
Infected with Backdoor.Tidserv!kmem


This topic is locked. 37 replies to this topic.

#1 Mel_P (Members, 22 posts)

Posted 18 October 2011 - 12:46 PM

Norton 360 detects the threat, but cannot remove it.

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by controleur at 13:50:20 on 2011-10-18
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.503.183 [GMT -4:00]
.
AV: Antivirus Live *Enabled/Updated* {B316C67E-09F1-44c7-85E0-94F6DA8A4AA1}
AV: Antivirus *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sympatico.ca/defaultf.aspx?lang=fr-CA
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Norton Download Manager{NBRT41-B15-Retail-4abb-B07C-C084B04B4F12}] c:\documents and settings\all users\documents\norton\{nbrt41-b15-retail-4abb-b07c-c084b04b4f12}\NBRT-Retail-Downloader[1].exe /m
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/CPCViewAX_060503/CpcViewAX.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{F7BC2B6C-44B5-4B70-A34F-00FB81375E32} : NameServer = 90.0.0.2,198.235.216.134
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\system32\drivers\SMR210.SYS [2011-10-12 83064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-5-23 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-5-23 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111014.001\BHDrvx86.sys [2011-10-14 818808]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-5-23 136312]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-12 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-4-10 47640]
R2 MSSQL$PAIEPC;MSSQL$PAIEPC;c:\program files\microsoft sql server\mssql$paiepc\binn\sqlservr.exe -spaiepc --> c:\program files\microsoft sql server\mssql$paiepc\binn\sqlservr.exe -sPAIEPC [?]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-5-23 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\fichiers communs\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-8 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20111015.030\IDSXpx86.sys [2011-10-17 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20111017.032\NAVENG.SYS [2011-10-18 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20111017.032\NAVEX15.SYS [2011-10-18 1576312]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\contro~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\contro~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\contro~1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\contro~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 gupdate1ca411d58378d40;Service Google Update (gupdate1ca411d58378d40);c:\program files\google\update\GoogleUpdate.exe [2009-9-29 133104]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-29 133104]
S3 SQLAgent$PAIEPC;SQLAgent$PAIEPC;c:\program files\microsoft sql server\mssql$paiepc\binn\sqlagent.exe -i paiepc --> c:\program files\microsoft sql server\mssql$paiepc\binn\sqlagent.EXE -i PAIEPC [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-10-12 13:24:55 20 ----a-w- c:\windows\system32\drivers\SMR210.dat
2011-10-12 13:24:53 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-10-12 13:24:40 -------- d-----w- c:\documents and settings\controleur\local settings\application data\NPE
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380819AS rev.3.04 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82304566]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8230a624]; MOV EAX, [0x8230a6a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x82393810]
3 CLASSPNP[0xF8581FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000069[0x8235AB08]
5 ACPI[0xF84C0620] -> nt!IofCallDriver[0x804E13B9] -> [0x82340940]
\Driver\atapi[0x82359458] -> IRP_MJ_CREATE -> 0x82304566
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskST380819AS______________________________3.04____#5&2346641&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x823043B2
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 13:51:38.40 ===============
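The gmer section of the DDS log above is the key finding: the MBR read from user mode differs from the one read in the kernel, atapi's DriverStartIo is hooked, and the kernel-read sector begins with code that copies itself to 0x600 and then decrypts the rest with a ROR loop. The following Python script is an added example, not a tool from this thread or from gmer: it parses a raw 512-byte MBR image, flags that decryption-loop opcode pattern, compares the boot code against a baseline image, and performs the same "two reads must agree" comparison that gmer reports as "user != kernel MBR". The sample images are constructed here: the "infected" stub is hand-assembled from the mnemonics gmer printed, with instruction encodings assumed from those mnemonics, and the partition layout and disk signature are placeholders. The opcode constant is a heuristic, not a vendor signature.

```python
"""MBR parser and TDL4-style tamper check (added example, not from the thread)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA

# Body of the self-decryption loop gmer disassembled from the kernel-read MBR:
#   ROR BYTE [BP+0], CL ; INC BP  -> D2 4E 00 45  (encoding assumed from the mnemonics)
TDL4_DECRYPT_LOOP = bytes.fromhex("d24e0045")


def parse_mbr(img):
    """Split a raw 512-byte sector into boot code hash, disk signature and partitions."""
    if len(img) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot_flag, ptype = img[off], img[off + 4]
        lba_start, sectors = struct.unpack_from("<II", img, off + 8)
        if ptype != 0:
            parts.append({"index": i, "bootable": boot_flag == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(img[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
        "partitions": parts,
        "valid_signature": img[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def scan_mbr(img, baseline=None):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(img)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 55AA boot signature")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    if TDL4_DECRYPT_LOOP in img[:BOOT_CODE_LEN]:
        findings.append("self-decrypting loop (ror byte [bp],cl / inc bp) in boot code")
    if baseline is not None and img[:BOOT_CODE_LEN] != baseline[:BOOT_CODE_LEN]:
        findings.append("boot code differs from baseline image")
    return findings


def compare_user_kernel(user_img, kernel_img):
    """gmer's 'user != kernel MBR' test: the same sector read through two paths must
    match byte for byte. A hooked disk driver (the DriverStartIo hook in the log)
    hands the original clean sector to user-mode readers while the real one differs."""
    return [i for i in range(SECTOR) if user_img[i] != kernel_img[i]]


# --- constructed sample images (placeholders, not taken from the infected disk) ---

def _partition_entry(boot_flag, ptype, lba_start, sectors):
    # CHS fields are left zero; only the LBA fields matter here.
    return bytes([boot_flag, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)


def build_mbr(boot_code, disk_sig=0x1234ABCD):
    """Assemble a sector: boot code padded to 440 bytes, one active NTFS partition, 55AA."""
    table = _partition_entry(0x80, 0x07, 63, 156301423) + b"\x00" * 48
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", disk_sig)
            + b"\x00\x00" + table + b"\x55\xaa")


# Placeholder clean stub: xor ax,ax / mov ss,ax / mov sp,7C00 / sti / int 19h
CLEAN_STUB = bytes.fromhex("33c08ed0bc007cfbcd19")

# Hand-assembled from the mnemonics gmer printed for the kernel-read MBR
TDL4_LIKE_STUB = bytes.fromhex(
    "31c0" "8ed0" "bc007c" "8ec0" "8ed8"    # xor ax,ax; mov ss,ax; mov sp,7C00; mov es,ax; mov ds,ax
    "be007c" "bf0006" "b90002" "fc" "f3a4"  # mov si,7C00; mov di,0600; mov cx,0200; cld; rep movsb
    "50" "681c06" "cb"                      # push ax; push 061C; retf (jump into the relocated copy)
    "fb" "60" "b93701" "bd2a06"             # sti; pusha; mov cx,0137; mov bp,062A
    "d24e00" "45"                           # ror byte [bp+0],cl; inc bp (decrypt loop body)
)

CLEAN_MBR = build_mbr(CLEAN_STUB)
TDL4_LIKE_MBR = build_mbr(TDL4_LIKE_STUB)

if __name__ == "__main__":
    print("clean   :", scan_mbr(CLEAN_MBR, baseline=CLEAN_MBR))
    print("infected:", scan_mbr(TDL4_LIKE_MBR, baseline=CLEAN_MBR))
    print("user/kernel differing bytes:", len(compare_user_kernel(CLEAN_MBR, TDL4_LIKE_MBR)))
```

To use it on a real machine, read the first 512 bytes of `\\.\PhysicalDrive0` as Administrator into `img`, and keep a copy of the same sector taken from a known-clean boot (a rescue CD) as the baseline. A bootkit that hooks the disk stack can lie to an in-band read, which is why the baseline or a second read path is worth more than the opcode heuristic.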


 


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 19 October 2011 - 09:50 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Mel_P (Topic Starter, Members, 22 posts)

Posted 19 October 2011 - 12:19 PM

Here's the ComboFix log:

ComboFix 11-10-19.03 - controleur 10/19/11 12:07:14.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.503.141 [GMT -4:00]
Running from: c:\documents and settings\controleur\Bureau\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrateur\WINDOWS
c:\documents and settings\control.SANFACON.000\WINDOWS
c:\program files\AV8
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 ))))))))))))))))))))))))))))))))))))
.
.
2011-10-12 13:24 . 2011-10-12 13:24 20 ----a-w- c:\windows\system32\drivers\SMR210.dat
2011-10-12 13:24 . 2011-10-12 13:24 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-10-12 13:24 . 2011-10-12 15:54 -------- d-----w- c:\documents and settings\controleur\Local Settings\Application Data\NPE
.
.
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2004-08-05 . D6D65EA32B190401B57EDB6706F29669 . 25088 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2002-08-29 . F4127A2A00825C69A870035DA1264AE0 . 22528 . . [5.1.2600.1106] . . c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 20:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:34 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-07-30 07:08 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
2004-01-05 22:34 40960 ----a-w- c:\windows\vsnpstd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-15 11:51 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\system32\drivers\SMR210.SYS [10/12/11 09:24 83064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [05/23/11 13:34 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [05/23/11 13:34 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys [10/14/11 19:10 818808]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [05/23/11 13:34 136312]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/12/10 06:49 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [08/03/07 15:09 12856]
R2 MSSQL$PAIEPC;MSSQL$PAIEPC;c:\program files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlservr.exe -sPAIEPC --> c:\program files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlservr.exe -sPAIEPC [?]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [05/23/11 13:34 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Fichiers communs\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/08/11 02:59 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111018.030\IDSXpx86.sys [10/18/11 21:28 356280]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate1ca411d58378d40;Service Google Update (gupdate1ca411d58378d40);c:\program files\Google\Update\GoogleUpdate.exe [09/29/09 11:56 133104]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [09/29/09 11:56 133104]
S3 SQLAgent$PAIEPC;SQLAgent$PAIEPC;c:\program files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlagent.EXE -i PAIEPC --> c:\program files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlagent.EXE -i PAIEPC [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\bu_bert.job
- C:\bu_bert.bat [2007-07-05 14:01]
.
2011-10-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
2011-10-16 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.4\DriverRobot.exe [2009-09-30 14:22]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 15:55]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 15:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympatico.ca/defaultf.aspx?lang=fr-CA
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: Interfaces\{F7BC2B6C-44B5-4B70-A34F-00FB81375E32}: NameServer = 90.0.0.2,198.235.216.134
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/CPCViewAX_060503/CpcViewAX.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-19 12:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
Binary file raw_enum.dat matches
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-10-19 12:33:03
ComboFix-quarantined-files.txt 2011-10-19 16:32
.
Pre-Run: 65,895,641,088 bytes free
Post-Run: 66,765,131,776 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
.
- - End Of File - - 7BBFDD4A87E8AC1060A4282DAEE90930



There were no problems as it ran. When it finished, Windows had 39 updates to perform. On restart, Norton 360 still tells me that I have the backdoor.tidserv!kmem threat and that it cannot fix it.

Thanks!
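ComboFix's Sigcheck section and the service/driver lists in both logs carry the indicators a responder would check by hand: drivers whose file could not be verified ("[?]"), registry entries with no file behind them ("[x]"), drivers loading from a user's Temp directory, and a system32 file whose version is older than the service-pack backup kept beside it (here userinit.exe 5.1.2600.1106 in system32 next to a 5.1.2600.2180 copy under $NtServicePackUninstall$, on a Service Pack 3 machine). The following Python is an added triage helper, not part of this thread or of DDS/ComboFix: it parses those two line formats and emits findings. The sample lines are copied from the logs above; the flag meanings are taken from the logs themselves ("[?]" and "[x]" on service lines, "[-]" on Sigcheck lines meaning ComboFix could not match the file), not from vendor documentation.

```python
"""Triage helper for DDS / ComboFix service and Sigcheck lines (added example)."""
import os
import re

# R2 Name;Display;path [date size]   or   R2 Name;Display;original --> resolved [?]
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$"
)
TRAILING_BRACKET_RE = re.compile(r"\s*\[[^\]]*\]$")


def parse_service(line):
    """Parse one service/driver line; return None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    status = "ok"
    if rest.endswith("[?]"):
        status = "unverified"   # the tool could not read the file's date and size
    elif rest.endswith("[x]"):
        status = "missing"      # registry entry with no file behind it
    rest = TRAILING_BRACKET_RE.sub("", rest)
    if "-->" in rest:           # keep the resolved path, not the raw registry value
        rest = rest.split("-->")[-1].strip()
    return {"start": m["start"], "name": m["name"], "path": rest, "status": status}


def version_tuple(s):
    return tuple(int(p) for p in s.split("."))


def parse_sigcheck(line):
    """Parse one ComboFix Sigcheck line; return None if the line is not one."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        return None
    return {"flag": m["flag"], "md5": m["md5"].upper(), "size": int(m["size"]),
            "version": version_tuple(m["ver"]), "version_str": m["ver"],
            "path": m["path"].strip()}


def triage(lines):
    """Return human-readable findings for a list of log lines."""
    findings = []
    sigs = {}
    for line in lines:
        svc = parse_service(line)
        if svc:
            if svc["status"] != "ok":
                findings.append(f"{svc['name']}: {svc['status']} file ({svc['path'] or 'no path'})")
            if "\\temp\\" in svc["path"].lower():
                findings.append(f"{svc['name']}: loads from a Temp directory ({svc['path']})")
            continue
        sig = parse_sigcheck(line)
        if sig:
            base = os.path.basename(sig["path"].replace("\\", "/")).lower()
            sigs.setdefault(base, []).append(sig)
    # Compare each live system file against the service-pack backup of the same name.
    for base, entries in sigs.items():
        backups = [e for e in entries if "$ntservicepackuninstall$" in e["path"].lower()]
        live = [e for e in entries if e not in backups]
        for cur in live:
            if cur["flag"] == "-":
                findings.append(f"{base}: live copy not matched by Sigcheck (MD5 {cur['md5']})")
            for bak in backups:
                if cur["version"] < bak["version"]:
                    findings.append(f"{base}: live copy {cur['version_str']} is older than the "
                                    f"service-pack backup {bak['version_str']} (possible replaced file)")
    return findings


# Sample lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = [
    r"R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-5-23 130008]",
    r"R2 MSSQL$PAIEPC;MSSQL$PAIEPC;c:\program files\microsoft sql server\mssql$paiepc\binn\sqlservr.exe -spaiepc --> c:\program files\microsoft sql server\mssql$paiepc\binn\sqlservr.exe -sPAIEPC [?]",
    r"S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\contro~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\contro~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]",
    r"S4 LMIRfsClientNP;LMIRfsClientNP; [x]",
    r"[7] 2004-08-05 . D6D65EA32B190401B57EDB6706F29669 . 25088 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe",
    r"[-] 2002-08-29 . F4127A2A00825C69A870035DA1264AE0 . 22528 . . [5.1.2600.1106] . . c:\windows\system32\userinit.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The version check is the point a practitioner cares about: on a Service Pack 3 machine the live userinit.exe should be newer, not older, than the copy saved when SP2 was installed, so a downgraded file is worth restoring from a known-good copy regardless of whether its MD5 matches anything. The Temp-directory findings for SASDIFSV here are the leftover SUPERAntiSpyware driver entries, which is why a finding is a prompt to look, not a verdict.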

#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 19 October 2011 - 12:50 PM

Hello

> Norton 360 still tells me that I have the backdoor.tidserv!kmem threat and that it cannot fix it.

Does it give you a location?



I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#5 Mel_P (Topic Starter, Members, 22 posts)

Posted 19 October 2011 - 01:22 PM

Norton 360 doesn't give me a location, just a warning that I have a high threat on my PC.

Here's the log from TDSSKiller:

14:42:00.0382 3688 TDSS rootkit removing tool 2.6.11.0 Oct 19 2011 13:50:27
14:42:00.0929 3688 ============================================================
14:42:00.0929 3688 Current date / time: 2011/10/19 14:42:00.0929
14:42:00.0929 3688 SystemInfo:
14:42:00.0929 3688
14:42:00.0929 3688 OS Version: 5.1.2600 ServicePack: 3.0
14:42:00.0929 3688 Product type: Workstation
14:42:00.0929 3688 ComputerName: HP12865651717
14:42:00.0929 3688 UserName: controleur
14:42:00.0929 3688 Windows directory: C:\WINDOWS
14:42:00.0929 3688 System windows directory: C:\WINDOWS
14:42:00.0929 3688 Processor architecture: Intel x86
14:42:00.0929 3688 Number of processors: 2
14:42:00.0929 3688 Page size: 0x1000
14:42:00.0929 3688 Boot type: Normal boot
14:42:00.0929 3688 ============================================================
14:42:02.0335 3688 Initialize success
14:42:05.0069 3800 ============================================================
14:42:05.0069 3800 Scan started
14:42:05.0069 3800 Mode: Manual;
14:42:05.0069 3800 ============================================================
14:42:06.0257 3800 Abiosdsk - ok
14:42:06.0273 3800 abp480n5 - ok
14:42:06.0319 3800 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
14:42:06.0319 3800 ac97intc - ok
14:42:06.0413 3800 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:42:06.0413 3800 ACPI - ok
14:42:06.0476 3800 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:42:06.0476 3800 ACPIEC - ok
14:42:06.0538 3800 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:42:06.0538 3800 adpu160m - ok
14:42:06.0569 3800 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
14:42:06.0569 3800 adpu320 - ok
14:42:06.0616 3800 aeaudio (3cb6ae5435987b1f8c83fd2730479878) C:\WINDOWS\system32\drivers\aeaudio.sys
14:42:06.0616 3800 aeaudio - ok
14:42:06.0679 3800 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:42:06.0679 3800 aec - ok
14:42:06.0726 3800 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:42:06.0726 3800 AFD - ok
14:42:06.0741 3800 Aha154x - ok
14:42:06.0757 3800 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:42:06.0773 3800 aic78u2 - ok
14:42:06.0788 3800 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:42:06.0788 3800 aic78xx - ok
14:42:06.0804 3800 AliIde - ok
14:42:06.0819 3800 amsint - ok
14:42:06.0835 3800 asc - ok
14:42:06.0851 3800 asc3350p - ok
14:42:06.0866 3800 asc3550 - ok
14:42:06.0913 3800 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:42:06.0913 3800 AsyncMac - ok
14:42:06.0945 3800 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:42:06.0945 3800 atapi - ok
14:42:06.0960 3800 Atdisk - ok
14:42:06.0991 3800 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:42:07.0007 3800 Atmarpc - ok
14:42:07.0038 3800 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:42:07.0038 3800 audstub - ok
14:42:07.0101 3800 b57w2k (2fa609c3411ec5f77f42d0b04d304ae5) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
14:42:07.0179 3800 b57w2k - ok
14:42:07.0257 3800 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:42:07.0257 3800 Beep - ok
14:42:07.0648 3800 BHDrvx86 (fe57ab6683f48264d1cd36f5d5ee95a8) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys
14:42:07.0648 3800 BHDrvx86 - ok
14:42:07.0788 3800 Blfp (9976971b7092f5bff20073ab31ba1598) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
14:42:07.0788 3800 Blfp - ok
14:42:07.0898 3800 catchme - ok
14:42:07.0960 3800 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:42:07.0960 3800 cbidf2k - ok
14:42:08.0054 3800 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
14:42:08.0054 3800 CCDECODE - ok
14:42:08.0101 3800 cd20xrnt - ok
14:42:08.0116 3800 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:42:08.0116 3800 Cdaudio - ok
14:42:08.0179 3800 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:42:08.0179 3800 Cdfs - ok
14:42:08.0210 3800 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:42:08.0210 3800 Cdrom - ok
14:42:08.0226 3800 Changer - ok
14:42:08.0241 3800 CmdIde - ok
14:42:08.0257 3800 Cpqarray - ok
14:42:08.0273 3800 dac2w2k - ok
14:42:08.0288 3800 dac960nt - ok
14:42:08.0320 3800 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:42:08.0320 3800 Disk - ok
14:42:08.0382 3800 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys
14:42:08.0398 3800 dmboot - ok
14:42:08.0429 3800 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys
14:42:08.0429 3800 dmio - ok
14:42:08.0445 3800 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:42:08.0460 3800 dmload - ok
14:42:08.0491 3800 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:42:08.0491 3800 DMusic - ok
14:42:08.0538 3800 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
14:42:08.0554 3800 dpti2o - ok
14:42:08.0554 3800 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:42:08.0554 3800 drmkaud - ok
14:42:08.0585 3800 E100B (1961f8b618e3c20df54c146b294efd2a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
14:42:08.0601 3800 E100B - ok
14:42:08.0741 3800 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Fichiers communs\Symantec Shared\EENGINE\eeCtrl.sys
14:42:08.0757 3800 eeCtrl - ok
14:42:08.0788 3800 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Fichiers communs\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
14:42:08.0788 3800 EraserUtilRebootDrv - ok
14:42:08.0976 3800 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:42:08.0976 3800 Fastfat - ok
14:42:09.0023 3800 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:42:09.0023 3800 Fdc - ok
14:42:09.0070 3800 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys
14:42:09.0070 3800 Fips - ok
14:42:09.0101 3800 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:42:09.0101 3800 Flpydisk - ok
14:42:09.0148 3800 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:42:09.0148 3800 FltMgr - ok
14:42:09.0210 3800 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:42:09.0210 3800 Fs_Rec - ok
14:42:09.0226 3800 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:42:09.0226 3800 Ftdisk - ok
14:42:09.0257 3800 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
14:42:09.0257 3800 GEARAspiWDM - ok
14:42:09.0304 3800 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:42:09.0304 3800 Gpc - ok
14:42:09.0335 3800 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:42:09.0335 3800 HidUsb - ok
14:42:09.0351 3800 hpn - ok
14:42:09.0413 3800 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
14:42:09.0413 3800 HPZid412 - ok
14:42:09.0445 3800 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
14:42:09.0445 3800 HPZipr12 - ok
14:42:09.0491 3800 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
14:42:09.0491 3800 HPZius12 - ok
14:42:09.0538 3800 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:42:09.0554 3800 HTTP - ok
14:42:09.0570 3800 i2omgmt - ok
14:42:09.0585 3800 i2omp - ok
14:42:09.0632 3800 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:42:09.0648 3800 i8042prt - ok
14:42:09.0679 3800 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
14:42:09.0679 3800 i81x - ok
14:42:09.0710 3800 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
14:42:09.0726 3800 iAimFP0 - ok
14:42:09.0742 3800 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
14:42:09.0742 3800 iAimFP1 - ok
14:42:09.0757 3800 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
14:42:09.0757 3800 iAimFP2 - ok
14:42:09.0773 3800 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
14:42:09.0773 3800 iAimFP3 - ok
14:42:09.0788 3800 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
14:42:09.0788 3800 iAimFP4 - ok
14:42:09.0804 3800 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
14:42:09.0804 3800 iAimFP5 - ok
14:42:09.0820 3800 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
14:42:09.0820 3800 iAimFP6 - ok
14:42:09.0835 3800 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
14:42:09.0851 3800 iAimFP7 - ok
14:42:09.0867 3800 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
14:42:09.0867 3800 iAimTV0 - ok
14:42:09.0882 3800 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
14:42:09.0882 3800 iAimTV1 - ok
14:42:09.0898 3800 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
14:42:09.0898 3800 iAimTV3 - ok
14:42:09.0929 3800 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
14:42:09.0929 3800 iAimTV4 - ok
14:42:09.0945 3800 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
14:42:09.0945 3800 iAimTV5 - ok
14:42:09.0976 3800 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
14:42:09.0976 3800 iAimTV6 - ok
14:42:10.0054 3800 ialm (1432958dc80b7bbacf07377763d70e91) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
14:42:10.0070 3800 ialm - ok
14:42:10.0304 3800 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111018.030\IDSxpx86.sys
14:42:10.0304 3800 IDSxpx86 - ok
14:42:10.0351 3800 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:42:10.0367 3800 Imapi - ok
14:42:10.0382 3800 ini910u - ok
14:42:10.0413 3800 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:42:10.0413 3800 IntelIde - ok
14:42:10.0476 3800 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:42:10.0476 3800 intelppm - ok
14:42:10.0507 3800 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:42:10.0507 3800 Ip6Fw - ok
14:42:10.0538 3800 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:42:10.0538 3800 IpFilterDriver - ok
14:42:10.0554 3800 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:42:10.0570 3800 IpInIp - ok
14:42:10.0617 3800 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:42:10.0617 3800 IpNat - ok
14:42:10.0632 3800 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:42:10.0632 3800 IPSec - ok
14:42:10.0663 3800 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:42:10.0663 3800 IRENUM - ok
14:42:10.0710 3800 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:42:10.0710 3800 isapnp - ok
14:42:10.0742 3800 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:42:10.0742 3800 Kbdclass - ok
14:42:10.0757 3800 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:42:10.0757 3800 kmixer - ok
14:42:10.0804 3800 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:42:10.0804 3800 KSecDD - ok
14:42:10.0820 3800 lbrtfdc - ok
14:42:10.0960 3800 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
14:42:10.0960 3800 LMIInfo - ok
14:42:11.0007 3800 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
14:42:11.0007 3800 lmimirr - ok
14:42:11.0023 3800 LMIRfsClientNP - ok
14:42:11.0054 3800 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
14:42:11.0054 3800 LMIRfsDriver - ok
14:42:11.0101 3800 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:42:11.0117 3800 mnmdd - ok
14:42:11.0148 3800 Modem (510ade9327fe84c10254e1902697e25f) C:\WINDOWS\system32\drivers\Modem.sys
14:42:11.0148 3800 Modem - ok
14:42:11.0179 3800 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:42:11.0195 3800 Mouclass - ok
14:42:11.0242 3800 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:42:11.0242 3800 mouhid - ok
14:42:11.0257 3800 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:42:11.0257 3800 MountMgr - ok
14:42:11.0273 3800 mraid35x - ok
14:42:11.0288 3800 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:42:11.0288 3800 MRxDAV - ok
14:42:11.0351 3800 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:42:11.0351 3800 MRxSmb - ok
14:42:11.0398 3800 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:42:11.0398 3800 Msfs - ok
14:42:11.0429 3800 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:42:11.0429 3800 MSKSSRV - ok
14:42:11.0460 3800 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:42:11.0476 3800 MSPCLOCK - ok
14:42:11.0507 3800 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:42:11.0507 3800 MSPQM - ok
14:42:11.0538 3800 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:42:11.0554 3800 mssmbios - ok
14:42:11.0601 3800 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
14:42:11.0601 3800 MSTEE - ok
14:42:11.0632 3800 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:42:11.0632 3800 Mup - ok
14:42:11.0663 3800 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
14:42:11.0663 3800 NABTSFEC - ok
14:42:11.0835 3800 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111019.003\NAVENG.SYS
14:42:11.0835 3800 NAVENG - ok
14:42:11.0913 3800 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111019.003\NAVEX15.SYS
14:42:11.0976 3800 NAVEX15 - ok
14:42:12.0148 3800 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:42:12.0163 3800 NDIS - ok
14:42:12.0210 3800 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
14:42:12.0210 3800 NdisIP - ok
14:42:12.0288 3800 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:42:12.0288 3800 NdisTapi - ok
14:42:12.0335 3800 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:42:12.0335 3800 Ndisuio - ok
14:42:12.0351 3800 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:42:12.0351 3800 NdisWan - ok
14:42:12.0398 3800 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:42:12.0398 3800 NDProxy - ok
14:42:12.0429 3800 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:42:12.0429 3800 NetBIOS - ok
14:42:12.0460 3800 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:42:12.0460 3800 NetBT - ok
14:42:12.0492 3800 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:42:12.0492 3800 Npfs - ok
14:42:12.0523 3800 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:42:12.0523 3800 Ntfs - ok
14:42:12.0585 3800 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:42:12.0585 3800 Null - ok
14:42:12.0617 3800 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:42:12.0617 3800 NwlnkFlt - ok
14:42:12.0632 3800 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:42:12.0632 3800 NwlnkFwd - ok
14:42:12.0664 3800 P3 (cecb679633523ac5eb7eb85f92dcd806) C:\WINDOWS\system32\DRIVERS\p3.sys
14:42:12.0679 3800 P3 - ok
14:42:12.0695 3800 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys
14:42:12.0695 3800 Parport - ok
14:42:12.0710 3800 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:42:12.0710 3800 PartMgr - ok
14:42:12.0757 3800 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys
14:42:12.0757 3800 ParVdm - ok
14:42:12.0773 3800 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys
14:42:12.0773 3800 PCI - ok
14:42:12.0789 3800 PCIDump - ok
14:42:12.0820 3800 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:42:12.0820 3800 PCIIde - ok
14:42:12.0851 3800 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:42:12.0851 3800 Pcmcia - ok
14:42:12.0867 3800 PDCOMP - ok
14:42:12.0882 3800 PDFRAME - ok
14:42:12.0898 3800 PDRELI - ok
14:42:12.0914 3800 PDRFRAME - ok
14:42:12.0914 3800 perc2 - ok
14:42:12.0929 3800 perc2hib - ok
14:42:12.0992 3800 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:42:12.0992 3800 PptpMiniport - ok
14:42:13.0023 3800 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk0\DR0
14:42:13.0117 3800 \Device\Harddisk0\DR0 - ok
14:42:13.0117 3800 Boot (0x1200) (cc0b30de19d8f56f1bab23b03abbe4a1) \Device\Harddisk0\DR0\Partition0
14:42:13.0117 3800 \Device\Harddisk0\DR0\Partition0 - ok
14:42:13.0117 3800 ============================================================
14:42:13.0117 3800 Scan finished
14:42:13.0117 3800 ============================================================
14:42:13.0132 3368 Detected object count: 0
14:42:13.0132 3368 Actual detected object count: 0
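The scan log above follows a regular two-line layout per object: a line with the service name, MD5 and file path, followed by a `<name> - <verdict>` line (the MBR and boot-sector verdict lines are keyed by the device path instead of the name). The parser below is an added example, not part of this thread and not TDSSKiller's own code; the sample lines are constructed in that layout, and the `ExampleDrv` entry with its `suspicious` verdict is invented. It pairs each object with its verdict, keeps the MD5 for comparison against a known-good catalogue, and lists anything that did not come back `ok`, so a reviewer can jump to those entries instead of reading several hundred lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller log layout seen above (not the thread's own lines).
# "<time> <pid> <name> (<md5>) <path>" records a scanned object, "<time> <pid> <key> - <verdict>"
# its verdict; objects with no file on disk (here "hpn") only get a verdict line.
# ExampleDrv and its verdict are invented for the demonstration.
SAMPLE_LOG = r"""
14:42:09.0148 3800 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:42:09.0148 3800 FltMgr - ok
14:42:09.0351 3800 hpn - ok
14:42:13.0023 3800 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk0\DR0
14:42:13.0117 3800 \Device\Harddisk0\DR0 - ok
14:42:13.0200 3800 ExampleDrv (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\drivers\exampledrv.sys
14:42:13.0200 3800 ExampleDrv - suspicious
14:42:13.0132 3368 Detected object count: 1
"""

# Every line starts with a timestamp and the scanner's process id.
TIME = r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
# Object line: name (optionally followed by an offset such as "(0x1B8)" for MBR/Boot), MD5, path.
OBJECT_RE = re.compile(
    TIME + r"(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$"
)
# Verdict line: the key is a service name or, for disk-level objects, the device path.
VERDICT_RE = re.compile(TIME + r"(?P<key>.+?) - (?P<verdict>\S.*)$")
COUNT_RE = re.compile(TIME + r"Detected object count:\s*(?P<n>\d+)$")


@dataclass
class ScanEntry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_tdsskiller_log(text: str) -> List[ScanEntry]:
    """Return the scanned objects in log order, each joined with its verdict line."""
    entries: List[ScanEntry] = []
    by_name: Dict[str, ScanEntry] = {}
    by_path: Dict[str, ScanEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            entry = ScanEntry(m["name"], m["md5"].lower(), m["path"])
            entries.append(entry)
            by_name[entry.name] = entry
            by_path[entry.path] = entry
            continue
        m = VERDICT_RE.match(line)
        if m:
            key = m["key"]
            entry = by_name.get(key) or by_path.get(key)
            if entry is None:
                # No preceding object line: a registered service with no file on disk.
                entry = ScanEntry(key)
                entries.append(entry)
                by_name[key] = entry
            entry.verdict = m["verdict"]
    return entries


def flagged_entries(entries: List[ScanEntry]) -> List[ScanEntry]:
    """Everything that is not a clean 'ok', including objects that never got a verdict."""
    return [e for e in entries if e.verdict != "ok"]


def detected_count(text: str) -> Optional[int]:
    """The scanner's own summary count, useful as a cross-check against flagged_entries()."""
    for raw in text.splitlines():
        m = COUNT_RE.match(raw.strip())
        if m:
            return int(m["n"])
    return None


if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    for e in flagged_entries(parsed):
        print(f"{e.name}: verdict={e.verdict} md5={e.md5} path={e.path}")
    print("scanner reported:", detected_count(SAMPLE_LOG))
```

Run against a saved TDSSKiller log, `flagged_entries()` is the short list to read first; the `md5` field of every entry can then be checked against the vendor's catalogue for that driver version, and the `MBR`/`Boot` hashes compared between runs to confirm the boot code has not changed.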

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:39 PM

Posted 19 October 2011 - 02:38 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Mel_P

Mel_P
  • Topic Starter

  • Members
  • 22 posts
  • Local time:08:39 PM

Posted 20 October 2011 - 09:24 AM

Here's the ComboFix Log :

ComboFix 11-10-19.03 - controleur 10/20/11 10:10:22.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.503.31 [GMT -4:00]
Lancé depuis: c:\documents and settings\controleur\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\controleur\Bureau\cfscript.txt
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favoris\_favdata.dat
C:\Thumbs.db
c:\windows\ehome\medctrro.exe
c:\windows\system32\d3d9caps.dat
c:\windows\system32\TZLog.log
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-09-20 au 2011-10-20 ))))))))))))))))))))))))))))))))))))
.
.
2011-10-19 16:54 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-10-19 16:54 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-19 16:53 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-10-19 16:52 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-19 16:51 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-10-12 13:24 . 2011-10-12 13:24 20 ----a-w- c:\windows\system32\drivers\SMR210.dat
2011-10-12 13:24 . 2011-10-12 13:24 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-10-12 13:24 . 2011-10-12 15:54 -------- d-----w- c:\documents and settings\controleur\Local Settings\Application Data\NPE
2011-09-26 15:41 . 2011-09-26 15:41 614400 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2011-09-26 15:41 22528 ------w- c:\windows\system32\dllcache\oleaccrc.dll
2011-09-26 15:41 . 2011-09-26 15:41 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 15:41 . 2004-08-05 02:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 15:41 . 2004-08-05 02:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-09 09:12 . 2004-08-05 02:00 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 14:10 . 2004-08-05 02:00 1859072 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:41 . 2004-08-05 02:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:41 . 2004-08-05 02:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:41 . 2004-08-05 02:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-05 02:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-05 02:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2004-08-05 . D6D65EA32B190401B57EDB6706F29669 . 25088 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2002-08-29 . F4127A2A00825C69A870035DA1264AE0 . 22528 . . [5.1.2600.1106] . . c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-10-19_16.30.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-19 17:28 . 2011-10-19 17:28 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat
+ 2011-10-19 17:25 . 2011-10-19 17:25 16384 c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2011-10-19 17:25 . 2011-10-19 17:25 16384 c:\windows\Temp\Perflib_Perfdata_634.dat
- 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
+ 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
- 2004-08-05 02:00 . 2010-09-10 05:50 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 66560 c:\windows\system32\mshtmled.dll
- 2006-11-08 02:03 . 2010-09-10 05:50 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 02:03 . 2011-08-22 23:41 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-05 02:00 . 2010-09-10 05:50 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-05 02:00 . 2010-11-18 18:12 86016 c:\windows\system32\isign32.dll
- 2004-08-05 02:00 . 2008-04-14 02:33 86016 c:\windows\system32\isign32.dll
+ 2004-08-05 02:00 . 2010-11-02 15:17 40960 c:\windows\system32\drivers\ndproxy.sys
+ 2004-08-05 02:00 . 2011-07-08 14:02 10496 c:\windows\system32\drivers\ndistapi.sys
+ 2010-11-27 16:02 . 2011-07-06 16:44 27888 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2004-08-05 02:00 . 2009-04-20 17:18 45568 c:\windows\system32\dnsrslvr.dll
- 2004-08-05 02:00 . 2008-04-14 02:33 45568 c:\windows\system32\dnsrslvr.dll
- 2009-08-04 11:38 . 2010-09-10 05:50 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-08-04 11:38 . 2011-08-22 23:41 12800 c:\windows\system32\dllcache\xpshims.dll
- 2006-05-10 05:24 . 2010-09-10 05:50 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-05-10 05:24 . 2011-08-22 23:41 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 11:48 . 2011-08-22 23:41 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-09 11:48 . 2010-09-10 05:50 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-10-17 17:05 . 2011-08-22 23:41 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2006-10-17 17:05 . 2010-09-10 05:50 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2006-05-10 05:24 . 2011-08-22 23:41 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2006-05-10 05:24 . 2010-09-10 05:50 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-11-18 18:12 . 2010-11-18 18:12 86016 c:\windows\system32\dllcache\isign32.dll
+ 2009-04-20 17:18 . 2009-04-20 17:18 45568 c:\windows\system32\dllcache\dnsrslvr.dll
- 2009-12-14 07:09 . 2009-12-14 07:09 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:09 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2004-08-05 02:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
- 2004-08-05 02:00 . 2009-12-14 07:09 33280 c:\windows\system32\csrsrv.dll
- 2010-09-23 19:55 . 2010-09-23 19:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-07-08 18:00 . 2011-07-08 18:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-07-07 16:04 . 2011-07-07 16:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2010-09-23 06:26 . 2010-09-23 06:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2010-09-23 06:26 . 2010-09-23 06:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-07-07 16:04 . 2011-07-07 16:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2010-09-23 06:26 . 2010-09-23 06:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2011-07-07 16:03 . 2011-07-07 16:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2010-09-23 07:17 . 2010-09-23 07:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-07-07 17:09 . 2011-07-07 17:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-07-07 17:09 . 2011-07-07 17:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
- 2010-09-23 07:17 . 2010-09-23 07:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 12800 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 43520 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
+ 2011-10-19 17:08 . 2011-10-19 17:08 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_b98d6103\System.Drawing.Design.dll
+ 2011-10-19 17:08 . 2011-10-19 17:08 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_31b6a27a\CustomMarshalers.dll
- 2010-09-30 14:14 . 2010-09-30 14:14 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-10-19 17:07 . 2011-10-19 17:07 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-05-05 11:25 . 2010-08-27 01:43 5632 c:\windows\system32\xpsp4res.dll
+ 2008-05-05 11:25 . 2011-02-17 12:54 5632 c:\windows\system32\xpsp4res.dll
- 2004-08-05 02:00 . 2010-06-18 17:45 293888 c:\windows\system32\winsrv.dll
+ 2004-08-05 02:00 . 2011-06-20 17:44 293888 c:\windows\system32\winsrv.dll
+ 2004-08-05 02:00 . 2011-03-04 06:36 420864 c:\windows\system32\vbscript.dll
- 2004-08-05 02:00 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 105984 c:\windows\system32\url.dll
+ 2004-08-05 02:00 . 2009-07-27 23:17 135680 c:\windows\system32\shsvcs.dll
- 2004-08-05 02:00 . 2008-04-14 02:33 135680 c:\windows\system32\shsvcs.dll
+ 2004-08-05 02:00 . 2011-01-21 14:44 441344 c:\windows\system32\shimgvw.dll
+ 2004-08-05 02:00 . 2011-04-29 17:25 151552 c:\windows\system32\schannel.dll
- 2004-08-05 02:00 . 2008-04-14 02:33 270848 c:\windows\system32\sbe.dll
+ 2004-08-05 02:00 . 2011-02-09 13:54 270848 c:\windows\system32\sbe.dll
- 2004-08-05 02:00 . 2008-04-14 02:33 551936 c:\windows\system32\oleaut32.dll
+ 2004-08-05 02:00 . 2010-12-20 17:32 551936 c:\windows\system32\oleaut32.dll
+ 2004-08-05 02:00 . 2010-11-09 14:52 249856 c:\windows\system32\odbc32.dll
- 2004-08-05 02:00 . 2008-04-14 02:33 249856 c:\windows\system32\odbc32.dll
- 2004-08-05 02:00 . 2010-09-10 05:50 206848 c:\windows\system32\occache.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 206848 c:\windows\system32\occache.dll
+ 2004-08-05 02:00 . 2010-12-09 15:15 743424 c:\windows\system32\ntdll.dll
+ 2004-08-05 02:00 . 2008-06-20 16:03 247808 c:\windows\system32\mswsock.dll
- 2004-08-05 02:00 . 2008-06-20 17:47 247808 c:\windows\system32\mswsock.dll
+ 2004-08-05 02:00 . 2011-01-27 11:57 677888 c:\windows\system32\mstsc.exe
- 2004-08-05 02:00 . 2008-04-14 02:34 677888 c:\windows\system32\mstsc.exe
- 2004-08-05 02:00 . 2010-09-10 05:50 611840 c:\windows\system32\mstime.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 611840 c:\windows\system32\mstime.dll
- 2006-11-08 02:03 . 2010-09-10 05:50 602112 c:\windows\system32\msfeeds.dll
+ 2006-11-08 02:03 . 2011-08-22 23:41 602112 c:\windows\system32\msfeeds.dll
- 2004-08-05 02:00 . 2010-09-18 16:23 974848 c:\windows\system32\mfc42u.dll
+ 2004-08-05 02:00 . 2011-02-08 13:34 974848 c:\windows\system32\mfc42u.dll
+ 2004-08-05 02:00 . 2011-02-08 13:34 978944 c:\windows\system32\mfc42.dll
- 2004-08-05 02:00 . 2009-06-25 08:26 736768 c:\windows\system32\lsasrv.dll
+ 2004-08-05 02:00 . 2010-12-20 17:26 736768 c:\windows\system32\lsasrv.dll
- 2004-08-05 02:00 . 2009-06-25 08:26 301568 c:\windows\system32\kerberos.dll
+ 2004-08-05 02:00 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll
+ 2004-08-05 02:00 . 2011-03-04 06:36 726528 c:\windows\system32\jscript.dll
- 2004-08-05 02:00 . 2009-12-09 05:54 726528 c:\windows\system32\jscript.dll
- 2004-08-05 02:00 . 2010-06-09 07:44 692736 c:\windows\system32\inetcomm.dll
+ 2004-08-05 02:00 . 2011-05-02 15:31 692736 c:\windows\system32\inetcomm.dll
- 2004-08-05 02:00 . 2010-09-10 05:50 184320 c:\windows\system32\iepeers.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 184320 c:\windows\system32\iepeers.dll
- 2004-08-05 02:00 . 2010-09-10 05:50 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-05 02:00 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
- 2004-08-16 03:32 . 2011-02-15 21:17 122928 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-16 03:32 . 2011-10-19 17:25 122928 c:\windows\system32\FNTCACHE.DAT
- 2004-08-05 02:00 . 2008-04-14 02:33 186880 c:\windows\system32\encdec.dll
+ 2004-08-05 02:00 . 2011-02-09 13:54 186880 c:\windows\system32\encdec.dll
+ 2004-08-05 02:00 . 2011-02-17 13:18 357888 c:\windows\system32\drivers\srv.sys
- 2004-08-05 02:00 . 2008-04-14 02:34 139656 c:\windows\system32\drivers\rdpwd.sys
+ 2004-08-05 02:00 . 2011-06-24 14:10 139656 c:\windows\system32\drivers\rdpwd.sys
+ 2004-08-05 02:00 . 2011-04-21 13:37 105472 c:\windows\system32\drivers\mup.sys
+ 2004-08-05 02:00 . 2011-07-15 13:29 456320 c:\windows\system32\drivers\mrxsmb.sys
+ 2004-08-05 02:00 . 2011-03-03 06:55 149504 c:\windows\system32\dnsapi.dll
+ 2010-06-18 17:45 . 2011-06-20 17:44 293888 c:\windows\system32\dllcache\winsrv.dll
- 2010-06-18 17:45 . 2010-06-18 17:45 293888 c:\windows\system32\dllcache\winsrv.dll
- 2006-05-10 05:24 . 2010-09-10 05:50 916480 c:\windows\system32\dllcache\wininet.dll
+ 2006-05-10 05:24 . 2011-08-22 23:41 916480 c:\windows\system32\dllcache\wininet.dll
+ 2006-09-18 14:15 . 2011-04-30 03:01 758784 c:\windows\system32\dllcache\vgx.dll
+ 2008-05-09 10:55 . 2011-03-04 06:36 420864 c:\windows\system32\dllcache\vbscript.dll
- 2006-10-17 17:05 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll
+ 2006-10-17 17:05 . 2011-08-22 23:41 105984 c:\windows\system32\dllcache\url.dll
+ 2008-10-15 05:51 . 2011-02-17 13:18 357888 c:\windows\system32\dllcache\srv.sys
+ 2009-07-27 23:17 . 2009-07-27 23:17 135680 c:\windows\system32\dllcache\shsvcs.dll
+ 2011-01-21 14:44 . 2011-01-21 14:44 441344 c:\windows\system32\dllcache\shimgvw.dll
+ 2008-12-05 06:57 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
+ 2011-02-09 13:54 . 2011-02-09 13:54 270848 c:\windows\system32\dllcache\sbe.dll
+ 2010-12-20 17:32 . 2010-12-20 17:32 551936 c:\windows\system32\dllcache\oleaut32.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 249856 c:\windows\system32\dllcache\odbc32.dll
- 2006-10-17 17:04 . 2010-09-10 05:50 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 17:04 . 2011-08-22 23:41 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-04-15 01:24 . 2010-12-09 15:15 743424 c:\windows\system32\dllcache\ntdll.dll
+ 2008-06-20 17:47 . 2008-06-20 16:03 247808 c:\windows\system32\dllcache\mswsock.dll
- 2008-06-20 17:47 . 2008-06-20 17:47 247808 c:\windows\system32\dllcache\mswsock.dll
+ 2006-05-10 05:24 . 2011-08-22 23:41 611840 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:24 . 2010-09-10 05:50 611840 c:\windows\system32\dllcache\mstime.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 102400 c:\windows\system32\dllcache\msjro.dll
+ 2007-05-09 11:48 . 2011-08-22 23:41 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 11:48 . 2010-09-10 05:50 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 200704 c:\windows\system32\dllcache\msadox.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 180224 c:\windows\system32\dllcache\msadomd.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 143360 c:\windows\system32\dllcache\msadco.dll
+ 2008-11-12 15:15 . 2011-07-15 13:29 456320 c:\windows\system32\dllcache\mrxsmb.sys
+ 2006-10-14 08:13 . 2011-02-08 13:34 974848 c:\windows\system32\dllcache\mfc42u.dll
- 2006-10-14 08:13 . 2010-09-18 16:23 974848 c:\windows\system32\dllcache\mfc42u.dll
+ 2010-10-14 17:24 . 2011-02-08 13:34 978944 c:\windows\system32\dllcache\mfc42.dll
- 2009-04-15 01:24 . 2009-06-25 08:26 736768 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-04-15 01:24 . 2010-12-20 17:26 736768 c:\windows\system32\dllcache\lsasrv.dll
+ 2011-01-27 11:57 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
- 2009-06-25 08:26 . 2009-06-25 08:26 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-06-25 08:26 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
- 2008-05-09 10:55 . 2009-12-09 05:54 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:55 . 2011-03-04 06:36 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-08-13 05:22 . 2010-06-09 07:44 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-08-13 05:22 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2009-08-04 11:38 . 2011-08-22 23:41 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-08-04 11:38 . 2010-09-10 05:50 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2006-05-10 05:24 . 2010-09-10 05:50 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-05-10 05:24 . 2011-08-22 23:41 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-10 18:30 . 2011-08-22 23:41 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-10 18:30 . 2010-09-10 05:50 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2006-11-07 08:27 . 2010-09-10 05:50 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-07 08:27 . 2011-08-22 23:41 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-07 08:26 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2011-02-09 13:54 . 2011-02-09 13:54 186880 c:\windows\system32\dllcache\encdec.dll
+ 2008-06-20 17:47 . 2011-03-03 06:55 149504 c:\windows\system32\dllcache\dnsapi.dll
+ 2011-09-09 09:12 . 2011-09-09 09:12 606208 c:\windows\system32\dllcache\crypt32.dll
+ 2010-04-20 05:30 . 2011-02-15 12:56 290432 c:\windows\system32\dllcache\atmfd.dll
- 2008-06-20 11:40 . 2008-08-14 10:04 138496 c:\windows\system32\dllcache\afd.sys
+ 2008-06-20 11:40 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
+ 2004-08-05 02:00 . 2011-02-15 12:56 290432 c:\windows\system32\atmfd.dll
- 2010-09-23 06:26 . 2010-09-23 06:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2011-07-07 16:04 . 2011-07-07 16:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2011-07-07 16:01 . 2011-07-07 16:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2010-09-23 06:25 . 2010-09-23 06:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2010-09-23 07:17 . 2010-09-23 07:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-07-07 17:09 . 2011-07-07 17:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 916480 c:\windows\ie8updates\KB2586448-IE8\wininet.dll
+ 2011-10-19 17:13 . 2009-03-08 08:34 105984 c:\windows\ie8updates\KB2586448-IE8\url.dll
+ 2011-10-19 17:13 . 2010-07-05 13:17 406392 c:\windows\ie8updates\KB2586448-IE8\spuninst\updspapi.dll
+ 2011-10-19 17:13 . 2010-07-05 13:17 234872 c:\windows\ie8updates\KB2586448-IE8\spuninst\spuninst.exe
+ 2011-10-19 17:13 . 2010-09-10 05:50 206848 c:\windows\ie8updates\KB2586448-IE8\occache.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 611840 c:\windows\ie8updates\KB2586448-IE8\mstime.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 602112 c:\windows\ie8updates\KB2586448-IE8\msfeeds.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 247808 c:\windows\ie8updates\KB2586448-IE8\ieproxy.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 184320 c:\windows\ie8updates\KB2586448-IE8\iepeers.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 743424 c:\windows\ie8updates\KB2586448-IE8\iedvtool.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 387584 c:\windows\ie8updates\KB2586448-IE8\iedkcs32.dll
+ 2011-10-19 17:13 . 2010-08-26 12:22 173056 c:\windows\ie8updates\KB2586448-IE8\ie4uinit.exe
+ 2011-10-19 17:09 . 2009-03-08 08:33 759296 c:\windows\ie8updates\KB2544521-IE8\vgx.dll
+ 2011-10-19 17:09 . 2010-07-05 13:17 406392 c:\windows\ie8updates\KB2544521-IE8\spuninst\updspapi.dll
+ 2011-10-19 17:09 . 2010-07-05 13:17 234872 c:\windows\ie8updates\KB2544521-IE8\spuninst\spuninst.exe
+ 2011-10-19 17:10 . 2010-03-10 06:16 420352 c:\windows\ie8updates\KB2510531-IE8\vbscript.dll
+ 2011-10-19 17:10 . 2010-07-05 13:18 406392 c:\windows\ie8updates\KB2510531-IE8\spuninst\updspapi.dll
+ 2011-10-19 17:10 . 2010-07-05 13:17 234872 c:\windows\ie8updates\KB2510531-IE8\spuninst\spuninst.exe
+ 2011-10-19 17:10 . 2009-12-09 05:54 726528 c:\windows\ie8updates\KB2510531-IE8\jscript.dll
+ 2008-11-12 15:15 . 2011-07-15 13:29 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2011-10-19 17:08 . 2011-10-19 17:08 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_78d13170\System.Drawing.dll
+ 2011-10-19 16:53 . 2010-10-23 00:51 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\GdiPlus.dll
+ 2004-08-05 02:00 . 2011-08-22 23:41 1212416 c:\windows\system32\urlmon.dll
- 2004-08-05 02:00 . 2010-07-27 06:30 8518656 c:\windows\system32\shell32.dll
+ 2004-08-05 02:00 . 2011-01-21 14:44 8518656 c:\windows\system32\shell32.dll
+ 2004-08-05 02:00 . 2010-12-09 15:14 2150912 c:\windows\system32\ntoskrnl.exe
+ 2004-08-05 02:00 . 2010-12-09 15:14 2029056 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-05 02:00 . 2011-02-02 07:59 2067456 c:\windows\system32\mstscax.dll
+ 2004-08-05 02:00 . 2011-10-03 08:34 5971456 c:\windows\system32\mshtml.dll
+ 2006-10-17 16:57 . 2011-08-22 23:41 2000384 c:\windows\system32\iertutil.dll
+ 2008-10-15 05:50 . 2011-09-06 14:10 1859072 c:\windows\system32\dllcache\win32k.sys
+ 2006-05-10 05:24 . 2011-08-22 23:41 1212416 c:\windows\system32\dllcache\urlmon.dll
- 2008-06-17 19:02 . 2010-07-27 06:30 8518656 c:\windows\system32\dllcache\shell32.dll
+ 2008-06-17 19:02 . 2011-01-21 14:44 8518656 c:\windows\system32\dllcache\shell32.dll
+ 2008-10-15 05:50 . 2010-12-09 15:14 2194816 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-15 05:50 . 2010-12-09 15:14 2029056 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 05:50 . 2010-12-09 15:14 2071424 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 05:50 . 2010-12-09 15:14 2150912 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2006-05-19 15:09 . 2011-10-03 08:34 5971456 c:\windows\system32\dllcache\mshtml.dll
+ 2011-02-02 07:59 . 2011-02-02 07:59 2067456 c:\windows\system32\dllcache\lhmstscx.dll
+ 2007-05-09 11:48 . 2011-08-22 23:41 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2011-07-08 17:59 . 2011-07-08 17:59 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2010-09-23 19:55 . 2010-09-23 19:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2011-07-08 17:59 . 2011-07-08 17:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2010-09-23 19:55 . 2010-09-23 19:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2011-07-07 16:02 . 2011-07-07 16:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2010-09-23 06:26 . 2010-09-23 06:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2011-07-07 16:02 . 2011-07-07 16:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2011-07-08 17:59 . 2011-07-08 17:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2010-09-23 19:55 . 2010-09-23 19:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 1210880 c:\windows\ie8updates\KB2586448-IE8\urlmon.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 5957120 c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
+ 2011-10-19 17:13 . 2010-09-10 05:50 1986560 c:\windows\ie8updates\KB2586448-IE8\iertutil.dll
+ 2008-10-15 05:50 . 2010-12-09 15:14 2194816 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 05:50 . 2010-12-09 15:14 2029056 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 05:50 . 2010-12-09 15:14 2071424 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 05:50 . 2010-12-09 15:14 2150912 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2011-10-19 17:08 . 2011-10-19 17:08 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_b304c7f8\System.dll
+ 2011-10-19 17:08 . 2011-10-19 17:08 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_6a927b24\System.Xml.dll
+ 2011-10-19 17:08 . 2011-10-19 17:08 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_f07890f1\System.Windows.Forms.dll
+ 2011-10-19 17:08 . 2011-10-19 17:08 1466368 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_70f8f41b\System.Design.dll
+ 2011-10-19 17:08 . 2011-10-19 17:08 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_63ff40b8\mscorlib.dll
- 2010-09-30 14:14 . 2010-09-30 14:14 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2011-10-19 17:07 . 2011-10-19 17:07 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2010-09-30 14:14 . 2010-09-30 14:14 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2011-10-19 17:07 . 2011-10-19 17:07 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2006-06-17 12:53 . 2011-10-05 14:09 48324552 c:\windows\system32\MRT.exe
+ 2006-11-08 02:03 . 2011-08-23 21:41 11081728 c:\windows\system32\ieframe.dll
+ 2007-05-09 11:48 . 2011-08-23 21:41 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-07-13 02:49 . 2011-07-13 02:49 11459584 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2572067\M2572067Uninstall.msp
+ 2011-07-12 19:50 . 2011-07-12 19:50 17555968 c:\windows\Installer\3e6c6e.msp
+ 2011-10-19 17:13 . 2010-09-10 05:50 11080192 c:\windows\ie8updates\KB2586448-IE8\ieframe.dll
.
-- Instantané actualisé --
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 20:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:34 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-07-30 07:08 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
2004-01-05 22:34 40960 ----a-w- c:\windows\vsnpstd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-15 11:51 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\system32\drivers\SMR210.SYS [10/12/11 09:24 83064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [05/23/11 13:34 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [05/23/11 13:34 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys [10/14/11 19:10 818808]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [05/23/11 13:34 136312]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/12/10 06:49 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [08/03/07 15:09 12856]
R2 MSSQL$PAIEPC;MSSQL$PAIEPC;c:\program files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlservr.exe -sPAIEPC --> c:\program files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlservr.exe -sPAIEPC [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Fichiers communs\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/08/11 02:59 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111019.030\IDSXpx86.sys [10/19/11 22:04 356280]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\CONTRO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate1ca411d58378d40;Service Google Update (gupdate1ca411d58378d40);c:\program files\Google\Update\GoogleUpdate.exe [09/29/09 11:56 133104]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [09/29/09 11:56 133104]
.
--- Autres Services/Pilotes en mémoire ---
.
*NewlyCreated* - 51627947
*Deregistered* - 51627947
.
Contenu du dossier 'Tâches planifiées'
.
2011-10-19 c:\windows\Tasks\bu_bert.job
- C:\bu_bert.bat [2007-07-05 14:01]
.
2011-10-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
2011-10-16 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.4\DriverRobot.exe [2009-09-30 14:22]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 15:55]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 15:55]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.sympatico.ca/defaultf.aspx?lang=fr-CA
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: Interfaces\{F7BC2B6C-44B5-4B70-A34F-00FB81375E32}: NameServer = 90.0.0.2,198.235.216.134
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/CPCViewAX_060503/CpcViewAX.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-20 10:22
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
Binary file raw_enum.dat matches
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Heure de fin: 2011-10-20 10:26:46
ComboFix-quarantined-files.txt 2011-10-20 14:26
ComboFix2.txt 2011-10-19 16:33
.
Avant-CF: 66 076 057 600 octets libres
Après-CF: 66 069 336 064 octets libres
.
- - End Of File - - A87539B56DEA26F91FA5ABD09837A394



Norton still detects the threat. Besides that, everything looks normal.

Thanks

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 October 2011 - 01:05 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.5 - Français
Java 2 Runtime Environment, SE v1.4.2_14
Java™ 6 Update 7


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says "Also Download Adobe Photoshop® Album Starter Edition".

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated from the Java control panel:
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select "Run as administrator".

Information and logs

  • In your next post I need the following:

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 October 2011 - 02:03 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#10 Mel_P

  • Topic Starter
  • Members
  • 22 posts

Posted 24 October 2011 - 07:19 AM

I'm sorry, I was out of the office for the weekend. I will do what you told me in the last post and I'll reply today.

Thanks,

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 October 2011 - 01:27 PM

:thumbup2:

#12 Mel_P

  • Topic Starter
  • Members
  • 22 posts

Posted 24 October 2011 - 02:12 PM

The MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Version de la base de données: 8013

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/24/11 15:23:18
mbam-log-2011-10-24 (15-23-18).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 235423
Temps écoulé: 7 minute(s), 3 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 2
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Value: 24d1ca9a-a864-4f7b-86fe-495eb56529d8 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Value: 7bde84a2-f58f-46ec-9eac-f1f90fead080 -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)



The HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:33:45, on 10/24/11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PAIEPC\Binn\sqlservr.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/defaultf.aspx?lang=fr-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} (CPC View ax Control) - http://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/CPCViewAX_060503/CpcViewAX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Sanfacon.local
O17 - HKLM\Software\..\Telephony: DomainName = Sanfacon.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7BC2B6C-44B5-4B70-A34F-00FB81375E32}: NameServer = 90.0.0.2,198.235.216.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Sanfacon.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Sanfacon.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service Google Update (gupdate1ca411d58378d40) (gupdate1ca411d58378d40) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Service Google Update (gupdatem) (gupdatem) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 10179 bytes




The only thing 'weird' is that the Java update didn't seem to work and the Java clearing of the cache seemed to have gone very fast, so I'm not sure those 2 things 'worked'.

Thanks,

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:39 PM

Posted 24 October 2011 - 06:10 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on any of their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running HijackThis:

Sometimes we have to run it as an administrator. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select "Run as administrator".


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
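An added example, not part of this thread and not HijackThis's own code: a small Python parser for the O4 lines in the list above, for anyone who wants to check a log against a fix list before clicking Fix Checked. It splits each line into the hive or startup folder, the bracketed name, and the launched program with its arguments (handling quoted paths, unquoted paths that contain spaces, and Global Startup .lnk entries), and looks names up the way the NOTE above suggests, by the text between the brackets. The sample lines are the ones from the post; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis's own report format: the O4 lines listed in the
# post above, plus an O23 service line that the O4 parser must ignore.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
"""

@dataclass
class StartupEntry:
    location: str  # registry hive ("HKLM", "HKCU", "HKUS\S-1-5-18", ...) or startup folder name
    key: str       # registry key ("Run", "RunOnce", ...); "" for startup-folder entries
    name: str      # the value name between the brackets, or the shortcut file name
    exe: str       # the program that gets launched
    args: str      # its command-line arguments, "" if none
    raw: str       # the original HijackThis line

# "O4 - <hive>\..\<key>: [<name>] <command>"
_REG_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - <folder>: <shortcut>.lnk = <command>"
_FOLDER_RE = re.compile(r"^O4 - (?P<folder>[^:]+): (?P<name>.+?) = (?P<cmd>.*)$")
# Unquoted commands may contain spaces, so cut after the first executable-looking extension.
_UNQUOTED_RE = re.compile(
    r"^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js|dll|cpl))(?:\s+(?P<args>.*))?$", re.IGNORECASE)

def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the launched program from its arguments, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = _UNQUOTED_RE.match(cmd)
    if m:
        return m.group("exe"), (m.group("args") or "").strip()
    return cmd, ""  # nothing recognisable: keep the whole command as the program

def parse_o4(line: str) -> Optional[StartupEntry]:
    """Parse one O4 line; returns None for anything else (other sections, blank lines)."""
    line = line.strip()
    m = _REG_RE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        return StartupEntry(m.group("hive"), m.group("key"), m.group("name"), exe, args, line)
    m = _FOLDER_RE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        return StartupEntry(m.group("folder"), "", m.group("name"), exe, args, line)
    return None

def parse_hjt_log(text: str) -> List[StartupEntry]:
    """All O4 entries of a HijackThis log, in report order."""
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e is not None]

def match_by_name(entries: List[StartupEntry], names: List[str]) -> Dict[str, Optional[StartupEntry]]:
    """Look up each bracket name (case-insensitive); None means the log has no such entry."""
    by_name = {e.name.lower(): e for e in entries}
    return {n: by_name.get(n.lower()) for n in names}

if __name__ == "__main__":
    for entry in parse_hjt_log(SAMPLE_HJT_LOG):
        print(f"{entry.location:<16} {entry.name:<22} {entry.exe}  {entry.args}")
```

Running the block prints one row per startup entry; match_by_name(entries, ["IntelliPoint"]) returns None for that name on this log, which is how a fix list copied from another thread shows up as not applicable to this machine.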

#14 Mel_P

Mel_P
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 25 October 2011 - 08:43 AM

Here's the ESET Log :

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=7dc076226df7f34d86f36e694c2d6d53
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-25 01:50:40
# local_time=2011-10-25 09:50:40 (-0500, Est (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777213 100 84 190281 70123221 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=60320
# found=1
# cleaned=0
# scan_time=3544
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.AJL trojan (unable to clean) 00000000000000000000000000000000 I


Thanks

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:39 PM

Posted 25 October 2011 - 12:28 PM

Hello

The online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - please let me know if you are still having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure - How to Secure Firefox


:Make sure your applications have all of their updates:

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select "Automatic (recommended): Automatically download recommended updates for my computer and install them".

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and updating them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machine.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days. If Anything Comes Up - Just Come Back And Let Me Know; after that time you will have to send me a PM.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
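An added example, not part of this thread and not ESET's code: a Python triage script for the Online Scanner log posted above, implementing the point gringo_pr makes that detections under C:\Qoobox\Quarantine\ or C:\System Volume Information\ are leftover backups rather than live infections. It reads the "# key=value" header, parses the detection rows (tab-separated as the scanner writes them, and also the space-collapsed form that forum pastes produce), sorts them into backups versus live findings, and cross-checks the "# found=" count and the remove_checked setting. The sample log reuses the first detection from the post; the other two rows, the function names and the meaning attached to the two backup locations are my assumptions, and the trailing hash-and-flag fields are kept but not interpreted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two locations the post above explains are only backups made during the fix
# (ComboFix's quarantine) or System Restore's cache. Assumption of this example: a
# detection under one of them is a leftover backup rather than an active infection,
# so it is dealt with by the cleanup steps in the post, not by another removal run.
BACKUP_LOCATIONS = (r"C:\Qoobox\Quarantine", r"C:\System Volume Information")

# Constructed sample in the scanner's own layout: "# key=value" header lines followed
# by tab-separated detection rows. Only the first row is taken from the thread; the
# other two paths are placeholders for a System Restore copy and a live file.
SAMPLE_ESET_LOG = "\n".join([
    "ESETSmartInstaller@High as CAB hook log:",
    "OnlineScanner.ocx - registred OK",
    "# version=7",
    "# end=finished",
    "# remove_checked=false",
    "# archives_checked=true",
    "# compatibility_mode=512 16777215 100 0 0 0 0 0",
    "# scanned=60320",
    "# found=3",
    "# cleaned=0",
    "\t".join([r"C:\Qoobox\Quarantine\MBR_HardDisk0.mbr", "Win32/Olmarik.AJL trojan (unable to clean)", "0" * 32, "I"]),
    "\t".join([r"C:\System Volume Information\_restore{PLACEHOLDER}\RP1\A0000001.mbr", "Win32/Olmarik.AJL trojan", "0" * 32, "I"]),
    "\t".join([r"C:\Documents and Settings\user\Local Settings\Temp\sample.exe", "Win32/Olmarik.AJL trojan", "0" * 32, "I"]),
])

@dataclass
class Detection:
    path: str
    threat: str
    extra: Tuple[str, ...] = ()  # trailing fields, kept verbatim and not interpreted here

    @property
    def is_backup(self) -> bool:
        return is_backup_location(self.path)

def _norm(p: str) -> str:
    return p.replace("/", "\\").rstrip("\\").lower()

def is_backup_location(path: str) -> bool:
    """True when path lies under one of BACKUP_LOCATIONS (case-insensitive, on a path boundary)."""
    p = _norm(path)
    return any(p == _norm(b) or p.startswith(_norm(b) + "\\") for b in BACKUP_LOCATIONS)

_HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
# Fallbacks for rows whose tabs were collapsed to single spaces when pasted into a forum:
# the path starts with a drive letter and the threat name contains a "/", as in Win32/Olmarik.
_SPACED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<threat>\S+/\S+.*?)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")
_SPACED_MIN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<threat>\S+/\S+.*)$")

def _split_detection(line: str) -> Optional[Tuple[str, str, Tuple[str, ...]]]:
    fields = [f.strip() for f in (line.split("\t") if "\t" in line else re.split(r" {2,}", line))]
    if len(fields) >= 2:
        return fields[0], fields[1], tuple(fields[2:])
    m = _SPACED_RE.match(line) or _SPACED_MIN_RE.match(line)
    if m:
        extra = tuple(v for v in (m.groupdict().get("hash"), m.groupdict().get("flag")) if v)
        return m.group("path"), m.group("threat"), extra
    return None  # installer chatter such as "OnlineScanner.ocx - registred OK"

def parse_eset_log(text: str) -> Tuple[Dict[str, List[str]], List[Detection]]:
    """Split a log into header values (a key may repeat, e.g. compatibility_mode) and detections."""
    headers: Dict[str, List[str]] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group("key"), []).append(m.group("value"))
            continue
        parsed = _split_detection(line.rstrip())
        if parsed:
            detections.append(Detection(*parsed))
    return headers, detections

def triage(text: str) -> Dict[str, object]:
    """Sort detections into leftover backups and live findings, with two sanity checks."""
    headers, detections = parse_eset_log(text)
    live = [d for d in detections if not d.is_backup]
    found = headers.get("found", [""])[-1]
    return {
        "backups": [d for d in detections if d.is_backup],
        "live": live,
        "backups_only": bool(detections) and not live,
        "found_matches": found.isdigit() and int(found) == len(detections),
        "remove_checked": headers.get("remove_checked", [""])[-1] == "true",
    }
```

triage(SAMPLE_ESET_LOG) returns two backup entries and one live one, so backups_only is False; on the log actually posted above it would be True, which is the case where the cleanup steps in the post, rather than another removal run, are the right response. found_matches being False would mean the paste is truncated and should be re-posted before drawing conclusions.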



