
Infected with something - Google redirects


  • This topic is locked
26 replies to this topic

#1 steelfish

steelfish

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:35 PM

Posted 15 July 2011 - 01:42 PM

Hello,

I believe my laptop became infected last week as I was using it on a public Wi-Fi network. I received messages that my hard drive wasn't functioning correctly and the system needed to be restored. On my McAfee anti-virus scan it says my computer "is at risk" and 3 dangerous websites were found: 213.174.149.100, findfierce.org, and findinnocent.org. To stay protected, it prompts me to buy additional software for around $40.

After my computer became infected, whenever I do a search on Google and click on a link from the search results, instead of taking me to the webpage requested it redirects me to another site. I've noticed it directs me to "shopica.com" and "findfast.com" among other sites. Also, when I try to log in to my Comcast e-mail account I get the message that says "You are about to leave a secure Internet connection. It will be possible for others to view information you send. Do you want to continue?" In the past, I didn't receive this message when logging into my e-mail account.

As a side note, the speakers on my laptop stopped working. I can no longer hear music from a CD or from pandora.com or other internet sites. Not sure if this is related but considering it malfunctioned at the same time I'm thinking it might be.

I've tried various malware and spyware software but none worked. Recently, I tried Hijack This and noticed there was a program running called O18 – Filter hijack: text/xml – {807573E5-5146-11D5-A672-00B0D022E945} – C:\Program Files\Common Files\Microsoft Shared\OFFICE 14\MSOXMLMF.DLL. I tried to remove this several times but the program fails to remove it for some reason. Anyway, if somebody could help with this I would really appreciate it. Don't know what else to do at this point.

Here is the DDS.txt log as requested:

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by mfortier at 13:35:24 on 2011-07-15
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2973.1592 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Program Files\Acer Bio Protection\CompPtcVUI.exe
C:\Program Files\Acer\Registration\GregHSRW.exe
C:\Program Files\Infineon\Security Platform Software\ifxspmgt.exe
C:\Program Files\Infineon\Security Platform Software\ifxtcs.exe
C:\Program Files\Acer Bio Protection\BASVC.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Program Files\Infineon\Security Platform Software\IfxPsdSv.exe
C:\Windows\system32\rpcnet.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Acer Bio Protection\PdtWzd.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WatchGuard\Mobile VPN\NcpBudgetGui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WatchGuard\Mobile VPN\NCPMON.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com
uWindow Title = Microsoft Internet Explorer provided by Triax Pharma, LLC
uDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=travelmate_6493&r=270503103825l0314z2m5x4962h452
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=travelmate_6493&r=270503103825l0314z2m5x4962h452
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} -
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IFXSPMGT] "c:\program files\infineon\security platform software\ifxspmgt.exe" /NotifyLogon
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [VitaKeyPdtWzd] "c:\program files\acer bio protection\PdtWzd.exe"
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NcpBudgetGui] "c:\program files\watchguard\mobile vpn\NcpBudgetGui.exe" -start
mRun: [NcpPopup] "c:\program files\watchguard\mobile vpn\ncppopup.exe" noerrmsg
mRun: [NcpMonitor] "c:\program files\watchguard\mobile vpn\ncpmon.exe" autorun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: legalnoticecaption = Triax Pharma, LLC Windows 2008 Network
mPolicies-System: legalnoticetext = Welcome to the Triax Pharma, LLC corporate network. Only current employees of Triax Pharma, LLC are authorized to access this network. All other login or access attempts to this network is illegal.
mPolicies-System: DisableCAD = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer bio protection\PwdBank.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 63.247.150.25 63.247.150.75
TCP: Interfaces\{11F88067-7FD6-499D-BAF0-C0AE48B457CC} : NameServer = 10.10.10.2
TCP: Interfaces\{11F88067-7FD6-499D-BAF0-C0AE48B457CC} : DHCPNameServer = 63.247.150.25 63.247.150.75
TCP: Interfaces\{CA6A6573-7F58-41A3-B9D5-89F6BADC07E2} : DHCPNameServer = 68.87.74.166 68.87.68.166 192.168.33.1
TCP: Interfaces\{CA6A6573-7F58-41A3-B9D5-89F6BADC07E2}\25572697758616C656 : DHCPNameServer = 68.87.74.166 68.87.68.166 192.168.1.1
TCP: Interfaces\{CA6A6573-7F58-41A3-B9D5-89F6BADC07E2}\3427F677E6567457563747 : DHCPNameServer = 208.67.222.222 208.67.220.220 64.105.124.154
TCP: Interfaces\{CA6A6573-7F58-41A3-B9D5-89F6BADC07E2}\472796168707861627D616 : DHCPNameServer = 10.10.10.2 10.10.10.9
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
SSODL: WebCheck - <orphaned>
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\windows mail\WinMail.exe" OCInstallUserConfigOE
.
============= SERVICES / DRIVERS ===============
.
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2009-7-19 39712]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-11-7 24576]
R2 Greg_Service;GRegService;c:\program files\acer\registration\GregHSRW.exe [2009-8-28 1150496]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 IGBASVC;EgisTec Service;c:\program files\acer bio protection\BASVC.exe [2009-10-14 3453440]
R2 ncpclcfg;ncpclcfg;c:\program files\watchguard\mobile vpn\ncpclcfg.exe [2010-5-5 86016]
R2 ncprwsnt;ncprwsnt;c:\program files\watchguard\mobile vpn\ncprwsnt.exe [2010-5-5 1092104]
R2 NcpSec;NcpSec;c:\program files\watchguard\mobile vpn\NCPSEC.EXE [2010-5-5 97280]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2009-6-17 144640]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-3-31 2477304]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-11-7 2058776]
R2 Updater Service;Updater Service;c:\program files\acer\acer updater\UpdaterService.exe [2009-11-7 240160]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-11-7 221912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-9 105592]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [2009-11-7 25088]
R3 ncplelhp;WatchGuard Secure Client NDIS6 Driver;c:\windows\system32\drivers\ncplelhp.sys [2010-5-5 77128]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-11-7 6114816]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-7-13 52768]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-7-10 42400]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-12 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-11-7 43944]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-12-31 29472]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-12 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 ncpfilt;WatchGuard Filter;c:\windows\system32\drivers\ncplelhp.sys [2010-5-5 77128]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2009-6-17 50432]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-9 52224]
.
=============== Created Last 30 ================
.
2011-07-15 15:56:00 388096 ----a-r- c:\users\mfortier.triaxpharma\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-15 15:55:59 -------- d-----w- c:\program files\Trend Micro
2011-07-15 13:42:03 -------- d-----w- c:\users\mfortier.triaxpharma\appdata\local\Broadcom
2011-07-15 02:08:22 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-07-15 02:08:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-14 20:47:58 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-14 20:37:28 -------- d-----w- c:\users\mfortier.triaxpharma\appdata\local\Sunbelt Software
2011-07-14 17:33:51 -------- d--h--w- C:\$AVG
2011-07-14 16:55:16 -------- d-----w- c:\users\mfortier.triaxpharma\appdata\roaming\AVG10
2011-07-14 16:53:11 -------- d--h--w- c:\programdata\Common Files
2011-07-14 16:51:51 -------- d-----w- c:\programdata\AVG10
2011-07-14 16:51:07 -------- d-----w- c:\program files\AVG
2011-07-13 14:18:49 -------- d-----w- c:\users\mfortier.triaxpharma\NTI-Shadow
2011-07-12 14:07:44 -------- d-----w- c:\users\mfortier.triaxpharma\appdata\roaming\Malwarebytes
2011-07-12 14:07:32 -------- d-----w- c:\programdata\Malwarebytes
2011-07-08 14:07:34 -------- d--h--w- c:\users\mfortier.triaxpharma\appdata\local\ElevatedDiagnostics
2011-06-27 13:24:20 -------- d--h--w- c:\windows\system32\appmgmt
2011-06-24 22:12:16 -------- d--h--w- c:\users\mfortier.triaxpharma\Tracing
.
==================== Find3M ====================
.
2011-07-15 16:55:15 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-07-15 16:55:13 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-07-15 16:52:21 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-07-12 14:00:22 110456 ----a-w- c:\users\mfortier.triaxpharma\g2ax_customer_downloadhelper_win32_x86.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: Hitachi_ rev.FC4O -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82E41000]<< >>UNKNOWN [0x8B793000]<< >>UNKNOWN [0x8B782000]<< >>UNKNOWN [0x87070F16]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x82E7852F] -> \Device\Harddisk0\DR0[0x87051030]
\Driver\Disk[0x85936390] -> IRP_MJ_CREATE -> 0x8B79739F
3 [0x8B79759E] -> ntkrnlpa!IofCallDriver[0x82E7852F] -> \Device\Ide\IAAStorageDevice-1[0x8664A028]
\Driver\iaStor[0x8660F260] -> IRP_MJ_CREATE -> 0x8B280954
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:38:10.11 ===============

#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:35 PM

Posted 16 July 2011 - 02:11 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • The Attach.txt log from DDS
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 steelfish

steelfish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:35 PM

Posted 17 July 2011 - 11:29 AM

Hi,

Thank you for your quick response. Much appreciated.

I followed your instructions, and the log generated is below:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-17 12:26:54
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FC4O
Running: 1k7tjjke.exe; Driver: C:\Users\MFORTI~1.TRI\AppData\Local\Temp\kgddqkob.sys


---- System - GMER 1.0.15 ----

SSDT 86221838 ZwAlertResumeThread
SSDT 87572C20 ZwAlertThread
SSDT 875A66B0 ZwAllocateVirtualMemory
SSDT 874E6300 ZwConnectPort
SSDT 87575410 ZwCreateMutant
SSDT 875A6740 ZwCreateThread
SSDT 8757D238 ZwFreeVirtualMemory
SSDT 87569478 ZwImpersonateAnonymousToken
SSDT 87580398 ZwImpersonateThread
SSDT 8757D158 ZwMapViewOfSection
SSDT 87575330 ZwOpenEvent
SSDT 87549F28 ZwOpenProcessToken
SSDT 87575DE0 ZwOpenThreadToken
SSDT 875068A0 ZwResumeThread
SSDT 875728D0 ZwSetContextThread
SSDT 87575EB0 ZwSetInformationProcess
SSDT 87575008 ZwSetInformationThread
SSDT 87575250 ZwSuspendProcess
SSDT 875690B0 ZwSuspendThread
SSDT 87551658 ZwTerminateProcess
SSDT 87573818 ZwTerminateThread
SSDT 8753ACE8 ZwUnmapViewOfSection
SSDT 87597EB0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82E93339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ECCD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82ED3DD0 8 Bytes [38, 18, 22, 86, 20, 2C, 57, ...] {CMP [EAX], BL; AND AL, [ESI-0x78a8d3e0]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82ED3DE8 4 Bytes [B0, 66, 5A, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82ED3E88 4 Bytes [00, 63, 4E, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82ED3EC4 4 Bytes [10, 54, 57, 87] {ADC [EDI+EDX*2-0x79], DL}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82ED3EF8 4 Bytes [40, 67, 5A, 87]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!CallNextHookEx 755BABE1 5 Bytes JMP 6B743C96 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!UnhookWindowsHookEx 755BADF9 5 Bytes JMP 6B7FD963 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!SetWindowsHookExW 755BE30C 5 Bytes JMP 6B797DF9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!CreateWindowExW 755BEC7C 5 Bytes JMP 6B7D3834 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxParamW 755D3B9B 5 Bytes JMP 6B707F59 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxIndirectParamW 755E3B7F 5 Bytes JMP 6B90DCD8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxParamA 755FCF42 5 Bytes JMP 6B90DC75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxIndirectParamA 755FD274 5 Bytes JMP 6B90DD3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxIndirectA 7560E869 5 Bytes JMP 6B90DC0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxIndirectW 7560E963 5 Bytes JMP 6B90DB9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxExA 7560E9C9 5 Bytes JMP 6B90DB3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxExW 7560E9ED 5 Bytes JMP 6B90DADB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] ole32.dll!OleLoadFromStream 76FF6143 5 Bytes JMP 6B90E036 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] ole32.dll!CoCreateInstance 77039D0B 5 Bytes JMP 6B7D33C2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WININET.dll!HttpAddRequestHeadersA 75D7DCD2 5 Bytes JMP 01C16822
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WININET.dll!HttpAddRequestHeadersW 75D84FAE 5 Bytes JMP 01C16A2D
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WS2_32.dll!closesocket 76B43918 5 Bytes JMP 0062000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WS2_32.dll!getaddrinfo 76B44296 5 Bytes JMP 0065000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WS2_32.dll!recv 76B46B0E 5 Bytes JMP 0060000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WS2_32.dll!connect 76B46BDD 5 Bytes JMP 0061000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WS2_32.dll!send 76B46F01 5 Bytes JMP 0063000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] WS2_32.dll!gethostbyname 76B57673 5 Bytes JMP 0064000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!CreateWindowExW 755BEC7C 5 Bytes JMP 6B7D3834 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!DialogBoxParamW 755D3B9B 5 Bytes JMP 6B707F59 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!DialogBoxIndirectParamW 755E3B7F 5 Bytes JMP 6B90DCD8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!DialogBoxParamA 755FCF42 5 Bytes JMP 6B90DC75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!DialogBoxIndirectParamA 755FD274 5 Bytes JMP 6B90DD3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!MessageBoxIndirectA 7560E869 5 Bytes JMP 6B90DC0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!MessageBoxIndirectW 7560E963 5 Bytes JMP 6B90DB9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!MessageBoxExA 7560E9C9 5 Bytes JMP 6B90DB3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] USER32.dll!MessageBoxExW 7560E9ED 5 Bytes JMP 6B90DADB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] WININET.dll!HttpAddRequestHeadersA 75D7DCD2 5 Bytes JMP 00516822
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] WININET.dll!HttpAddRequestHeadersW 75D84FAE 5 Bytes JMP 00516A2D
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] ws2_32.DLL!closesocket 76B43918 5 Bytes JMP 0064000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] ws2_32.DLL!getaddrinfo 76B44296 5 Bytes JMP 0067000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] ws2_32.DLL!recv 76B46B0E 5 Bytes JMP 002E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] ws2_32.DLL!connect 76B46BDD 5 Bytes JMP 002F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] ws2_32.DLL!send 76B46F01 5 Bytes JMP 0065000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5184] ws2_32.DLL!gethostbyname 76B57673 5 Bytes JMP 0066000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:228] 8706F0B3
Thread System [4:240] 870707FB

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{7F34E9E5-C91F-4BE6-8668-DA0035DF798B}\Connection@Name isatap.{7B6482DB-E521-4812-A0A1-E01DEB4CFAAF}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{2B967C95-E379-4BF1-8C23-64BE1EEB70C4}?\Device\{7185DD14-E033-44E9-B33A-8408B0B9F0CA}?\Device\{7F34E9E5-C91F-4BE6-8668-DA0035DF798B}?\Device\{06185E65-3615-46C8-A49F-A7F8954647D4}?\Device\{2DA7DC37-9B33-49EF-BB9F-77CBAA2AC54A}?\Device\{C910FE58-205E-4487-A81B-F2B4A4517536}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{2B967C95-E379-4BF1-8C23-64BE1EEB70C4}"?"{7185DD14-E033-44E9-B33A-8408B0B9F0CA}"?"{7F34E9E5-C91F-4BE6-8668-DA0035DF798B}"?"{06185E65-3615-46C8-A49F-A7F8954647D4}"?"{2DA7DC37-9B33-49EF-BB9F-77CBAA2AC54A}"?"{C910FE58-205E-4487-A81B-F2B4A4517536}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{2B967C95-E379-4BF1-8C23-64BE1EEB70C4}?\Device\TCPIP6TUNNEL_{7185DD14-E033-44E9-B33A-8408B0B9F0CA}?\Device\TCPIP6TUNNEL_{7F34E9E5-C91F-4BE6-8668-DA0035DF798B}?\Device\TCPIP6TUNNEL_{06185E65-3615-46C8-A49F-A7F8954647D4}?\Device\TCPIP6TUNNEL_{2DA7DC37-9B33-49EF-BB9F-77CBAA2AC54A}?\Device\TCPIP6TUNNEL_{C910FE58-205E-4487-A81B-F2B4A4517536}?
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a49714
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{7F34E9E5-C91F-4BE6-8668-DA0035DF798B}@InterfaceName isatap.{7B6482DB-E521-4812-A0A1-E01DEB4CFAAF}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{7F34E9E5-C91F-4BE6-8668-DA0035DF798B}@ReusableType 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a49714 (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\outdent[1].png 333 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\subscript[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\user_off[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\email[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\post_top[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\resize_small[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\advanced_search[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\icon13[1].gif 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\spacer[1].gif 43 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\stats_compression[1].png 692 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63KFFKX3\strike[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\tab_right[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\topic_button_left[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\unordered_list[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\ipb_print[1].css 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\btn_donate_SM[1].gif 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\help[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\index[1].php 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\index[2].php 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\report[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\digg[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKZT5OX8\email_open[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\resize_big[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\rte_arrow[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\superscript[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\th_bg[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\topic_button_right[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\page_topic_magnify[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\page_white_add[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\align_center[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\align_left[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\align_right[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FKYKIDJH\av-503010[1].jpg 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\arrow_rotate_clockwise[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\transmit_blue[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\download[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\stats_server[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\stats_time[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\steelfish1[1] 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\comment_add[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\undo[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\ordered_list[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\index[1].php 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\facebook[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\favicon[1].ico 3638 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9IUJK0M\feed[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\buzz[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\close_popup[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\default_thumb[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\emoticons[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\information[1].png 734 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\lightbox[1].js 9386 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\link[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\twitter[1].png 575 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\user_green[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\user_popup[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\opts_arrow[1].png 0 bytes
File C:\Users\mfortier.TRIAXPHARMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTF9X4OV\redo[1].png 0 bytes
File C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb 0 bytes

---- EOF - GMER 1.0.15 ----

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:35 PM

Posted 17 July 2011 - 01:04 PM

steelfish:

Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#5 steelfish

steelfish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:35 PM

Posted 17 July 2011 - 07:01 PM

RPMcMurphy,

Thanks again for your quick response. Followed your instructions and logs for TDSSKiller and Combofix posted below:

TDSSKiller:

2011/07/17 19:35:43.0578 3456 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/17 19:35:43.0952 3456 ================================================================================
2011/07/17 19:35:43.0952 3456 SystemInfo:
2011/07/17 19:35:43.0952 3456
2011/07/17 19:35:43.0952 3456 OS Version: 6.1.7601 ServicePack: 1.0
2011/07/17 19:35:43.0952 3456 Product type: Workstation
2011/07/17 19:35:43.0952 3456 ComputerName: MFORTIER-PC
2011/07/17 19:35:43.0952 3456 UserName: mfortier
2011/07/17 19:35:43.0952 3456 Windows directory: C:\Windows
2011/07/17 19:35:43.0952 3456 System windows directory: C:\Windows
2011/07/17 19:35:43.0952 3456 Processor architecture: Intel x86
2011/07/17 19:35:43.0952 3456 Number of processors: 2
2011/07/17 19:35:43.0952 3456 Page size: 0x1000
2011/07/17 19:35:43.0952 3456 Boot type: Normal boot
2011/07/17 19:35:43.0952 3456 ================================================================================
2011/07/17 19:35:44.0576 3456 Initialize success
2011/07/17 19:36:12.0204 1920 ================================================================================
2011/07/17 19:36:12.0204 1920 Scan started
2011/07/17 19:36:12.0204 1920 Mode: Manual;
2011/07/17 19:36:12.0204 1920 ================================================================================
2011/07/17 19:36:13.0592 1920 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
2011/07/17 19:36:13.0639 1920 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
2011/07/17 19:36:13.0670 1920 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
2011/07/17 19:36:13.0701 1920 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/07/17 19:36:13.0733 1920 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2011/07/17 19:36:13.0748 1920 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2011/07/17 19:36:13.0811 1920 AFD (1151fd4fb0216cfed887bfde29ebd516) C:\Windows\system32\drivers\afd.sys
2011/07/17 19:36:13.0811 1920 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
2011/07/17 19:36:13.0873 1920 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2011/07/17 19:36:13.0998 1920 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
2011/07/17 19:36:14.0029 1920 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
2011/07/17 19:36:14.0076 1920 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
2011/07/17 19:36:14.0091 1920 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2011/07/17 19:36:14.0107 1920 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2011/07/17 19:36:14.0138 1920 amdsata (e7f4d42d8076ec60e21715cd11743a0d) C:\Windows\system32\drivers\amdsata.sys
2011/07/17 19:36:14.0154 1920 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/07/17 19:36:14.0169 1920 amdxata (146459d2b08bfdcbfa856d9947043c81) C:\Windows\system32\drivers\amdxata.sys
2011/07/17 19:36:14.0201 1920 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
2011/07/17 19:36:14.0263 1920 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2011/07/17 19:36:14.0294 1920 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2011/07/17 19:36:14.0435 1920 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/07/17 19:36:14.0466 1920 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
2011/07/17 19:36:14.0544 1920 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2011/07/17 19:36:14.0606 1920 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/07/17 19:36:14.0762 1920 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/07/17 19:36:14.0840 1920 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/07/17 19:36:14.0872 1920 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
2011/07/17 19:36:14.0918 1920 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/07/17 19:36:14.0934 1920 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/07/17 19:36:14.0950 1920 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/07/17 19:36:14.0965 1920 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/07/17 19:36:14.0981 1920 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/07/17 19:36:14.0996 1920 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/07/17 19:36:15.0090 1920 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\drivers\BthEnum.sys
2011/07/17 19:36:15.0121 1920 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/07/17 19:36:15.0137 1920 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
2011/07/17 19:36:15.0168 1920 BTHPORT (195c41cc67e9e1cedd960ccb74925920) C:\Windows\System32\Drivers\BTHport.sys
2011/07/17 19:36:15.0215 1920 BTHUSB (43b3206dd654e783aa7e4ead340a43b8) C:\Windows\System32\Drivers\BTHUSB.sys
2011/07/17 19:36:15.0230 1920 btusbflt (92c5b845803f3662637eb691ac0b250f) C:\Windows\system32\drivers\btusbflt.sys
2011/07/17 19:36:15.0277 1920 btwaudio (d57d29132efe13a83133d9bd449e0cf1) C:\Windows\system32\drivers\btwaudio.sys
2011/07/17 19:36:15.0293 1920 btwavdt (d282c14a69357d0e1bafaecc2ca98c3a) C:\Windows\system32\DRIVERS\btwavdt.sys
2011/07/17 19:36:15.0308 1920 btwl2cap (aafd7cb76ba61fbb08e302da208c974a) C:\Windows\system32\DRIVERS\btwl2cap.sys
2011/07/17 19:36:15.0324 1920 btwrchid (02eb4d2b05967df2d32f29c84ab1fb17) C:\Windows\system32\DRIVERS\btwrchid.sys
2011/07/17 19:36:15.0402 1920 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/07/17 19:36:15.0464 1920 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
2011/07/17 19:36:15.0589 1920 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2011/07/17 19:36:15.0652 1920 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/07/17 19:36:15.0698 1920 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/07/17 19:36:15.0714 1920 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
2011/07/17 19:36:15.0776 1920 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/07/17 19:36:15.0823 1920 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/07/17 19:36:15.0854 1920 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
2011/07/17 19:36:15.0964 1920 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/07/17 19:36:16.0010 1920 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
2011/07/17 19:36:16.0088 1920 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
2011/07/17 19:36:16.0151 1920 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/07/17 19:36:16.0229 1920 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/07/17 19:36:16.0338 1920 DKbFltr (c701324c9e0c25dd9d60311bd87fbc84) C:\Windows\system32\DRIVERS\DKbFltr.sys
2011/07/17 19:36:16.0416 1920 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/07/17 19:36:16.0463 1920 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/07/17 19:36:16.0541 1920 e1yexpress (44a91d98d6719b49bcd649a863225b5c) C:\Windows\system32\DRIVERS\e1y6232.sys
2011/07/17 19:36:16.0697 1920 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/07/17 19:36:16.0868 1920 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/07/17 19:36:17.0040 1920 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/07/17 19:36:17.0196 1920 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/07/17 19:36:17.0321 1920 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
2011/07/17 19:36:17.0414 1920 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/07/17 19:36:17.0430 1920 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/07/17 19:36:17.0477 1920 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/07/17 19:36:17.0508 1920 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/07/17 19:36:17.0539 1920 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/07/17 19:36:17.0648 1920 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/07/17 19:36:17.0711 1920 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/07/17 19:36:17.0742 1920 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/07/17 19:36:17.0773 1920 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/07/17 19:36:17.0820 1920 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
2011/07/17 19:36:17.0867 1920 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/07/17 19:36:18.0023 1920 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/07/17 19:36:18.0070 1920 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
2011/07/17 19:36:18.0101 1920 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
2011/07/17 19:36:18.0132 1920 HECI (30d57ee84e1e169d41a6e873b549a096) C:\Windows\system32\DRIVERS\HECI.sys
2011/07/17 19:36:18.0148 1920 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/07/17 19:36:18.0179 1920 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/07/17 19:36:18.0179 1920 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/07/17 19:36:18.0226 1920 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\drivers\hidusb.sys
2011/07/17 19:36:18.0257 1920 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
2011/07/17 19:36:18.0304 1920 HSF_DPV (227c3ba25012752bb7450235392c719f) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/07/17 19:36:18.0428 1920 HSXHWAZL (4df5c76302dc2f8f3465966c8426a292) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2011/07/17 19:36:18.0475 1920 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
2011/07/17 19:36:18.0506 1920 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
2011/07/17 19:36:18.0538 1920 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
2011/07/17 19:36:18.0600 1920 iaStor (01446278d4563b3013c92830ae6cbb26) C:\Windows\system32\DRIVERS\iaStor.sys
2011/07/17 19:36:18.0709 1920 iaStorV (a3cae5d281db4cff7cff8233507ee5ad) C:\Windows\system32\drivers\iaStorV.sys
2011/07/17 19:36:18.0881 1920 igfx (36cc40b02ae593d6152ac8bd657720af) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/07/17 19:36:19.0037 1920 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/07/17 19:36:19.0115 1920 int15 (58ff11c95c3681c9250914521cb9f036) C:\Windows\system32\drivers\int15.sys
2011/07/17 19:36:19.0208 1920 IntcAzAudAddService (d3d2f68cf450bfcf780b0ba94e41e68b) C:\Windows\system32\drivers\RTKVHDA.sys
2011/07/17 19:36:19.0333 1920 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
2011/07/17 19:36:19.0380 1920 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/07/17 19:36:19.0442 1920 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/07/17 19:36:19.0474 1920 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
2011/07/17 19:36:19.0505 1920 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/07/17 19:36:19.0552 1920 irda (9f7e491fb0ba0f9e370163834fc1fe31) C:\Windows\system32\DRIVERS\irda.sys
2011/07/17 19:36:19.0661 1920 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/07/17 19:36:19.0739 1920 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
2011/07/17 19:36:19.0770 1920 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
2011/07/17 19:36:19.0801 1920 ITEIRDA (2f467f26e843ef5e14757d4efd1e3204) C:\Windows\system32\DRIVERS\ITEirda.sys
2011/07/17 19:36:19.0832 1920 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
2011/07/17 19:36:19.0848 1920 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
2011/07/17 19:36:19.0895 1920 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
2011/07/17 19:36:19.0926 1920 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
2011/07/17 19:36:20.0082 1920 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/07/17 19:36:20.0191 1920 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/07/17 19:36:20.0222 1920 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/07/17 19:36:20.0238 1920 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/07/17 19:36:20.0254 1920 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/07/17 19:36:20.0300 1920 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/07/17 19:36:20.0347 1920 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/07/17 19:36:20.0363 1920 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/07/17 19:36:20.0378 1920 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/07/17 19:36:20.0425 1920 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/07/17 19:36:20.0519 1920 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/07/17 19:36:20.0566 1920 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
2011/07/17 19:36:20.0597 1920 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/07/17 19:36:20.0628 1920 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
2011/07/17 19:36:20.0690 1920 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
2011/07/17 19:36:20.0722 1920 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/07/17 19:36:20.0753 1920 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
2011/07/17 19:36:20.0800 1920 mrxsmb (b272b4c3e085ea860c12f2e4faf2ffa2) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/07/17 19:36:20.0846 1920 mrxsmb10 (9ac33ef26c8a3ad0f117d00eb7301d03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/07/17 19:36:20.0956 1920 mrxsmb20 (e0abdb5ed7e199e242a7d028e76c1d3a) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/07/17 19:36:21.0034 1920 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
2011/07/17 19:36:21.0065 1920 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
2011/07/17 19:36:21.0127 1920 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/07/17 19:36:21.0143 1920 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/07/17 19:36:21.0158 1920 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
2011/07/17 19:36:21.0205 1920 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/07/17 19:36:21.0314 1920 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/07/17 19:36:21.0361 1920 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/07/17 19:36:21.0392 1920 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/07/17 19:36:21.0424 1920 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
2011/07/17 19:36:21.0455 1920 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/07/17 19:36:30.0238 1920 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/07/17 19:36:30.0238 1920 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/07/17 19:36:30.0253 1920 Boot (0x1200) (1c3a440c1e0d8056525e3fb29ddb5261) \Device\Harddisk0\DR0\Partition0
2011/07/17 19:36:30.0269 1920 Boot (0x1200) (34b6d1e121bb978b2c250c834aa4c014) \Device\Harddisk0\DR0\Partition1
2011/07/17 19:36:30.0300 1920 Boot (0x1200) (59acca44c74696553802726d6dad6f5e) \Device\Harddisk0\DR0\Partition2
2011/07/17 19:36:30.0300 1920 ================================================================================
2011/07/17 19:36:30.0300 1920 Scan finished
2011/07/17 19:36:30.0300 1920 ================================================================================
2011/07/17 19:36:30.0316 1104 Detected object count: 1
2011/07/17 19:36:30.0316 1104 Actual detected object count: 1
2011/07/17 19:37:31.0811 1104 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/07/17 19:37:31.0811 1104 \Device\Harddisk0\DR0 - ok
2011/07/17 19:37:31.0842 1104 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/17 19:37:54.0930 5464 Deinitialize success


Combofix:

ComboFix 11-07-17.03 - mfortier 07/17/2011 19:47:48.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2973.1973 [GMT -4:00]
Running from: c:\users\mfortier.TRIAXPHARMA\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\mfortier.RPRX\g2ax_customer_downloadhelper_win32_x86.exe
c:\users\mfortier.RPRX\GoToAssistDownloadHelper.exe
c:\users\mfortier.TRIAXPHARMA\g2ax_customer_downloadhelper_win32_x86.exe
c:\users\mfortier.TRIAXPHARMA\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-17 to 2011-07-17 )))))))))))))))))))))))))))))))
.
.
2011-07-17 23:53 . 2011-07-17 23:53 -------- d-----w- c:\users\njcn\AppData\Local\temp
2011-07-17 23:53 . 2011-07-17 23:53 -------- d-----w- c:\users\mfortier.RPRX\AppData\Local\temp
2011-07-17 23:53 . 2011-07-17 23:53 -------- d-----w- c:\users\MFORTI~1~RPR\AppData\Local\temp
2011-07-17 23:53 . 2011-07-17 23:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-15 18:01 . 2011-07-15 18:01 -------- d-----w- c:\users\mfortier.TRIAXPHARMA\AppData\Local\WinZip
2011-07-15 16:53 . 2011-07-15 16:53 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2011-07-15 15:56 . 2011-07-15 15:56 388096 ----a-r- c:\users\mfortier.TRIAXPHARMA\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-15 15:55 . 2011-07-15 15:55 -------- d-----w- c:\program files\Trend Micro
2011-07-15 13:42 . 2011-07-15 13:42 -------- d-----w- c:\users\mfortier.TRIAXPHARMA\AppData\Local\Broadcom
2011-07-15 02:08 . 2011-07-15 16:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-15 02:08 . 2011-07-15 16:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-07-14 20:50 . 2011-07-14 20:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Sunbelt Software
2011-07-14 20:48 . 2011-07-15 01:55 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-14 20:47 . 2011-07-14 20:47 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-14 20:37 . 2011-07-14 20:37 -------- d-----w- c:\users\mfortier.TRIAXPHARMA\AppData\Local\Sunbelt Software
2011-07-14 20:36 . 2011-07-15 01:55 -------- d-----w- c:\programdata\Lavasoft
2011-07-14 17:33 . 2011-07-14 17:33 -------- d-----w- C:\$AVG
2011-07-14 16:55 . 2011-07-14 16:55 -------- d-----w- c:\users\mfortier.TRIAXPHARMA\AppData\Roaming\AVG10
2011-07-14 16:53 . 2011-07-14 16:53 -------- d--h--w- c:\programdata\Common Files
2011-07-14 16:51 . 2011-07-14 17:59 -------- d-----w- c:\programdata\AVG10
2011-07-14 16:51 . 2011-07-14 16:51 -------- d-----w- c:\program files\AVG
2011-07-13 14:18 . 2011-07-13 14:19 -------- d-----w- c:\users\mfortier.TRIAXPHARMA\NTI-Shadow
2011-07-12 14:07 . 2011-07-12 14:07 -------- d-----w- c:\users\mfortier.TRIAXPHARMA\AppData\Roaming\Malwarebytes
2011-07-12 14:07 . 2011-07-12 14:07 -------- d-----w- c:\programdata\Malwarebytes
2011-07-08 14:07 . 2011-07-09 17:37 -------- d--h--w- c:\users\mfortier.TRIAXPHARMA\AppData\Local\ElevatedDiagnostics
2011-06-24 22:12 . 2011-07-17 23:40 -------- d--h--w- c:\users\mfortier.TRIAXPHARMA\Tracing
2011-06-21 13:13 . 2011-06-21 13:14 -------- d--h--w- c:\users\TEMP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-17 23:40 . 2009-12-31 10:38 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-07-17 23:40 . 2010-03-23 23:21 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-07-15 16:52 . 2009-12-31 10:39 17920 ----a-w- c:\windows\system32\rpcnetp.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-07 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-08-24 1190920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-17 7707168]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-08-04 358424]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"IFXSPMGT"="c:\program files\Infineon\Security Platform Software\ifxspmgt.exe" [2009-08-04 1107232]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2009-07-21 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-08 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-08 151064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-17 1565992]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
"VitaKeyPdtWzd"="c:\program files\Acer Bio Protection\PdtWzd.exe" [2009-10-14 3577344]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NcpBudgetGui"="c:\program files\WatchGuard\Mobile VPN\NcpBudgetGui.exe" [2010-01-29 1032192]
"NcpPopup"="c:\program files\WatchGuard\Mobile VPN\ncppopup.exe" [2010-01-13 579072]
"NcpMonitor"="c:\program files\WatchGuard\Mobile VPN\ncpmon.exe" [2010-02-24 6637056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-31 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-17 795936]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2009-06-26 18:05 568072 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ c:\program files\Acer Bio Protection\PwdFilter
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 135664]
R2 NcpSec;NcpSec;c:\program files\WatchGuard\Mobile VPN\ncpsec.exe [2010-02-05 97280]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 135664]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 ncpfilt;WatchGuard Filter;c:\windows\system32\DRIVERS\ncplelhp.sys [2010-02-23 77128]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2009-07-19 39712]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2009-08-12 24576]
S2 Greg_Service;GRegService;c:\program files\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 IGBASVC;EgisTec Service;c:\program files\Acer Bio Protection\BASVC.exe [2009-10-14 3453440]
S2 ncpclcfg;ncpclcfg;c:\program files\WatchGuard\Mobile VPN\ncpclcfg.exe [2008-06-30 86016]
S2 ncprwsnt;ncprwsnt;c:\program files\WatchGuard\Mobile VPN\ncprwsnt.exe [2010-02-25 1092104]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-08-04 2058776]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-12 221912]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-06-15 105592]
S3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\DRIVERS\ITEirda.sys [2008-08-22 25088]
S3 ncplelhp;WatchGuard Secure Client NDIS6 Driver;c:\windows\system32\DRIVERS\ncplelhp.sys [2010-02-23 77128]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2009-07-14 52768]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2009-07-10 42400]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-17 c:\windows\Tasks\Acer Registration Data Sending.job
- c:\program files\Acer\Registration\GREG.exe [2009-08-28 09:40]
.
2011-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 14:24]
.
2011-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 14:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=travelmate_6493&r=270503103825l0314z2m5x4962h452
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 68.87.74.166 68.87.68.166 192.168.33.1
TCP: Interfaces\{11F88067-7FD6-499D-BAF0-C0AE48B457CC}: NameServer = 10.10.10.2
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
SafeBoot-Symantec Antvirus
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(608)
c:\program files\Acer Bio Protection\PwdFilter.DLL
.
Completion time: 2011-07-17 19:54:42
ComboFix-quarantined-files.txt 2011-07-17 23:54
.
Pre-Run: 101,274,546,176 bytes free
Post-Run: 101,839,568,896 bytes free
.
- - End Of File - - F00E13517A13CBD345C9E44F55857F4B
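A small triage helper for the TDSSKiller log posted above (an added example, not TDSSKiller's own code): it correlates each object listing, its verdict and the user's chosen action by object path, and reports which cures are still waiting on a reboot. `SAMPLE_LOG` is the tail of that log, copied verbatim; the regexes assume the three message shapes it shows.

```python
"""Triage helper for TDSSKiller-style scan logs (added example, not TDSSKiller code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Every log line is "<timestamp> <thread id> <message>"; the message shapes below
# are the ones that appear in the log pasted above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
# "<name> (<md5>) <path>"; boot objects carry a size like "MBR (0x1B8)" in the name.
OBJECT_RE = re.compile(
    r"^(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<verdict>\S+) \((?P<flags>\d+)\)$")
CURE_RE = re.compile(r"^(?P<obj>\S+) \((?P<verdict>[^)]+)\) - will be cured after reboot$")
ACTION_RE = re.compile(
    r"^(?P<verdict>\S+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Detection:
    obj: str                      # device or file the verdict applies to
    verdict: str                  # e.g. Rootkit.Boot.SST.a
    md5: Optional[str] = None     # hash TDSSKiller recorded for that object, if listed
    action: Optional[str] = None  # what the user chose (Cure, Skip, ...)
    pending_reboot: bool = False  # cure is scheduled but not yet applied


def triage(log_text: str) -> Dict[str, Detection]:
    """Correlate object listings, verdicts and chosen actions by object path."""
    objects: Dict[str, str] = {}          # path -> md5
    detections: Dict[str, Detection] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (o := OBJECT_RE.match(msg)):
            objects[o.group("path")] = o.group("md5")
        elif (d := DETECT_RE.match(msg)):
            obj = d.group("obj")
            det = detections.setdefault(obj, Detection(obj, d.group("verdict")))
            det.md5 = objects.get(obj)    # the object line precedes its verdict line
        elif (c := CURE_RE.match(msg)):
            det = detections.get(c.group("obj"))
            if det is not None:
                det.pending_reboot = True
        elif (a := ACTION_RE.match(msg)):
            det = detections.get(a.group("obj"))
            if det is not None:
                det.action = a.group("action")
    return detections


def pending_reboot(detections: Dict[str, Detection]) -> List[str]:
    """Objects whose cure only takes effect after a reboot: cleanup is not done until then."""
    return [obj for obj, d in detections.items() if d.pending_reboot]


# Sample input: the tail of the TDSSKiller log posted above, copied verbatim.
SAMPLE_LOG = r"""
2011/07/17 19:36:30.0175 1920 XAudio (894f963be999ba9db5aac3aed55b115d) C:\Windows\system32\DRIVERS\XAudio32.sys
2011/07/17 19:36:30.0238 1920 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/07/17 19:36:30.0238 1920 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/07/17 19:36:30.0253 1920 Boot (0x1200) (1c3a440c1e0d8056525e3fb29ddb5261) \Device\Harddisk0\DR0\Partition0
2011/07/17 19:36:30.0300 1920 Scan finished
2011/07/17 19:36:30.0316 1104 Detected object count: 1
2011/07/17 19:37:31.0811 1104 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/07/17 19:37:31.0811 1104 \Device\Harddisk0\DR0 - ok
2011/07/17 19:37:31.0842 1104 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for obj, det in found.items():
        print(f"{obj}: {det.verdict} md5={det.md5} action={det.action} "
              f"reboot_pending={det.pending_reboot}")
    print("still pending reboot:", pending_reboot(found))
```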

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:08:35 PM

Posted 17 July 2011 - 08:40 PM

steelfish:

Please do this next:

Click Start > Run or press the Windows Key + R. Copy and paste the following text into the Run box that opens and press OK:
C:\Qoobox\Add-Remove Programs.txt

Post the contents of the text file that opens in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • Add/Remove Programs list
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#7 steelfish

steelfish
  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:35 PM

Posted 17 July 2011 - 10:32 PM

I was not able to complete the Malwarebytes' scan. I attempted to run it several times, but it continued to get stuck about 30-45 seconds in, during a scan of C:\System Volume Information.

The Qoobox log is below:

2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office system
Acer Assist
Acer Bio Protection
Acer Crystal Eye Webcam
Acer Empowering Technology
Acer ePower Management
Acer eRecovery Management
Acer GridVista
Acer Registration
Acer ScreenSaver
Acer Updater
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1 MUI
Business Contact Manager for Outlook 2007 SP2
Citrix XenApp Web Plugin
eBay Worldwide
eSobi v2
Fingerprint Solution
FRx 6.7 (C:\Program Files\FRx Software\FRx 6.7)
FRx 6.7 Connection Manager for Microsoft Dynamics
FRx 6.7 Service Pack Setup
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Identity Card
Infineon TPM Professional Package
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® TV Wizard
Intel® Active Management Technology
Intel® Matrix Storage Manager
ITEFIR
Java Auto Updater
Java™ 6 Update 20
Junk Mail filter update
KONICA MINOLTA bizhub C353 Series
Launch Manager
LiveUpdate 3.3 (Symantec Corporation)
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Dynamics GP 9.0
Microsoft FRx 6.7 Programmability Support
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Small Business Connectivity Components
Microsoft Office Standard 2010
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Norton Online Backup
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
NTI Shadow
O2Micro Flash Memory Card Reader Driver
OZ711 SCR Driver V3.0.1.6B
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SPBA 5.8
Symantec Endpoint Protection
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2508979)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WatchGuard Mobile VPN
Welcome Center
WIDCOMM Bluetooth Software
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Small Business Server 2008 ClientAgent
WinSCP 4.3.3
WinZip 15.5

#8 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 18 July 2011 - 04:20 PM

steelfish:

Please do this next:

Clear & Reset System Restore's Cache

  • Press the Windows key + R
  • Type or copy/paste control sysdm.cpl,,4 & press Enter
  • Click on Continue
  • Under Automatic Restore points
  • Uncheck (untick) all the boxes under Create restore points automatically on the selected disks section.
  • Click Turn System Restore Off.
  • Click Apply

Turn System Restore back on now.
  • Check (tick) all the boxes under Create restore points automatically on the selected disks section.
  • Click OK.
Now try running the MBAM scan again.

Please include the following in your next post:
  • MBAM log



#9 steelfish
  • Topic Starter
  • Members
  • 13 posts

Posted 18 July 2011 - 04:43 PM

RPMcMurphy,

When I press Windows Key + R
Then copy and paste control sysdm.cpl,,4 & press Enter

I'm seeing the attached image

Where do I go from here?

Thanks

#10 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 18 July 2011 - 05:17 PM

I don't see an image attached, but try this instead:

Next, we need to reset your System Restore Points:
  • Click Start, and then Right click on Computer and select Properties from the menu.
  • In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  • You will see a list of hard disk drives installed on your system, with checkboxes to the left. Turn off System Protection by clearing (un-checking) the check box next to the disk.
  • Once you uncheck the checkbox, a System Protection dialog box will appear. Click on Turn System Restore Off button. Then click Apply and OK.
  • Click Start, and then Right click on Computer and select Properties from the menu.
  • In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  • You will see a list of hard disk drives installed on your system, with checkboxes to the left. Turn on System Protection by checking the box next to the disk. Then click Apply.
  • Next, create a new restore point by clicking the Create button.
  • Press OK.



#11 steelfish
  • Topic Starter
  • Members
  • 13 posts

Posted 18 July 2011 - 07:43 PM

There were no checkboxes, but I selected the C drive and then "Configure". There was a "Turn System Protection Off" radio dial so I selected that. Then I turned it back on.

Then I created a new restore point.

Still having problems running Malwarebytes - it continues to get stuck on the c:\System Volume area.

#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 19 July 2011 - 10:04 PM

steelfish:

OK, let's skip that for now and do this:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • ESET log



#13 steelfish
  • Topic Starter
  • Members
  • 13 posts

Posted 20 July 2011 - 10:27 AM

RPMcMurphy,

Ran the scan and it found no threats. There is no log in text format, only a window with scan results that says "No threats found". I did a print screen and pasted on a word document, but for some reason I cannot paste the results window into this reply. I've saved as a PDF file and attached to the reply instead. Thanks again for your help.

Attached Files

  • Doc1.pdf (137.25KB)


#14 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 20 July 2011 - 08:08 PM

steelfish:

Your logs look good, but I'm a bit puzzled by the MBAM issue. Please do this:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Uninstall Malwarebytes via Control Panel > Add/Remove Programs
  • Reboot
  • Download the Malwarebytes Removal Tool
  • Double click on the utility to run it
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here
Once you're done, try running another scan for me and post the log.



#15 steelfish
  • Topic Starter
  • Members
  • 13 posts

Posted 21 July 2011 - 10:17 AM

RPMcMurphy,

I followed your instructions, and re-installed Malwarebytes. Unfortunately, the scan continues to get stuck on the "C:\System Volume Information" area - usually about 30 seconds - 1 minute into the scan. As I mentioned earlier, right after my computer became infected I lost the volume on my laptop. I'm wondering if this is related in some way?

Anyway, I've attached a file with a print screen of the scan at the point it gets stuck. Thanks again for your help.

Attached Files

  • Doc2.pdf (122.97KB)




