Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Nasty TDSS


  • This topic is locked This topic is locked
18 replies to this topic

#1 grizchicago

grizchicago

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 24 October 2011 - 07:43 PM

So I have been infected with a fairly nasty version of the TDSS virus aka the google redirect virus. I have tried using TDSSKiller but my variant is blocking it, I have tried renaming the file and changing the extension, to no avail. Please help


******UPDATE********* I Ran dds.com and I have posted the logs from it...

Attached Files


Edited by grizchicago, 24 October 2011 - 07:49 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 25 October 2011 - 02:18 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 grizchicago

grizchicago
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 25 October 2011 - 09:24 PM

Gringo,

The following is the ComboFix log. It took about 90 minutes to run. I have not really used the computer since my intial post, but I am still being re-directed by google searches. I should also metnion that in addition to the TDSS virus, we were infected by another, Windows Restore virus. I believe it has been removed but I am still experiencing performance issues. I tried running rkill before contacting you, but was unable to get it to execute and I cannot boot the computer in Safe Mode. Please advise on next steps.

Thanks

ComboFix 11-10-25.04 - Grisamore Family 10/25/2011 19:41:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1182 [GMT -5:00]
Running from: c:\documents and settings\Grisamore Family\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Grisamore Family\Application Data\Grisamore Family3SQLite3.dll
c:\documents and settings\Grisamore Family\Application Data\Grisamore Familylog.dat
c:\documents and settings\Grisamore Family\Application Data\Start
c:\documents and settings\Grisamore Family\Application Data\Start\temp_20E5ACDA\flash.10.0.32.18.ocx
c:\documents and settings\Kristen\Application Data\Dealio
c:\documents and settings\Kristen\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Kristen\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Sam\Application Data\Dealio
c:\documents and settings\Sam\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Sam\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\windows\dasetup.log
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\Adobe After Effects CS4.exe
c:\windows\wpe pro.INI
H:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-09-26 to 2011-10-26 )))))))))))))))))))))))))))))))
.
.
2011-10-24 02:28 . 2011-10-24 02:29 -------- d-----w- c:\program files\Paint.NET
2011-10-23 17:43 . 2011-09-01 16:38 767952 ----a-w- c:\windows\BDTSupport.dll
2011-10-23 17:43 . 2011-09-01 16:39 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-10-23 17:43 . 2011-09-01 16:39 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-10-23 17:43 . 2011-09-01 16:39 2189264 ----a-w- c:\windows\PCTBDCore.dll
2011-10-23 17:39 . 2010-07-16 19:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-10-23 17:39 . 2010-07-16 19:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-10-23 17:39 . 2011-07-19 14:18 252712 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-10-23 17:39 . 2011-08-23 16:45 326688 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-10-23 17:39 . 2011-03-02 16:39 162200 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-10-23 17:38 . 2011-08-18 14:31 184536 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-10-23 17:38 . 2011-07-19 14:23 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-10-23 17:38 . 2011-10-23 18:26 -------- d-----w- c:\program files\PC Tools Security
2011-10-23 03:09 . 2011-10-23 03:09 -------- d-----w- c:\program files\ESET
2011-10-20 02:10 . 2011-10-20 02:10 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-10-20 02:09 . 2011-10-20 02:09 -------- d-----w- c:\program files\Common Files\xing shared
2011-10-20 02:09 . 2011-10-20 02:09 150696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-10-20 02:08 . 2011-10-20 02:08 107008 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-10-19 04:14 . 2011-10-19 04:14 -------- d-----w- C:\Docu
2011-10-19 02:08 . 2011-10-22 04:42 -------- d-----w- c:\program files\YTDSETUP
2011-10-19 02:08 . 2011-07-07 18:26 17280 ----a-w- c:\windows\system32\roboot.exe
2011-10-19 02:08 . 2011-10-19 02:08 -------- d-----w- c:\program files\RegClean Pro
2011-10-19 01:57 . 2011-10-19 01:57 -------- d-----w- c:\windows\system32\drivers\NSM\0202000.026
2011-10-17 06:45 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-17 06:45 . 2011-10-17 06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-17 04:19 . 2011-10-17 04:19 -------- d-----w- c:\windows\system32\drivers\N360
2011-10-17 04:19 . 2011-10-17 04:19 -------- d-----w- c:\program files\Norton 360
2011-10-17 00:34 . 2011-10-17 00:34 -------- d-----w- c:\program files\Bonjour
2011-10-07 22:05 . 2011-10-07 22:05 323624 ----a-w- c:\windows\system32\wiaaut.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-21 16:12 . 2011-05-29 05:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 02:08 . 2006-08-22 18:20 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-10-20 02:08 . 2006-08-22 18:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-10-17 04:21 . 2008-09-24 15:19 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-17 04:21 . 2008-09-24 15:19 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2006-02-28 12:00 1858944 ------w- c:\windows\system32\win32k.sys
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 23:48 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2006-02-28 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 23:38 . 2011-09-16 01:44 132744 ----a-w- c:\windows\system32\drivers\NOF\0202000.01A\ccsetx86.sys
2011-10-02 18:09 . 2011-03-24 02:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2011-03-10 77656]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-18 4615552]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2011-06-08 822456]
"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2011-04-14 12036968]
"MusicManager"="c:\documents and settings\Grisamore Family\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2011-09-14 13128704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"anon_proxy_server"="c:\program files\Anon Proxy Server\htdocs\anon_proxy_server\pserver.exe" [2008-01-28 94208]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-10-20 273528]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-09-01 247760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-06 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-07 22:33 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"= 5000:TCP:AresChatServer
"59110:TCP"= 59110:TCP:Pando Media Booster
"59110:UDP"= 59110:UDP:Pando Media Booster
"56189:TCP"= 56189:TCP:Pando Media Booster
"56189:UDP"= 56189:UDP:Pando Media Booster
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"4897:TCP"= 4897:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/23/2011 12:39 PM 326688]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [10/23/2011 12:39 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [10/23/2011 12:39 PM 656320]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [10/16/2011 11:21 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [10/16/2011 11:21 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys [10/14/2011 6:10 PM 818808]
R1 ccSet_NOF;Norton Online Settings Manager;c:\windows\system32\drivers\NOF\0202000.01A\ccsetx86.sys [9/15/2011 8:44 PM 132744]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [1/24/2011 9:48 PM 22312]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [10/23/2011 12:38 PM 184536]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [10/16/2011 11:21 PM 136312]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/7/2010 12:54 AM 116608]
R2 anon_proxy_config;anon_proxy_config;c:\program files\Anon Proxy Server\bin\Apache.exe [1/9/2007 7:17 AM 20539]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [10/23/2011 12:43 PM 337872]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [10/16/2011 11:20 PM 130008]
R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.2.0.26\ccsvchst.exe [9/15/2011 8:44 PM 138760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [9/8/2010 11:23 PM 632792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/17/2011 12:14 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111022.030\IDSXpx86.sys [10/25/2011 4:53 AM 356280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:14 AM 135664]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [9/29/2010 11:16 PM 401920]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:14 AM 135664]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [4/29/2011 3:22 PM 36928]
S3 PTQHBUS;PANTECH Handset HSUSB Composite Device(MSM6290);c:\windows\system32\drivers\PTQHBUS.sys [7/4/2011 10:55 AM 55056]
S3 PTQHMDM;PANTECH HSUSB Modem(MSM6290);c:\windows\system32\drivers\PTQHMDM.sys [7/4/2011 10:55 AM 161040]
S3 PTQHVSP;PANTECH HSUSB Diagnostic Serial Port(MSM6290);c:\windows\system32\drivers\PTQHVSP.sys [7/4/2011 10:55 AM 161040]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [10/23/2011 12:38 PM 371472]
S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0202000.026\symrdr.sys [10/18/2011 8:17 PM 196600]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:14]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:14]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1870647804-938687962-1617214411-1005Core.job
- c:\documents and settings\Grisamore Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-20 21:46]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1870647804-938687962-1617214411-1005UA.job
- c:\documents and settings\Grisamore Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-20 21:46]
.
2011-10-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-25 c:\windows\Tasks\RegClean Pro_DEFAULT.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2011-10-19 18:26]
.
2011-10-20 c:\windows\Tasks\RegClean Pro_UPDATES.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2011-10-19 18:26]
.
2011-10-25 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-09-09 21:33]
.
2011-10-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-02 00:17]
.
2011-10-26 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-06-09 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Grisamore Family\Application Data\Mozilla\Firefox\Profiles\oigh03mr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-25 20:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-23MHB0 rev.03.01C03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-1d
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOF]
"ImagePath"="\"c:\program files\Norton Online\Engine\2.2.0.26\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.2.0.26\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,dc,db,f4,29,28,5e,46,ae,c9,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,dc,db,f4,29,28,5e,46,ae,c9,c5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1276)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(1340)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(5872)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2011-10-25 21:10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-26 02:10
.
Pre-Run: 12,289,916,928 bytes free
Post-Run: 11,972,993,024 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 06E8001717A4674327BAAB8FEA77898F

