Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect/Rootkit? Help!


  • This topic is locked This topic is locked
14 replies to this topic

#1 bennettsjb

bennettsjb

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 23 September 2011 - 11:31 AM

Just so yo know, I'm in IT, not an end user. Customer PC is getting internet redirects and Outlook will not connect to server. Co-worker tried Combofix (downloaded from here). It won't run. Basically, no removal tools are able to run. Tried to run GMER, it started and then quit right after I hit Scan. Not sure where to go from here!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 6.0.2900.5512
Run by Administrator at 12:15:03 on 2011-09-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1751 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\277705832:2542498543.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.live.com
mStart Page = hxxp://www.dell.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: DeskBandHelper Class: {9e0b5480-4ff0-4fee-818b-d4db0f220d64} - c:\progra~1\lexisn~1\pclaw\plietool.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: PCLaw Web Timer: {0e1230f8-ea50-42a9-983c-d22abc2eed4b} - c:\progra~1\lexisn~1\pclaw\plietool.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ServiceControl]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\progra~1\lexisn~1\pclaw\plietool.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\progra~1\lexisn~1\pclaw\plietool.dll
LSP: mswsock.dll
DPF: PLLiveUpWeb - hxxp://support.pclaw.com/PLLiveUpWeb.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: Interfaces\{0226C5FF-D555-4FC8-8F14-F1570DB1FB96} : NameServer = 192.168.30.2,192.168.30.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-2-12 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-2-12 108392]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-7-6 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-8-3 47640]
S2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-4-22 1768376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-2 105592]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-6-3 30192]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110919.020\NAVENG.SYS [2011-9-19 86136]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110919.020\NAVEX15.SYS [2011-9-19 1576312]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-09-23 16:04:06 -------- d-----w- c:\documents and settings\administrator.bowmanltd\application data\SUPERAntiSpyware.com
2011-09-23 15:37:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-23 15:37:49 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-22 19:34:16 82944 ----a-w- c:\windows\sed.exe
2011-09-22 19:34:16 77312 ----a-w- c:\windows\mbr.exe
2011-09-22 19:34:16 278016 ----a-w- c:\windows\swreg.exe
2011-09-22 19:29:08 4200409 ----a-r- C:\ComboFix.exe
2011-09-22 19:14:34 -------- d-----w- C:\kdi
2011-09-22 19:11:46 -------- d-----w- c:\windows\pss
2011-09-22 19:10:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-22 19:10:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-22 19:10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-22 19:10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-07 05:47:34 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-06 17:00:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-09-06 17:00:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-09-06 17:00:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-09-06 17:00:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-09-06 17:00:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-06 17:00:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-06 17:00:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-22 13:34:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 20:32:50 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-07-06 20:32:50 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 20:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-07-06 20:32:30 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-07-06 20:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2011-07-06 20:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 12:15:09.18 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 27 September 2011 - 11:28 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\277705832
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 27 September 2011 - 11:29 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 bennettsjb

bennettsjb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 28 September 2011 - 09:39 AM

Here is the content of Result.txt:

DummyCreator by Farbar
Ran by ERubin (administrator) on 28-09-2011 at 08:49:31
**************************************************************

C:\WINDOWS\2777705832 [28-09-2011 08:49:31]

== End of log ==


Combofix found the zero access rootkit

Here is the ComboFix log:

