Norton Internet Security 2011: svchost.exe and iexplorer.exe


14 replies to this topic

#1 2011Joe90

2011Joe90

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 15 August 2011 - 03:41 PM

I am running an Acer 5920 with Microsoft Vista Home Premium 32-bit.

I have Norton Internet Security 2011; when I ran a scan yesterday there were no results. I am being plagued by these Norton alerts. I could hit "Stop Notifying Me", but I want to get to the root of the problem and get rid of this.

I have also run Spybot Search & Destroy and it returned no results.

I don't know if this is unrelated, but some of my program windows and occasionally my taskbar keep changing between the Vista style and the old Windows style, e.g. colour and button shape.

My computer is also running slow.

Norton Internet Security:

Severity: High Activity: An intrusion attempt by nnyfjpu35j2tnefd.com was blocked. Date & time: 15 August 2011 20:16 Status: Blocked Recommended Action: No Action Required

Risk Name: System Infected: Tidserv Activity
Attacking Computer nnyfjpu35j2tnefd (194.11.16.135, 80)
Attacker URL: altb-fieebhfvsxv.com/uVS2vdJx507MYxS3dmVyPTQuMiZiaWQ9bm9uYWIJmFpZD0zMDAwOCZzaWQ9MCZyZD0xMzEzMzUwODcyJMVuZz13d3cuz29vZ2xILmNvLnVrJnE9dmlzdGEgY2hhbmdIZCB0byBjbGFzc2ljIHZpZXcgaW50ZXJuZXQgZxhwbG(ZXI=36K
Destination Address:
Source Address: 194.11.16.135
Traffic Description: TCP, www-http
Network traffic from nnyfjpu35j2tnefd.com matches the signature of a known attack. The attack resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.
Network traffic from altb-fieebhfvsxv.com/uVS2vdJx507MYxS3dmVyPTQuMiZiaWQ9bm9uYWIJmFpZD0zMDAwOCZzaWQ9MCZyZD0xMzEzMzUwODcyJMVuZz13d3cuz29vZ2xILmNvLnVrJnE9dmlzdGEgY2hhbmdIZCB0byBjbGFzc2ljIHZpZXcgaW50ZXJuZXQgZxhwbG(ZXI=36K matches the signature of a known attack. The attack resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE.


And the same as above except Attacking computer: 8bpao6zzpfs2xaoell.com (195.3.145.105,80)
Attacker URL altb-fieebh........

a-fjhhgbyh252nhgyj.com
Attacker URL; kulfxxrpdq65tht8a.com........



I am also being attacked by Tidserv Activity 2. This time: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE.


I'm not very knowledgeable about the background processes of computers, so could you please give me step by step instructions on how to get rid of this and if possible a brief explanation on each step.

#2 Orange Blossom

Posted 15 August 2011 - 09:28 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 2011Joe90

Posted 16 August 2011 - 04:51 PM

Ran DDS; I had to use scrfix_vista as I had AutoCAD installed.

Log:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_23
Run by Joseph at 21:42:09 on 2011-08-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.461 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrvProxy.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrvProxy.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\p2phost.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Users\Joseph\AppData\Local\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Acer\Acer VCM\VC.exe
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://uk.yahoo.com/
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
uSearch Bar =
mStart Page = hxxp://yeppo.net
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: TBSB05541 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\veehd plugin\tbcore3.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Veehd Plugin: {32ea9cd0-5187-4fe3-b989-b4d1408d2802} - c:\program files\veehd plugin\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [CollaborationHost] c:\windows\system32\p2phost.exe -s
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [Acer Tour]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Skytel] Skytel.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\joseph\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\joseph\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{34D86CA1-5EEA-41B4-8783-C12141923980} : DhcpNameServer = 143.117.223.19
TCP: Interfaces\{B31124B1-062C-4F4E-973B-4CB376AE0475} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\joseph\appdata\roaming\mozilla\firefox\profiles\og3sbkze.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn_2010_9_0_6\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\IPSFFPlgn
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coFFPlgn_2010_9_0_6
FF - Ext: XULRunner: {63617DF2-71CF-4C00-8F7F-72232203950E} - c:\users\joseph\appdata\local\{63617DF2-71CF-4C00-8F7F-72232203950E}
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-21 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-21 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20110812.001\BHDrvx86.sys [2011-8-16 815736]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-21 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20110815.030\IDSvix86.sys [2011-8-16 367736]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-21 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys [2010-9-21 339504]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-12-14 13560]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-9-17 21504]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-8-14 50688]
R2 DiskDoctorService;Norton Disk Doctor Service;c:\program files\norton utilities 15\tools\disk doctor\DiskDoctorSrv.exe [2011-5-2 1029480]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-17 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-21 126392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-22 1153368]
R2 SpeedDiskService;Norton SpeedDisk Service;c:\program files\norton utilities 15\tools\speeddisk\SpeedDiskSrv.exe [2011-5-2 1037672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-8-13 43008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-7 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-13 179712]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-24 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-7 133104]
S3 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-4-21 52080]
S3 SymDSMon;SymDSMon;c:\windows\system32\drivers\SymDSMon.sys [2011-5-2 128248]
S3 SYMSpeedDisk;SYMSpeedDisk;c:\windows\system32\drivers\SymSpeedDisk.sys [2011-5-2 108800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-9-19 80744]
.
=============== Created Last 30 ================
.
2011-08-16 19:09:27 -------- d-----w- c:\users\joseph\appdata\local\{89127BBA-B97E-4FFF-8A38-51A8EF17259B}
2011-08-16 19:08:20 -------- d-----w- c:\users\joseph\appdata\local\{643C1C38-F2A9-4483-98FA-CB353911658D}
2011-08-15 15:30:07 -------- d-----w- c:\users\joseph\appdata\local\{46B1A73C-3AE3-4E19-9562-09D927D062EC}
2011-08-15 13:14:34 -------- d-----w- c:\users\joseph\appdata\local\{924DC5CC-AB38-4C5B-BAE7-FE85598150CE}
2011-08-14 14:39:14 -------- d-----w- c:\users\joseph\appdata\local\{208E726A-F15B-4590-8179-9CD444703866}
2011-08-13 16:44:06 -------- d-----w- c:\users\joseph\appdata\local\{ECA987DB-2FC3-48EB-A9FB-A5010FED3770}
2011-08-13 16:43:40 -------- d-----w- c:\users\joseph\appdata\local\{0516A035-C2D1-47E7-B321-CA2DBF59495A}
2011-08-12 17:32:58 -------- d-----w- c:\users\joseph\appdata\local\{98EB34AC-C4E0-4EAD-80C7-67411B3EC404}
2011-08-12 17:32:44 -------- d-----w- c:\users\joseph\appdata\local\{067A3CFA-3ACF-42AF-9639-61A9C5A5FFDF}
2011-08-11 18:38:39 -------- d-----w- c:\users\joseph\appdata\local\{3735A584-C99F-4047-8A74-2E176DE39449}
2011-08-11 18:38:27 -------- d-----w- c:\users\joseph\appdata\local\{1435DCB4-DD9D-49B6-A233-CF269E2A5F68}
2011-08-10 18:58:10 -------- d-----w- c:\users\joseph\appdata\local\{C737922C-8EF9-428D-BC21-08BDA68B9410}
2011-08-10 18:56:31 -------- d-----w- c:\users\joseph\appdata\local\{DDC32ECE-F878-4F45-835E-D243E627BDD5}
2011-08-09 19:00:58 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-09 18:35:27 -------- d-----w- c:\users\joseph\appdata\local\{2D101902-2A9C-4472-875A-81AD3BF48495}
2011-08-09 18:35:20 -------- d-----w- c:\users\joseph\appdata\local\{DE3F9AF9-6344-4536-A735-981D8BB7AD35}
2011-08-08 15:55:09 -------- d-----w- c:\users\joseph\appdata\local\{1BBB9205-B693-4EA8-AAAA-0B80E1A32F84}
2011-08-08 15:54:57 -------- d-----w- c:\users\joseph\appdata\local\{CE5A3C64-0FBC-47A9-AF1B-F488A8878CC4}
2011-08-08 11:29:27 -------- d-----w- c:\users\joseph\appdata\local\{F832B046-7B54-47AF-8BEF-39F8F02B0833}
2011-08-08 11:29:12 -------- d-----w- c:\users\joseph\appdata\local\{5CFF24C2-2825-41DD-AC06-26BC324433B6}
2011-08-07 12:34:59 -------- d-----w- c:\users\joseph\appdata\local\{0B86FBBE-3AE4-4623-8434-603CB65AFD10}
2011-08-07 12:34:44 -------- d-----w- c:\users\joseph\appdata\local\{202EFE0C-058C-4349-9AC3-568E7C4E8AF6}
2011-08-06 14:23:28 -------- d-----w- c:\users\joseph\appdata\local\{2BB946E3-D540-4448-B0DC-DA7BA30205DD}
2011-08-06 14:23:15 -------- d-----w- c:\users\joseph\appdata\local\{F27B6DF4-F8A8-4845-B4C7-26882FCE786B}
2011-08-05 19:17:57 -------- d-----w- c:\users\joseph\appdata\local\{2ED74854-63D6-4B73-B21F-AD163383C959}
2011-08-05 19:17:39 -------- d-----w- c:\users\joseph\appdata\local\{4A25BF88-4EDA-4EE9-9FC4-479EFDB9E301}
2011-08-04 18:04:59 -------- d-----w- c:\users\joseph\appdata\local\{8B66F928-B784-41F4-BBEF-69735E603869}
2011-08-04 18:04:35 -------- d-----w- c:\users\joseph\appdata\local\{A6FC885F-CF7C-4EC3-A32F-13BB6765360C}
2011-08-03 20:04:34 -------- d-----w- c:\users\joseph\appdata\local\{115E051F-B003-4E60-9B06-42521E95413D}
2011-08-03 20:04:08 -------- d-----w- c:\users\joseph\appdata\local\{02F6C01D-4F63-4EB4-9336-C422603A1679}
2011-08-02 18:27:31 -------- d-----w- c:\users\joseph\appdata\local\{255A03FD-49DC-4613-8FB9-DEBCD9A3D1C6}
2011-08-01 12:31:08 -------- d-----w- c:\users\joseph\appdata\local\{322688B1-F84D-4601-9B0E-1519551F9748}
2011-07-31 12:53:31 -------- d-----w- c:\users\joseph\appdata\local\{A1319169-653B-479E-9F16-5AF5546829DB}
2011-07-29 14:20:05 -------- d-----w- c:\users\joseph\appdata\local\{B1CE8FF3-5B13-4D2E-AE00-6511ED6BF9F8}
2011-07-28 18:43:08 -------- d-----w- c:\users\joseph\appdata\local\{22F20131-AC40-4739-B63C-4555A03E1CC0}
2011-07-27 19:27:43 -------- d-----w- c:\users\joseph\appdata\local\{16A641E1-70D5-4E5F-B8E0-847F77500787}
2011-07-26 19:14:51 -------- d-----w- c:\users\joseph\appdata\local\{C32ED19F-CD56-4640-8C88-6708E825F2B6}
2011-07-25 20:03:41 -------- d-----w- c:\users\joseph\appdata\local\{10706A2B-D8E8-4783-8246-6AA1861BE9AD}
2011-07-24 13:19:32 -------- d-----w- c:\users\joseph\appdata\local\{181A78E5-F574-4A99-A1C8-DD66FBC1BAC4}
2011-07-23 15:23:45 -------- d-----w- c:\users\joseph\appdata\local\{D00819B4-EAA4-495A-8857-C4CC4427920A}
2011-07-22 16:25:32 -------- d-----w- c:\users\joseph\appdata\local\{A647D67F-C249-4BBF-875E-537E625998D7}
2011-07-21 18:12:02 -------- d-----w- c:\users\joseph\appdata\local\{18EDDA41-DAC8-4B53-94B6-9FA1E29254E8}
2011-07-20 18:32:16 -------- d-----w- c:\users\joseph\appdata\local\{CE1980E7-B937-4864-A23E-D11E0F474486}
2011-07-19 18:08:39 -------- d-----w- c:\users\joseph\appdata\local\{0E42790F-B261-4D66-BDB5-D751D26632EC}
2011-07-18 18:05:27 -------- d-----w- c:\users\joseph\appdata\local\{DDAF79CD-7A96-4BC6-88F4-84C34BB8F583}
.
==================== Find3M ====================
.
2011-07-23 11:04:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-20 08:54:36 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54:36 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-17 16:03:18 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-05-28 19:10:32 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-28 19:10:32 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
============= FINISH: 21:43:43.67 ===============

Attach.txt is also attached



Had problems running gmer so there is no log. The scan froze, so it was closed. My computer froze on another attempt. I also experienced a bluescreen a couple of times so my computer shut itself down.
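As an added example (my own script, not part of DDS, Norton or anything posted in this thread), the following Python pulls out of a DDS log the handful of settings an analyst would check first on a machine showing Tidserv-style alerts and search redirects: a Firefox manual proxy that points at the local host, a machine-wide IE start page that differs from the user's, GUID-named folders appearing under appdata\local day after day, and a Firefox extension installed from a user profile path. The sample input is a constructed excerpt of the log above; the check thresholds and the wording of the findings are my own assumptions.

```python
"""Triage a DDS log for settings worth a second look on a suspected rootkit.

Added example for this thread; it is not a DDS feature and its checks are
heuristics, not a verdict. Feed it the full log text to get a list of findings.
"""
import re
from collections import Counter

# Constructed excerpt: a few lines copied from the DDS log posted above.
SAMPLE_DDS_LOG = r"""
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://yeppo.net
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\IPSFFPlgn
FF - Ext: XULRunner: {63617DF2-71CF-4C00-8F7F-72232203950E} - c:\users\joseph\appdata\local\{63617DF2-71CF-4C00-8F7F-72232203950E}
2011-08-16 19:09:27 -------- d-----w- c:\users\joseph\appdata\local\{89127BBA-B97E-4FFF-8A38-51A8EF17259B}
2011-08-16 19:08:20 -------- d-----w- c:\users\joseph\appdata\local\{643C1C38-F2A9-4483-98FA-CB353911658D}
2011-08-15 15:30:07 -------- d-----w- c:\users\joseph\appdata\local\{46B1A73C-3AE3-4E19-9562-09D927D062EC}
2011-08-15 13:14:34 -------- d-----w- c:\users\joseph\appdata\local\{924DC5CC-AB38-4C5B-BAE7-FE85598150CE}
2011-08-09 19:00:58 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
"""

# DDS line shapes this script understands.
FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
START_PAGE = re.compile(r"^([um])Start Page = (.*)$")          # u = user, m = machine
FF_EXT = re.compile(r"^FF - Ext: (.*?): \{[^}]+\} - (.*)$")
CREATED_DIR = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ d-----w- (.*)$")
GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)


def firefox_proxy(lines):
    """Return (host, port) when prefs.js sets a manual HTTP proxy, else None."""
    prefs = {}
    for line in lines:
        m = FF_PREF.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    if prefs.get("network.proxy.type") != "1":   # 1 = manual proxy configuration
        return None
    host, port = prefs.get("network.proxy.http"), prefs.get("network.proxy.http_port")
    return (host, int(port)) if host and port else None


def start_pages(lines):
    """Map start-page scope ('u' current user, 'm' machine-wide) to its URL."""
    pages = {}
    for line in lines:
        m = START_PAGE.match(line)
        if m:
            pages[m.group(1)] = m.group(2).strip()
    return pages


def guid_dirs_per_day(lines):
    """Count bare-GUID directories under appdata\\local in 'Created Last 30', by day."""
    counts = Counter()
    for line in lines:
        m = CREATED_DIR.match(line)
        if m and r"\appdata\local\{" in m.group(2).lower() and GUID_DIR.search(m.group(2)):
            counts[m.group(1)] += 1
    return dict(counts)


def extensions_outside_program_dirs(lines):
    """Firefox extensions installed from a user profile path rather than a program dir."""
    found = []
    for line in lines:
        m = FF_EXT.match(line)
        if m and m.group(2).lower().startswith("c:\\users\\"):
            found.append((m.group(1), m.group(2)))
    return found


def triage(text):
    """Run every check and return human-readable findings (empty list = nothing flagged)."""
    lines = text.splitlines()
    findings = []
    proxy = firefox_proxy(lines)
    if proxy and proxy[0] in ("127.0.0.1", "localhost"):
        findings.append(f"Firefox routes HTTP through a local proxy {proxy[0]}:{proxy[1]}")
    pages = start_pages(lines)
    if "m" in pages and pages["m"] != pages.get("u"):
        findings.append(f"machine-wide IE start page differs from the user's: {pages['m']}")
    days = guid_dirs_per_day(lines)
    if days:
        findings.append(f"GUID-named folders created under appdata\\local on {len(days)} day(s)")
    for name, path in extensions_outside_program_dirs(lines):
        findings.append(f"Firefox extension '{name}' installed from a user profile: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS_LOG):
        print("-", finding)
```

A local proxy the user never installed, a start page nobody set and a fresh GUID folder every day are each only a lead; they tell the helper where to look in the log, not what the infection is.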


#4 2011Joe90

Posted 17 August 2011 - 03:28 PM

Another thing I am noticing is that when I do a Google search using Internet Explorer, I am redirected to sites like gomeo.

#5 2011Joe90

Posted 17 August 2011 - 04:27 PM

Performed a quick scan in safe mode with Malwarebytes' Anti-Malware. See log below:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7490

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19120

17/08/2011 22:15:57
mbam-log-2011-08-17 (22-15-57).txt

Scan type: Quick scan
Objects scanned: 198489
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Joseph\AppData\Local\Temp\onsrcemawx.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Users\Joseph\AppData\Roaming\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.

#6 2011Joe90 (Topic Starter, Members)

Posted 19 August 2011 - 02:37 PM

Was able to get GMER to work by unchecking "Devices" as well as the options recommended in the prep page. Here is the log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-19 18:37:36
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD25 rev.01.0
Running: gmer.exe; Driver: C:\Users\Joseph\AppData\Local\Temp\kfriqpow.sys


---- System - GMER 1.0.15 ----

SSDT 92DFF108 ZwAlertResumeThread
SSDT 917C7CA0 ZwAlertThread
SSDT 9CFA3438 ZwAllocateVirtualMemory
SSDT 8F3E9E18 ZwAlpcConnectPort
SSDT 87698C50 ZwAssignProcessToJobObject
SSDT 9CFE0900 ZwCreateMutant
SSDT 9CFE5C38 ZwCreateSymbolicLinkObject
SSDT 9CFA2F70 ZwCreateThread
SSDT 9CF38D90 ZwDebugActiveProcess
SSDT 9CFA35C8 ZwDuplicateObject
SSDT 9CFA4CF0 ZwFreeVirtualMemory
SSDT 921FB638 ZwImpersonateAnonymousToken
SSDT 92DFDA60 ZwImpersonateThread
SSDT 8FE50920 ZwLoadDriver
SSDT 9CFA4B90 ZwMapViewOfSection
SSDT 929F8120 ZwOpenEvent
SSDT 9CFA3828 ZwOpenProcess
SSDT 91DFD110 ZwOpenProcessToken
SSDT 917B3048 ZwOpenSection
SSDT 9CFA36D8 ZwOpenThread
SSDT 9CFE4970 ZwProtectVirtualMemory
SSDT 921FD110 ZwResumeThread
SSDT 917DFA40 ZwSetContextThread
SSDT 9CFA4978 ZwSetInformationProcess
SSDT 917B4048 ZwSetSystemInformation
SSDT 939F4048 ZwSuspendProcess
SSDT 91777120 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x99130620]
SSDT 91795120 ZwTerminateThread
SSDT 921F2110 ZwUnmapViewOfSection
SSDT 9CFA3128 ZwWriteVirtualMemory
SSDT 9CFE4110 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 828EC8A0 8 Bytes [08, F1, DF, 92, A0, 7C, 7C, ...] {OR CL, DH; FIST WORD [EDX-0x6e838360]}
.text ntkrnlpa.exe!KeSetEvent + 131 828EC8B4 4 Bytes [38, 34, FA, 9C] {CMP [EDX+EDI*8], DH; PUSHF }
.text ntkrnlpa.exe!KeSetEvent + 13D 828EC8C0 4 Bytes [18, 9E, 3E, 8F]
.text ntkrnlpa.exe!KeSetEvent + 191 828EC914 4 Bytes [50, 8C, 69, 87] {PUSH EAX; MOV WORD [ECX-0x79], GS}
.text ntkrnlpa.exe!KeSetEvent + 1F5 828EC978 4 Bytes [00, 09, FE, 9C]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe[596] kernel32.dll!SetUnhandledExceptionFilter 767CA8C5 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtProtectVirtualMemory 77CD4B84 5 Bytes JMP 0088000A
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtWriteVirtualMemory 77CD54C4 5 Bytes JMP 008A000A
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!KiUserExceptionDispatcher 77CD5BF8 5 Bytes JMP 004A000A
.text C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe[2580] kernel32.dll!SetUnhandledExceptionFilter 767CA8C5 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrvProxy.exe[3268] kernel32.dll!SetUnhandledExceptionFilter 767CA8C5 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrvProxy.exe[3388] kernel32.dll!SetUnhandledExceptionFilter 767CA8C5 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\Explorer.EXE[3460] ntdll.dll!NtProtectVirtualMemory 77CD4B84 5 Bytes JMP 01F6000A
.text C:\Windows\Explorer.EXE[3460] ntdll.dll!NtWriteVirtualMemory 77CD54C4 5 Bytes JMP 01F7000A
.text C:\Windows\Explorer.EXE[3460] ntdll.dll!KiUserExceptionDispatcher 77CD5BF8 5 Bytes JMP 01F1000A
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[5896] kernel32.dll!SetUnhandledExceptionFilter 767CA8C5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060eef78d
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060eef78d (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
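A triage pass over a GMER log in the format posted above, as an added example that is not part of the post and not GMER's own logic: it walks the log section by section and pulls out the lines a helper acts on, namely GMER's MBR rootkit verdict in "Disk sectors", inline JMP patches on ntdll exports inside svchost.exe and Explorer.EXE whose target GMER attributes to no module (the injected-code pattern visible in the log), and SSDT hooks with a bare address instead of a driver name, which a security product can equally cause and so are only marked for review. The sample lines are a constructed excerpt in the same layout, and the three severities are this example's own heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the GMER 1.0.15 log above (a handful of
# representative lines, not the complete log). Raw string: backslashes are literal.
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-19 18:37:36

---- System - GMER 1.0.15 ----

SSDT 92DFF108 ZwAlertResumeThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x99130620]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe[596] kernel32.dll!SetUnhandledExceptionFilter 767CA8C5 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtProtectVirtualMemory 77CD4B84 5 Bytes JMP 0088000A
.text C:\Windows\Explorer.EXE[3460] ntdll.dll!KiUserExceptionDispatcher 77CD5BF8 5 Bytes JMP 01F1000A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "SSDT <module path or bare address> Zw<Name> [0x<addr>]"; the bracketed part is
# present only when GMER could attribute the hook to a module.
SSDT_RE = re.compile(r"^SSDT (.+?) (Zw\w+)(?: \[(0x[0-9A-Fa-f]+)\])?$")
# ".text <process>[<pid>] <dll>!<export> <addr> <n> Bytes <patch description>"
USER_RE = re.compile(r"^\.text (.+?)\[(\d+)\] (\S+!\S+) ([0-9A-Fa-f]{8}) (\d+) Bytes (.+)$")
JMP_RE = re.compile(r"^JMP ([0-9A-Fa-f]{8})\s*(.*)$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "review" (this example's own scale)
    section: str
    detail: str


def triage_gmer_log(text: str) -> list[Finding]:
    """Walk a GMER log section by section and return the lines worth a human look."""
    findings: list[Finding] = []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section.startswith("Disk sectors"):
            # GMER's own verdict lines: MBR rootkit code or sector-level evasion.
            if "ROOTKIT" in line or "rootkit-like" in line:
                findings.append(Finding("critical", section, line))
        elif section.startswith("System"):
            m = SSDT_RE.match(line)
            # A bare address in the module slot means GMER saw the hook but could not
            # map it to a loaded driver: not proof of malware (security products hook
            # here too), but it must be identified before the log is called clean.
            if m and BARE_ADDR_RE.match(m.group(1)) and not m.group(3):
                findings.append(Finding(
                    "review", section,
                    f"{m.group(2)} hooked at {m.group(1)}, no module attributed"))
        elif section.startswith("User code"):
            m = USER_RE.match(line)
            if not m:
                continue
            process, pid, api, _addr, _size, patch = m.groups()
            j = JMP_RE.match(patch)
            # Inline JMP on an ntdll export inside a core process, with no module named
            # for the target: the injected-code pattern seen for svchost/Explorer above.
            # Byte patches without a JMP (e.g. the RET 4 on SetUnhandledExceptionFilter)
            # are left alone.
            if j and not j.group(2):
                name = process.rsplit("\\", 1)[-1]
                findings.append(Finding(
                    "high", section,
                    f"{name}[{pid}] {api} -> JMP {j.group(1)} (target not attributed to a module)"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a log can be judged at a glance."""
    counts = {"critical": 0, "high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_gmer_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper():8}] {f.section}: {f.detail}")
    print(summarize(results))
```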

#7 2011Joe90 (Topic Starter, Members)

Posted 19 August 2011 - 05:50 PM

Ran a Norton scan: it detected and removed tracking cookies and 2 Trojan.Maljava.

#8 Orange Blossom (OBleepin Investigator, Moderator, Bloomington, IN)

Posted 19 August 2011 - 05:57 PM

Please WAIT for a team member to assist you.

You should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

As I stated before:

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#9 shelf life (Malware Response Team)

Posted 20 August 2011 - 03:11 PM

Hi 2011Joe90,

You have a rootkit on your machine. You really shouldn't be using it until it's clean, and it should have no network connectivity; if you're not sure how to stop this, then I would just power it off. Reply back if you still need help.

How Can I Reduce My Risk to Malware?


#10 2011Joe90 (Topic Starter, Members)

Posted 21 August 2011 - 08:13 AM

Yes, I need help to remove this, what would you suggest?

#11 shelf life (Malware Response Team)

Posted 21 August 2011 - 03:01 PM

We can start with tdsskiller:

Please download TDSS Killer.exe and save it to your desktop.

Double-click to launch the utility. On Vista and Windows 7, right-click and choose "run as admin..". After it initializes, click the Start Scan button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."


If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

A report can also be found on your root drive, Local Disk (C:), as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt).

Please post the log report.

How Can I Reduce My Risk to Malware?


#12 2011Joe90 (Topic Starter, Members)

Posted 21 August 2011 - 03:57 PM

Here is the log:

2011/08/21 21:31:15.0112 5768 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
2011/08/21 21:31:16.0766 5768 ================================================================================
2011/08/21 21:31:16.0766 5768 SystemInfo:
2011/08/21 21:31:16.0766 5768
2011/08/21 21:31:16.0766 5768 OS Version: 6.0.6002 ServicePack: 2.0
2011/08/21 21:31:16.0766 5768 Product type: Workstation
2011/08/21 21:31:16.0766 5768 ComputerName: JOSEPH-PC
2011/08/21 21:31:16.0766 5768 UserName: Joseph
2011/08/21 21:31:16.0766 5768 Windows directory: C:\Windows
2011/08/21 21:31:16.0766 5768 System windows directory: C:\Windows
2011/08/21 21:31:16.0766 5768 Processor architecture: Intel x86
2011/08/21 21:31:16.0766 5768 Number of processors: 2
2011/08/21 21:31:16.0766 5768 Page size: 0x1000
2011/08/21 21:31:16.0766 5768 Boot type: Normal boot
2011/08/21 21:31:16.0766 5768 ================================================================================
2011/08/21 21:31:20.0151 5768 Initialize success
2011/08/21 21:31:47.0373 10088 ================================================================================
2011/08/21 21:31:47.0373 10088 Scan started
2011/08/21 21:31:47.0373 10088 Mode: Manual;
2011/08/21 21:31:47.0373 10088 ================================================================================
2011/08/21 21:32:15.0456 10088 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/08/21 21:32:15.0628 10088 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/21 21:32:15.0674 10088 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/08/21 21:32:15.0737 10088 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/21 21:32:15.0784 10088 PSDFilter (e801d5cc24e1cf18fa87d24d7074b876) C:\Windows\system32\DRIVERS\psdfilter.sys
2011/08/21 21:32:15.0799 10088 PSDNServ (24b5e3429f7f0e779fc2e6e36a0a5f73) C:\Windows\system32\drivers\PSDNServ.sys
2011/08/21 21:32:15.0846 10088 psdvdisk (01cbfd08c0e8a6106bb26fcda297154e) C:\Windows\system32\drivers\psdvdisk.sys
2011/08/21 21:32:15.0893 10088 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
2011/08/21 21:32:15.0971 10088 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/08/21 21:32:16.0049 10088 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/08/21 21:32:16.0111 10088 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/21 21:32:16.0158 10088 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/21 21:32:16.0236 10088 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/21 21:32:16.0298 10088 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/21 21:32:16.0345 10088 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/21 21:32:16.0408 10088 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/21 21:32:16.0470 10088 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/21 21:32:16.0610 10088 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/08/21 21:32:16.0657 10088 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/21 21:32:16.0704 10088 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/08/21 21:32:16.0798 10088 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
2011/08/21 21:32:16.0860 10088 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\Windows\system32\DRIVERS\rimmptsk.sys
2011/08/21 21:32:16.0891 10088 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\Windows\system32\DRIVERS\rimsptsk.sys
2011/08/21 21:32:16.0938 10088 rismxdp (d231b577024aa324af13a42f3a807d10) C:\Windows\system32\DRIVERS\rixdptsk.sys
2011/08/21 21:32:17.0032 10088 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
2011/08/21 21:32:17.0094 10088 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/21 21:32:17.0172 10088 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/21 21:32:17.0234 10088 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/21 21:32:17.0297 10088 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/08/21 21:32:17.0406 10088 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
2011/08/21 21:32:17.0468 10088 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/08/21 21:32:17.0515 10088 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
2011/08/21 21:32:17.0562 10088 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/08/21 21:32:17.0624 10088 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/08/21 21:32:17.0687 10088 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/08/21 21:32:17.0718 10088 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/08/21 21:32:17.0749 10088 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/08/21 21:32:17.0780 10088 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/08/21 21:32:17.0827 10088 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/08/21 21:32:17.0874 10088 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/08/21 21:32:17.0905 10088 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/08/21 21:32:17.0968 10088 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/08/21 21:32:18.0155 10088 SNP2UVC (1c550748f896e53b7b0fe7717845132b) C:\Windows\system32\DRIVERS\snp2uvc.sys
2011/08/21 21:32:18.0358 10088 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/08/21 21:32:18.0498 10088 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\Windows\System32\Drivers\NIS\1108000.005\SRTSP.SYS
2011/08/21 21:32:18.0560 10088 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\Windows\system32\drivers\NIS\1108000.005\SRTSPX.SYS
2011/08/21 21:32:18.0607 10088 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/08/21 21:32:18.0670 10088 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/21 21:32:18.0763 10088 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/21 21:32:18.0919 10088 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/08/21 21:32:18.0982 10088 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/08/21 21:32:19.0122 10088 SymDS (56890bf9d9204b93042089d4b45ae671) C:\Windows\system32\drivers\NIS\1108000.005\SYMDS.SYS
2011/08/21 21:32:19.0184 10088 SymDSMon (4c155fa65cbf81513e4b9d088737e9cf) C:\Windows\system32\drivers\SymDSMon.sys
2011/08/21 21:32:19.0294 10088 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\Windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS
2011/08/21 21:32:19.0387 10088 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\Windows\system32\Drivers\SYMEVENT.SYS
2011/08/21 21:32:19.0543 10088 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\Windows\system32\drivers\NIS\1108000.005\Ironx86.SYS
2011/08/21 21:32:19.0730 10088 SYMSpeedDisk (e9983667331d463f1e5b34f9170a9ae0) C:\Windows\system32\drivers\SymSpeedDisk.sys
2011/08/21 21:32:20.0027 10088 SYMTDIv (bf610335eda8d9026e45b4ac73d0de58) C:\Windows\System32\Drivers\NIS\1108000.005\SYMTDIV.SYS
2011/08/21 21:32:20.0542 10088 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/08/21 21:32:20.0822 10088 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/08/21 21:32:20.0978 10088 SynTP (5d6e865780aae258aba1a1484782cfec) C:\Windows\system32\DRIVERS\SynTP.sys
2011/08/21 21:32:21.0088 10088 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
2011/08/21 21:32:21.0166 10088 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/21 21:32:21.0212 10088 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/21 21:32:21.0259 10088 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/08/21 21:32:21.0322 10088 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/08/21 21:32:21.0509 10088 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/21 21:32:21.0758 10088 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/08/21 21:32:22.0008 10088 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/21 21:32:22.0227 10088 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/08/21 21:32:22.0352 10088 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/21 21:32:22.0602 10088 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/08/21 21:32:23.0101 10088 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/21 21:32:23.0273 10088 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/08/21 21:32:23.0413 10088 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/08/21 21:32:23.0460 10088 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/08/21 21:32:23.0507 10088 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/08/21 21:32:23.0569 10088 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/08/21 21:32:23.0678 10088 UMPass (88bd96a1baeed33ee8bdf9499c07a841) C:\Windows\system32\DRIVERS\umpass.sys
2011/08/21 21:32:23.0772 10088 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
2011/08/21 21:32:23.0803 10088 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/21 21:32:23.0959 10088 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/08/21 21:32:24.0411 10088 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/08/21 21:32:25.0082 10088 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/21 21:32:25.0254 10088 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/08/21 21:32:25.0550 10088 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/21 21:32:25.0691 10088 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/08/21 21:32:25.0862 10088 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/08/21 21:32:26.0127 10088 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/08/21 21:32:26.0315 10088 VClone (94d73b62e458fb56c9ce60aa96d914f9) C:\Windows\system32\DRIVERS\VClone.sys
2011/08/21 21:32:26.0377 10088 VComm (51750b0539986186c6931fc40d171521) C:\Windows\system32\DRIVERS\VComm.sys
2011/08/21 21:32:26.0424 10088 VcommMgr (6d9c891c0a761afed1f3609c2e56f2b9) C:\Windows\system32\Drivers\VcommMgr.sys
2011/08/21 21:32:26.0533 10088 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/21 21:32:26.0580 10088 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/08/21 21:32:26.0627 10088 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/08/21 21:32:26.0673 10088 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/08/21 21:32:26.0705 10088 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/08/21 21:32:26.0767 10088 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/08/21 21:32:26.0829 10088 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/08/21 21:32:26.0907 10088 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/08/21 21:32:26.0970 10088 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/08/21 21:32:27.0017 10088 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/08/21 21:32:27.0063 10088 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/21 21:32:27.0079 10088 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/21 21:32:27.0126 10088 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/08/21 21:32:27.0235 10088 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/21 21:32:27.0344 10088 winachsf (3344b5c3209e538291398ff12f895155) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/08/21 21:32:27.0407 10088 winbondcir (3fa87d56769838aac82fafc3e78fc732) C:\Windows\system32\DRIVERS\winbondcir.sys
2011/08/21 21:32:27.0547 10088 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/08/21 21:32:27.0687 10088 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/08/21 21:32:27.0750 10088 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/21 21:32:27.0828 10088 WSVD (2584df81cc9f7e7bd3545691106f8cae) C:\Windows\system32\drivers\WSVD.sys
2011/08/21 21:32:27.0890 10088 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/21 21:32:27.0953 10088 XAudio (2e579520e114a9ca309f13bf40ad8292) C:\Windows\system32\DRIVERS\xaudio.sys
2011/08/21 21:32:28.0093 10088 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796} (8098180b3f6c430a4e60333bc036f936) C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl
2011/08/21 21:32:28.0171 10088 MBR (0x1B8) (e1d1d586ac841525e8c087b729eeb6a0) \Device\Harddisk0\DR0
2011/08/21 21:32:28.0171 10088 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/21 21:32:28.0187 10088 MBR (0x1B8) (b880d8f173a9408df7d86dc10550d6a2) \Device\Harddisk1\DR1
2011/08/21 21:32:28.0265 10088 Boot (0x1200) (f58ffd33bcb116aec62cc176bbfb6a55) \Device\Harddisk0\DR0\Partition0
2011/08/21 21:32:28.0358 10088 Boot (0x1200) (22598b111eadea6cce425863c7343c4f) \Device\Harddisk0\DR0\Partition1
2011/08/21 21:32:28.0358 10088 ================================================================================
2011/08/21 21:32:28.0358 10088 Scan finished
2011/08/21 21:32:28.0358 10088 ================================================================================
2011/08/21 21:32:28.0374 5100 Detected object count: 1
2011/08/21 21:32:28.0374 5100 Actual detected object count: 1
2011/08/21 21:33:24.0986 5100 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/21 21:33:24.0986 5100 \Device\Harddisk0\DR0 - ok
2011/08/21 21:33:25.0033 5100 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/21 21:36:36.0071 3864 Deinitialize success

Also my taskbar keeps changing from Vista to old Windows without my authorisation; could this also have something to do with the rootkit?



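The TDSSKiller log above mixes per-driver hash lines, MBR/boot-sector hash lines, detection lines and the cure/count lines at the end. The following is an added example, not part of the thread or of TDSSKiller itself: a small parser that pulls the detections out of that format and cross-checks them against the "Detected object count" lines, which is what a responder reads first. The sample lines are copied from the log posted in this thread; the record layout returned by the functions is my own choice.

```python
import re

# Sample lines copied from the TDSSKiller log posted in this thread (driver,
# MBR/boot-sector, detection, count and cure lines); the parser looks only at
# the message that follows the timestamp and thread id on each line.
SAMPLE_LOG = r"""
2011/08/21 21:32:26.0767 10088 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/08/21 21:32:28.0171 10088 MBR (0x1B8) (e1d1d586ac841525e8c087b729eeb6a0) \Device\Harddisk0\DR0
2011/08/21 21:32:28.0171 10088 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/21 21:32:28.0187 10088 MBR (0x1B8) (b880d8f173a9408df7d86dc10550d6a2) \Device\Harddisk1\DR1
2011/08/21 21:32:28.0265 10088 Boot (0x1200) (f58ffd33bcb116aec62cc176bbfb6a55) \Device\Harddisk0\DR0\Partition0
2011/08/21 21:32:28.0374 5100 Detected object count: 1
2011/08/21 21:32:28.0374 5100 Actual detected object count: 1
2011/08/21 21:33:24.0986 5100 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/21 21:33:25.0033 5100 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
"""

LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(.*)$")
SECTOR_RE = re.compile(r"^(MBR|Boot) \((0x[0-9A-Fa-f]+)\) \(([0-9a-f]{32})\) (.+)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
DETECT_RE = re.compile(r"^(.+?) - detected (\S+) \((\d+)\)$")
USER_RE = re.compile(r"^(\S+)\((.+?)\) - User select action: (\S+)$")
CURE_RE = re.compile(r"^(.+?) \((\S+)\) - (.+)$")
COUNT_RE = re.compile(r"^(Actual )?[Dd]etected object count: (\d+)$")


def parse_tdsskiller_log(text):
    """Return (objects, detections, counts): every scanned driver or boot
    sector with its MD5, every detection with the action taken on it, and
    the object counts TDSSKiller prints at the end of the scan."""
    objects, detections, counts = {}, {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banner, blank or separator line
        msg = m.group(3)
        if s := SECTOR_RE.match(msg):     # MBR / boot sector hash lines
            kind, size, md5, dev = s.groups()
            objects[dev] = {"kind": kind, "size": size, "md5": md5}
        elif d := DETECT_RE.match(msg):   # "<object> - detected <threat> (n)"
            obj, threat, _ = d.groups()
            detections.setdefault(obj, {})["threat"] = threat
        elif u := USER_RE.match(msg):     # "<threat>(<object>) - User select action: X"
            _, obj, action = u.groups()
            detections.setdefault(obj, {})["user_action"] = action
        elif c := CURE_RE.match(msg):     # "<object> (<threat>) - will be cured ..."
            obj, _, status = c.groups()
            detections.setdefault(obj, {})["status"] = status
        elif n := COUNT_RE.match(msg):
            counts["actual" if n.group(1) else "reported"] = int(n.group(2))
        elif dr := DRIVER_RE.match(msg):  # "<driver> (<md5>) <path>"
            name, md5, path = dr.groups()
            objects[name] = {"kind": "driver", "md5": md5, "path": path}
    return objects, detections, counts


def summarize(objects, detections, counts):
    """Join each detection to the object it hit and check that the count
    lines agree with the detection lines actually present in the log."""
    findings = [{"object": obj, "kind": objects.get(obj, {}).get("kind", "?"), **info}
                for obj, info in detections.items()]
    consistent = counts.get("reported") == counts.get("actual") == len(detections)
    return findings, consistent
```

Run on the full log, the MBR hash of `\Device\Harddisk0\DR0` before and after the cure can also be compared, since TDSSKiller prints that line on every scan.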

#13 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:09:40 AM

Posted 21 August 2011 - 04:48 PM

ok good. Update and run Malwarebytes once more.

could this also have something to do with the rootkit?

rootkit is history, but it's possible this could be a leftover.

How Can I Reduce My Risk to Malware?


#14 2011Joe90

2011Joe90
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 21 August 2011 - 05:22 PM

Here is the log:
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The attachment showed the changes that had happened to my taskbar, etc.; the printscreen was taken during the infestation. It hasn't happened since I rebooted through TDSSKiller.

Do you have any recommendations as to how I can improve security, computer speed, boot-up time, etc.?

#15 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:09:40 AM

Posted 22 August 2011 - 04:52 PM

Looks good. You can remove TDSSKiller by deleting the icon from your desktop. To improve speed: have you ever defragged your HD? Windows has a built-in utility to do that. If you see a lot of icons down by the clock you can check and see what they are and then check options for them not to start with Windows. Obviously you want your AV and any antimalware to start with Windows. Commercial machines usually come with lots of useless bloatware already installed and running by default; most likely half or more of this can be uninstalled via the Add/Remove Programs panel. Disabling the Vista sidebar may improve things also.
I do have some security tips but save them for last.

How Can I Reduce My Risk to Malware?