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 26 October 2011 - 09:00 AM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 grizchicago

grizchicago
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 26 October 2011 - 07:34 PM

Gringo,

The TDSS killer ran and it looks like it found one Rootkit. Here is the log. I have not used the computer for anything else, so I cannot comment on current performance. Thanks and please advise next steps.

Griz

15:33:50.0484 7260 TDSS rootkit removing tool 2.6.13.0 Oct 25 2011 13:56:21
15:33:51.0187 7260 ============================================================
15:33:51.0187 7260 Current date / time: 2011/10/26 15:33:51.0187
15:33:51.0187 7260 SystemInfo:
15:33:51.0187 7260
15:33:51.0187 7260 OS Version: 5.1.2600 ServicePack: 3.0
15:33:51.0187 7260 Product type: Workstation
15:33:51.0187 7260 ComputerName: UPSTAIRS
15:33:51.0187 7260 UserName: Grisamore Family
15:33:51.0187 7260 Windows directory: C:\WINDOWS
15:33:51.0187 7260 System windows directory: C:\WINDOWS
15:33:51.0187 7260 Processor architecture: Intel x86
15:33:51.0187 7260 Number of processors: 2
15:33:51.0187 7260 Page size: 0x1000
15:33:51.0187 7260 Boot type: Normal boot
15:33:51.0187 7260 ============================================================
15:33:53.0437 7260 Initialize success
15:33:59.0921 4972 ============================================================
15:33:59.0921 4972 Scan started
15:33:59.0921 4972 Mode: Manual;
15:33:59.0921 4972 ============================================================
15:34:00.0500 4972 Abiosdsk - ok
15:34:00.0531 4972 abp480n5 - ok
15:34:00.0578 4972 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:34:00.0593 4972 ACPI - ok
15:34:00.0640 4972 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:34:00.0656 4972 ACPIEC - ok
15:34:00.0656 4972 adpu160m - ok
15:34:00.0703 4972 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:34:00.0703 4972 aec - ok
15:34:00.0750 4972 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:34:00.0765 4972 AFD - ok
15:34:00.0765 4972 Aha154x - ok
15:34:00.0781 4972 aic78u2 - ok
15:34:00.0796 4972 aic78xx - ok
15:34:00.0812 4972 AliIde - ok
15:34:00.0828 4972 amsint - ok
15:34:00.0859 4972 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:34:00.0859 4972 Arp1394 - ok
15:34:00.0875 4972 asc - ok
15:34:00.0890 4972 asc3350p - ok
15:34:00.0906 4972 asc3550 - ok
15:34:00.0953 4972 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:34:00.0968 4972 AsyncMac - ok
15:34:00.0968 4972 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:34:00.0984 4972 atapi - ok
15:34:00.0984 4972 Atdisk - ok
15:34:01.0031 4972 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:34:01.0031 4972 Atmarpc - ok
15:34:01.0078 4972 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:34:01.0078 4972 audstub - ok
15:34:01.0187 4972 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:34:01.0203 4972 Beep - ok
15:34:01.0375 4972 BHDrvx86 (fe57ab6683f48264d1cd36f5d5ee95a8) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys
15:34:01.0406 4972 BHDrvx86 - ok
15:34:01.0437 4972 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
15:34:01.0437 4972 BthEnum - ok
15:34:01.0484 4972 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
15:34:01.0500 4972 BTHMODEM - ok
15:34:01.0531 4972 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
15:34:01.0531 4972 BthPan - ok
15:34:01.0578 4972 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
15:34:01.0609 4972 BTHPORT - ok
15:34:01.0703 4972 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
15:34:01.0718 4972 BTHUSB - ok
15:34:01.0875 4972 catchme - ok
15:34:01.0937 4972 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:34:01.0937 4972 cbidf2k - ok
15:34:02.0015 4972 ccSet_NOF (2b2f9b4a08190334a9c36446b208bae9) C:\WINDOWS\system32\drivers\NOF\0202000.01A\ccSetx86.sys
15:34:02.0015 4972 ccSet_NOF - ok
15:34:02.0031 4972 cd20xrnt - ok
15:34:02.0078 4972 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:34:02.0078 4972 Cdaudio - ok
15:34:02.0171 4972 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:34:02.0171 4972 Cdfs - ok
15:34:02.0328 4972 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:34:02.0328 4972 Cdrom - ok
15:34:02.0343 4972 Changer - ok
15:34:02.0359 4972 CmdIde - ok
15:34:02.0375 4972 Cpqarray - ok
15:34:02.0390 4972 dac2w2k - ok
15:34:02.0406 4972 dac960nt - ok
15:34:02.0437 4972 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:34:02.0437 4972 Disk - ok
15:34:02.0484 4972 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:34:02.0515 4972 dmboot - ok
15:34:02.0562 4972 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:34:02.0562 4972 dmio - ok
15:34:02.0593 4972 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:34:02.0593 4972 dmload - ok
15:34:02.0640 4972 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:34:02.0640 4972 DMusic - ok
15:34:02.0656 4972 dpti2o - ok
15:34:02.0687 4972 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:34:02.0687 4972 drmkaud - ok
15:34:02.0718 4972 DSI_SiUSBXp_3_1 (bc9c2ef22ee0320c079e3ff9b4d29951) C:\WINDOWS\system32\drivers\DSI_SiUSBXp_3_1.sys
15:34:02.0734 4972 DSI_SiUSBXp_3_1 - ok
15:34:02.0781 4972 e1express (6f7ccd3c02b26d530900f06d98171a69) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
15:34:02.0781 4972 e1express - ok
15:34:02.0937 4972 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
15:34:02.0968 4972 eeCtrl - ok
15:34:03.0062 4972 ElRawDisk (b8eac99b14772bdc36ca963aed109fa2) C:\WINDOWS\system32\drivers\dddsk.sys
15:34:03.0062 4972 ElRawDisk - ok
15:34:03.0109 4972 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
15:34:03.0109 4972 ENTECH - ok
15:34:03.0156 4972 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
15:34:03.0156 4972 EraserUtilRebootDrv - ok
15:34:03.0218 4972 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:34:03.0218 4972 Fastfat - ok
15:34:03.0234 4972 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
15:34:03.0250 4972 Fdc - ok