ComboFix 11-09-28.01 - ERubin 09/28/2011 9:52.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1438 [GMT -4:00]
Running from: c:\documents and settings\erubin\Desktop\wexv.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\erubin\g2mdlhlpx.exe
c:\windows\$NtUninstallKB6811$
c:\windows\$NtUninstallKB6811$\1752468752\@
c:\windows\$NtUninstallKB6811$\1752468752\click.tlb
c:\windows\$NtUninstallKB6811$\1752468752\L\rohepcid
c:\windows\$NtUninstallKB6811$\1752468752\loader.tlb
c:\windows\$NtUninstallKB6811$\1752468752\U\@00000001
c:\windows\$NtUninstallKB6811$\1752468752\U\@000000c0
c:\windows\$NtUninstallKB6811$\1752468752\U\@000000cb
c:\windows\$NtUninstallKB6811$\1752468752\U\@000000cf
c:\windows\$NtUninstallKB6811$\1752468752\U\@80000000
c:\windows\$NtUninstallKB6811$\1752468752\U\@800000c0
c:\windows\$NtUninstallKB6811$\1752468752\U\@800000cb
c:\windows\$NtUninstallKB6811$\1752468752\U\@800000cf
c:\windows\$NtUninstallKB6811$\3334637623
c:\windows\2777705832
c:\windows\system32\
.
c:\windows\system32\drivers\cdrom.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_68748d10
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))
.
.
2011-09-28 12:51 . 2011-09-28 13:02 -------- d-----w- C:\wexv
2011-09-28 12:48 . 2011-09-28 12:48 -------- d-----w- C:\DummyCreator
2011-09-26 20:50 . 2011-09-26 20:50 -------- d-sh--w- c:\documents and settings\erubin\IECompatCache
2011-09-26 20:50 . 2011-09-26 20:50 -------- d-sh--w- c:\documents and settings\erubin\PrivacIE
2011-09-26 20:47 . 2011-09-26 20:47 -------- d-sh--w- c:\documents and settings\erubin\IETldCache
2011-09-26 20:46 . 2011-09-26 20:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-26 20:40 . 2011-09-26 20:40 -------- dc-h--w- c:\windows\ie8
2011-09-26 19:51 . 2011-09-26 19:51 -------- d-----w- c:\documents and settings\erubin\Local Settings\Application Data\Symantec
2011-09-26 19:50 . 2011-09-26 19:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-26 19:50 . 2011-09-26 19:51 136496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-26 19:50 . 2007-03-22 00:39 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2011-09-26 19:50 . 2011-09-26 19:51 -------- d-----w- c:\program files\Symantec
2011-09-26 19:20 . 2008-04-14 04:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-23 18:57 . 2011-09-23 18:57 -------- d-----w- c:\program files\ESET
2011-09-23 18:26 . 2011-09-23 18:26 -------- d--h--w- c:\windows\PIF
2011-09-23 18:22 . 2011-09-23 18:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 16:04 . 2011-09-23 16:04 -------- d-----w- c:\documents and settings\Administrator.BOWMANLTD\Application Data\SUPERAntiSpyware.com
2011-09-23 15:38 . 2011-09-23 15:38 -------- d-----w- c:\documents and settings\erubin\Application Data\SUPERAntiSpyware.com
2011-09-23 15:37 . 2011-09-23 18:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-23 15:37 . 2011-09-23 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-22 19:10 . 2011-09-22 19:10 -------- d-----w- c:\documents and settings\erubin\Application Data\Malwarebytes
2011-09-22 19:10 . 2011-09-22 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-22 06:17 . 2011-09-22 06:17 -------- d-sh--w- c:\documents and settings\erubin\UserData
2011-09-07 05:47 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-06 17:00 . 2011-09-06 17:00 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-09-06 17:00 . 2011-09-06 17:00 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-09-06 17:00 . 2011-09-06 17:00 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-09-06 17:00 . 2011-09-06 17:00 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-09-06 17:00 . 2011-09-06 17:00 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-09-06 17:00 . 2011-09-06 17:00 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-09-06 17:00 . 2011-09-06 17:00 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-09-06 17:00 . 2011-09-06 17:00 -------- d-----w- c:\program files\QuickTime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-28 12:45 . 2011-09-28 12:48 455503 ----a-w- C:\DummyCreator.zip
2011-09-09 09:12 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-22 13:34 . 2011-05-26 15:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2008-04-25 16:16 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 20:32 . 2011-08-03 13:34 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-07-06 20:32 . 2011-08-03 13:34 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 20:32 . 2011-08-03 13:34 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-07-06 20:32 . 2011-08-03 13:34 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-07-06 20:32 . 2011-08-03 13:34 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2011-07-06 20:32 . 2011-08-03 13:34 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-09-08 12:36 . 2011-05-17 18:56 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-28_12.57.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-28 14:03 . 2011-09-28 14:03 16384 c:\windows\Temp\Perflib_Perfdata_6dc.dat
+ 2011-09-28 14:00 . 2011-09-28 14:00 16384 c:\windows\Temp\Perflib_Perfdata_3f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-01-21 1657448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-26 14888960]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-26 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-11 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-08-06 115560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 20:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [7/6/2011 4:32 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 7:04 PM 12856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/26/2011 4:00 PM 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 BlackBox;BlackBox SR2; [x]
S3 EBFB06FF;EBFB06FF;c:\windows\system32\EBFB06FF.exe --> c:\windows\system32\EBFB06FF.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\progra~1\LEXISN~1\PCLaw\plietool.dll
IE: {{9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\progra~1\LEXISN~1\PCLaw\plietool.dll
TCP: DhcpNameServer = 192.168.32.2 192.168.32.12
DPF: PLLiveUpWeb - hxxp://support.pclaw.com/PLLiveUpWeb.CAB
FF - ProfilePath - c:\documents and settings\erubin\Application Data\Mozilla\Firefox\Profiles\6gt71bmi.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-28 10:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\LMIinit.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(5200)
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-09-28 10:06:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-28 14:05
ComboFix2.txt 2011-09-28 13:02
.
Pre-Run: 136,785,481,728 bytes free
Post-Run: 137,411,325,952 bytes free
.
- - End Of File - - BD5A90CF3E746AEE025C95CB1D62561E

