Malicious software svchost.exe, google redirect, and Unknown


This topic is locked
9 replies to this topic

#1 ScoobysDoo

  • Members
  • 5 posts

Posted 23 January 2012 - 09:59 PM

I first became aware of this problem when my computer started to slow down significantly. Here's a list of problems that I have noticed during the past 2 weeks. This computer is a Windows XP Sony Vaio laptop.

1. CPU Usage at 99%, caused by svchost.exe - slows down computer significantly
2. Norton removed 3 trojan files and blocked several attacks by "malicious tool kit website 13"
3. Anti-Malware program removed 3 infected files.
4. Google searches on Firefox are redirected to AskTheCrew related websites - I believe this is a browser embedded virus.
5. Computer can't restart and can't go into hibernation mode.
6. Clock on the bottom right hand corner of the computer does not update, sometimes stuck at a specific time for a long period of time.
7. Startup time of computer after reboot takes at least 8 minutes and sometimes stays permanently frozen.
8. Gmer.exe scan failed to finish and was terminated by the computer. The computer then restarted on its own.

Thank you in advance for taking the time to look into my computer's problems.

Below is the DDS.txt Data.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_25
Run by Yi Fang at 16:20:38 on 2012-01-23
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1014.165 [GMT -6:00]
.
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\conime.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.princetonreview.com/StudentTools.aspx
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyServer = proxy.swmed.edu:3128
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\19.2.0.10\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\19.2.0.10\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.2.0.10\coIEPlg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON NX410 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifca.exe /fu "c:\windows\temp\E_S703.tmp" /EF "HKCU"
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\ahead\data\xtras\mssysmgr.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: QQ
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{78FCDE8B-FCC3-4A58-A2BC-4D3D5B81274E} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: karna.dat
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\yi fang\application data\mozilla\firefox\profiles\tdbeki59.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.ftp - proxy.swmed.edu
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - proxy.swmed.edu
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - proxy.swmed.edu
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - proxy.swmed.edu
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - proxy.swmed.edu
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\yi fang\application data\mozilla\firefox\profiles\tdbeki59.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\yi fang\application data\mozilla\firefox\profiles\tdbeki59.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\yi fang\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\yi fang\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1302000.00a\symds.sys [2011-11-13 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1302000.00a\symefa.sys [2011-11-13 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\bashdefs\20111223.001\BHDrvx86.sys [2011-11-30 820344]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1302000.00a\ccsetx86.sys [2011-11-13 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1302000.00a\ironx86.sys [2011-11-13 149624]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.2.0.10\ccsvchst.exe [2011-11-13 138760]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-6 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-23 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\ipsdefs\20120120.002\IDSXpx86.sys [2012-1-20 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\virusdefs\20120123.002\naveng.sys [2012-1-23 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\virusdefs\20120123.002\navex15.sys [2012-1-23 1576312]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-15 226304]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-15 29184]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2012-01-16 21:30:25 -------- d-----w- c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2012-01-14 16:03:04 57856 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2012-01-14 16:03:04 57856 ----a-w- c:\windows\system32\spoolsv.exe
.
==================== Find3M ====================
.
2011-12-22 05:01:56 2829 ----a-w- c:\windows\War3Unin.pif
2011-12-22 05:01:56 139264 ----a-w- c:\windows\War3Unin.exe
2011-11-13 23:47:00 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-11-13 23:47:00 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-19 00:26:29 11702 ----a-w- c:\program files\common files\itaxenini.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541010G9SA00 rev.MBZOC65D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x868042C6
user & kernel MBR OK
.
============= FINISH: 16:27:23.01 ===============


Edited by ScoobysDoo, 23 January 2012 - 10:23 PM.



#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 January 2012 - 10:04 PM

Hello ScoobysDoo,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



1.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.


2.
Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes.


3.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Edited by fireman4it, 23 January 2012 - 10:04 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 ScoobysDoo (Topic Starter)

  • Members
  • 5 posts

Posted 23 January 2012 - 10:18 PM

Thank you so much fireman4it for the quick reply and help!