15:34:03.0265 4972 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:34:03.0265 4972 Fips - ok
15:34:03.0296 4972 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
15:34:03.0296 4972 Flpydisk - ok
15:34:03.0328 4972 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
15:34:03.0328 4972 FltMgr - ok
15:34:03.0375 4972 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:34:03.0375 4972 Fs_Rec - ok
15:34:03.0468 4972 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:34:03.0515 4972 Ftdisk - ok
15:34:03.0609 4972 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
15:34:03.0609 4972 GEARAspiWDM - ok
15:34:03.0671 4972 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:34:03.0687 4972 Gpc - ok
15:34:03.0765 4972 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:34:03.0843 4972 HDAudBus - ok
15:34:03.0875 4972 HECI (f971d05559ce11ee22af7a7dce6bcfad) C:\WINDOWS\system32\DRIVERS\HECI.sys
15:34:03.0875 4972 HECI - ok
15:34:03.0906 4972 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:34:03.0906 4972 hidusb - ok
15:34:03.0921 4972 hpn - ok
15:34:03.0968 4972 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
15:34:03.0984 4972 HPZid412 - ok
15:34:04.0000 4972 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
15:34:04.0000 4972 HPZipr12 - ok
15:34:04.0031 4972 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
15:34:04.0031 4972 HPZius12 - ok
15:34:04.0078 4972 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:34:04.0109 4972 HTTP - ok
15:34:04.0187 4972 i2omgmt - ok
15:34:04.0203 4972 i2omp - ok
15:34:04.0234 4972 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:34:04.0250 4972 i8042prt - ok
15:34:04.0531 4972 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111025.030\IDSxpx86.sys
15:34:04.0546 4972 IDSxpx86 - ok
15:34:04.0578 4972 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:34:04.0578 4972 Imapi - ok
15:34:04.0593 4972 ini910u - ok
15:34:04.0609 4972 IntelIde - ok
15:34:04.0656 4972 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:34:04.0656 4972 intelppm - ok
15:34:04.0687 4972 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
15:34:04.0687 4972 Ip6Fw - ok
15:34:04.0765 4972 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:34:04.0765 4972 IpFilterDriver - ok
15:34:04.0796 4972 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:34:04.0796 4972 IpInIp - ok
15:34:04.0843 4972 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:34:04.0859 4972 IpNat - ok
15:34:04.0906 4972 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:34:04.0906 4972 IPSec - ok
15:34:04.0953 4972 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:34:04.0953 4972 IRENUM - ok
15:34:04.0984 4972 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:34:05.0000 4972 isapnp - ok
15:34:05.0031 4972 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:34:05.0031 4972 Kbdclass - ok
15:34:05.0078 4972 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:34:05.0078 4972 kbdhid - ok
15:34:05.0140 4972 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:34:05.0140 4972 kmixer - ok
15:34:05.0187 4972 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:34:05.0187 4972 KSecDD - ok
15:34:05.0250 4972 L8042Kbd (d1968dea7baff4a917858c384339cec8) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
15:34:05.0250 4972 L8042Kbd - ok
15:34:05.0296 4972 lbrtfdc - ok
15:34:05.0343 4972 LHidFilt (24e0ddb99aeccf86bb37702611761459) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
15:34:05.0359 4972 LHidFilt - ok
15:34:05.0375 4972 LHidKe (6a255dcbb15d429a545d0f8fc1427970) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
15:34:05.0390 4972 LHidKe - ok
15:34:05.0406 4972 LMouFilt (d58b330d318361a66a9fe60d7c9b4951) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
15:34:05.0406 4972 LMouFilt - ok
15:34:05.0437 4972 LMouKE (e468833fcb45eced741ba18c5e6116e8) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
15:34:05.0437 4972 LMouKE - ok
15:34:05.0484 4972 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINDOWS\system32\drivers\MCSTRM.sys
15:34:05.0500 4972 MCSTRM - ok
15:34:05.0531 4972 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:34:05.0546 4972 mnmdd - ok
15:34:05.0578 4972 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:34:05.0593 4972 Modem - ok
15:34:05.0625 4972 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
15:34:05.0625 4972 motmodem - ok
15:34:05.0656 4972 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:34:05.0656 4972 Mouclass - ok
15:34:05.0671 4972 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:34:05.0687 4972 mouhid - ok
15:34:05.0687 4972 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:34:05.0703 4972 MountMgr - ok
15:34:05.0703 4972 mraid35x - ok
15:34:05.0765 4972 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:34:05.0765 4972 MRxDAV - ok
15:34:05.0859 4972 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:34:05.0875 4972 MRxSmb - ok
15:34:05.0906 4972 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:34:05.0906 4972 Msfs - ok
15:34:05.0953 4972 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:34:05.0953 4972 MSKSSRV - ok
15:34:05.0968 4972 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:34:05.0984 4972 MSPCLOCK - ok
15:34:06.0000 4972 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:34:06.0000 4972 MSPQM - ok
15:34:06.0046 4972 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:34:06.0046 4972 mssmbios - ok
15:34:06.0078 4972 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:34:06.0078 4972 Mup - ok
15:34:06.0125 4972 NAL (1e59aaed42a5e3a5ed86ec403f9c0776) C:\WINDOWS\system32\Drivers\iqvw32.sys
15:34:06.0125 4972 NAL - ok
15:34:06.0406 4972 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111026.002\NAVENG.SYS
15:34:06.0406 4972 NAVENG - ok
15:34:06.0484 4972 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111026.002\NAVEX15.SYS
15:34:06.0500 4972 NAVEX15 - ok
15:34:06.0593 4972 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:34:06.0609 4972 NDIS - ok
15:34:06.0656 4972 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:34:06.0656 4972 NdisTapi - ok
