issues with blackhole, win32, intrusions...


This topic is locked
15 replies to this topic

#1 farginbastage

  • Members
  • 8 posts

Posted 02 September 2011 - 03:03 AM

Greetings, I hope you can help me. I'm getting my rear kicked by my wife's laptop. For the last two days the computer has been failing to go to websites in Explorer (failed redirects?). Required to hard reset the computer; it will not shut down.

In the last day Norton Internet Security has stopped several intrusions from Blackhole Toolkit 5 and HTTP Malicious RMF.

Received a pop-up stating "generic host process for win32 services error." Norton has just, as I type, alerted "win32 high cpu usage."

MBAM found a few items, but SUPERAntiSpyware was interrupted twice and never finished scanning. The last SAS scan, in safe mode, when interrupted, sent me to a blue screen with the message DRIVER_IRQL_NOT_LESS_OR_EQUAL.

All Programs under the Start tab reads empty. The C drive is hidden/empty/blank when I open it.

I've managed to clean several of my computers with the assistance of your removal guides, but I'm way over my head with this one.

My apologies for the timing of this post; I will be unable to go hands-on with this computer again until tomorrow evening.

The computer is a Toshiba Satellite laptop running XP, version 2002, SP3, 32-bit.


MBAM log



Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by AVERY at 21:40:25 on 2011-09-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.165 [GMT -7:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1249402064&rver=5.5.4177.0&wp=mbi&wreply=hxxp:%2f%2fmail.live.com%2fdefault.aspx&lc=1033&id=64855&mkt=en-us
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
dRun: [aAYlsTcGREvu] c:\documents and settings\all users\application data\aAYlsTcGREvu.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Search
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {18955D47-882E-48fc-B903-A4BDD030E7FD}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://static.slide.com/uploader/SlideImageUploader.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215355438187
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {96AD66E6-8375-4864-8F4D-0F15023C2AF6} - hxxp://www.wunderground.com/windowsinstall/weather.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
TCP: DhcpNameServer = 68.87.69.150 68.87.85.102 192.168.1.1
TCP: Interfaces\{2CD11808-1E9D-4577-92A7-EE3BB696881A} : DhcpNameServer = 68.87.69.150 68.87.85.102 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\avery.sarah\application data\mozilla\firefox\profiles\kqiv9v33.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\avery.sarah\application data\mozilla\firefox\profiles\kqiv9v33.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\avery.sarah\application data\mozilla\firefox\profiles\kqiv9v33.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\avery.sarah\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110812.001\BHDrvx86.sys [2011-8-15 815736]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-5-4 116608]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-21 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-21 33024]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-6 54752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\SymcPCCULaunchSvc.exe [2009-12-12 120248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2009-12-12 126392]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2005-12-21 3456]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110831.030\IDSXpx86.sys [2011-8-31 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110901.002\NAVENG.SYS [2011-9-1 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110901.002\NAVEX15.SYS [2011-9-1 1576312]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
.
=============== Created Last 30 ================
.
2011-09-02 04:19:00 321536 ----a-w- c:\documents and settings\all users\application data\P1kAlMiG2Kb7Fz.exe
2011-09-02 03:47:58 404480 ---ha-w- c:\documents and settings\all users\application data\aAYlsTcGREvu.exe
2011-09-01 21:13:44 -------- d--h--w- c:\documents and settings\avery.sarah\application data\SUPERAntiSpyware.com
2011-09-01 18:22:14 -------- d--h--w- c:\documents and settings\avery.sarah\application data\Malwarebytes
2011-09-01 03:34:47 -------- d--h--w- c:\program files\ARO 2011
2011-08-21 18:48:48 -------- d--h--w- c:\windows\Hewlett-Packard
2011-08-20 17:48:43 -------- d--h--w- c:\documents and settings\avery.sarah\local settings\application data\IsolatedStorage
2011-08-20 17:48:17 -------- d--h--w- c:\documents and settings\avery.sarah\local settings\application data\HP
2011-08-20 17:39:12 -------- d--h--w- C:\bin
2011-08-20 17:38:17 -------- d--h--w- c:\program files\common files\Sonic Shared
2011-08-20 17:36:20 -------- d--h--w- c:\program files\common files\HP
2011-08-20 17:33:27 -------- d--h--w- c:\program files\common files\Hewlett-Packard
2011-08-20 17:32:51 6784 -c-ha-w- c:\windows\system32\dllcache\serscan.sys
2011-08-20 17:32:51 6784 ---ha-w- c:\windows\system32\drivers\serscan.sys
2011-08-20 16:57:06 69632 ---ha-w- c:\windows\system32\HPZipm12.1
2011-08-20 16:27:11 659456 ---ha-w- c:\windows\system32\hpowiax2.dll
2011-08-20 16:27:11 254026 ---ha-w- c:\windows\system32\hpovst09.dll
2011-08-20 16:27:10 827392 ---ha-w- c:\windows\system32\hpotiop2.dll
2011-08-20 15:34:44 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-14 16:11:57 -------- d--h--w- c:\program files\Cisco Systems
2011-08-10 14:06:55 -------- d--h--w- C:\be4dbd1be84be02e50af62497981e3
2011-08-09 23:26:07 139656 -c-h--w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 23:25:42 10496 -c-h--w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-07 16:44:55 -------- d--h--w- c:\program files\Amazon
2011-08-05 02:48:26 -------- d--h--w- c:\documents and settings\all users\application data\Cisco Systems
2011-08-04 14:20:03 -------- d--h--w- c:\documents and settings\all users\application data\!SASCORE
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ---ha-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 41272 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ---ha-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ---ha-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ---ha-w- c:\windows\system32\winsrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1234GSX rev.AH001A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86C8E4C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x86c958a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x86c95730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F5FAB8]
3 CLASSPNP[0xF775EFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000097[0x86EE09E8]
5 ACPI[0xF76B5620] -> nt!IofCallDriver[0x804E13B9] -> [0x86F50940]
\Driver\atapi[0x86D07300] -> IRP_MJ_CREATE -> 0x86C8E4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86C8E2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:41:48.18 ===============






GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-01 23:19:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1234GSX rev.AH001A
Running: gmer.exe; Driver: C:\DOCUME~1\AVERY~1.SAR\LOCALS~1\Temp\fgldypob.sys


---- System - GMER 1.0.15 ----

SSDT 86C0BE30 ZwAlertResumeThread
SSDT 86C0BF10 ZwAlertThread
SSDT 86C47100 ZwAllocateVirtualMemory
SSDT 86C2BB80 ZwAssignProcessToJobObject
SSDT 86B7DE78 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA1A2710]
SSDT 86B98B30 ZwCreateMutant
SSDT 86BAE868 ZwCreateSymbolicLinkObject
SSDT 86B77710 ZwCreateThread
SSDT 86B787B0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA1A2990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA1A2EF0]
SSDT 86C63EF0 ZwDuplicateObject
SSDT 86CA1100 ZwFreeVirtualMemory
SSDT 86B55700 ZwImpersonateAnonymousToken
SSDT 86B557E0 ZwImpersonateThread
SSDT 86A6C8E8 ZwLoadDriver
SSDT 86C4E008 ZwMapViewOfSection
SSDT 86B98A50 ZwOpenEvent
SSDT 86B55EF8 ZwOpenProcess
SSDT 86C47008 ZwOpenProcessToken
SSDT 86B4BAA0 ZwOpenSection
SSDT 86C63FC0 ZwOpenThread
SSDT 86C2BA90 ZwProtectVirtualMemory
SSDT 86C0BFD0 ZwResumeThread
SSDT 86AA5110 ZwSetContextThread
SSDT 86AA5008 ZwSetInformationProcess
SSDT 86B78870 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA1A3140]
SSDT 86B4BB80 ZwSuspendProcess
SSDT 86A7E110 ZwSuspendThread
SSDT 86AC9808 ZwTerminateProcess
SSDT 86A7E008 ZwTerminateThread
SSDT 86C4E110 ZwUnmapViewOfSection
SSDT 86CA1008 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 4 Bytes [E8, C8, A6, 86]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xEB04BEBF]
? C:\DOCUME~1\AVERY~1.SAR\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1696] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 020D000A
.text C:\WINDOWS\System32\svchost.exe[1696] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 020E000A
.text C:\WINDOWS\System32\svchost.exe[1696] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 020F000A
.text C:\WINDOWS\System32\svchost.exe[1696] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00AB000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4376] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86C8E2E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86C8E2E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86C8E2E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86C8E2E0

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs A79B1400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\WINDOWS\system32\msi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgId@ WindowsInstaller.Installer
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\TypeLib@ {000C1092-0000-0000-C000-000000000046}

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----



Thanks for any help

b



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 02 September 2011 - 09:21 PM

Hi

Please do the following:

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.


Let me know if that resolves the hidden file issue before we move on to cleaning the infection.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 farginbastage

farginbastage
  • Topic Starter

  • Members
  • 8 posts

Posted 02 September 2011 - 11:04 PM

Ran Unhide and it faulted in a manner I didn't document, my apologies. Restarted the computer and ran Unhide again; it restored the program names list under "All Programs", but, with a few exceptions (Accessories and Toshiba), they read empty after holding over. C:\ still blank. Ran again in safe mode and the C drive was partially restored, but not all, and the "All Programs" tab is still the same.

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 02 September 2011 - 11:07 PM

OK, that's probably as good as we are going to get with that; we'll see what we can do to fix it later. We'll begin cleaning the machine now. Please do the following:


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 farginbastage

farginbastage
  • Topic Starter

  • Members
  • 8 posts

Posted 03 September 2011 - 12:12 AM

Ran ComboFix. It made it to about scan 50, give or take, and then locked up AFAIK. The scan was about 30 min in duration. Icons disappeared and the wallpaper was the only thing visible for ten minutes, then the "windows logging off..." screen for five minutes now and counting.

Edited by farginbastage, 03 September 2011 - 12:28 AM.


#6 farginbastage

farginbastage
  • Topic Starter

  • Members
  • 8 posts

Posted 03 September 2011 - 01:11 AM

After a hard reset by the impatient Mrs. B.


ComboFix 11-09-02.04 - AVERY 09/02/2011 21:47:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.289 [GMT -7:00]
Running from: c:\documents and settings\AVERY.SARAH\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\aAYlsTcGREvu.exe
c:\documents and settings\All Users\Application Data\P1kAlMiG2Kb7Fz.exe
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\1.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\a.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\b.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\c.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\d.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\e.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\f.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\g.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\h.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\i.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\J.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\k.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\l.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\m.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\n.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\o.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\p.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\q.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\r.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\s.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\t.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\u.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\v.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\w.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\x.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\y.xml
c:\documents and settings\AVERY.SARAH\Application Data\PriceGong\Data\z.xml
c:\documents and settings\AVERY.SARAH\WINDOWS
c:\documents and settings\Avery\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Emilys side\WINDOWS
c:\documents and settings\owner\WINDOWS
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\lvci11801048.dll
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-08-03 to 2011-09-03 )))))))))))))))))))))))))))))))
.
.
2011-09-03 03:44 . 2011-09-03 03:44 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-09-02 03:07 . 2011-09-02 03:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-09-02 02:57 . 2011-09-02 02:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-09-01 21:13 . 2011-09-01 21:13 -------- d-----w- c:\documents and settings\AVERY.SARAH\Application Data\SUPERAntiSpyware.com
2011-09-01 18:22 . 2011-09-01 18:22 -------- d-----w- c:\documents and settings\AVERY.SARAH\Application Data\Malwarebytes
2011-09-01 03:34 . 2011-09-01 03:34 -------- d-----w- c:\program files\ARO 2011
2011-08-31 01:19 . 2011-08-31 01:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-08-31 00:42 . 2011-08-31 00:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-08-31 00:39 . 2011-08-31 00:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-28 22:36 . 2011-08-28 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-08-21 18:48 . 2011-08-21 18:48 -------- d-----w- c:\windows\Hewlett-Packard
2011-08-20 17:50 . 2011-08-20 17:50 -------- d-----w- c:\documents and settings\AVERY.SARAH\Application Data\HP
2011-08-20 17:48 . 2011-08-20 17:48 -------- d-----w- c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\IsolatedStorage
2011-08-20 17:48 . 2011-08-20 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-08-20 17:48 . 2011-08-20 17:48 -------- d-----w- c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\HP
2011-08-20 17:39 . 2011-08-20 17:39 -------- d-----w- C:\bin
2011-08-20 17:38 . 2011-08-20 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2011-08-20 17:38 . 2011-08-20 17:38 -------- d-----w- c:\program files\Common Files\Sonic Shared
2011-08-20 17:36 . 2011-08-20 17:37 -------- d-----w- c:\program files\Common Files\HP
2011-08-20 17:34 . 2011-08-20 17:34 -------- d-----w- c:\program files\Hewlett-Packard
2011-08-20 17:33 . 2011-08-20 17:33 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-08-20 17:32 . 2001-08-17 20:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-08-20 17:32 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-08-20 16:57 . 2006-03-04 04:03 69632 ----a-w- c:\windows\system32\HPZipm12.1
2011-08-20 16:27 . 2006-04-13 00:02 659456 ----a-w- c:\windows\system32\hpowiax2.dll
2011-08-20 16:27 . 2006-04-13 00:02 254026 ----a-w- c:\windows\system32\hpovst09.dll
2011-08-20 16:27 . 2006-04-13 00:02 827392 ----a-w- c:\windows\system32\hpotiop2.dll
2011-08-20 15:34 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-14 16:11 . 2011-08-14 16:11 -------- d-----w- c:\program files\Cisco Systems
2011-08-10 14:06 . 2011-08-10 14:06 -------- d-----w- C:\be4dbd1be84be02e50af62497981e3
2011-08-09 23:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 23:25 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-07 16:44 . 2011-08-07 16:44 -------- d-----w- c:\program files\Amazon
2011-08-05 02:48 . 2011-08-05 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-08-04 14:20 . 2011-08-04 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2006-02-15 14:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-15 14:03 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52 . 2010-02-20 20:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2010-02-20 20:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2006-02-15 15:34 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2006-02-15 14:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2006-02-15 14:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2006-02-15 14:02 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-02-15 14:04 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-08-12 05:57 . 2011-08-20 15:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2005-12-22 30208]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-26 563984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-26 2027792]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-22 04:42 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\AVERY.SARAH\\My Documents\\Downloads\\BitTorrent-7.2.1.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\owner\\Local Settings\\Temp\\7zS3A5B\\setup\\HPZnet01.exe"=
"c:\\Documents and Settings\\owner\\Local Settings\\Temp\\7zS3A5B\\setup\\hponicifs01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677
"3010:TCP"= 3010:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/9/2011 5:54 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/9/2011 5:54 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 8:27 PM 815736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/9/2011 5:54 PM 136312]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 10:54 AM 116608]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [12/21/2005 9:55 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [12/21/2005 9:55 PM 33024]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 5:54 PM 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [12/12/2009 2:24 PM 120248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/12/2009 2:24 PM 126392]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [12/21/2005 9:25 PM 3456]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 5:46 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110902.030\IDSXpx86.sys [9/2/2011 9:40 PM 356280]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
2011-09-01 c:\windows\Tasks\Norton Security Scan for Emilys side.job
- c:\program files\Norton Security Scan\Engine\3.0.1.8\Nss.exe [2011-01-30 11:19]
.
2011-09-01 c:\windows\Tasks\Norton Security Scan for owner.job
- c:\progra~1\NORTON~4\Engine\301~1.8\Nss.exe [2011-01-30 11:19]
.
2008-07-06 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
2011-09-03 c:\windows\Tasks\User_Feed_Synchronization-{4692B730-B49A-495F-93F1-7E9B3A7F093D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1249402064&rver=5.5.4177.0&wp=mbi&wreply=hxxp:%2f%2fmail.live.com%2fdefault.aspx&lc=1033&id=64855&mkt=en-us
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{18955D47-882E-48fc-B903-A4BDD030E7FD}
TCP: DhcpNameServer = 68.87.69.150 68.87.85.102 192.168.1.1
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {96AD66E6-8375-4864-8F4D-0F15023C2AF6} - hxxp://www.wunderground.com/windowsinstall/weather.cab
FF - ProfilePath - c:\documents and settings\AVERY.SARAH\Application Data\Mozilla\Firefox\Profiles\kqiv9v33.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
HKCU-Run-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
HKU-Default-Run-aAYlsTcGREvu - c:\documents and settings\All Users\Application Data\aAYlsTcGREvu.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-02 22:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1234GSX rev.AH001A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86DE62E0
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\06\00\1a\16*2\05"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1296)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\mysafe.dll
.
- - - - - - - > 'explorer.exe'(9228)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\TDispVol.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\AGRSMMSG.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-02 22:59:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-03 05:59
.
Pre-Run: 45,438,103,552 bytes free
Post-Run: 47,271,587,840 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1FE4C2C7765896782692A2DDD48A7B82




Side note: Norton has caught multiple intrusion attempts by HTTP Malicious rmf during the time the anti-virus was disabled.

Edited by farginbastage, 03 September 2011 - 01:30 AM.


#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 03 September 2011 - 06:48 AM

Hi

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 farginbastage

farginbastage
  • Topic Starter

  • Members
  • 8 posts

Posted 04 September 2011 - 12:44 AM

Here they are.


2011/09/03 19:45:07.0609 4888 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/03 19:45:09.0609 4888 ================================================================================
2011/09/03 19:45:09.0609 4888 SystemInfo:
2011/09/03 19:45:09.0609 4888
2011/09/03 19:45:09.0609 4888 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/03 19:45:09.0609 4888 Product type: Workstation
2011/09/03 19:45:09.0609 4888 ComputerName: MOM
2011/09/03 19:45:09.0609 4888 UserName: AVERY
2011/09/03 19:45:09.0609 4888 Windows directory: C:\WINDOWS
2011/09/03 19:45:09.0609 4888 System windows directory: C:\WINDOWS
2011/09/03 19:45:09.0609 4888 Processor architecture: Intel x86
2011/09/03 19:45:09.0609 4888 Number of processors: 2
2011/09/03 19:45:09.0609 4888 Page size: 0x1000
2011/09/03 19:45:09.0609 4888 Boot type: Normal boot
2011/09/03 19:45:09.0609 4888 ================================================================================
2011/09/03 19:45:13.0156 4888 Initialize success
2011/09/03 19:46:31.0062 5400 ================================================================================
2011/09/03 19:46:31.0062 5400 Scan started
2011/09/03 19:46:31.0062 5400 Mode: Manual;
2011/09/03 19:46:31.0062 5400 ================================================================================
2011/09/03 19:46:31.0484 5400 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/03 19:46:31.0515 5400 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/09/03 19:46:31.0578 5400 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/03 19:46:31.0640 5400 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/09/03 19:46:31.0703 5400 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/03 19:46:31.0781 5400 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/09/03 19:46:32.0109 5400 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/03 19:46:32.0218 5400 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/09/03 19:46:32.0281 5400 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/03 19:46:32.0328 5400 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/03 19:46:32.0390 5400 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/03 19:46:32.0437 5400 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/03 19:46:32.0625 5400 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/03 19:46:32.0796 5400 BHDrvx86 (f7ff24bb7714247f27b615b3a7d8b132) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx86.sys
2011/09/03 19:46:33.0031 5400 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/03 19:46:33.0109 5400 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/03 19:46:33.0187 5400 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/03 19:46:33.0250 5400 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/03 19:46:33.0296 5400 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/03 19:46:33.0390 5400 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/09/03 19:46:33.0562 5400 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/09/03 19:46:33.0656 5400 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/03 19:46:33.0734 5400 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/03 19:46:33.0812 5400 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/03 19:46:33.0890 5400 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/03 19:46:33.0953 5400 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/03 19:46:34.0078 5400 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/03 19:46:34.0109 5400 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/09/03 19:46:34.0312 5400 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/09/03 19:46:34.0359 5400 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/09/03 19:46:34.0562 5400 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/03 19:46:34.0625 5400 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/03 19:46:34.0734 5400 FdRedir (8affa5814b135417494e48eb9c0b6c5e) C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
2011/09/03 19:46:34.0750 5400 FileDisk2 (6ed5c6a25174118036e978b42f0974d1) C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
2011/09/03 19:46:34.0796 5400 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/03 19:46:34.0984 5400 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/03 19:46:35.0031 5400 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/03 19:46:35.0125 5400 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/09/03 19:46:35.0156 5400 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/03 19:46:35.0250 5400 FTDIBUS (a36e8beedb3aaca09bf55a1d17904bc8) C:\WINDOWS\system32\drivers\ftdibus.sys
2011/09/03 19:46:35.0281 5400 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/03 19:46:35.0312 5400 FTSER2K (a14a1f4bb391df9c233cb5dbd05feb70) C:\WINDOWS\system32\drivers\ftser2k.sys
2011/09/03 19:46:35.0531 5400 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/03 19:46:35.0593 5400 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/03 19:46:35.0671 5400 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/03 19:46:35.0734 5400 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/03 19:46:35.0828 5400 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/09/03 19:46:36.0031 5400 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/09/03 19:46:36.0031 5400 Scan interrupted by user!
2011/09/03 19:46:36.0031 5400 Scan interrupted by user!
2011/09/03 19:46:36.0031 5400 Scan interrupted by user!
2011/09/03 19:46:36.0031 5400 ================================================================================
2011/09/03 19:46:36.0031 5400 Scan finished
2011/09/03 19:46:36.0031 5400 ================================================================================
2011/09/03 19:46:36.0046 0708 Detected object count: 0
2011/09/03 19:46:36.0046 0708 Actual detected object count: 0
2011/09/03 19:46:56.0437 2768 ================================================================================
2011/09/03 19:46:56.0437 2768 Scan started
2011/09/03 19:46:56.0437 2768 Mode: Manual;
2011/09/03 19:46:56.0437 2768 ================================================================================
2011/09/03 19:46:56.0781 2768 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/03 19:46:56.0796 2768 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/09/03 19:46:56.0875 2768 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/03 19:46:56.0921 2768 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/09/03 19:46:56.0968 2768 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/03 19:46:57.0046 2768 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/09/03 19:46:57.0375 2768 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/03 19:46:57.0484 2768 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/09/03 19:46:57.0531 2768 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/03 19:46:57.0562 2768 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/03 19:46:57.0640 2768 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/03 19:46:57.0671 2768 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/03 19:46:57.0703 2768 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/03 19:46:57.0890 2768 BHDrvx86 (f7ff24bb7714247f27b615b3a7d8b132) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx86.sys
2011/09/03 19:46:58.0093 2768 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/03 19:46:58.0140 2768 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/03 19:46:58.0203 2768 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/03 19:46:58.0250 2768 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/03 19:46:58.0296 2768 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/03 19:46:58.0390 2768 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/09/03 19:46:58.0609 2768 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/09/03 19:46:58.0718 2768 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/03 19:46:58.0781 2768 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/03 19:46:58.0843 2768 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/03 19:46:58.0859 2768 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/03 19:46:58.0921 2768 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/03 19:46:59.0125 2768 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/03 19:46:59.0171 2768 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/09/03 19:46:59.0359 2768 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/09/03 19:46:59.0406 2768 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/09/03 19:46:59.0625 2768 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/03 19:46:59.0656 2768 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/03 19:46:59.0781 2768 FdRedir (8affa5814b135417494e48eb9c0b6c5e) C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
2011/09/03 19:46:59.0796 2768 FileDisk2 (6ed5c6a25174118036e978b42f0974d1) C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
2011/09/03 19:46:59.0828 2768 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/03 19:46:59.0921 2768 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/03 19:46:59.0968 2768 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/03 19:47:00.0093 2768 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/09/03 19:47:00.0125 2768 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/03 19:47:00.0187 2768 FTDIBUS (a36e8beedb3aaca09bf55a1d17904bc8) C:\WINDOWS\system32\drivers\ftdibus.sys
2011/09/03 19:47:00.0203 2768 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/03 19:47:00.0250 2768 FTSER2K (a14a1f4bb391df9c233cb5dbd05feb70) C:\WINDOWS\system32\drivers\ftser2k.sys
2011/09/03 19:47:00.0359 2768 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/03 19:47:00.0421 2768 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/03 19:47:00.0562 2768 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/03 19:47:00.0625 2768 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/03 19:47:00.0703 2768 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/09/03 19:47:00.0734 2768 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/09/03 19:47:00.0843 2768 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/09/03 19:47:01.0000 2768 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/03 19:47:01.0093 2768 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/03 19:47:01.0203 2768 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/09/03 19:47:01.0406 2768 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110902.030\IDSxpx86.sys
2011/09/03 19:47:01.0656 2768 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/03 19:47:01.0921 2768 IntcAzAudAddService (b12a9fc49cd2765a43829d834f518aed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/09/03 19:47:02.0328 2768 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/03 19:47:02.0375 2768 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/03 19:47:02.0421 2768 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/03 19:47:02.0468 2768 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/03 19:47:02.0515 2768 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/03 19:47:02.0703 2768 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/03 19:47:02.0750 2768 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/03 19:47:02.0796 2768 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/03 19:47:02.0828 2768 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/09/03 19:47:02.0890 2768 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/03 19:47:02.0937 2768 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/03 19:47:03.0093 2768 KR10N (00c1ea8decf810b8eccb5c5a8186a96e) C:\WINDOWS\system32\drivers\KR10N.sys
2011/09/03 19:47:03.0125 2768 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/03 19:47:03.0281 2768 LVcKap (fb548ff809634bfa866312b37d8a18ae) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
2011/09/03 19:47:03.0703 2768 LVMVDrv (fe3fb994f8702d9e37648927819b74b8) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys
2011/09/03 19:47:03.0968 2768 LVPr2Mon (c7ea51f1ab10b0b2b443f4d5589fc1a5) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/09/03 19:47:04.0031 2768 LVUSBSta (caef4c05ba2c1acad4ebcaa4261cd55d) C:\WINDOWS\system32\drivers\LVUSBSta.sys
2011/09/03 19:47:04.0078 2768 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
2011/09/03 19:47:04.0140 2768 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/09/03 19:47:04.0171 2768 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/03 19:47:04.0250 2768 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/03 19:47:04.0406 2768 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/03 19:47:04.0453 2768 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/03 19:47:04.0515 2768 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/03 19:47:04.0546 2768 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/03 19:47:04.0656 2768 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/03 19:47:04.0718 2768 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/03 19:47:04.0890 2768 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/03 19:47:04.0921 2768 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/03 19:47:04.0953 2768 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/03 19:47:05.0015 2768 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/03 19:47:05.0078 2768 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/03 19:47:05.0125 2768 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/03 19:47:05.0312 2768 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/03 19:47:05.0484 2768 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110902.016\NAVENG.SYS
2011/09/03 19:47:05.0578 2768 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110902.016\NAVEX15.SYS
2011/09/03 19:47:05.0859 2768 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/03 19:47:05.0937 2768 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/03 19:47:05.0984 2768 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/03 19:47:06.0015 2768 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/03 19:47:06.0093 2768 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/03 19:47:06.0156 2768 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/03 19:47:06.0312 2768 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/03 19:47:06.0343 2768 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/03 19:47:06.0390 2768 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2011/09/03 19:47:06.0437 2768 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/09/03 19:47:06.0546 2768 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/03 19:47:06.0609 2768 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/03 19:47:06.0781 2768 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/03 19:47:06.0828 2768 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/03 19:47:06.0875 2768 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/03 19:47:06.0921 2768 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/09/03 19:47:07.0015 2768 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/09/03 19:47:07.0031 2768 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/03 19:47:07.0062 2768 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/03 19:47:07.0140 2768 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/03 19:47:07.0234 2768 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/03 19:47:07.0265 2768 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/09/03 19:47:07.0437 2768 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2011/09/03 19:47:07.0546 2768 PID_PEPI (3f96dcd4ac98c8e0d3c03c24fd49a2fe) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
2011/09/03 19:47:07.0703 2768 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/03 19:47:07.0843 2768 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/03 19:47:07.0890 2768 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/03 19:47:07.0937 2768 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/03 19:47:08.0078 2768 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/03 19:47:08.0109 2768 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/03 19:47:08.0140 2768 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/03 19:47:08.0171 2768 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/03 19:47:08.0296 2768 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/03 19:47:08.0406 2768 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/03 19:47:08.0437 2768 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/03 19:47:08.0500 2768 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/03 19:47:08.0546 2768 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/03 19:47:08.0625 2768 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/09/03 19:47:08.0781 2768 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/03 19:47:08.0781 2768 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/09/03 19:47:09.0000 2768 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/09/03 19:47:09.0062 2768 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/03 19:47:09.0140 2768 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/03 19:47:09.0187 2768 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/09/03 19:47:09.0281 2768 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/09/03 19:47:09.0453 2768 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/09/03 19:47:09.0484 2768 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/09/03 19:47:09.0546 2768 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/03 19:47:09.0640 2768 smihlp (aef89571c4e567575db8bdf120765b6c) C:\Program Files\Protector Suite QL\smihlp.sys
2011/09/03 19:47:09.0734 2768 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/03 19:47:09.0937 2768 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/03 19:47:10.0031 2768 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS
2011/09/03 19:47:10.0093 2768 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS
2011/09/03 19:47:10.0171 2768 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/03 19:47:10.0359 2768 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/09/03 19:47:10.0406 2768 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/03 19:47:10.0453 2768 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/03 19:47:10.0515 2768 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/03 19:47:10.0671 2768 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS
2011/09/03 19:47:10.0875 2768 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS
2011/09/03 19:47:10.0953 2768 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/09/03 19:47:11.0078 2768 SymIM (94a2459242a6dd0daf3baa99e96784ff) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2011/09/03 19:47:11.0109 2768 SymIMMP (94a2459242a6dd0daf3baa99e96784ff) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2011/09/03 19:47:11.0312 2768 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS
2011/09/03 19:47:11.0468 2768 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS
2011/09/03 19:47:11.0593 2768 SynTP (e295fffff3aaf9a6a40b29497901908f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/09/03 19:47:11.0765 2768 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/03 19:47:11.0812 2768 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
2011/09/03 19:47:11.0906 2768 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/03 19:47:11.0984 2768 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/09/03 19:47:12.0031 2768 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/03 19:47:12.0062 2768 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/03 19:47:12.0250 2768 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/03 19:47:12.0328 2768 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys
2011/09/03 19:47:12.0406 2768 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
2011/09/03 19:47:12.0468 2768 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
2011/09/03 19:47:12.0515 2768 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
2011/09/03 19:47:12.0546 2768 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/03 19:47:12.0640 2768 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/03 19:47:12.0828 2768 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/03 19:47:12.0937 2768 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/03 19:47:12.0968 2768 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/03 19:47:13.0046 2768 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/03 19:47:13.0093 2768 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/03 19:47:13.0281 2768 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/03 19:47:13.0296 2768 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/03 19:47:13.0359 2768 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/03 19:47:13.0437 2768 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/03 19:47:13.0531 2768 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/03 19:47:13.0656 2768 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2011/09/03 19:47:13.0875 2768 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/03 19:47:13.0953 2768 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/09/03 19:47:14.0000 2768 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/03 19:47:14.0093 2768 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/03 19:47:14.0125 2768 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/03 19:47:14.0156 2768 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/03 19:47:14.0203 2768 MBR (0x1B8) (11aeb3a689d3a58beb53449e127a75f5) \Device\Harddisk0\DR0
2011/09/03 19:47:14.0203 2768 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
2011/09/03 19:47:14.0203 2768 Boot (0x1200) (89327d30ffbf6a5faab9917fc11668fa) \Device\Harddisk0\DR0\Partition0
2011/09/03 19:47:14.0218 2768 ================================================================================
2011/09/03 19:47:14.0218 2768 Scan finished
2011/09/03 19:47:14.0218 2768 ================================================================================
2011/09/03 19:47:14.0234 3108 Detected object count: 1
2011/09/03 19:47:14.0234 3108 Actual detected object count: 1
2011/09/03 19:47:37.0203 3108 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot
2011/09/03 19:47:37.0203 3108 \Device\Harddisk0\DR0 - ok
2011/09/03 19:47:37.0203 3108 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/03 19:47:47.0640 4852 Deinitialize success



Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7647

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/3/2011 8:15:52 PM
mbam-log-2011-09-03 (20-15-51).txt

Scan type: Quick scan
Objects scanned: 237007
Time elapsed: 15 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ESET



C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-211a4b53 Java/Agent.BV trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\29\59a9415d-43a16f7c Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-4f1299b4 a variant of Java/Agent.BR trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\6e9ba0e3-66c6f8b0 multiple threats
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-60eb03d1 Java/Agent.BV trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-4ee1ec94 probably a variant of Java/Agent.BR trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-417bb7e4 Java/Agent.BV trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\76b5d642-466a60a9 Java/Agent.DJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\10974f6f-28b2f9bf Java/Agent.DJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\aAYlsTcGREvu.exe.vir a variant of Win32/Kryptik.SII trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz.exe.vir a variant of Win32/Kryptik.SII trojan
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP818\A0167287.exe probably a variant of Win32/Adware.FHRAXXN application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP818\A0167300.exe a variant of Win32/Kryptik.SII trojan
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP818\A0167301.exe a variant of Win32/Kryptik.SII trojan



Thanks again and I apologize for the wait, I'm working 12-hour days.

b

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:05 PM

Posted 04 September 2011 - 05:50 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-211a4b53 
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\29\59a9415d-43a16f7c 
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-4f1299b4 
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\6e9ba0e3-66c6f8b0
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-60eb03d1 
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-4ee1ec94 
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-417bb7e4 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\76b5d642-466a60a9 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\10974f6f-28b2f9bf 

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and save it to your desktop.
  • Scroll down to where it says JDK 7 (JDK or JRE)
  • Click the Download JDK button underneath
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Oracle Binary Code License Agreement for Java SE". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



NEXT



Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
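
The File:: block in the post above was assembled by hand from the ESET results the poster reported: the live Java cache files went in, while the Qoobox quarantine and System Restore copies were left out. Below is that triage step as a script, written here as an added example (not code from the thread, ESET or ComboFix); the ESET lines embedded in it are the ones posted above, used as sample input, and the category rule and the output layout are assumptions modelled on the File:: section shown in this post.

```python
"""Turn an ESET Online Scanner result list into a draft ComboFix CFScript
'File::' section (added example; not code from this thread, ESET or ComboFix).
Live hits go into File::; hits already in ComboFix's Qoobox quarantine or in
System Restore points are only reported, since they are not active files."""
import re
from collections import Counter

# Constructed sample input: the ESET result lines posted earlier in this thread.
ESET_RESULTS = r"""
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-211a4b53 Java/Agent.BV trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\29\59a9415d-43a16f7c Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-4f1299b4 a variant of Java/Agent.BR trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\6e9ba0e3-66c6f8b0 multiple threats
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-60eb03d1 Java/Agent.BV trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-4ee1ec94 probably a variant of Java/Agent.BR trojan
C:\Documents and Settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-417bb7e4 Java/Agent.BV trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\76b5d642-466a60a9 Java/Agent.DJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\10974f6f-28b2f9bf Java/Agent.DJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\aAYlsTcGREvu.exe.vir a variant of Win32/Kryptik.SII trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz.exe.vir a variant of Win32/Kryptik.SII trojan
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP818\A0167287.exe probably a variant of Win32/Adware.FHRAXXN application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP818\A0167300.exe a variant of Win32/Kryptik.SII trojan
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP818\A0167301.exe a variant of Win32/Kryptik.SII trojan
"""

# One result line is "<path> <detection>". Paths contain spaces, so the
# detection name is matched from the right and anchored at end of line.
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>"
    r"(?:(?:probably\s+)?a\s+variant\s+of\s+)?"
    r"(?:[A-Za-z0-9]+/[A-Za-z0-9._-]+\s+(?:trojan|application)|multiple\s+threats)"
    r")$"
)
VARIANT_PREFIX_RE = re.compile(r"^(?:probably\s+)?a\s+variant\s+of\s+")
LIVE_CATEGORIES = {"java_cache", "other_live"}


def classify(path):
    """Where the hit lives decides whether it belongs in File:: (assumed rule)."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantined"      # already moved aside by ComboFix
    if "\\system volume information\\" in low:
        return "restore_point"    # System Restore copy, not an active file
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java_cache"       # live: the Java applet cache the helper targeted
    return "other_live"


def family_name(detection):
    """'probably a variant of Win32/Kryptik.SII trojan' -> 'Win32/Kryptik.SII'."""
    name = VARIANT_PREFIX_RE.sub("", detection)
    return name if name == "multiple threats" else name.rsplit(None, 1)[0]


def parse_eset(text):
    """Parse result lines into dicts; an unrecognised non-blank line raises so a
    format change is noticed instead of silently dropping a detection."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised ESET result line: " + line)
        path, detection = m.group("path"), m.group("detection")
        findings.append({"path": path, "detection": detection,
                         "family": family_name(detection),
                         "category": classify(path)})
    return findings


def build_cfscript(findings):
    """Draft the File:: block in the plain form shown in the thread: keyword on
    its own line, one unquoted absolute path per line, no trailing blanks,
    duplicates dropped with order preserved. Empty string if nothing is live."""
    paths = []
    for f in findings:
        if f["category"] in LIVE_CATEGORIES and f["path"] not in paths:
            paths.append(f["path"])
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


def family_counts(findings):
    """Detection families by count, for a quick 'what hit this machine' view."""
    return Counter(f["family"] for f in findings)


if __name__ == "__main__":
    found = parse_eset(ESET_RESULTS)
    print(build_cfscript(found))
    for cat in ("quarantined", "restore_point"):
        n = sum(1 for f in found if f["category"] == cat)
        print("# %s hits left out of File:: : %d" % (cat, n))
    for fam, n in family_counts(found).most_common():
        print("# %-32s %d" % (fam, n))
```

Running it prints the nine-line File:: block that matches the one in the post, followed by the counts of quarantined and restore-point hits that were deliberately left out.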


#10 farginbastage

farginbastage
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 05 September 2011 - 12:02 AM

combofix log


ComboFix 11-09-04.03 - AVERY 09/04/2011 19:29:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.296 [GMT -7:00]
Running from: c:\documents and settings\AVERY.SARAH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AVERY.SARAH\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-211a4b53"
"c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\29\59a9415d-43a16f7c"
"c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-4f1299b4"
"c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\6e9ba0e3-66c6f8b0"
"c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-60eb03d1"
"c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-4ee1ec94"
"c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-417bb7e4"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\76b5d642-466a60a9"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\10974f6f-28b2f9bf"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ehshell.exe.a87fcbb.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.17e5e154.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.269f8317.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.86175743.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.935cd69c.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.a947503a.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.c6ac0d4f.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.cb6c347c.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL12.tmp.a36f932a.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL15.tmp.6f34b02d.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL47.tmp.399291ec.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SLBE.tmp.6a051d6c.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SLDA.tmp.86ac63e6.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SLE0.tmp.9c9a95f4.ini
c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-211a4b53
c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\29\59a9415d-43a16f7c
c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-4f1299b4
c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\35\6e9ba0e3-66c6f8b0
c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-60eb03d1
c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-4ee1ec94
c:\documents and settings\AVERY.SARAH\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-417bb7e4
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\ehshell.exe.a87fcbb.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.17e5e154.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.269f8317.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.86175743.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.935cd69c.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.a947503a.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.c6ac0d4f.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.cb6c347c.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\SL12.tmp.a36f932a.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\SL15.tmp.6f34b02d.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\SL47.tmp.399291ec.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\SLBE.tmp.6a051d6c.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\SLDA.tmp.86ac63e6.ini
c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\ApplicationHistory\SLE0.tmp.9c9a95f4.ini
c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\76b5d642-466a60a9
c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\10974f6f-28b2f9bf
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-09-05 02:23 . 2011-09-05 02:23 -------- d-----w- c:\documents and settings\AVERY.SARAH\Application Data\HpUpdate
2011-09-04 03:22 . 2011-09-04 03:22 -------- d-----w- c:\program files\ESET
2011-09-03 03:44 . 2011-09-03 03:44 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-09-02 03:07 . 2011-09-02 03:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-09-02 02:57 . 2011-09-02 02:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-09-01 21:13 . 2011-09-01 21:13 -------- d-----w- c:\documents and settings\AVERY.SARAH\Application Data\SUPERAntiSpyware.com
2011-09-01 18:22 . 2011-09-01 18:22 -------- d-----w- c:\documents and settings\AVERY.SARAH\Application Data\Malwarebytes
2011-09-01 03:34 . 2011-09-01 03:34 -------- d-----w- c:\program files\ARO 2011
2011-08-31 01:19 . 2011-08-31 01:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-08-31 00:42 . 2011-08-31 00:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-08-31 00:39 . 2011-08-31 00:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-28 22:36 . 2011-08-28 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-08-21 18:48 . 2011-08-21 18:48 -------- d-----w- c:\windows\Hewlett-Packard
2011-08-20 17:50 . 2011-08-20 17:50 -------- d-----w- c:\documents and settings\AVERY.SARAH\Application Data\HP
2011-08-20 17:48 . 2011-08-20 17:48 -------- d-----w- c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\IsolatedStorage
2011-08-20 17:48 . 2011-08-20 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-08-20 17:48 . 2011-08-20 17:48 -------- d-----w- c:\documents and settings\AVERY.SARAH\Local Settings\Application Data\HP
2011-08-20 17:39 . 2011-08-20 17:39 -------- d-----w- C:\bin
2011-08-20 17:38 . 2011-08-20 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2011-08-20 17:38 . 2011-08-20 17:38 -------- d-----w- c:\program files\Common Files\Sonic Shared
2011-08-20 17:36 . 2011-08-20 17:37 -------- d-----w- c:\program files\Common Files\HP
2011-08-20 17:34 . 2011-08-20 17:34 -------- d-----w- c:\program files\Hewlett-Packard
2011-08-20 17:33 . 2011-08-20 17:33 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-08-20 17:32 . 2001-08-17 20:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-08-20 17:32 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-08-20 16:57 . 2006-03-04 04:03 69632 ----a-w- c:\windows\system32\HPZipm12.1
2011-08-20 16:27 . 2006-04-13 00:02 659456 ----a-w- c:\windows\system32\hpowiax2.dll
2011-08-20 16:27 . 2006-04-13 00:02 254026 ----a-w- c:\windows\system32\hpovst09.dll
2011-08-20 16:27 . 2006-04-13 00:02 827392 ----a-w- c:\windows\system32\hpotiop2.dll
2011-08-20 15:34 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-14 16:11 . 2011-08-14 16:11 -------- d-----w- c:\program files\Cisco Systems
2011-08-10 14:06 . 2011-08-10 14:06 -------- d-----w- C:\be4dbd1be84be02e50af62497981e3
2011-08-09 23:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 23:25 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-07 16:44 . 2011-08-07 16:44 -------- d-----w- c:\program files\Amazon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2006-02-15 14:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-15 14:03 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52 . 2010-02-20 20:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2010-02-20 20:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2006-02-15 15:34 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2006-02-15 14:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2006-02-15 14:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2006-02-15 14:02 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-02-15 14:04 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-08-12 05:57 . 2011-08-20 15:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-03_05.51.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-05 02:17 . 2011-09-05 02:17 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
+ 2011-09-05 02:16 . 2011-09-05 02:16 16384 c:\windows\Temp\Perflib_Perfdata_1a0.dat
+ 2009-04-19 16:04 . 2011-09-04 02:28 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-04-19 16:04 . 2011-09-03 05:48 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2005-12-22 30208]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-26 563984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-26 2027792]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-22 04:42 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\AVERY.SARAH\\My Documents\\Downloads\\BitTorrent-7.2.1.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\owner\\Local Settings\\Temp\\7zS3A5B\\setup\\HPZnet01.exe"=
"c:\\Documents and Settings\\owner\\Local Settings\\Temp\\7zS3A5B\\setup\\hponicifs01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677
"3010:TCP"= 3010:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/9/2011 5:54 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/9/2011 5:54 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 8:27 PM 815736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/9/2011 5:54 PM 136312]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 10:54 AM 116608]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [12/21/2005 9:55 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [12/21/2005 9:55 PM 33024]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 5:54 PM 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [12/12/2009 2:24 PM 120248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/12/2009 2:24 PM 126392]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [12/21/2005 9:25 PM 3456]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 5:46 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110902.030\IDSXpx86.sys [9/2/2011 9:40 PM 356280]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
2011-09-01 c:\windows\Tasks\Norton Security Scan for Emilys side.job
- c:\program files\Norton Security Scan\Engine\3.0.1.8\Nss.exe [2011-01-30 11:19]
.
2011-09-01 c:\windows\Tasks\Norton Security Scan for owner.job
- c:\progra~1\NORTON~4\Engine\301~1.8\Nss.exe [2011-01-30 11:19]
.
2008-07-06 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
2011-09-05 c:\windows\Tasks\User_Feed_Synchronization-{4692B730-B49A-495F-93F1-7E9B3A7F093D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1249402064&rver=5.5.4177.0&wp=mbi&wreply=hxxp:%2f%2fmail.live.com%2fdefault.aspx&lc=1033&id=64855&mkt=en-us
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{18955D47-882E-48fc-B903-A4BDD030E7FD}
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {96AD66E6-8375-4864-8F4D-0F15023C2AF6} - hxxp://www.wunderground.com/windowsinstall/weather.cab
FF - ProfilePath - c:\documents and settings\AVERY.SARAH\Application Data\Mozilla\Firefox\Profiles\kqiv9v33.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-04 19:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\06\00\1a\16*2\05"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1304)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\mysafe.dll
.
Completion time: 2011-09-04 19:50:04
ComboFix-quarantined-files.txt 2011-09-05 02:49
ComboFix2.txt 2011-09-03 05:59
.
Pre-Run: 47,049,818,112 bytes free
Post-Run: 47,163,654,144 bytes free
.
- - End Of File - - 5953C1B72CEF982AE3EDFB1C38A16935


java updated


Only issue I know of left with the computer is the Start/All Programs list; almost all programs read empty.

thanks, b

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:05 PM

Posted 05 September 2011 - 07:18 AM

Hi

Try the following:

Posted Image
  • Then click on the Restore button.



NEXT


To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.
  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".

Posted Image
NOTE. Make sure, you right click on Avast program, NOT on Avast folder.

  • You'll see this window:

Posted Image

Due to the damage caused by the infection, you'll find "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open:

Posted Image

  • Highlight everything in "Path" box, right click on it, click "Copy"
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end
  • Click OK and you're done.

Posted Image


In case the program's link shows as (empty):

Posted Image

  • Open Windows Explorer, navigate to Avast folder in Program Files
  • Right click on Avast ".exe" file, click "Create shortcut":

Posted Image

  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively....
...you paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast



#12 farginbastage

farginbastage
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 06 September 2011 - 12:06 AM

Restored the accessories with no issues.

Had to use the Windows Explorer and create shortcut method to create "All Programs" entries; found about half. About one quarter are items Mrs B doesn't care to have restored to the All Programs list. I am down to half a dozen that I would like to find out of pride, but they can wait. This has been an opportunity to evaluate the amount of stuff on the computer, and a good house cleaning session will follow the computer receiving a clean bill of health.

Performance is greatly improved; the Mrs B is much impressed.

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:05 PM

Posted 06 September 2011 - 08:23 PM

That's good to hear, then I will leave you to the task to complete at your leisure.

Let's just clean up our tools now.


Please do the following:


Posted Image Your Java is out of date.
Java™ 6 Update 21 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


You can delete the unhide, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
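The "Make Internet Explorer more secure" steps above change three Internet-zone URL actions through the Inetcpl.cpl dialog. The following is an added example, not code from CatByte's post: it reads those same settings from the per-user registry so you can verify the dialog took effect (or re-check them later), and tightens them only when run with -Fix. The mapping of dialog entries to the numeric value names 1001, 1004 and 1201 under the Internet zone key, and the action codes 0/1/3, are standard Internet Explorer registry layout; the report format is the example's own.

```powershell
# Added example (not from the thread): audit, and optionally enforce, the three
# ActiveX settings the post sets through Inetcpl.cpl, by reading the Internet
# zone (zone id 3) under the current user's Internet Settings key.
param([switch]$Fix)   # run with -Fix to apply the recommended values

# Action codes used by IE zone settings: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The three entries the post changes, with the value it recommends for each.
$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe';  Value = 3 }
)

function Describe($v) {
    if ($null -eq $v) { return 'not set (IE default applies)' }
    if ($labels.ContainsKey([int]$v)) { return $labels[[int]$v] }
    return "unknown ($v)"
}

if (-not (Test-Path -Path $zoneKey)) {
    throw "Internet zone key not found: $zoneKey"
}

$props = Get-ItemProperty -Path $zoneKey
foreach ($s in $recommended) {
    $current = $props.($s.Id)
    # A missing value falls back to IE's built-in default, so treat it as not verified.
    $ok   = ($null -ne $current -and [int]$current -eq $s.Value)
    $flag = if ($ok) { 'OK  ' } else { 'WEAK' }
    '{0} {1,-60} current: {2,-28} recommended: {3}' -f $flag, $s.Name, (Describe $current), $labels[$s.Value]

    if (-not $ok -and $Fix) {
        Set-ItemProperty -Path $zoneKey -Name $s.Id -Value $s.Value -Type DWord
        "     -> set $($s.Id) to $($labels[$s.Value])"
    }
}
```

Without -Fix the script only reports, which is the safe way to confirm the dialog changes after a reboot. One caveat: if the machine is configured to take zone settings from the machine hive instead (the Security_HKLM_only value under Internet Settings), the per-user key audited here is not what IE enforces, and the same three values should be checked under the matching HKLM path.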


#14 farginbastage

farginbastage
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 07 September 2011 - 11:09 AM

ok, tools deleted, and combofix uninstalled. Java is up to date, and i tweaked the internet explorer settings. downloaded and ran tfc, wot and erunt. Thank you for the links to the security articles, using common sense internetting on this computer is long overdue. computer is running great, as far as i know. i appreciate your time and effort fixing this mess.

thank you again

b

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:05 PM

Posted 07 September 2011 - 04:39 PM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