I currently have Norton Anti-Virus, should I disable its features during this procedure or keep it on?

Here is the log of my MBRCHECK

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 144):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E3000 \WINDOWS\system32\hal.dll
0x8560F000 \WINDOWS\system32\KDCOM.DLL
0xF7A92000 \WINDOWS\system32\BOOTVID.dll
0xF754F000 ACPI.sys
0xF7B7E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF753E000 pci.sys
0xF767E000 ohci1394.sys
0xF768E000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF769E000 isapnp.sys
0xF7A96000 compbatt.sys
0xF7A9A000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7C46000 pciide.sys
0xF78FE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7520000 pcmcia.sys
0xF76AE000 MountMgr.sys
0xF7501000 ftdisk.sys
0xF7A9E000 ACPIEC.sys
0xF7C47000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7906000 PartMgr.sys
0xF76BE000 VolSnap.sys
0xF74E9000 atapi.sys
0xF74D8000 SI3132.sys
0xF74C0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF76CE000 disk.sys
0xF76DE000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A0000 fltMgr.sys
0xF7449000 SYMDS.SYS
0xF7437000 sr.sys
0xF7356000 SYMEFA.SYS
0xF7AA2000 SiWinAcc.sys
0xF76EE000 PxHelp20.sys
0xF733F000 KSecDD.sys
0xF72B2000 Ntfs.sys
0xF7285000 NDIS.sys
0xF7B80000 SiRemFil.sys
0xF726A000 Mup.sys
0xF782E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7232000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6B40000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6B2C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6B06000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF69A9000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xF7A7E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6986000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7A86000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF783E000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6949000 \SystemRoot\system32\drivers\ti21sony.sys
0xF6921000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF7916000 \SystemRoot\System32\Drivers\SonyNC.sys
0xF784E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF793E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6907000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xF7946000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF785E000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF786E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF787E000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF68E4000 \SystemRoot\system32\DRIVERS\ks.sys
0xF722A000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF788E000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xF7222000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xF7CD2000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF789E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF720D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF68CD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF78AE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF78BE000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF794E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF68BC000 \SystemRoot\system32\DRIVERS\psched.sys
0xF78CE000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF795E000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7956000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF688B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF78DE000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BEC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF680A000 \SystemRoot\system32\DRIVERS\update.sys
0xF71ED000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF78EE000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xF770E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA6BB000 \SystemRoot\system32\drivers\sthda.sys
0xAA699000 \SystemRoot\system32\drivers\portcls.sys
0xF773E000 \SystemRoot\system32\drivers\drmk.sys
0xAA667000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xAA573000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xAA4C2000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7966000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6D1B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7BF0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA97DE000 \SystemRoot\system32\drivers\NIS\1302000.00A\ccSetx86.sys
0xA97B7000 \SystemRoot\system32\drivers\NIS\1302000.00A\Ironx86.SYS
0xF7BF6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CC5000 \SystemRoot\System32\Drivers\Null.SYS
0xF798E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7996000 \SystemRoot\System32\drivers\vga.sys
0xF7BF8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BFA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79A6000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79AE000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7B66000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA9784000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA972C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA96CF000 \SystemRoot\System32\Drivers\NIS\1302000.00A\SYMTDI.SYS
0xA96AE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA9688000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xF6D0B000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF6CFB000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA9605000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120120.002\IDSxpx86.sys
0xA95DD000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA95BB000 \SystemRoot\System32\drivers\afd.sys
0xF6CEB000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF6CDB000 \SystemRoot\system32\drivers\NIS\1302000.00A\SRTSPX.SYS
0xA94F0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9481000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6CCB000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9423000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA9405000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xF7D01000 \SystemRoot\system32\DRIVERS\DMICall.sys
0xA9339000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20111223.001\BHDrvx86.sys
0xF7201000 \SystemRoot\System32\Drivers\ASPI32.SYS
0xF777E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA92F9000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7C0E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF668A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF79E6000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7DCA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF7A36000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA91B1000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA90C9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8DBC000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9059000 \SystemRoot\system32\drivers\sysaudio.sys
0xA8981000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA88F0000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8979000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA87D1000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8711000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xA7B49000 \??\C:\WINDOWS\system32\Drivers\PROCEXP151.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 59):
0 System Idle Process
4 System
804 C:\WINDOWS\system32\smss.exe
876 csrss.exe
900 C:\WINDOWS\system32\winlogon.exe
948 C:\WINDOWS\system32\services.exe
968 C:\WINDOWS\system32\lsass.exe
1136 C:\WINDOWS\system32\svchost.exe
1220 svchost.exe
1280 C:\WINDOWS\system32\svchost.exe
1388 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1448 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1576 svchost.exe
1628 svchost.exe
1804 C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
636 C:\WINDOWS\explorer.exe
684 C:\WINDOWS\system32\spoolsv.exe
740 C:\WINDOWS\system32\ctfmon.exe
1320 C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
1380 C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
1504 C:\Program Files\Sony\ISB Utility\ISBMgr.exe
1556 C:\WINDOWS\system32\igfxpers.exe
1564 C:\WINDOWS\system32\hkcmd.exe
1468 C:\Program Files\Apoint\Apoint.exe
1720 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1728 C:\WINDOWS\ehome\ehtray.exe
1640 C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
2008 C:\Program Files\Apoint\ApntEx.exe
2032 C:\WINDOWS\system32\conime.exe
216 svchost.exe
236 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
252 C:\WINDOWS\ehome\ehrecvr.exe
352 C:\WINDOWS\ehome\ehSched.exe
476 C:\Program Files\Java\jre6\bin\jqs.exe
548 C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
1356 C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe
1664 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2072 C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
2224 svchost.exe
2508 C:\WINDOWS\system32\svchost.exe
2652 C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe
2816 C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
3124 C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
3208 igfxext.exe
3232 C:\Program Files\Viewpoint\Common\ViewpointService.exe
3264 igfxsrvc.exe
3288 C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
3332 mcrdsvc.exe
3700 C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
2328 C:\WINDOWS\ehome\ehmsas.exe
2456 C:\WINDOWS\system32\dllhost.exe
3492 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
3664 alg.exe
2956 C:\WINDOWS\system32\wuauclt.exe
2464 C:\Program Files\Mozilla Firefox\firefox.exe
1976 C:\Program Files\Mozilla Firefox\plugin-container.exe
3916 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
3936 C:\Documents and Settings\Yi Fang\Desktop\procexp.exe
3948 C:\Documents and Settings\Yi Fang\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`c01a2400 (NTFS)