15:34:06.0687 4972 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:34:06.0703 4972 Ndisuio - ok
15:34:06.0734 4972 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:34:06.0750 4972 NdisWan - ok
15:34:06.0796 4972 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:34:06.0796 4972 NDProxy - ok
15:34:06.0859 4972 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:34:06.0859 4972 NetBIOS - ok
15:34:06.0937 4972 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:34:06.0937 4972 NetBT - ok
15:34:06.0984 4972 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
15:34:07.0000 4972 NIC1394 - ok
15:34:07.0031 4972 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:34:07.0046 4972 Npfs - ok
15:34:07.0078 4972 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:34:07.0140 4972 Ntfs - ok
15:34:07.0187 4972 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
15:34:07.0203 4972 NuidFltr - ok
15:34:07.0218 4972 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:34:07.0218 4972 Null - ok
15:34:07.0390 4972 nv (5645072033c2e51386e91bc137c0beb5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:34:07.0531 4972 nv - ok
15:34:07.0562 4972 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:34:07.0562 4972 NwlnkFlt - ok
15:34:07.0593 4972 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:34:07.0593 4972 NwlnkFwd - ok
15:34:07.0625 4972 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
15:34:07.0625 4972 ohci1394 - ok
15:34:07.0640 4972 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
15:34:07.0640 4972 Parport - ok
15:34:07.0656 4972 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:34:07.0656 4972 PartMgr - ok
15:34:07.0703 4972 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:34:07.0703 4972 ParVdm - ok
15:34:07.0765 4972 PCAMPR5 - ok
15:34:07.0796 4972 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:34:07.0812 4972 PCI - ok
15:34:07.0812 4972 PCIDump - ok
15:34:07.0843 4972 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:34:07.0843 4972 PCIIde - ok
15:34:07.0859 4972 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:34:07.0875 4972 Pcmcia - ok
15:34:07.0921 4972 PCTCore (55e00ae13bb55e66030f2eb429a33156) C:\WINDOWS\system32\drivers\PCTCore.sys
15:34:07.0937 4972 PCTCore - ok
15:34:07.0984 4972 pctDS (f820b4c61d1e591325b679d479d4eea4) C:\WINDOWS\system32\drivers\pctDS.sys
15:34:08.0000 4972 pctDS - ok
15:34:08.0062 4972 pctEFA (acc8c15f3d59f17c5d903ff1de3b43d3) C:\WINDOWS\system32\drivers\pctEFA.sys
15:34:08.0093 4972 pctEFA - ok
15:34:08.0140 4972 PCTSD (c718f517b49b23d456b4a70789035df5) C:\WINDOWS\system32\Drivers\PCTSD.sys
15:34:08.0156 4972 PCTSD - ok
15:34:08.0171 4972 PDCOMP - ok
15:34:08.0171 4972 PDFRAME - ok
15:34:08.0187 4972 PDRELI - ok
15:34:08.0203 4972 PDRFRAME - ok
15:34:08.0218 4972 perc2 - ok
15:34:08.0218 4972 perc2hib - ok
15:34:08.0265 4972 pfc (da86016f0672ada925f589ede715f185) C:\WINDOWS\system32\drivers\pfc.sys
15:34:08.0265 4972 pfc - ok
15:34:08.0312 4972 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:34:08.0328 4972 PptpMiniport - ok
15:34:08.0359 4972 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:34:08.0359 4972 PSched - ok
15:34:08.0406 4972 PsSdk41 (0c234a4a2fbab98e5e1bafaf3e3e403a) C:\WINDOWS\system32\Drivers\pssdk41.sys
15:34:08.0421 4972 PsSdk41 - ok
15:34:08.0468 4972 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:34:08.0484 4972 Ptilink - ok
15:34:08.0531 4972 PTQHBUS (f4e13daa6a40755914f87c57b139d0be) C:\WINDOWS\system32\DRIVERS\PTQHBUS.sys
15:34:08.0531 4972 PTQHBUS - ok
15:34:08.0578 4972 PTQHMDM (66dac2bd1ce1c91c22ac9fa278e1e035) C:\WINDOWS\system32\DRIVERS\PTQHMDM.sys
15:34:08.0578 4972 PTQHMDM - ok
15:34:08.0625 4972 PTQHVSP (53dd3005d3b4b99709220213d33d4be3) C:\WINDOWS\system32\DRIVERS\PTQHVSP.sys
15:34:08.0625 4972 PTQHVSP - ok
15:34:08.0687 4972 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
15:34:08.0687 4972 PxHelp20 - ok
15:34:08.0703 4972 ql1080 - ok
15:34:08.0718 4972 Ql10wnt - ok
15:34:08.0734 4972 ql12160 - ok
15:34:08.0734 4972 ql1240 - ok
15:34:08.0750 4972 ql1280 - ok
15:34:08.0781 4972 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:34:08.0781 4972 RasAcd - ok
15:34:08.0828 4972 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:34:08.0828 4972 Rasl2tp - ok
15:34:08.0843 4972 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:34:08.0859 4972 RasPppoe - ok
15:34:08.0890 4972 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:34:08.0890 4972 Raspti - ok
15:34:08.0937 4972 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:34:08.0937 4972 Rdbss - ok
15:34:08.0953 4972 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:34:08.0953 4972 RDPCDD - ok
15:34:09.0000 4972 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
15:34:09.0015 4972 RDPWD - ok
15:34:09.0062 4972 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:34:09.0062 4972 redbook - ok
15:34:09.0109 4972 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
15:34:09.0109 4972 RFCOMM - ok
15:34:09.0218 4972 SABProcEnum - ok
15:34:09.0281 4972 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
15:34:09.0281 4972 SASDIFSV - ok
15:34:09.0312 4972 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
15:34:09.0312 4972 SASENUM - ok
15:34:09.0343 4972 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
15:34:09.0343 4972 SASKUTIL - ok
15:34:09.0421 4972 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:34:09.0421 4972 Secdrv - ok
15:34:09.0468 4972 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:34:09.0468 4972 serenum - ok
15:34:09.0515 4972 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
15:34:09.0515 4972 Serial - ok
15:34:09.0562 4972 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:34:09.0562 4972 Sfloppy - ok
15:34:09.0625 4972 sfng32 (5fe18fff6fbcf218290042009eab023d) C:\WINDOWS\system32\drivers\sfng32.sys
15:34:09.0640 4972 sfng32 - ok
15:34:09.0656 4972 Simbad - ok
15:34:09.0671 4972 Sparrow - ok
15:34:09.0718 4972 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:34:09.0718 4972 splitter - ok