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 28 September 2011 - 09:59 AM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 bennettsjb

bennettsjb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 28 September 2011 - 10:06 AM

Hi,

It didn't find any threats :

11:04:48.0531 1804 TDSS rootkit removing tool 2.6.2.0 Sep 26 2011 18:56:43
11:04:48.0750 1804 ============================================================
11:04:48.0750 1804 Current date / time: 2011/09/28 11:04:48.0750
11:04:48.0750 1804 SystemInfo:
11:04:48.0750 1804
11:04:48.0750 1804 OS Version: 5.1.2600 ServicePack: 3.0
11:04:48.0750 1804 Product type: Workstation
11:04:48.0750 1804 ComputerName: PC-D5R70LK1
11:04:48.0750 1804 UserName: ERubin
11:04:48.0750 1804 Windows directory: C:\WINDOWS
11:04:48.0750 1804 System windows directory: C:\WINDOWS
11:04:48.0750 1804 Processor architecture: Intel x86
11:04:48.0750 1804 Number of processors: 2
11:04:48.0750 1804 Page size: 0x1000
11:04:48.0750 1804 Boot type: Normal boot
11:04:48.0750 1804 ============================================================
11:04:49.0062 1804 Initialize success
11:04:51.0062 2984 ============================================================
11:04:51.0062 2984 Scan started
11:04:51.0062 2984 Mode: Manual;
11:04:51.0062 2984 ============================================================
11:04:51.0734 2984 Abiosdsk - ok
11:04:51.0765 2984 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
11:04:51.0781 2984 abp480n5 - ok
11:04:51.0812 2984 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:04:51.0812 2984 ACPI - ok
11:04:51.0828 2984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:04:51.0843 2984 ACPIEC - ok
11:04:51.0968 2984 ADIHdAudAddService (de25fc7de3a464e455c0d0012757b0ac) C:\WINDOWS\system32\drivers\ADIHdAud.sys
11:04:51.0968 2984 ADIHdAudAddService - ok
11:04:52.0109 2984 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
11:04:52.0109 2984 adpu160m - ok
11:04:52.0156 2984 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:04:52.0156 2984 aec - ok
11:04:52.0328 2984 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
11:04:52.0343 2984 AFD - ok
11:04:52.0421 2984 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
11:04:52.0437 2984 agp440 - ok
11:04:52.0484 2984 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
11:04:52.0484 2984 agpCPQ - ok
11:04:52.0562 2984 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
11:04:52.0562 2984 Aha154x - ok
11:04:52.0609 2984 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
11:04:52.0609 2984 aic78u2 - ok
11:04:52.0703 2984 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
11:04:52.0703 2984 aic78xx - ok
11:04:52.0765 2984 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
11:04:52.0765 2984 AliIde - ok
11:04:52.0812 2984 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
11:04:52.0812 2984 alim1541 - ok
11:04:52.0859 2984 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
11:04:52.0875 2984 amdagp - ok
11:04:52.0906 2984 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
11:04:52.0921 2984 amsint - ok
11:04:52.0937 2984 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
11:04:52.0953 2984 asc - ok
11:04:52.0984 2984 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
11:04:52.0984 2984 asc3350p - ok
11:04:53.0015 2984 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
11:04:53.0031 2984 asc3550 - ok
11:04:53.0062 2984 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:04:53.0062 2984 AsyncMac - ok
11:04:53.0109 2984 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:04:53.0125 2984 atapi - ok
11:04:53.0156 2984 Atdisk - ok
11:04:53.0187 2984 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:04:53.0187 2984 Atmarpc - ok
11:04:53.0234 2984 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:04:53.0234 2984 audstub - ok
11:04:53.0281 2984 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
11:04:53.0296 2984 b57w2k - ok
11:04:53.0437 2984 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
11:04:53.0437 2984 BASFND - ok
11:04:53.0578 2984 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:04:53.0578 2984 Beep - ok
11:04:53.0593 2984 BlackBox - ok
11:04:53.0625 2984 catchme - ok
11:04:53.0687 2984 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
11:04:53.0687 2984 cbidf - ok
11:04:53.0750 2984 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:04:53.0750 2984 cbidf2k - ok
11:04:53.0765 2984 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
