svchost.exe trojan attacks


  • This topic is locked
8 replies to this topic

#1 shacar

  • Members
  • 11 posts

Posted 19 August 2011 - 04:31 PM

Hi, my Norton 360 keeps telling me that an intrusion was stopped and that it was coming from \device\harddiskvolume1\windows\system32\svchost.exe.

Any help please?

Thanks

Edit: Moved topic from XP to the more appropriate forum, at the request of staff. ~ Animal



#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 19 August 2011 - 09:14 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 shacar
  • Topic Starter

  • Members
  • 11 posts

Posted 17 September 2011 - 05:57 PM

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton 360
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 27
Out of date Java installed!
Adobe Flash Player 10.3.183.7
Adobe Reader X (10.1.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

MiniToolBox by Farbar
Ran by bobby (administrator) on 17-09-2011 at 17:46:42
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : all-af54638905c

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet

Physical Address. . . . . . . . . : 00-25-64-C9-07-5D

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 10.0.0.19

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.0.0.1

DHCP Server . . . . . . . . . . . : 10.0.0.1

DNS Servers . . . . . . . . . . . : 10.0.0.1

Lease Obtained. . . . . . . . . . : Saturday, September 17, 2011 5:39:17 PM

Lease Expires . . . . . . . . . . : Sunday, September 18, 2011 5:39:17 PM

Server: UnKnown
Address: 10.0.0.1

Name: google.com
Addresses: 74.125.65.104, 74.125.65.99, 74.125.65.106, 74.125.65.147
74.125.65.105, 74.125.65.103



Pinging google.com [74.125.45.105] with 32 bytes of data:



Reply from 74.125.45.105: bytes=32 time=33ms TTL=50

Reply from 74.125.45.105: bytes=32 time=36ms TTL=50



Ping statistics for 74.125.45.105:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 33ms, Maximum = 36ms, Average = 34ms

Server: UnKnown
Address: 10.0.0.1

Name: yahoo.com
Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56
209.191.122.70



Pinging yahoo.com [69.147.125.65] with 32 bytes of data:



Reply from 69.147.125.65: bytes=32 time=37ms TTL=51

Reply from 69.147.125.65: bytes=32 time=37ms TTL=51



Ping statistics for 69.147.125.65:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 37ms, Maximum = 37ms, Average = 37ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 25 64 c9 07 5d ...... Broadcom NetLink ™ Gigabit Ethernet - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.19 20
10.0.0.0 255.255.255.0 10.0.0.19 10.0.0.19 20
10.0.0.19 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.0.0.19 10.0.0.19 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 10.0.0.19 10.0.0.19 20
224.0.0.0 240.0.0.0 10.0.0.19 10.0.0.19 20
255.255.255.255 255.255.255.255 10.0.0.19 10.0.0.19 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/17/2011 05:40:07 PM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 4068. Message ID: [0x2500].

Error: (09/17/2011 08:25:40 AM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 2764. Message ID: [0x2500].

Error: (09/16/2011 08:49:12 AM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3092. Message ID: [0x2500].

Error: (09/15/2011 03:25:02 PM) (Source: Application Error) (User: )
Description: Faulting application webkit2webprocess.exe, version 7534.50.0.1, faulting module javascriptcore.dll, version 7534.49.0.2, fault address 0x000a1731.
Processing media-specific event for [webkit2webprocess.exe!ws!]

Error: (09/15/2011 08:57:37 AM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3592. Message ID: [0x2500].

Error: (09/14/2011 08:49:43 AM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3396. Message ID: [0x2500].

Error: (09/13/2011 01:24:14 PM) (Source: Application Error) (User: )
Description: Faulting application webkit2webprocess.exe, version 7534.50.0.1, faulting module javascriptcore.dll, version 7534.49.0.2, fault address 0x000a1643.
Processing media-specific event for [webkit2webprocess.exe!ws!]

Error: (09/13/2011 08:44:58 AM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3944. Message ID: [0x2500].

Error: (09/12/2011 10:40:10 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (09/12/2011 09:28:38 AM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3688. Message ID: [0x2500].


System errors:
=============
Error: (07/27/2011 08:42:49 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 10.0.0.19 on the
Network Card with network address 002564C9075D.


Microsoft Office Sessions:
=========================
Error: (09/17/2011 05:40:07 PM) (Source: .NET Runtime)(User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 4068. Message ID: [0x2500].

Error: (09/17/2011 08:25:40 AM) (Source: .NET Runtime)(User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 2764. Message ID: [0x2500].

Error: (09/16/2011 08:49:12 AM) (Source: .NET Runtime)(User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3092. Message ID: [0x2500].

Error: (09/15/2011 03:25:02 PM) (Source: Application Error)(User: )
Description: webkit2webprocess.exe7534.50.0.1javascriptcore.dll7534.49.0.2000a1731

Error: (09/15/2011 08:57:37 AM) (Source: .NET Runtime)(User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3592. Message ID: [0x2500].

Error: (09/14/2011 08:49:43 AM) (Source: .NET Runtime)(User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3396. Message ID: [0x2500].

Error: (09/13/2011 01:24:14 PM) (Source: Application Error)(User: )
Description: webkit2webprocess.exe7534.50.0.1javascriptcore.dll7534.49.0.2000a1643

Error: (09/13/2011 08:44:58 AM) (Source: .NET Runtime)(User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3944. Message ID: [0x2500].

Error: (09/12/2011 10:40:10 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (09/12/2011 09:28:38 AM) (Source: .NET Runtime)(User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 3688. Message ID: [0x2500].


=========================== Installed Programs ============================

Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 10 ActiveX (Version: 10.3.183.5)
Adobe Flash Player 10 Plugin (Version: 10.3.183.7)
Adobe Reader X (10.1.1) (Version: 10.1.1)
AIM 7
Apple Application Support (Version: 2.0.1)
Apple Mobile Device Support (Version: 3.3.0.69)
Apple Software Update (Version: 2.1.3.127)
Avanquest update (Version: 1.27)
Bonjour (Version: 2.0.5.0)
Broadcom NetXtreme-I Netlink Driver and Management Installer (Version: 12.25.02)
Brother MFL-Pro Suite (Version: 1.00)
Cricket Broadband (Version: 1.0.1177)
Cricket Broadband Connect (Version: 1.33)
Cricket Broadband CROSSWAVE (Version: ConnLaucher_WIN1.01.09.644)
Cricket Broadband EC1705 (Version: 21.003.16.16.644)
Cricket EVDO Modem (Version: 1.0.902.4263)
Crystal Reports for .NET Framework 2.0 (x86) (Version: 10.2.0)
Dell Resource CD (Version: 1.00.0000)
DivX Setup (Version: 2.4.1.4)
Download Updater (AOL LLC)
Ingenico CP210x USB to UART Bridge (Driver Removal)
Intel® Graphics Media Accelerator Driver
iTunes (Version: 10.1.1.4)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 27 (Version: 6.0.270)
Junk Mail filter update (Version: 14.0.8117.416)
KYOCERA USB Modem M6000 Driver (Version: 1.02.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mobile PhoneTools (Version: 3.55)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Norton 360 (Version: 4.3.0.5)
Pandora (Version: 2.0.5)
PANTECH USB Modem V2 (Version: 1.2.3937.1022)
PaperPort Image Printer (Version: 1.00.0000)
QuickTime (Version: 7.69.80.9)
Realtek High Definition Audio Driver (Version: 5.10.0.5871)
Safari (Version: 5.34.50.0)
ScanSoft PaperPort 11 (Version: 11.1.0000)
Segoe UI (Version: 14.0.4327.805)
System Requirements Lab CYRI (Version: 4.4.21.0)
TeamViewer 6 (Version: 6.0.10722)
TSP100 Setup Version 2.4.0 (Version: 2.4.0)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0 (Version: 04.00.6001.503)
Wireless Standard (Version: 7.3.1)

========================= Memory info: ===================================

Percentage of memory in use: 51%
Total physical RAM: 2011.57 MB
Available physical RAM: 976.94 MB
Total Pagefile: 3904.31 MB
Available Pagefile: 2881.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1988.62 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:232.82 GB) (Free:206.32 GB) NTFS

========================= Users: ========================================

User accounts for \\ALL-AF54638905C

Administrator ASPNET bobby
Guest HelpAssistant SUPPORT_388945a0


**** End of log ****

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7737

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/17/2011 5:54:08 PM
mbam-log-2011-09-17 (17-54-08).txt

Scan type: Quick scan
Objects scanned: 168367
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
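
As an added illustration (not part of the thread, and not MiniToolBox's own code): a small Python parser for the "Event log errors" section of the MiniToolBox output above. It groups entries by source, masks the per-occurrence details (process ID, fault address) so that repeated occurrences of the same problem collapse into one distinct message, and pulls out the entry that recurs across the whole section: the CLR tried to load a profiler because COR_ENABLE_PROFILING was set, but no COR_PROFILER CLSID was present. The profiler mechanism loads a DLL into every .NET process it applies to, so tracing that variable to whatever set it is a check a helper would want to make. The sample text is a four-entry excerpt copied from the log; all function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample: four entries copied from the MiniToolBox "Application errors"
# section above (the full section has ten); every entry follows this layout.
SAMPLE_EVENTS = """\
Application errors:
==================
Error: (09/17/2011 05:40:07 PM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 4068. Message ID: [0x2500].

Error: (09/17/2011 08:25:40 AM) (Source: .NET Runtime) (User: bobby)bobby
Description: .NET Runtime version 4.0.30319.235 - Loading profiler failed. COR_ENABLE_PROFILING was set properly, but COR_PROFILER was not. COR_PROFILER must be set to the CLSID of the profiler to load. Process ID (decimal): 2764. Message ID: [0x2500].

Error: (09/15/2011 03:25:02 PM) (Source: Application Error) (User: )
Description: Faulting application webkit2webprocess.exe, version 7534.50.0.1, faulting module javascriptcore.dll, version 7534.49.0.2, fault address 0x000a1731.
Processing media-specific event for [webkit2webprocess.exe!ws!]

Error: (09/12/2011 10:40:10 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""

# "Error: (<timestamp>) (Source: <source>) (User: <user>)"; MiniToolBox repeats the
# user name after the closing parenthesis, which the regex simply does not consume.
HEADER = re.compile(
    r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]*)\)\s*\(User: (?P<user>[^)]*)\)"
)
PID = re.compile(r"Process ID \(decimal\): (\d+)")

# Fields that differ between occurrences of the same problem; masked so that
# repeated messages compare equal.
VOLATILE = [
    (re.compile(r"Process ID \(decimal\): \d+"), "Process ID (decimal): <pid>"),
    (re.compile(r"(fault|hang) address 0x[0-9a-fA-F]+"), r"\1 address <addr>"),
]


def parse_events(text):
    """Turn the 'Error:' blocks into dicts; a blank line ends the current entry."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"when": m["when"], "source": m["source"],
                       "user": m["user"].strip(), "description": "", "extra": []}
            events.append(current)
        elif current is None:
            continue  # section title, underline, or text before any entry
        elif line.startswith("Description: "):
            current["description"] = line[len("Description: "):]
        elif line.strip() == "":
            current = None
        else:
            current["extra"].append(line)  # continuation lines such as "Processing media-specific event ..."
    return events


def normalize(description):
    """Mask per-occurrence details so identical problems compare equal."""
    for pattern, replacement in VOLATILE:
        description = pattern.sub(replacement, description)
    return description


def count_by_source(events):
    return Counter(e["source"] for e in events)


def distinct_messages(events):
    """How many times each (source, normalized description) pair occurs."""
    return Counter((e["source"], normalize(e["description"])) for e in events)


def profiler_mismatches(events):
    """(timestamp, pid) for each CLR start where COR_ENABLE_PROFILING was set
    without a matching COR_PROFILER CLSID: a setting to trace back to its origin."""
    hits = []
    for e in events:
        if e["source"] == ".NET Runtime" and "COR_PROFILER" in e["description"]:
            m = PID.search(e["description"])
            hits.append((e["when"], int(m.group(1)) if m else None))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(count_by_source(evs))
    for (source, message), n in distinct_messages(evs).items():
        print(f"{n}x [{source}] {message[:70]}...")
    print(profiler_mismatches(evs))
```

Run on the full section, the same code reduces the ten Application errors to three distinct messages; the masking list is the only part that needs extending for other event sources.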

#4 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 17 September 2011 - 06:34 PM

...and GMER...


 


#5 shacar
  • Topic Starter

  • Members
  • 11 posts

Posted 18 September 2011 - 12:19 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-18 00:19:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250318AS rev.CC45
Running: ygtkzyho.exe; Driver: C:\DOCUME~1\bobby\LOCALS~1\Temp\kftiikog.sys


---- System - GMER 1.0.15 ----

SSDT 89DEC0B0 ZwAlertResumeThread
SSDT 89DFB4A8 ZwAlertThread
SSDT 8A432B90 ZwAllocateVirtualMemory
SSDT 8A4ACC48 ZwAssignProcessToJobObject
SSDT 89B25A80 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7561210]
SSDT 8994F940 ZwCreateMutant
SSDT 8994A670 ZwCreateSymbolicLinkObject
SSDT 89AC6A68 ZwCreateThread
SSDT 8A4AC370 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA7561490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA75619F0]
SSDT 8A432E28 ZwDuplicateObject
SSDT 8A432370 ZwFreeVirtualMemory
SSDT 8A4C3468 ZwImpersonateAnonymousToken
SSDT 89DDD3C8 ZwImpersonateThread
SSDT 89BA19C0 ZwLoadDriver
SSDT 89AC0D40 ZwMapViewOfSection
SSDT 8A4C1CB8 ZwOpenEvent
SSDT 8A447458 ZwOpenProcess
SSDT 89E11720 ZwOpenProcessToken
SSDT 8A4AC5F0 ZwOpenSection
SSDT 8A4472C8 ZwOpenThread
SSDT 8994AD00 ZwProtectVirtualMemory
SSDT 89E00F10 ZwResumeThread
SSDT 89E10DF0 ZwSetContextThread
SSDT 89891BD8 ZwSetInformationProcess
SSDT 8A4A9E50 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7561C40]
SSDT 8A493648 ZwSuspendProcess
SSDT 89E08E90 ZwSuspendThread
SSDT 89E11938 ZwTerminateProcess
SSDT 89E0B7B8 ZwTerminateThread
SSDT 89E10008 ZwUnmapViewOfSection
SSDT 8A432780 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2156] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BA5AED56] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [BA5AED56] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
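
An added example, not from the thread and not GMER's own code: a Python parser for the three record types in the GMER log above (SSDT hooks, kernel IAT patches and attached devices). It separates SSDT hooks that GMER attributed to a named driver image (here SYMEVENT.SYS) from those it could only show as a kernel address, lists the filter drivers stacked on each device object in the order GMER reports them, and collects the vendor strings seen. An unattributed hook is not by itself evidence of a rootkit; it means GMER found no loaded image covering that address, and on a machine running a security suite the usual next step is to compare the list against what that suite is known to hook. The sample is a copied subset of the log lines; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the GMER log posted above,
# covering the three record types this parser understands.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 89DEC0B0 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7561210]
SSDT 8A447458 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7561C40]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BA5AED56] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""

# SSDT entry GMER attributed to a driver image: path, (description/vendor), function, [hook address].
SSDT_NAMED = re.compile(
    r"^SSDT (?P<module>\S+) \((?P<desc>[^)]*)\) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# SSDT entry carrying only a kernel address: GMER found no loaded image covering it.
SSDT_ADDR = re.compile(r"^SSDT (?P<addr>[0-9A-Fa-f]{8}) (?P<func>Zw\w+)$")
IAT_LINE = re.compile(
    r"^IAT (?P<target>[^\[\s]+)\[(?P<imp>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<module>\S+) \((?P<desc>[^)]*)\)$")
DEVICE_LINE = re.compile(
    r"^AttachedDevice (?P<driver>\S+) (?P<device>\S+) (?P<module>\S+) \((?P<desc>[^)]*)\)$")


def basename(path):
    # Last component of a Windows path such as \??\C:\...\SYMEVENT.SYS
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Collect SSDT hooks, kernel IAT patches and attached devices from GMER's text log."""
    result = {"ssdt": [], "iat": [], "devices": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_NAMED.match(line):
            result["ssdt"].append({"func": m["func"], "module": basename(m["module"]),
                                   "desc": m["desc"], "addr": m["addr"]})
        elif m := SSDT_ADDR.match(line):
            result["ssdt"].append({"func": m["func"], "module": None, "desc": "", "addr": m["addr"]})
        elif m := IAT_LINE.match(line):
            result["iat"].append({"target": m["target"], "import": m["imp"], "addr": m["addr"],
                                  "module": m["module"], "desc": m["desc"]})
        elif m := DEVICE_LINE.match(line):
            result["devices"].append({"driver": m["driver"], "device": m["device"],
                                      "module": m["module"], "desc": m["desc"]})
    return result


def hooks_by_module(ssdt):
    """SSDT hooks per driver image; hooks GMER could not attribute are grouped as '<unattributed>'."""
    return Counter(e["module"] or "<unattributed>" for e in ssdt)


def unattributed_hooks(ssdt):
    """Functions hooked from an address GMER could not map to any loaded driver image."""
    return [e["func"] for e in ssdt if e["module"] is None]


def device_stack(devices):
    """Filter drivers attached to each device object, in the order GMER reports them."""
    stack = {}
    for d in devices:
        stack.setdefault(d["device"], []).append(d["module"])
    return stack


def vendors(parsed):
    """Distinct vendor names (text after the '/' in GMER's description) across all records."""
    names = {e["desc"].rsplit("/", 1)[-1]
             for group in parsed.values() for e in group if e["desc"]}
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_GMER)
    print("hooks per module:", dict(hooks_by_module(parsed["ssdt"])))
    print("unattributed hooks:", unattributed_hooks(parsed["ssdt"]))
    print("device stacks:", device_stack(parsed["devices"]))
    print("vendors seen:", vendors(parsed))
```

On the full log the only named modules are Symantec's SYMEVENT.SYS and SYMTDI.SYS and Bytemobile's BMLoad.sys and tcpipBM.SYS; the Bytemobile entries line up with the Cricket Broadband software in the installed-programs list, and the remaining SSDT entries are the ones worth asking the security suite vendor about before reading anything into them.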

#6 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 18 September 2011 - 12:29 AM

Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.


 


#7 shacar
  • Topic Starter

  • Members
  • 11 posts

Posted 19 September 2011 - 08:50 AM

2011/09/19 08:48:21.0187 2804 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/19 08:48:23.0203 2804 ================================================================================
2011/09/19 08:48:23.0203 2804 SystemInfo:
2011/09/19 08:48:23.0203 2804
2011/09/19 08:48:23.0203 2804 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/19 08:48:23.0203 2804 Product type: Workstation
2011/09/19 08:48:23.0203 2804 ComputerName: ALL-AF54638905C
2011/09/19 08:48:23.0203 2804 UserName: bobby
2011/09/19 08:48:23.0203 2804 Windows directory: C:\WINDOWS
2011/09/19 08:48:23.0203 2804 System windows directory: C:\WINDOWS
2011/09/19 08:48:23.0203 2804 Processor architecture: Intel x86
2011/09/19 08:48:23.0203 2804 Number of processors: 2
2011/09/19 08:48:23.0203 2804 Page size: 0x1000
2011/09/19 08:48:23.0203 2804 Boot type: Normal boot
2011/09/19 08:48:23.0203 2804 ================================================================================
2011/09/19 08:48:30.0640 2804 Initialize success
2011/09/19 08:48:36.0359 3536 ================================================================================
2011/09/19 08:48:36.0359 3536 Scan started
2011/09/19 08:48:36.0359 3536 Mode: Manual;
2011/09/19 08:48:36.0359 3536 ================================================================================
2011/09/19 08:48:41.0093 3536 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/19 08:48:41.0703 3536 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/19 08:48:42.0421 3536 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/19 08:48:42.0984 3536 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/19 08:48:45.0093 3536 androidusb (f71671248134ea39bfd10401ee5fd825) C:\WINDOWS\system32\Drivers\androidusb.sys
2011/09/19 08:48:47.0312 3536 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/19 08:48:48.0109 3536 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/19 08:48:49.0109 3536 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/19 08:48:49.0921 3536 ATMFBUS (28b3f7d066cad30c5b8e23270c9f9ac9) C:\WINDOWS\system32\DRIVERS\ATMFBUS.sys
2011/09/19 08:48:50.0625 3536 ATMFCVsp (94dac789c1826517909b62f4ce90bcc2) C:\WINDOWS\system32\DRIVERS\ATMFCVsp.sys
2011/09/19 08:48:51.0250 3536 ATMFFLT (752b9969856c32da6ce3aca56fba53e9) C:\WINDOWS\system32\DRIVERS\ATMFFLT.sys
2011/09/19 08:48:51.0718 3536 ATMFMdm (7b22209400ff758a6265852fb0f89413) C:\WINDOWS\system32\DRIVERS\ATMFMdm.sys
2011/09/19 08:48:52.0281 3536 ATMFNET (a292013720a797e7740f8d7ce27f4755) C:\WINDOWS\system32\DRIVERS\ATMFNET.sys
2011/09/19 08:48:52.0687 3536 ATMFNVsp (4bf654c6fe0c8685a6d1c608b1ec26e1) C:\WINDOWS\system32\DRIVERS\ATMFNVsp.sys
2011/09/19 08:48:53.0125 3536 ATMFVsp (e0ad6b1cb4a36a3530bef0b7d589947e) C:\WINDOWS\system32\DRIVERS\ATMFVsp.sys
2011/09/19 08:48:53.0593 3536 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/19 08:48:54.0109 3536 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/19 08:48:54.0937 3536 BHDrvx86 (09b8897ac84c49beabea75cf9fe1ab45) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20110909.001\BHDrvx86.sys
2011/09/19 08:48:55.0375 3536 Blfp (3edae8e7b40257da798c6952edb26eb0) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
2011/09/19 08:48:55.0796 3536 BMLoad (c9c78e00a21d3fe21ce5d81ba5b45e21) C:\WINDOWS\system32\drivers\BMLoad.sys
2011/09/19 08:48:56.0156 3536 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/19 08:48:56.0609 3536 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys
2011/09/19 08:48:57.0062 3536 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/19 08:48:57.0421 3536 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/19 08:48:57.0734 3536 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/19 08:48:59.0390 3536 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/19 08:48:59.0750 3536 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/19 08:49:00.0265 3536 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/19 08:49:00.0562 3536 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/19 08:49:00.0843 3536 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/19 08:49:01.0359 3536 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/19 08:49:01.0671 3536 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/09/19 08:49:02.0125 3536 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/09/19 08:49:03.0125 3536 ewusbnet (249ff0a3aa90a16c770875019427cbdb) C:\WINDOWS\system32\DRIVERS\ewusbnet.sys
2011/09/19 08:49:04.0812 3536 ew_hwusbdev (e98a64c7f106740a38fb2b78197816f8) C:\WINDOWS\system32\DRIVERS\ew_hwusbdev.sys
2011/09/19 08:49:05.0875 3536 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/19 08:49:06.0468 3536 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/19 08:49:07.0359 3536 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/19 08:49:07.0718 3536 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/19 08:49:08.0031 3536 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/19 08:49:08.0218 3536 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/19 08:49:08.0453 3536 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/19 08:49:08.0781 3536 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/09/19 08:49:09.0062 3536 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/19 08:49:09.0359 3536 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/19 08:49:09.0625 3536 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/19 08:49:09.0812 3536 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/19 08:49:09.0875 3536 huawei_enumerator (bb3c8e4b88842f3a1b9c5d603210c277) C:\WINDOWS\system32\DRIVERS\ew_jubusenum.sys
2011/09/19 08:49:09.0984 3536 hwdatacard (3e3bfe85b9fe3720bf4c108f57c945fb) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
2011/09/19 08:49:10.0125 3536 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2011/09/19 08:49:10.0312 3536 ialm (a01bb8da8d73bca83702a4cf1cd56dce) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/19 08:49:10.0843 3536 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20110917.031\IDSxpx86.sys
2011/09/19 08:49:11.0046 3536 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/19 08:49:11.0421 3536 IntcAzAudAddService (9126d796a5101765650cc39d99c5ace7) C:\WINDOWS\system32\drivers\RtDHDAud.sys
2011/09/19 08:49:11.0718 3536 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/19 08:49:11.0859 3536 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/19 08:49:11.0968 3536 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/19 08:49:12.0093 3536 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/19 08:49:12.0156 3536 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/19 08:49:12.0265 3536 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/19 08:49:12.0328 3536 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/19 08:49:12.0500 3536 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/19 08:49:12.0859 3536 k57w2k (997190701bd80dd0f4412ed202cc7816) C:\WINDOWS\system32\DRIVERS\k57xp32.sys
2011/09/19 08:49:13.0031 3536 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/19 08:49:13.0328 3536 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/19 08:49:13.0562 3536 kcusbser (bae4a6f180e7263febf91633a7f6187b) C:\WINDOWS\system32\DRIVERS\kcusbser.sys
2011/09/19 08:49:13.0718 3536 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/19 08:49:14.0000 3536 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/19 08:49:14.0312 3536 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/19 08:49:14.0640 3536 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/19 08:49:14.0781 3536 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/19 08:49:14.0953 3536 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/19 08:49:15.0062 3536 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/19 08:49:15.0187 3536 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/19 08:49:15.0328 3536 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/19 08:49:15.0453 3536 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/19 08:49:15.0562 3536 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/19 08:49:15.0718 3536 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/19 08:49:16.0015 3536 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/19 08:49:16.0125 3536 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/19 08:49:16.0250 3536 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/19 08:49:16.0437 3536 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20110917.007\NAVENG.SYS
2011/09/19 08:49:16.0843 3536 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20110917.007\NAVEX15.SYS
2011/09/19 08:49:17.0218 3536 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/19 08:49:17.0578 3536 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/19 08:49:18.0031 3536 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/19 08:49:18.0687 3536 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/19 08:49:19.0234 3536 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/19 08:49:19.0546 3536 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/19 08:49:20.0093 3536 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/19 08:49:20.0734 3536 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/19 08:49:21.0281 3536 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/19 08:49:22.0078 3536 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/19 08:49:22.0609 3536 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/19 08:49:23.0000 3536 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/19 08:49:23.0359 3536 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/19 08:49:23.0796 3536 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/19 08:49:24.0265 3536 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/19 08:49:25.0218 3536 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/19 08:49:26.0031 3536 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/19 08:49:26.0484 3536 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/19 08:49:28.0875 3536 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/19 08:49:29.0484 3536 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/19 08:49:30.0031 3536 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/19 08:49:30.0359 3536 PTUMWBus (9866479c5c894c3a064eeb6f68618822) C:\WINDOWS\system32\DRIVERS\PTUMWBus.sys
2011/09/19 08:49:30.0921 3536 PTUMWCDF (c51eac8fb88163304329279e82f1d89f) C:\WINDOWS\system32\DRIVERS\PTUMWCDF.sys
2011/09/19 08:49:31.0484 3536 PTUMWFLT (4f840761bb4d674856f6c36f9b66624c) C:\WINDOWS\system32\DRIVERS\PTUMWFLT.sys
2011/09/19 08:49:32.0046 3536 PTUMWMdm (411e332a6426c9b87f5f9b02bcdd15bf) C:\WINDOWS\system32\DRIVERS\PTUMWMdm.sys
2011/09/19 08:49:32.0578 3536 PTUMWNET (bdc1f41f77415a432ca030f30f2ab898) C:\WINDOWS\system32\DRIVERS\PTUMWNET.sys
2011/09/19 08:49:33.0140 3536 PTUMWVsp (e4812824cdc46a90dde225c0fd284098) C:\WINDOWS\system32\DRIVERS\PTUMWVsp.sys
2011/09/19 08:49:33.0781 3536 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/19 08:49:36.0078 3536 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/19 08:49:36.0562 3536 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/19 08:49:37.0015 3536 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/19 08:49:37.0578 3536 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/19 08:49:38.0093 3536 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/19 08:49:38.0453 3536 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/19 08:49:39.0015 3536 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/19 08:49:39.0515 3536 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/19 08:49:40.0000 3536 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/19 08:49:40.0562 3536 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/19 08:49:41.0046 3536 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/19 08:49:41.0468 3536 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/19 08:49:42.0078 3536 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/19 08:49:42.0500 3536 silabenm (c16173316918a1360dc22947c4ff6352) C:\WINDOWS\system32\DRIVERS\silabenm.sys
2011/09/19 08:49:42.0921 3536 silabser (16dd3cbc2f9ad558cd714a98b355f162) C:\WINDOWS\system32\DRIVERS\silabser.sys
2011/09/19 08:49:43.0265 3536 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/19 08:49:43.0734 3536 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/19 08:49:44.0343 3536 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS
2011/09/19 08:49:44.0921 3536 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS
2011/09/19 08:49:45.0468 3536 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/19 08:49:46.0078 3536 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/09/19 08:49:46.0687 3536 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/19 08:49:47.0187 3536 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/19 08:49:48.0093 3536 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS
2011/09/19 08:49:48.0875 3536 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS
2011/09/19 08:49:49.0468 3536 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/09/19 08:49:50.0328 3536 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS
2011/09/19 08:49:50.0968 3536 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS
2011/09/19 08:49:51.0937 3536 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/19 08:49:52.0468 3536 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/19 08:49:53.0031 3536 tcpipBM (b1a9e04d803fde6b78314455211b726e) C:\WINDOWS\system32\drivers\tcpipBM.sys
2011/09/19 08:49:53.0578 3536 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/19 08:49:54.0046 3536 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/19 08:49:54.0312 3536 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/19 08:49:55.0171 3536 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/19 08:49:55.0968 3536 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/19 08:49:56.0671 3536 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/19 08:49:57.0140 3536 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/19 08:49:57.0453 3536 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/19 08:49:57.0765 3536 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/19 08:49:58.0234 3536 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/19 08:49:58.0906 3536 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/19 08:49:59.0468 3536 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/19 08:49:59.0984 3536 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/19 08:50:00.0546 3536 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/19 08:50:01.0046 3536 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/19 08:50:01.0453 3536 vsbus (9a6d82a92023d761b65d6f4bb21ffecb) C:\WINDOWS\system32\DRIVERS\vsb.sys
2011/09/19 08:50:01.0968 3536 vserial (1347a382745d9f57fca86bc3d78881c7) C:\WINDOWS\system32\DRIVERS\vserial.sys
2011/09/19 08:50:02.0218 3536 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/19 08:50:02.0953 3536 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/09/19 08:50:03.0765 3536 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/19 08:50:04.0171 3536 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/09/19 08:50:04.0437 3536 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/19 08:50:04.0671 3536 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/19 08:50:04.0734 3536 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/19 08:50:07.0593 3536 Boot (0x1200) (d943c8101e0977961efb5b87617581c6) \Device\Harddisk0\DR0\Partition0
2011/09/19 08:50:07.0593 3536 ================================================================================
2011/09/19 08:50:07.0593 3536 Scan finished
2011/09/19 08:50:07.0593 3536 ================================================================================
2011/09/19 08:50:07.0593 4020 Detected object count: 0
2011/09/19 08:50:07.0593 4020 Actual detected object count: 0
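
The TDSSKiller log above has a fixed shape: one line per loaded driver (timestamp, thread id, service name, MD5 of the image, path), then the MBR and boot-sector hashes, then the detection counts. As an added example, not part of this thread and not TDSSKiller's own code, the Python below parses that format, separates the disk records, flags drivers that load from outside the Windows system directories, and compares each driver's MD5 against a baseline. The sample lines are copied from the log above; the BASELINE dictionary is constructed for the demonstration and its BMLoad value is deliberately wrong so that a mismatch shows up. A driver outside system32 is a place to look first, not evidence of infection (the Symantec and Norton entries it flags here are legitimate), and a zero detected-object count from one tool does not by itself clear a machine.

```python
"""Parse a TDSSKiller driver log and pick out the records worth a second look."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every line the scanner writes starts with "YYYY/MM/DD HH:MM:SS.ffff <thread id> ".
PREFIX_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<body>.*)$")
# Driver record: "<service> (<md5>) <path>"; MBR/boot records carry a size such as "(0x1B8)" first.
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)(?: \((?P<size>0x[0-9A-Fa-f]+)\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
COUNT_RE = re.compile(r"^(?P<label>(?:Actual )?[Dd]etected object count): (?P<n>\d+)$")

# Drivers normally load from here; anything else is reviewed first, not condemned.
EXPECTED_PREFIXES = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


@dataclass(frozen=True)
class Entry:
    name: str
    md5: str
    path: str
    size: Optional[str]  # only the MBR and boot-sector records carry one


def parse(log_text: str) -> Tuple[List[Entry], Dict[str, int]]:
    """Return (driver and disk records, summary counts) from raw TDSSKiller output."""
    entries: List[Entry] = []
    counts: Dict[str, int] = {}
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything the scanner did not write
        body = m.group("body")
        e = ENTRY_RE.match(body)
        if e:
            entries.append(Entry(e["name"], e["md5"], e["path"], e["size"]))
            continue
        c = COUNT_RE.match(body)
        if c:
            counts[c["label"]] = int(c["n"])
        # separator rules and "Scan finished" carry no data and are skipped
    return entries, counts


def disk_records(entries: List[Entry]) -> List[Entry]:
    """MBR and boot-sector hashes; compare these between scans to notice a rewritten boot code."""
    return [e for e in entries if e.size is not None]


def unexpected_paths(entries: List[Entry]) -> List[Entry]:
    """Drivers that load from outside the Windows system directories."""
    return [e for e in entries
            if e.size is None and not e.path.lower().startswith(EXPECTED_PREFIXES)]


def hash_mismatches(entries: List[Entry], baseline: Dict[str, str]) -> List[Entry]:
    """Drivers whose MD5 differs from a baseline (name -> md5) taken on a known-clean build.
    Drivers absent from the baseline are not reported; they need a separate lookup."""
    return [e for e in entries if e.name in baseline and baseline[e.name] != e.md5]


# Sample input: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
2011/09/19 08:48:55.0796 3536 BMLoad (c9c78e00a21d3fe21ce5d81ba5b45e21) C:\WINDOWS\system32\drivers\BMLoad.sys
2011/09/19 08:49:01.0671 3536 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/09/19 08:49:10.0843 3536 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20110917.031\IDSxpx86.sys
2011/09/19 08:49:52.0468 3536 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/19 08:50:04.0734 3536 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/19 08:50:07.0593 3536 Boot (0x1200) (d943c8101e0977961efb5b87617581c6) \Device\Harddisk0\DR0\Partition0
2011/09/19 08:50:07.0593 3536 ================================================================================
2011/09/19 08:50:07.0593 3536 Scan finished
2011/09/19 08:50:07.0593 4020 Detected object count: 0
2011/09/19 08:50:07.0593 4020 Actual detected object count: 0
"""

# Constructed baseline for the demonstration: Tcpip's value is the one in the log,
# BMLoad's is deliberately wrong so that hash_mismatches() has something to report.
BASELINE = {
    "Tcpip": "9aefa14bd6b182d61e3119fa5f436d3d",
    "BMLoad": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    entries, counts = parse(SAMPLE_LOG)
    print("summary:", counts)
    for e in disk_records(entries):
        print(f"disk   {e.name:<5} {e.md5} {e.path}")
    for e in unexpected_paths(entries):
        print(f"review {e.name:<9} {e.path}")
    for e in hash_mismatches(entries, BASELINE):
        print(f"differ {e.name:<9} log={e.md5} baseline={BASELINE[e.name]}")
```

Run against the full log, the path check narrows a hundred and fifty lines to the handful that are not stock Windows drivers, and keeping the MBR and boot-sector hashes from a clean scan lets a later scan of the same disk show whether boot code changed. A baseline of hashes has to come from the same Windows build and patch level, otherwise every updated driver reports as a mismatch.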

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:34 PM

Posted 19 September 2011 - 06:52 PM

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include all required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,112 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:34 PM

Posted 20 September 2011 - 08:56 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic419719.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.