15:34:09.0734 4972 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:34:09.0734 4972 sr - ok
15:34:09.0812 4972 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSP.SYS
15:34:09.0828 4972 SRTSP - ok
15:34:09.0875 4972 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS
15:34:09.0875 4972 SRTSPX - ok
15:34:09.0953 4972 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:34:09.0953 4972 Srv - ok
15:34:10.0093 4972 STHDA (784b73bd9d1c0fba6ca96e8976f4b0e6) C:\WINDOWS\system32\drivers\sthda.sys
15:34:10.0140 4972 STHDA - ok
15:34:10.0187 4972 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
15:34:10.0187 4972 StillCam - ok
15:34:10.0203 4972 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:34:10.0203 4972 swenum - ok
15:34:10.0250 4972 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:34:10.0250 4972 swmidi - ok
15:34:10.0265 4972 symc810 - ok
15:34:10.0281 4972 symc8xx - ok
15:34:10.0359 4972 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS
15:34:10.0375 4972 SymDS - ok
15:34:10.0500 4972 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS
15:34:10.0515 4972 SymEFA - ok
15:34:10.0578 4972 SymEvent (98d28d08e68145fb550ee7670b43baf2) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
15:34:10.0578 4972 SymEvent - ok
15:34:10.0656 4972 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS
15:34:10.0671 4972 SymIRON - ok
15:34:10.0718 4972 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A} (a4e35857dda02a96ce92b98fe4708c29) C:\WINDOWS\System32\Drivers\NSM\0202000.026\SymRdr.SYS
15:34:10.0734 4972 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A} - ok
15:34:10.0796 4972 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMTDI.SYS
15:34:10.0812 4972 SYMTDI - ok
15:34:10.0843 4972 sym_hi - ok
15:34:10.0859 4972 sym_u3 - ok
15:34:10.0921 4972 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:34:10.0921 4972 sysaudio - ok
15:34:10.0984 4972 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:34:11.0000 4972 Tcpip - ok
15:34:11.0046 4972 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:34:11.0046 4972 TDPIPE - ok
15:34:11.0093 4972 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:34:11.0093 4972 TDTCP - ok
15:34:11.0125 4972 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:34:11.0140 4972 TermDD - ok
15:34:11.0187 4972 TIEHDUSB (a1124ebc672aa3ae1b327096c1dcc346) C:\WINDOWS\system32\drivers\tiehdusb.sys
15:34:11.0187 4972 TIEHDUSB - ok
15:34:11.0203 4972 TosIde - ok
15:34:11.0234 4972 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:34:11.0234 4972 Udfs - ok
15:34:11.0250 4972 ultra - ok
15:34:11.0296 4972 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:34:11.0343 4972 Update - ok
15:34:11.0375 4972 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
15:34:11.0390 4972 USBAAPL - ok
15:34:11.0421 4972 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
15:34:11.0421 4972 usbaudio - ok
15:34:11.0468 4972 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:34:11.0468 4972 usbccgp - ok
15:34:11.0515 4972 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:34:11.0515 4972 usbehci - ok
15:34:11.0562 4972 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:34:11.0562 4972 usbhub - ok
15:34:11.0593 4972 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:34:11.0593 4972 usbprint - ok
15:34:11.0640 4972 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:34:11.0640 4972 usbscan - ok
15:34:11.0703 4972 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:34:11.0703 4972 USBSTOR - ok
15:34:11.0750 4972 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:34:11.0750 4972 usbuhci - ok
15:34:11.0781 4972 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:34:11.0796 4972 VgaSave - ok
15:34:11.0921 4972 ViaIde - ok
15:34:11.0984 4972 vmm (817da66b1b889fad1dbf669e0e2f3228) C:\WINDOWS\system32\Drivers\vmm.sys
15:34:12.0000 4972 vmm - ok
15:34:12.0046 4972 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:34:12.0046 4972 VolSnap - ok
15:34:12.0203 4972 VPCNetS2 (2abe8281db609d8bb1bd1b2f93800d5f) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
15:34:12.0203 4972 VPCNetS2 - ok
15:34:12.0562 4972 W8335XP (7455b3c11a1d6a844b53febdb58646e9) C:\WINDOWS\system32\DRIVERS\WG311v3XP.sys
15:34:12.0703 4972 W8335XP - ok
15:34:13.0015 4972 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:34:13.0078 4972 Wanarp - ok
15:34:13.0234 4972 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
15:34:13.0250 4972 Wdf01000 - ok
15:34:13.0265 4972 WDICA - ok
15:34:13.0312 4972 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:34:13.0312 4972 wdmaud - ok
15:34:13.0375 4972 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
15:34:13.0375 4972 WpdUsb - ok
15:34:13.0406 4972 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:34:13.0406 4972 WS2IFSL - ok
15:34:13.0453 4972 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:34:13.0453 4972 WudfPf - ok
15:34:13.0484 4972 WUDFRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\WUDFRd.sys
15:34:13.0484 4972 WUDFRd - ok
15:34:13.0515 4972 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
15:34:13.0515 4972 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - infected
15:34:13.0515 4972 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
15:34:13.0515 4972 Boot (0x1200) (fcbe5fcb0986d4f16da0571700fd4813) \Device\Harddisk0\DR0\Partition0
15:34:13.0515 4972 \Device\Harddisk0\DR0\Partition0 - ok
15:34:13.0515 4972 ============================================================
15:34:13.0515 4972 Scan finished
15:34:13.0515 4972 ============================================================
15:34:13.0531 7836 Detected object count: 1
15:34:13.0531 7836 Actual detected object count: 1
15:34:42.0609 7836 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - will be cured on reboot
15:34:42.0609 7836 \Device\Harddisk0\DR0 - ok
15:34:42.0609 7836 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - User select action: Cure
15:34:52.0781 1408 Deinitialize success