11:04:53.0765 2984 cd20xrnt - ok
11:04:53.0812 2984 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:04:53.0828 2984 Cdaudio - ok
11:04:53.0859 2984 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:04:53.0875 2984 Cdfs - ok
11:04:53.0921 2984 Cdrom - ok
11:04:53.0937 2984 Changer - ok
11:04:53.0953 2984 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
11:04:53.0968 2984 CmdIde - ok
11:04:53.0984 2984 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
11:04:53.0984 2984 Cpqarray - ok
11:04:54.0015 2984 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
11:04:54.0015 2984 dac2w2k - ok
11:04:54.0031 2984 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
11:04:54.0046 2984 dac960nt - ok
11:04:54.0140 2984 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:04:54.0140 2984 Disk - ok
11:04:54.0171 2984 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
11:04:54.0171 2984 DLABMFSM - ok
11:04:54.0203 2984 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
11:04:54.0203 2984 DLABOIOM - ok
11:04:54.0218 2984 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
11:04:54.0218 2984 DLACDBHM - ok
11:04:54.0250 2984 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
11:04:54.0250 2984 DLADResM - ok
11:04:54.0265 2984 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
11:04:54.0265 2984 DLAIFS_M - ok
11:04:54.0296 2984 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
11:04:54.0296 2984 DLAOPIOM - ok
11:04:54.0312 2984 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
11:04:54.0312 2984 DLAPoolM - ok
11:04:54.0328 2984 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
11:04:54.0328 2984 DLARTL_M - ok
11:04:54.0343 2984 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
11:04:54.0343 2984 DLAUDFAM - ok
11:04:54.0359 2984 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
11:04:54.0359 2984 DLAUDF_M - ok
11:04:54.0406 2984 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:04:54.0437 2984 dmboot - ok
11:04:54.0468 2984 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:04:54.0484 2984 dmio - ok
11:04:54.0484 2984 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:04:54.0500 2984 dmload - ok
11:04:54.0546 2984 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:04:54.0546 2984 DMusic - ok
11:04:54.0656 2984 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
11:04:54.0656 2984 dpti2o - ok
11:04:54.0687 2984 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:04:54.0703 2984 drmkaud - ok
11:04:54.0750 2984 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
11:04:54.0750 2984 DRVMCDB - ok
11:04:54.0765 2984 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
11:04:54.0765 2984 DRVNDDM - ok
11:04:54.0890 2984 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
11:04:54.0890 2984 eeCtrl - ok
11:04:54.0890 2984 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
11:04:54.0906 2984 EraserUtilRebootDrv - ok
11:04:54.0984 2984 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:04:54.0984 2984 Fastfat - ok
11:04:55.0046 2984 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
11:04:55.0046 2984 Fdc - ok
11:04:55.0078 2984 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:04:55.0078 2984 Fips - ok
11:04:55.0109 2984 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:04:55.0109 2984 Flpydisk - ok
11:04:55.0140 2984 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:04:55.0140 2984 FltMgr - ok
11:04:55.0171 2984 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:04:55.0171 2984 Fs_Rec - ok
11:04:55.0250 2984 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:04:55.0250 2984 Ftdisk - ok
11:04:55.0296 2984 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
11:04:55.0312 2984 GEARAspiWDM - ok
11:04:55.0421 2984 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:04:55.0421 2984 Gpc - ok
11:04:55.0453 2984 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:04:55.0453 2984 HDAudBus - ok
11:04:55.0484 2984 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:04:55.0484 2984 hidusb - ok
11:04:55.0515 2984 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
11:04:55.0531 2984 hpn - ok
11:04:55.0609 2984 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:04:55.0609 2984 HTTP - ok
11:04:55.0687 2984 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
11:04:55.0687 2984 i2omgmt - ok
11:04:55.0734 2984 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
11:04:55.0734 2984 i2omp - ok
11:04:55.0781 2984 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:04:55.0781 2984 i8042prt - ok
