\RTSndMgr.CPL
2011-07-06 03:50 . 2011-07-06 03:50 -------- d-----w- c:\program files\Realtek
2011-07-06 03:49 . 2005-04-16 14:20 487424 ------r- c:\windows\RtlExUpd.dll
2011-07-06 03:49 . 2005-04-04 03:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-07-06 03:49 . 2005-04-04 03:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-07-06 03:49 . 2005-04-04 03:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-07-06 03:49 . 2005-04-04 03:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-07-06 03:49 . 2005-04-04 02:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-07-06 03:49 . 2011-07-06 03:49 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-07-06 03:49 . 2011-07-06 03:49 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-07-05 17:00 . 2011-07-05 17:00 -------- d-----w- c:\documents and settings\Sean Cronin\Local Settings\Application Data\Symantec
2011-07-05 16:57 . 2011-07-05 16:57 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-05 16:57 . 2011-07-05 16:57 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-05 16:56 . 2011-07-05 17:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-07-05 16:56 . 2011-07-05 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2011-07-05 16:56 . 2011-07-05 16:57 -------- d-----w- c:\program files\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-23 18:03 . 2011-06-23 18:03 89600 ----a-w- c:\windows\system32\atl71.dll
2011-06-23 18:03 . 2011-06-23 18:03 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2011-06-23 18:03 . 2011-06-23 18:03 625032 ----a-w- c:\windows\system32\SymNeti.dll
2011-06-23 18:03 . 2011-06-23 18:03 242056 ----a-w- c:\windows\system32\SymRedir.dll
2011-06-23 18:03 . 2011-06-23 18:03 107848 ----a-w- c:\windows\system32\SymVPN.dll
2011-06-23 18:03 . 2011-06-23 18:03 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2011-06-23 18:03 . 2011-06-23 18:03 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys
2011-06-23 18:03 . 2011-06-23 18:03 283184 ----a-w- c:\windows\system32\drivers\srtsp.sys
2011-06-23 18:03 . 2011-06-23 18:03 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2011-06-23 18:03 . 2011-06-23 18:03 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2011-06-23 18:03 . 2011-06-23 18:03 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2011-06-23 18:03 . 2011-06-23 18:03 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2011-06-23 18:03 . 2011-06-23 18:03 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2011-06-23 18:03 . 2011-06-23 18:03 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2011-06-23 18:03 . 2011-06-23 18:03 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2011-05-10 12:06 . 2010-01-04 02:03 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06 . 2007-10-03 18:20 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-05 20:36 . 2006-09-04 20:12 81920 ----a-w- c:\windows\ALCFDRTM.VER
2011-04-14 16:26 . 2011-05-11 17:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-01 7118848]
"nwiz"="nwiz.exe" [2005-07-01 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-02-25 589824]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"SMSERIAL"="sm56hlpr.exe" [2004-12-28 544768]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2009-03-10 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-06-23 115560]
"SoundMan"="SOUNDMAN.EXE" [2005-08-18 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-26 2806784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2011-07-06 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 02:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 4:00 AM 105592]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S0 pgysg;pgysg;c:\windows\system32\drivers\pmbaq.sys --> c:\windows\system32\drivers\pmbaq.sys [?]
S2 BNPagent;Client Security Agent Service;"c:\program files\Bradford Networks\Client Security Agent\bndaemon.exe" --> c:\program files\Bradford Networks\Client Security Agent\bndaemon.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\drivers\Ca2001v.sys [2/19/2008 12:48 PM 2333568]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [5/5/2009 8:08 PM 17149]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [9/9/2007 9:57 PM 13225]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [5/5/2009 8:08 PM 362944]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Sean Cronin\Application Data\Mozilla\Firefox\Profiles\jim38wzm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4df8f30e&i=23&tp=ab&nt=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-bncsaui.exe - c:\program files\Bradford Networks\Client Security Agent\bncsaui.exe
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-28 02:25
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2988160727-3562475015-2858582939-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(776)
c:\program files\AlienGUIse\fastload.dll
.
- - - - - - - > 'explorer.exe'(2868)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\sm56hlpr.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-07-28 02:28:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-28 06:28
.
Pre-Run: 14,268,878,848 bytes free
Post-Run: 15,687,618,560 bytes free
.
- - End Of File - - B2DFEC3E461191CB01DCF92BCB170D2C
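The "Drivers/Services" and "Reg Loading Points" sections of the ComboFix log above carry the entries a helper reads first: a boot-start (S0) driver named pgysg whose file pmbaq.sys cannot be found on disk, the Windows Firewall switched off for the standard profile, Security Center monitoring disabled for the Symantec product, and an AppInit_DLLs entry. The Python script below is an added example, not part of this thread and not a ComboFix feature: it parses a constructed excerpt of that log (copied in shape from the post above) and applies a few triage heuristics. The severity labels, and the "name equals display name or has no vowels" test for machine-generated service names, are my own assumptions rather than ComboFix rules.

```python
"""Triage a ComboFix log: flag missing boot drivers and weakened security settings (added example)."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 4:00 AM 105592]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S0 pgysg;pgysg;c:\windows\system32\drivers\pmbaq.sys --> c:\windows\system32\drivers\pmbaq.sys [?]
S2 BNPagent;Client Security Agent Service;"c:\program files\Bradford Networks\Client Security Agent\bndaemon.exe" --> c:\program files\Bradford Networks\Client Security Agent\bndaemon.exe [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [5/5/2009 8:08 PM 362944]
"""

# ComboFix service line: "<start type> <name>;<display name>;<path> [<date size>|?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
VOWELS = re.compile(r"[aeiou]", re.I)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_services(log: str) -> List[Dict[str, object]]:
    """One dict per R/S line: start type, names, resolved path, and whether ComboFix marked the file missing ([?])."""
    rows = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        # '"quoted path" --> resolved path [info]': keep the resolved path, drop the bracketed tail.
        path = rest.split(" --> ")[-1].rsplit(" [", 1)[0].strip('"')
        rows.append({"start": m.group("start"), "name": m.group("name"), "display": m.group("display"),
                     "path": path, "missing": rest.endswith("[?]")})
    return rows


def parse_registry(log: str) -> Dict[tuple, str]:
    """Map (key, value name), both lower-cased, to the raw value text of the REGEDIT4-style blocks."""
    values, key = {}, None
    for line in log.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        vm = REG_VAL_RE.match(line)
        if vm and key is not None:
            values[(key, vm.group("name").lower())] = vm.group("value").strip()
    return values


def reg_int(value: str):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None when the value is not numeric."""
    m = re.match(r"dword:([0-9a-f]+)", value, re.I) or re.match(r"(\d+)", value)
    return int(m.group(1), 16 if value.lower().startswith("dword:") else 10) if m else None


def analyze(log: str) -> List[Dict[str, str]]:
    """Apply the (assumed) triage heuristics and return findings sorted by severity."""
    findings = []
    for svc in parse_services(log):
        boot_start = svc["start"] in ("R0", "S0")
        # Heuristic (assumption): a name equal to its display name, or with no vowels, was not chosen by a human.
        generated = svc["name"].lower() == svc["display"].lower() or not VOWELS.search(svc["name"])
        if boot_start and svc["missing"] and generated:
            sev, why = "high", "boot-start driver with a generated-looking name and no file on disk"
        elif boot_start and svc["missing"]:
            sev, why = "medium", "boot-start driver whose file is missing (orphaned or hidden)"
        elif svc["missing"]:
            sev, why = "low", "service whose binary is missing"
        else:
            continue
        findings.append({"severity": sev, "item": svc["name"], "detail": f"{why}: {svc['path']}"})

    for (key, name), value in parse_registry(log).items():
        if key.endswith("firewallpolicy\\standardprofile") and name == "enablefirewall" and reg_int(value) == 0:
            findings.append({"severity": "high", "item": "EnableFirewall",
                             "detail": "Windows Firewall is turned off for the standard profile"})
        elif "\\security center\\monitoring\\" in key and name == "disablemonitoring" and reg_int(value) == 1:
            findings.append({"severity": "info", "item": key.rsplit("\\", 1)[-1],
                             "detail": "Security Center monitoring disabled for this product (AV suites set this themselves)"})
        elif key.endswith("currentversion\\windows") and name == "appinit_dlls" and value:
            findings.append({"severity": "info", "item": "AppInit_DLLs",
                             "detail": f"DLL loaded into every user32-linked process: {value}"})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    import sys
    # ComboFix writes ANSI text on XP; decode leniently so a stray byte does not abort the run.
    text = open(sys.argv[1], encoding="cp1252", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in analyze(text):
        print(f"[{f['severity']:6}] {f['item']}: {f['detail']}")
```

With no argument the script runs on the embedded excerpt and reports pgysg and EnableFirewall as high, DwProt as medium, BNPagent as low, and the Security Center and AppInit_DLLs values as informational; pass a path such as C:\ComboFix.txt to triage a real log. The DisableMonitoring value is deliberately kept informational because antivirus products set it on their own install; it deserves attention only when the product name under Monitoring is not something installed on the machine.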

#6 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 28 July 2011 - 05:59 AM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into Notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic409022.html/page__pid__2330826#entry2330826

Collect::
c:\windows\system32\drivers\pmbaq.sys 

Driver::
pgysg

RegLock::
[HKEY_USERS\S-1-5-21-2988160727-3562475015-2858582939-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 cronin66
  • Topic Starter
  • Members
  • 12 posts

Posted 01 August 2011 - 04:26 PM

ComboFix 11-07-28.01 - Sean Cronin 08/01/2011 17:04:45.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1519 [GMT -4:00]
Running from: c:\documents and settings\Sean Cronin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sean Cronin\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_pgysg
.
.
((((((((((((((((((((((((( Files Created from 2011-07-01 to 2011-08-01 )))))))))))))))))))))))))))))))
.
.
2011-07-11 21:15 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-11 21:15 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 03:50 . 2005-07-26 08:54 2806784 ----a-w- c:\windows\ALCWZRD.EXE
2011-07-06 03:50 . 2005-05-03 10:43 69632 ----a-w- c:\windows\ALCMTR.EXE
2011-07-06 03:50 . 2005-08-18 06:38 86016 ----a-w- c:\windows\SOUNDMAN.EXE
2011-07-06 03:50 . 2005-08-17 23:20 14820864 ----a-w- c:\windows\RTHDCPL.EXE
2011-07-06 03:50 . 2005-08-15 08:04 2121728 ----a-w- c:\windows\MicCal.exe
2011-07-06 03:50 . 2005-08-15 07:34 9703424 ----a-w- c:\windows\RTLCPL.EXE
2011-07-06 03:50 . 2005-08-18 07:35 3856896 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-07-06 03:50 . 2005-07-15 08:48 40960 ------r- c:\windows\system32\ChCfg.exe
2011-07-06 03:50 . 2005-06-21 07:12 294912 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2011-07-06 03:50 . 2005-05-26 06:14 262144 ----a-w- c:\windows\system32\RTSndMgr.CPL
2011-07-06 03:50 . 2011-07-06 03:50 -------- d-----w- c:\program files\Realtek
2011-07-06 03:49 . 2005-04-16 14:20 487424 ------r- c:\windows\RtlExUpd.dll
2011-07-06 03:49 . 2005-04-04 03:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-07-06 03:49 . 2005-04-04 03:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-07-06 03:49 . 2005-04-04 03:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-07-06 03:49 . 2005-04-04 03:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-07-06 03:49 . 2005-04-04 02:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-07-06 03:49 . 2011-07-06 03:49 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-07-06 03:49 . 2011-07-06 03:49 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-07-05 17:00 . 2011-07-05 17:00 -------- d-----w- c:\documents and settings\Sean Cronin\Local Settings\Application Data\Symantec
2011-07-05 16:57 . 2011-07-05 16:57 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-05 16:57 . 2011-07-05 16:57 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-05 16:56 . 2011-07-05 17:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-07-05 16:56 . 2011-07-05 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2011-07-05 16:56 . 2011-07-05 16:57 -------- d-----w- c:\program files\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-23 18:03 . 2011-06-23 18:03 89600 ----a-w- c:\windows\system32\atl71.dll
2011-06-23 18:03 . 2011-06-23 18:03 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2011-06-23 18:03 . 2011-06-23 18:03 625032 ----a-w- c:\windows\system32\SymNeti.dll
2011-06-23 18:03 . 2011-06-23 18:03 242056 ----a-w- c:\windows\system32\SymRedir.dll
2011-06-23 18:03 . 2011-06-23 18:03 107848 ----a-w- c:\windows\system32\SymVPN.dll
2011-06-23 18:03 . 2011-06-23 18:03 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2011-06-23 18:03 . 2011-06-23 18:03 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys
2011-06-23 18:03 . 2011-06-23 18:03 283184 ----a-w- c:\windows\system32\drivers\srtsp.sys
2011-06-23 18:03 . 2011-06-23 18:03 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2011-06-23 18:03 . 2011-06-23 18:03 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2011-06-23 18:03 . 2011-06-23 18:03 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2011-06-23 18:03 . 2011-06-23 18:03 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2011-06-23 18:03 . 2011-06-23 18:03 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2011-06-23 18:03 . 2011-06-23 18:03 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2011-06-23 18:03 . 2011-06-23 18:03 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2011-05-10 12:06 . 2010-01-04 02:03 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06 . 2007-10-03 18:20 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-05 20:36 . 2006-09-04 20:12 81920 ----a-w- c:\windows\ALCFDRTM.VER
2011-04-14 16:26 . 2011-05-11 17:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-28_06.22.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-01 21:18 . 2011-08-01 21:18 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
+ 2004-08-04 12:00 . 2011-07-28 06:28 71462 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2011-06-14 21:29 71462 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2011-07-28 06:28 441692 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2011-06-14 21:29 441692 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-01 7118848]
"nwiz"="nwiz.exe" [2005-07-01 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-02-25 589824]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"SMSERIAL"="sm56hlpr.exe" [2004-12-28 544768]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2009-03-10 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-06-23 115560]
"SoundMan"="SOUNDMAN.EXE" [2005-08-18 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-26 2806784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2011-07-06 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 02:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 4:00 AM 105592]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S2 BNPagent;Client Security Agent Service;"c:\program files\Bradford Networks\Client Security Agent\bndaemon.exe" --> c:\program files\Bradford Networks\Client Security Agent\bndaemon.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\drivers\Ca2001v.sys [2/19/2008 12:48 PM 2333568]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [5/5/2009 8:08 PM 17149]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [9/9/2007 9:57 PM 13225]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [5/5/2009 8:08 PM 362944]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Sean Cronin\Application Data\Mozilla\Firefox\Profiles\jim38wzm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4df8f30e&i=23&tp=ab&nt=1&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-01 17:22
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\program files\AlienGUIse\fastload.dll
.
- - - - - - - > 'explorer.exe'(2096)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\sm56hlpr.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-01 17:25:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-01 21:24
ComboFix2.txt 2011-07-28 06:28
.
Pre-Run: 16,297,132,032 bytes free
Post-Run: 16,287,129,600 bytes free
.
- - End Of File - - F30151BC252392C54EE54C998EB0A30B

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:26 PM

Posted 01 August 2011 - 07:09 PM

please post the MBAM and ESET logs when you get a chance

thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 cronin66

cronin66
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 02 August 2011 - 12:24 PM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7348

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

8/1/2011 5:33:48 PM
mbam-log-2011-08-01 (17-33-48).txt

Scan type: Quick scan
Objects scanned: 168561
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)







C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\0\3023a1c0-782b51dc Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\45\6dfd656d-6caf8103 Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\55\51d1c3f7-39566ada a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\System Volume Information\_restore{F1784E2A-5C99-4246-9F2D-A93C8B4874AF}\RP46\A0034708.ini Win32/Adware.AntimalwareDoctor.AE.Gen application

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:26 PM

Posted 02 August 2011 - 06:02 PM

Hi

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 26 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 26 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u26 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
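As an added example (not part of this thread, and not a tool from any of the vendors named in it), the following PowerShell script performs the audit behind the Java steps above: it lists every Java runtime that Add or Remove Programs would show, flags the ones that are not the newest, and lists every file in the per-user Java deployment caches, which is where the ESET scan posted earlier in this topic found the Java/TrojanDownloader.OpenStream entries. It assumes PowerShell 2.0 or later, the Windows XP profile layout visible in the logs (`Documents and Settings\<user>\Application Data\Sun\Java\Deployment\cache`), and that it is run from an administrator account so other profiles such as LocalService are readable; the function names are my own.

```powershell
# Added example, not from the thread: audit installed Java runtimes and the
# Java deployment caches before and after the manual clean-up steps above.
# Assumptions: PowerShell 2.0+, Windows XP profile layout, run as administrator.

function ConvertTo-SafeVersion {
    # DisplayVersion is free text in the uninstall keys; fall back to 0.0 when
    # it cannot be parsed so sorting never throws.
    param([string]$Text)
    $v = $Text -replace '[^\d.]', ''
    if ($v -match '^\d+(\.\d+){1,3}$') { return [version]$v }
    return [version]'0.0'
}

function Get-InstalledJava {
    # Add or Remove Programs is built from these uninstall keys; every entry
    # returned here is one the steps above say to remove unless it is current.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString
}

function Get-JavaDeploymentCache {
    # One deployment cache per user profile. On XP it sits under
    # "Application Data"; the LocalService profile appeared in the ESET hits.
    $profileRoot = Split-Path -Path $env:USERPROFILE -Parent
    Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $cache = Join-Path -Path $_.FullName -ChildPath 'Application Data\Sun\Java\Deployment\cache'
            if (Test-Path -Path $cache) {
                Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer } |
                    Select-Object FullName, Length, LastWriteTime
            }
        }
}

function Get-JavaAuditReport {
    # Flags every installed Java that is not the highest version found, which
    # is what "remove all older versions" amounts to in Add or Remove Programs.
    $installed = @(Get-InstalledJava)
    $newest = $installed |
        Sort-Object { ConvertTo-SafeVersion $_.DisplayVersion } -Descending |
        Select-Object -First 1
    foreach ($j in $installed) {
        $status = if ($j.DisplayVersion -eq $newest.DisplayVersion) { 'current' } else { 'REMOVE (older)' }
        "{0,-16} {1,-12} {2}" -f $status, $j.DisplayVersion, $j.DisplayName
    }
    $cached = @(Get-JavaDeploymentCache)
    "{0} cached Java application/applet files across all profiles" -f $cached.Count
    $cached | ForEach-Object { "  {0,10} bytes  {1}  {2}" -f $_.Length, $_.LastWriteTime, $_.FullName }
}

Get-JavaAuditReport
```

Run it once before the clean-up to see what is installed and cached, and again after the reboot and the Java Control Panel cache deletion: the second run should show a single "current" runtime and zero cached files. The script only reads; removal stays with Add or Remove Programs and the Java Control Panel as the steps describe, so nothing is deleted from a profile that was not inspected first.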


#11 cronin66

cronin66
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 02 August 2011 - 06:40 PM

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by Sean Cronin at 19:38:41 on 2011-08-02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1430 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1010011
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4AB1D78-0CE4-425B-9585-3D25C6449551} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: c:\windows\system32\wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sean cronin\application data\mozilla\firefox\profiles\jim38wzm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4df8f30e&i=23&tp=ab&nt=1&q=
FF - plugin: c:\documents and settings\sean cronin\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\sean cronin\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\sean cronin\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-23 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-23 108392]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-3-10 103744]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-6-23 1831024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110801.020\NAVENG.SYS [2011-8-1 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110801.020\NAVEX15.SYS [2011-8-1 1542392]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S2 BNPagent;Client Security Agent Service;"c:\program files\bradford networks\client security agent\bndaemon.exe" --> c:\program files\bradford networks\client security agent\bndaemon.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\drivers\Ca2001v.sys [2008-2-19 2333568]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-5-5 17149]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2007-9-9 13225]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-5-5 362944]
S4 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
.
=============== Created Last 30 ================
.
2011-08-02 23:34:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-01 21:38:26 -------- d-----w- c:\program files\ESET
2011-07-28 05:53:28 -------- d-sha-r- C:\cmdcons
2011-07-28 05:50:31 208896 ----a-w- c:\windows\MBR.exe
2011-07-28 05:50:30 518144 ----a-w- c:\windows\SWREG.exe
2011-07-28 05:50:30 256000 ----a-w- c:\windows\PEV.exe
2011-07-28 05:50:29 98816 ----a-w- c:\windows\sed.exe
2011-07-11 21:15:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-11 21:15:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 03:50:57 69632 ----a-w- c:\windows\ALCMTR.EXE
2011-07-06 03:50:57 2806784 ----a-w- c:\windows\ALCWZRD.EXE
2011-07-06 03:50:54 9703424 ----a-w- c:\windows\RTLCPL.EXE
2011-07-06 03:50:54 86016 ----a-w- c:\windows\SOUNDMAN.EXE
2011-07-06 03:50:54 2121728 ----a-w- c:\windows\MicCal.exe
2011-07-06 03:50:54 14820864 ----a-w- c:\windows\RTHDCPL.EXE
2011-07-06 03:50:53 40960 ------r- c:\windows\system32\ChCfg.exe
2011-07-06 03:50:53 3856896 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-07-06 03:50:53 294912 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2011-07-06 03:50:53 262144 ----a-w- c:\windows\system32\RTSndMgr.CPL
2011-07-06 03:50:15 -------- d-----w- c:\program files\Realtek
2011-07-06 03:49:58 487424 ------r- c:\windows\RtlExUpd.dll
2011-07-06 03:49:53 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2011-07-06 03:49:52 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2011-07-06 03:49:52 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2011-07-06 03:49:52 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2011-07-06 03:49:52 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2011-07-06 03:49:49 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2011-07-06 03:49:49 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2011-07-05 17:00:30 -------- d-----w- c:\documents and settings\sean cronin\local settings\application data\Symantec
2011-07-05 16:57:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-05 16:57:30 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-05 16:56:20 -------- d-----w- c:\program files\common files\Symantec Shared
2011-07-05 16:56:20 -------- d-----w- c:\documents and settings\all users\application data\Symantec
2011-07-05 16:56:19 -------- d-----w- c:\program files\Symantec
.
==================== Find3M ====================
.
2011-08-02 23:34:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-10 12:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-05 20:36:17 81920 ----a-w- c:\windows\ALCFDRTM.VER
.
============= FINISH: 19:39:42.42 ===============

#12 cronin66

cronin66
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 02 August 2011 - 06:41 PM

Things are certainly running a lot better since I first started getting help. As far as I can tell my computer is running great, only thing is the MRI_Disabled folder pops up when I reboot.

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:26 PM

Posted 02 August 2011 - 07:01 PM

Hi

Please do the following:

  • Click Start
  • Open the Control Panel.
  • Open the Display icon.
  • Click the Desktop tab.
  • Click the Customize Desktop button.
  • Click the Web tab in the Desktop Items window.
  • If there are other entries there as well as "My Current Home Page." delete them
  • Click "Apply" then "OK"

See if that resolves the issue.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
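As an added example (not part of this thread), a PowerShell script that lists the same items the Web tab in the Desktop Items window shows, so an unexpected entry can be identified before it is deleted. It assumes Windows XP with IE6, where the Active Desktop component list is stored under `HKCU\Software\Microsoft\Internet Explorer\Desktop\Components` as one numbered subkey per item with `Source` and `FriendlyName` values (that layout is my assumption, not something the thread states), and it treats the entry named "My Current Home Page" as the one to keep, as the steps above do; the function names are my own.

```powershell
# Added example, not from the thread: inventory the Active Desktop items shown
# under Display > Desktop > Customize Desktop > Web for the current user.
# Assumption: XP / IE6 stores them under this HKCU key, one numbered subkey per
# item, with Source and FriendlyName values. The script only reads.

function Get-ActiveDesktopComponents {
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
    if (-not (Test-Path -Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $p   = Get-ItemProperty -Path $_.PSPath
        $src = [string]$p.Source
        $name = [string]$p.FriendlyName
        # The default entry stays; everything else is what the steps above say
        # to delete. A local file or folder path as Source is the kind of item
        # that keeps re-appearing on the desktop after a reboot.
        $kind = if ($name -eq 'My Current Home Page') { 'default (keep)' }
                elseif ($src -match '^https?://') { 'web item' }
                elseif ($src) { 'local item' }
                else { 'no source' }
        New-Object -TypeName PSObject -Property @{
            Index        = $_.PSChildName
            FriendlyName = $name
            Source       = $src
            Kind         = $kind
        }
    }
}

function Show-ActiveDesktopReport {
    $items = @(Get-ActiveDesktopComponents)
    if ($items.Count -eq 0) { return 'No Active Desktop components registered for this user.' }
    foreach ($i in $items) {
        $note = if ($i.Kind -eq 'local item') { '  <-- not the default entry; review, then delete it in the Web tab' } else { '' }
        "[{0}] {1,-16} {2,-28} {3}{4}" -f $i.Index, $i.Kind, $i.FriendlyName, $i.Source, $note
    }
}

Show-ActiveDesktopReport
```

Running it before and after the Web tab clean-up confirms that only the default entry remains; if the report is already empty yet a folder still appears at logon, the cause is not an Active Desktop item and the next DDS log is the place to look.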


#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:26 PM

Posted 10 August 2011 - 10:24 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