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 26 October 2011 - 08:36 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files\Ask.com


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 grizchicago

grizchicago
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 27 October 2011 - 12:00 AM

Gringo,

The following is the report from ComboFix. Since this is all I have done, I have nothing to report on the computer's performance. Please advise on next steps.

Thanks,

Griz

ComboFix 11-10-26.08 - Grisamore Family 10/26/2011 22:36:00.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1260 [GMT -5:00]
Running from: c:\documents and settings\Grisamore Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Grisamore Family\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Grisamore Family\Start Menu\Programs\System Restore
c:\documents and settings\Grisamore Family\System
c:\documents and settings\Grisamore Family\System\win_qs8.jqx
c:\documents and settings\Grisamore Family\WINDOWS
C:\Images
c:\images\DirCfg.ini
c:\program files\Ask.com
c:\program files\Ask.com\assets\oobe\b.png
c:\program files\Ask.com\assets\oobe\bl.png
c:\program files\Ask.com\assets\oobe\br.png
c:\program files\Ask.com\assets\oobe\l.png
c:\program files\Ask.com\assets\oobe\pointer.png
c:\program files\Ask.com\assets\oobe\r.png
c:\program files\Ask.com\assets\oobe\t.png
c:\program files\Ask.com\assets\oobe\tl.png
c:\program files\Ask.com\assets\oobe\tr.png
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_2758.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\install
.
.
((((((((((((((((((((((((( Files Created from 2011-09-27 to 2011-10-27 )))))))))))))))))))))))))))))))
.
.
2011-10-24 02:28 . 2011-10-24 02:29 -------- d-----w- c:\program files\Paint.NET
2011-10-23 17:43 . 2011-09-01 16:38 767952 ----a-w- c:\windows\BDTSupport.dll
2011-10-23 17:43 . 2011-09-01 16:39 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-10-23 17:43 . 2011-09-01 16:39 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-10-23 17:43 . 2011-09-01 16:39 2189264 ----a-w- c:\windows\PCTBDCore.dll
2011-10-23 17:39 . 2010-07-16 19:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-10-23 17:39 . 2010-07-16 19:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-10-23 17:39 . 2011-07-19 14:18 252712 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-10-23 17:39 . 2011-08-23 16:45 326688 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-10-23 17:39 . 2011-03-02 16:39 162200 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-10-23 17:38 . 2011-08-18 14:31 184536 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-10-23 17:38 . 2011-07-19 14:23 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-10-23 17:38 . 2011-10-23 18:26 -------- d-----w- c:\program files\PC Tools Security
2011-10-23 03:09 . 2011-10-23 03:09 -------- d-----w- c:\program files\ESET
2011-10-20 02:10 . 2011-10-20 02:10 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-10-20 02:09 . 2011-10-20 02:09 -------- d-----w- c:\program files\Common Files\xing shared
2011-10-20 02:09 . 2011-10-20 02:09 150696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-10-20 02:08 . 2011-10-20 02:08 107008 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-10-19 04:14 . 2011-10-19 04:14 -------- d-----w- C:\Docu
2011-10-19 02:08 . 2011-10-22 04:42 -------- d-----w- c:\program files\YTDSETUP
2011-10-19 02:08 . 2011-07-07 18:26 17280 ----a-w- c:\windows\system32\roboot.exe
2011-10-19 02:08 . 2011-10-19 02:08 -------- d-----w- c:\program files\RegClean Pro
2011-10-19 01:57 . 2011-10-19 01:57 -------- d-----w- c:\windows\system32\drivers\NSM\0202000.026
2011-10-17 06:45 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-17 06:45 . 2011-10-17 06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-17 04:19 . 2011-10-17 04:19 -------- d-----w- c:\windows\system32\drivers\N360
2011-10-17 04:19 . 2011-10-17 04:19 -------- d-----w- c:\program files\Norton 360
2011-10-17 00:34 . 2011-10-17 00:34 -------- d-----w- c:\program files\Bonjour
2011-10-07 22:05 . 2011-10-07 22:05 323624 ----a-w- c:\windows\system32\wiaaut.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-21 16:12 . 2011-05-29 05:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 02:08 . 2006-08-22 18:20 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-10-20 02:08 . 2006-08-22 18:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-10-17 04:21 . 2008-09-24 15:19 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-17 04:21 . 2008-09-24 15:19 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2006-02-28 12:00 1858944 ------w- c:\windows\system32\win32k.sys
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 23:48 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2006-02-28 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 23:38 . 2011-09-16 01:44 132744 ----a-w- c:\windows\system32\drivers\NOF\0202000.01A\ccsetx86.sys
2011-10-02 18:09 . 2011-03-24 02:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-26_01.47.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-26 20:40 . 2011-10-26 20:40 16384 c:\windows\Temp\Perflib_Perfdata_b8c.dat
+ 2011-10-26 20:38 . 2011-10-26 20:38 16384 c:\windows\Temp\Perflib_Perfdata_b44.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2011-03-10 77656]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-18 4615552]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2011-06-08 822456]