11:04:55.0843 2984 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\WINDOWS\system32\drivers\iaStor.sys
11:04:55.0843 2984 iaStor - ok
11:04:55.0906 2984 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:04:55.0906 2984 Imapi - ok
11:04:55.0953 2984 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
11:04:55.0953 2984 ini910u - ok
11:04:55.0984 2984 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:04:56.0000 2984 IntelIde - ok
11:04:56.0046 2984 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:04:56.0062 2984 intelppm - ok
11:04:56.0093 2984 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:04:56.0093 2984 Ip6Fw - ok
11:04:56.0125 2984 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:04:56.0125 2984 IpFilterDriver - ok
11:04:56.0156 2984 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:04:56.0156 2984 IpInIp - ok
11:04:56.0187 2984 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:04:56.0187 2984 IpNat - ok
11:04:56.0203 2984 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:04:56.0218 2984 IPSec - ok
11:04:56.0250 2984 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:04:56.0250 2984 IRENUM - ok
11:04:56.0343 2984 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:04:56.0343 2984 isapnp - ok
11:04:56.0359 2984 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:04:56.0375 2984 Kbdclass - ok
11:04:56.0421 2984 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:04:56.0421 2984 kbdhid - ok
11:04:56.0484 2984 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:04:56.0484 2984 kmixer - ok
11:04:56.0546 2984 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:04:56.0546 2984 KSecDD - ok
11:04:56.0578 2984 lbrtfdc - ok
11:04:56.0656 2984 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
11:04:56.0656 2984 LMIInfo - ok
11:04:56.0765 2984 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
11:04:56.0765 2984 lmimirr - ok
11:04:56.0765 2984 LMIRfsClientNP - ok
11:04:56.0828 2984 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
11:04:56.0828 2984 LMIRfsDriver - ok
11:04:56.0875 2984 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:04:56.0890 2984 mnmdd - ok
11:04:56.0921 2984 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:04:56.0937 2984 Modem - ok
11:04:56.0968 2984 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:04:56.0968 2984 Mouclass - ok
11:04:57.0031 2984 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:04:57.0046 2984 mouhid - ok
11:04:57.0078 2984 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:04:57.0078 2984 MountMgr - ok
11:04:57.0140 2984 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
11:04:57.0156 2984 mraid35x - ok
11:04:57.0156 2984 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:04:57.0156 2984 MRxDAV - ok
11:04:57.0187 2984 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:04:57.0218 2984 MRxSmb - ok
11:04:57.0218 2984 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:04:57.0218 2984 Msfs - ok
11:04:57.0234 2984 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:04:57.0234 2984 MSKSSRV - ok
11:04:57.0250 2984 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:04:57.0250 2984 MSPCLOCK - ok
11:04:57.0265 2984 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:04:57.0265 2984 MSPQM - ok
11:04:57.0296 2984 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:04:57.0296 2984 mssmbios - ok
11:04:57.0359 2984 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:04:57.0359 2984 Mup - ok
11:04:57.0421 2984 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110927.033\NAVENG.SYS
11:04:57.0421 2984 NAVENG - ok
11:04:57.0484 2984 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110927.033\NAVEX15.SYS
11:04:57.0500 2984 NAVEX15 - ok
11:04:57.0593 2984 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:04:57.0593 2984 NDIS - ok
11:04:57.0671 2984 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:04:57.0687 2984 NdisTapi - ok
11:04:57.0703 2984 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:04:57.0703 2984 Ndisuio - ok
11:04:57.0718 2984 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:04:57.0734 2984 NdisWan - ok
11:04:57.0781 2984 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:04:57.0796 2984 NDProxy - ok
11:04:57.0859 2984 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:04:57.0859 2984 NetBIOS - ok
11:04:57.0875 2984 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:04:57.0890 2984 NetBT - ok
11:04:57.0921 2984 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:04:57.0921 2984 Npfs - ok
11:04:57.0984 2984 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:04:57.0984 2984 Ntfs - ok
11:04:58.0015 2984 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:04:58.0015 2984 Null - ok
11:04:58.0187 2984 nv (1f2ac846c07cabaed42d9394e5627424) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:04:58.0296 2984 nv - ok
11:04:58.0375 2984 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:04:58.0375 2984 NwlnkFlt - ok
11:04:58.0406 2984 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:04:58.0406 2984 NwlnkFwd - ok
11:04:58.0437 2984 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:04:58.0437 2984 Parport - ok
11:04:58.0453 2984 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:04:58.0453 2984 PartMgr - ok
11:04:58.0484 2984 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:04:58.0500 2984 ParVdm - ok
11:04:58.0546 2984 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:04:58.0546 2984 PCI - ok
11:04:58.0578 2984 PCIDump - ok
11:04:58.0609 2984 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:04:58.0609 2984 PCIIde - ok
11:04:58.0671 2984 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:04:58.0671 2984 Pcmcia - ok
11:04:58.0703 2984 PDCOMP - ok
11:04:58.0718 2984 PDFRAME - ok
11:04:58.0734 2984 PDRELI - ok
11:04:58.0750 2984 PDRFRAME - ok
11:04:58.0781 2984 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
11:04:58.0796 2984 perc2 - ok
11:04:58.0828 2984 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
11:04:58.0828 2984 perc2hib - ok
11:04:58.0906 2984 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:04:58.0906 2984 PptpMiniport - ok
11:04:58.0968 2984 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:04:58.0968 2984 PSched - ok
11:04:58.0984 2984 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:04:59.0000 2984 Ptilink - ok
11:04:59.0046 2984 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:04:59.0046 2984 PxHelp20 - ok
11:04:59.0093 2984 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
11:04:59.0093 2984 ql1080 - ok
11:04:59.0140 2984 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
11:04:59.0156 2984 Ql10wnt - ok
11:04:59.0203 2984 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
11:04:59.0203 2984 ql12160 - ok
11:04:59.0250 2984 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:04:59.0250 2984 ql1240 - ok
11:04:59.0328 2984 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:04:59.0328 2984 ql1280 - ok
11:04:59.0359 2984 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:04:59.0359 2984 RasAcd - ok
11:04:59.0390 2984 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:04:59.0390 2984 Rasl2tp - ok
11:04:59.0406 2984 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:04:59.0421 2984 RasPppoe - ok
11:04:59.0437 2984 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:04:59.0437 2984 Raspti - ok
11:04:59.0468 2984 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:04:59.0468 2984 Rdbss - ok
11:04:59.0500 2984 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:04:59.0500 2984 RDPCDD - ok
11:04:59.0562 2984 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:04:59.0562 2984 rdpdr - ok
11:04:59.0625 2984 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:04:59.0625 2984 RDPWD - ok
11:04:59.0687 2984 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:04:59.0687 2984 redbook - ok
11:04:59.0765 2984 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:04:59.0781 2984 Secdrv - ok
11:04:59.0828 2984 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
11:04:59.0828 2984 SenFiltService - ok
11:04:59.0859 2984 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:04:59.0859 2984 Serenum - ok
11:04:59.0875 2984 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:04:59.0890 2984 Serial - ok
11:04:59.0953 2984 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:04:59.0953 2984 Sfloppy - ok
11:04:59.0984 2984 Simbad - ok
11:05:00.0015 2984 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:05:00.0015 2984 sisagp - ok
11:05:00.0078 2984 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:05:00.0078 2984 Sparrow - ok
11:05:00.0171 2984 SPBBCDrv (cb5a4e90451d80d415f0a6dbb86d1d9f) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
11:05:00.0187 2984 SPBBCDrv - ok
11:05:00.0265 2984 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:05:00.0265 2984 splitter - ok
11:05:00.0375 2984 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:05:00.0375 2984 sr - ok