"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2011-04-14 12036968]
"MusicManager"="c:\documents and settings\Grisamore Family\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2011-09-14 13128704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"anon_proxy_server"="c:\program files\Anon Proxy Server\htdocs\anon_proxy_server\pserver.exe" [2008-01-28 94208]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-10-20 273528]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-09-01 247760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-06 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-07 22:33 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"= 5000:TCP:AresChatServer
"59110:TCP"= 59110:TCP:Pando Media Booster
"59110:UDP"= 59110:UDP:Pando Media Booster
"56189:TCP"= 56189:TCP:Pando Media Booster
"56189:UDP"= 56189:UDP:Pando Media Booster
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"4897:TCP"= 4897:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/23/2011 12:39 PM 326688]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [10/23/2011 12:39 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [10/23/2011 12:39 PM 656320]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [10/16/2011 11:21 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [10/16/2011 11:21 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys [10/14/2011 6:10 PM 818808]
R1 ccSet_NOF;Norton Online Settings Manager;c:\windows\system32\drivers\NOF\0202000.01A\ccsetx86.sys [9/15/2011 8:44 PM 132744]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [1/24/2011 9:48 PM 22312]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [10/23/2011 12:38 PM 184536]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [10/16/2011 11:21 PM 136312]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/7/2010 12:54 AM 116608]
R2 anon_proxy_config;anon_proxy_config;c:\program files\Anon Proxy Server\bin\Apache.exe [1/9/2007 7:17 AM 20539]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [10/23/2011 12:43 PM 337872]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [10/16/2011 11:20 PM 130008]
R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.2.0.26\ccsvchst.exe [9/15/2011 8:44 PM 138760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [9/8/2010 11:23 PM 632792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/17/2011 12:14 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111026.030\IDSXpx86.sys [10/26/2011 6:01 PM 356280]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:14 AM 135664]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [9/29/2010 11:16 PM 401920]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:14 AM 135664]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [4/29/2011 3:22 PM 36928]
S3 PTQHBUS;PANTECH Handset HSUSB Composite Device(MSM6290);c:\windows\system32\drivers\PTQHBUS.sys [7/4/2011 10:55 AM 55056]
S3 PTQHMDM;PANTECH HSUSB Modem(MSM6290);c:\windows\system32\drivers\PTQHMDM.sys [7/4/2011 10:55 AM 161040]
S3 PTQHVSP;PANTECH HSUSB Diagnostic Serial Port(MSM6290);c:\windows\system32\drivers\PTQHVSP.sys [7/4/2011 10:55 AM 161040]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [10/23/2011 12:38 PM 371472]
S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0202000.026\symrdr.sys [10/18/2011 8:17 PM 196600]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:14]
.
2011-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:14]
.
2011-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1870647804-938687962-1617214411-1005Core.job
- c:\documents and settings\Grisamore Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-20 21:46]
.
2011-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1870647804-938687962-1617214411-1005UA.job
- c:\documents and settings\Grisamore Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-20 21:46]
.
2011-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1870647804-938687962-1617214411-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1870647804-938687962-1617214411-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 18:40]
.
2011-10-26 c:\windows\Tasks\RegClean Pro_DEFAULT.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2011-10-19 18:26]
.
2011-10-27 c:\windows\Tasks\RegClean Pro_UPDATES.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2011-10-19 18:26]
.
2011-10-26 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-09-09 21:33]
.
2011-10-27 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-06-09 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Grisamore Family\Application Data\Mozilla\Firefox\Profiles\oigh03mr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-26 23:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOF]
"ImagePath"="\"c:\program files\Norton Online\Engine\2.2.0.26\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.2.0.26\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,dc,db,f4,29,28,5e,46,ae,c9,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,dc,db,f4,29,28,5e,46,ae,c9,c5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1240)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(1328)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-10-26 23:21:14
ComboFix-quarantined-files.txt 2011-10-27 04:21
ComboFix2.txt 2011-10-26 02:10
.
Pre-Run: 13,363,703,808 bytes free
Post-Run: 13,385,687,040 bytes free
.
- - End Of File - - 072C4ED2FB6F00A3B1E8EA22AF6CB282