11:05:00.0421 2984 SRTSP (fdb49acd281d72c5d5392d066eda9c1a) C:\WINDOWS\system32\Drivers\SRTSP.SYS
11:05:00.0421 2984 SRTSP - ok
11:05:00.0484 2984 SRTSPL (45bc2cabb0a65bb91f7f5b6aae809ef3) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
11:05:00.0500 2984 SRTSPL - ok
11:05:00.0531 2984 SRTSPX (c285bb1258d2a87d4068722937d0bf03) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
11:05:00.0546 2984 SRTSPX - ok
11:05:00.0609 2984 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:05:00.0609 2984 Srv - ok
11:05:00.0656 2984 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:05:00.0671 2984 swenum - ok
11:05:00.0718 2984 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:05:00.0718 2984 swmidi - ok
11:05:00.0765 2984 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
11:05:00.0781 2984 symc810 - ok
11:05:00.0859 2984 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
11:05:00.0875 2984 symc8xx - ok
11:05:00.0953 2984 SymEvent (4517bd567d4eab459194feccfa654a51) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
11:05:00.0953 2984 SymEvent - ok
11:05:01.0000 2984 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
11:05:01.0000 2984 sym_hi - ok
11:05:01.0062 2984 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
11:05:01.0078 2984 sym_u3 - ok
11:05:01.0140 2984 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:05:01.0140 2984 sysaudio - ok
11:05:01.0203 2984 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:05:01.0203 2984 Tcpip - ok
11:05:01.0250 2984 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:05:01.0265 2984 TDPIPE - ok
11:05:01.0312 2984 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:05:01.0328 2984 TDTCP - ok
11:05:01.0390 2984 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:05:01.0390 2984 TermDD - ok
11:05:01.0484 2984 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
11:05:01.0484 2984 TosIde - ok
11:05:01.0546 2984 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:05:01.0546 2984 Udfs - ok
11:05:01.0609 2984 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
11:05:01.0609 2984 ultra - ok
11:05:01.0687 2984 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:05:01.0687 2984 Update - ok
11:05:01.0750 2984 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
11:05:01.0765 2984 USBAAPL - ok
11:05:01.0812 2984 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:05:01.0812 2984 usbccgp - ok
11:05:01.0875 2984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:05:01.0890 2984 usbehci - ok
11:05:01.0937 2984 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:05:01.0937 2984 usbhub - ok
11:05:01.0984 2984 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:05:01.0984 2984 usbscan - ok
11:05:02.0046 2984 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:05:02.0046 2984 USBSTOR - ok
11:05:02.0109 2984 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:05:02.0109 2984 usbuhci - ok
11:05:02.0171 2984 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:05:02.0171 2984 VgaSave - ok
11:05:02.0250 2984 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
11:05:02.0250 2984 viaagp - ok
11:05:02.0312 2984 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:05:02.0312 2984 ViaIde - ok
11:05:02.0375 2984 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:05:02.0375 2984 VolSnap - ok
11:05:02.0375 2984 vsdatant - ok
11:05:02.0437 2984 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:05:02.0453 2984 Wanarp - ok
11:05:02.0500 2984 WDICA - ok
11:05:02.0546 2984 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:05:02.0546 2984 wdmaud - ok
11:05:02.0609 2984 MBR (0x1B8) (a00aa10c4a88fc5bbb6e341fed7b6ac3) \Device\Harddisk0\DR0
11:05:02.0703 2984 \Device\Harddisk0\DR0 - ok
11:05:02.0703 2984 MBR (0x1B8) (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk1\DR5
11:05:11.0031 2984 \Device\Harddisk1\DR5 - ok
11:05:11.0062 2984 Boot (0x1200) (e55ac403b7e5a138e3563b689b816cb6) \Device\Harddisk0\DR0\Partition0
11:05:11.0062 2984 \Device\Harddisk0\DR0\Partition0 - ok
11:05:11.0062 2984 Boot (0x1200) (417995b6794b022069286dac138d6421) \Device\Harddisk1\DR5\Partition0
11:05:11.0078 2984 \Device\Harddisk1\DR5\Partition0 - ok
11:05:11.0078 2984 ============================================================
11:05:11.0078 2984 Scan finished
11:05:11.0078 2984 ============================================================
11:05:11.0078 2980 Detected object count: 0
11:05:11.0078 2980 Actual detected object count: 0

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 28 September 2011 - 10:23 AM

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 bennettsjb

bennettsjb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 28 September 2011 - 10:34 AM

here you go :



Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


..
Failed to open \\?\c:\\Documents and Settings\Administrator.BOWMANLTD\Desktop\gmer.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Administrator.BOWMANLTD\Desktop\WiNlOgOn.exe: Access is denied.


.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\5a11af98-9a87-4b29-9282-afc5087c9734.com: Access is denied.


...

...

...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

...

...

..\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5

.

...

...

...

...

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 28 September 2011 - 12:20 PM

For x86 bit systems please download GrantPerms.zip and
Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\System Volume Information
c:\Documents and Settings\Administrator.BOWMANLTD\Desktop\gmer.exe
c:\Documents and Settings\Administrator.BOWMANLTD\Desktop\WiNlOgOn.exe
c:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp
c:\Program Files\SUPERAntiSpyware\5a11af98-9a87-4b29-9282-afc5087c9734.com


Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 bennettsjb

bennettsjb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 28 September 2011 - 12:31 PM

GrantPerms by Farbar
Ran by ERubin at 2011-09-28 13:30:11

===============================================
\\?\c:\System Volume Information

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\Documents and Settings\Administrator.BOWMANLTD\Desktop\gmer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Administrator.BOWMANLTD\Desktop\WiNlOgOn.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Power Users change ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users write ALLOW (CI)(I)


\\?\c:\Program Files\SUPERAntiSpyware\5a11af98-9a87-4b29-9282-afc5087c9734.com

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 28 September 2011 - 03:29 PM

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 bennettsjb

bennettsjb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 29 September 2011 - 09:16 AM

Hi,

I tried the Java update and got the following message:

"bin\jqs.exe old file not found, however a file of the same name was found. no update done since file contents do not match"

after that i could no longer open java from control panel - i get this error: "could not create java virtual machine"

here are the logs from mbam and hijackthis :

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7827

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/29/2011 9:46:13 AM
mbam-log-2011-09-29 (09-46-13).txt

Scan type: Quick scan
Objects scanned: 304409
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator.bowmanltd\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.






Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:06:18 AM, on 9/29/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: DeskBandHelper Class - {9E0B5480-4FF0-4FEE-818B-D4DB0F220D64} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: PCLaw Web Timer - {0E1230F8-EA50-42A9-983C-D22ABC2EED4B} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: PLLiveUpWeb - http://support.pclaw.com/PLLiveUpWeb.CAB
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bowmanltd.local
O17 - HKLM\Software\..\Telephony: DomainName = bowmanltd.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bowmanltd.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{0226C5FF-D555-4FC8-8F14-F1570DB1FB96}: NameServer = 192.168.30.2,192.168.30.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bowmanltd.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bowmanltd.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: EBFB06FF - Unknown owner - C:\WINDOWS\system32\EBFB06FF.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 11195 bytes

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 29 September 2011 - 09:53 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
      O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
      O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
      O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
      O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
      O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brakets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 bennettsjb

bennettsjb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 29 September 2011 - 10:50 AM

still have a file in c:\windows named 277705832 im not entirely sure what this is but i thought is was related to the rootkit, no?

here's the eset log:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=f6ade283c107ab4d94697299dc0c89e6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-09-23 07:46:45
# local_time=2011-09-23 03:46:45 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=93316
# found=4
# cleaned=3
# scan_time=2617
C:\Documents and Settings\erubin\Application Data\Sun\Java\Deployment\cache\6.0\26\416c0c5a-1dacea7b Win32/Sirefef.CY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-1745944259-1863876211-3445363467-500\Dc17\22.09.2011_15.25.20\susp0000\svc0000\tsk0000.dta Win32/Rootkit.Agent.NUT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\23.09.2011_14.42.03\susp0000\svc0000\tsk0000.dta Win32/Rootkit.Agent.NUT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\cdrom.sys Win32/Rootkit.Agent.NUT trojan (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=f6ade283c107ab4d94697299dc0c89e6
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-09-23 07:54:25
# local_time=2011-09-23 03:54:25 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=3292
# found=0
# cleaned=0
# scan_time=129
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=f6ade283c107ab4d94697299dc0c89e6
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-09-28 12:46:50
# local_time=2011-09-28 08:46:50 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=4997
# found=0
# cleaned=0
# scan_time=156
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=f6ade283c107ab4d94697299dc0c89e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-09-29 03:44:45
# local_time=2011-09-29 11:44:45 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=58802
# found=0
# cleaned=0
# scan_time=2295

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 29 September 2011 - 02:50 PM

Hello


That file can be removed now


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:10 PM

Posted 03 October 2011 - 01:05 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users