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 27 October 2011 - 12:34 AM

Hello


check out the computer and let me know how things are and if all is working


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 30 October 2011 - 02:55 PM

how did things go



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 grizchicago

grizchicago
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 30 October 2011 - 03:10 PM

Everything seems to be going well. I have not expirienced any redirects since.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 30 October 2011 - 04:14 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.3
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1


and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.
[/list]
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 grizchicago

grizchicago
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 30 October 2011 - 10:46 PM

Gringo,

Thanks for your continued support with this problem. The computer has been stable since my last post a few days ago. I have not had any redirects or random audio playing. The computer also has not randomly locked up on me. I'm not sure if your procedures had anything to do with this, but at least once a day previously the computer would freeze up and I would have to reboot. I also took your advice and removed the Frostwire P2P filesharing program. The following are the logs you requested. I look forward to your reply on next steps.

Griz

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:40:42 PM, on 10/30/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Anon Proxy Server\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Anon Proxy Server\bin\Apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\2.2.0.26\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Online\Engine\2.2.0.26\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Anon Proxy Server\htdocs\anon_proxy_server\pserver.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\PC Tools Security\BDT\FGuard.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Garmin\ANT Agent\ANT Agent.exe
C:\Documents and Settings\Grisamore Family\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Norton Safety Minder BHO - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\2.2.0.38\coIEPlg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\coIEPlg.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [anon_proxy_server] "C:\Program Files\Anon Proxy Server\htdocs\anon_proxy_server\pserver.exe" -run
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCTools FGuard] C:\Program Files\PC Tools Security\BDT\FGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ANT Agent] C:\Program Files\Garmin\ANT Agent\ANT Agent.exe
O4 - HKCU\..\Run: [MusicManager] "C:\Documents and Settings\Grisamore Family\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_2_0_0_71.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.gatx.com/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194399880281
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188346599578
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/swf/feedingfrenzy/SproutLauncher.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: anon_proxy_config - Apache Software Foundation - C:\Program Files\Anon Proxy Server\bin\Apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\2.2.0.26\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 16683 bytes

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8049

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/30/2011 10:35:30 PM
mbam-log-2011-10-30 (22-35-30).txt

Scan type: Quick scan
Objects scanned: 226317
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 30 October 2011 - 10:56 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
      O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
      O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
      O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
      O4 - HKCU\..\Run: [MusicManager] "C:\Documents and Settings\Grisamore Family\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brakets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:35 AM

Posted 01 November 2011 - 11:47 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 grizchicago

grizchicago
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 02 November 2011 - 08:49 PM

Sorry for the delay. I had trouble with the Eset scan. I forgot that I had previously installed it and so everytime I tried to download it it just hung. I finally got the scan to run last night and it took many hours. The following are the scan logs from Eset and Mbam:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=d9d3a97267ebb945809c09f9e9ef476e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-10-23 07:47:19
# local_time=2011-10-23 02:47:19 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777173 100 84 0 69915834 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=326772
# found=5
# cleaned=5
# scan_time=16304
C:\Documents and Settings\Grisamore Family\My Documents\Downloads\flvconverter_free.exe Win32/Adware.OneStep application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Search Settings\SearchSettings.dll Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Search Settings\SearchSettings.exe Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Search Settings\SearchSettingsRes409.dll Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=d9d3a97267ebb945809c09f9e9ef476e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-11-02 05:59:31
# local_time=2011-11-02 12:59:31 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777189 100 84 359759 70766624 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=334953
# found=15
# cleaned=0
# scan_time=23045
C:\Documents and Settings\Grisamore Family\.frostwire5\updates\frostwire-5.1.4.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\Application Data\FrostWire\.AppSpecialShare\frostwire-5.0.8.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\Application Data\OpenCandy\OpenCandy_DF67E1301DB4445E802ACB958BCB4988\LatestDLMgr.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\Desktop\frostwire-4.21.3.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\My Documents\Downloads\flstudio_10.0_online.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\My Documents\Downloads\frostwire-4.21.3.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Grisamore Family\My Documents\Downloads\Sony Vegas 10 Keygen + Patch.rar multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F319918C-1703-425F-B3F3-05F2ACD6C3BC}\RP1424\A0436968.exe probably a variant of Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F319918C-1703-425F-B3F3-05F2ACD6C3BC}\RP1424\A0436969.dll Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F319918C-1703-425F-B3F3-05F2ACD6C3BC}\RP1424\A0436970.exe Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F319918C-1703-425F-B3F3-05F2ACD6C3BC}\RP1424\A0436971.dll Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I


MAB log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8049

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/30/2011 10:35:30 PM
mbam-log-2011-10-30 (22-35-30).txt

Scan type: Quick scan
Objects scanned: 226317
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users