PhysicalDrive0 Model Number: HTS541010G9SA00, Rev: MBZOC65D

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Results of the Listparts scan

ListParts by Farbar
Ran by Yi Fang on 23-01-2012 at 21:10:19
Windows XP (X86)
Running From: C:\Documents and Settings\Yi Fang\Desktop
************************************************************

========================= Memory info ======================

Percentage of memory in use: 86%
Total physical RAM: 1014.09 MB
Available physical RAM: 138.84 MB
Total Pagefile: 2436.32 MB
Available Pagefile: 1580.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.46 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:86.16 GB) (Free:37.27 GB) NTFS ==>[Drive with boot components (Windows XP)]

There are no fixed disks to show.


****** End Of Log ******

Results of the aswMBR test

aswMBR version 0.9.9.1509 Copyright© 2011 AVAST Software
Run date: 2012-01-23 21:12:35
-----------------------------
21:12:35.656 OS Version: Windows 5.1.2600 Service Pack 2
21:12:35.656 Number of processors: 2 586 0xE08
21:12:35.656 ComputerName: YI UserName:
21:12:37.609 Initialize success
21:12:49.344 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
21:12:49.344 Disk 0 Vendor: HTS541010G9SA00 MBZOC65D Size: 95396MB BusType: 3
21:12:49.359 Disk 1 \Device\Harddisk1\DR3 -> \Device\00000096
21:12:49.359 Disk 1 Vendor: ( Size: 95396MB BusType: 0
21:12:49.375 Device \Driver\atapi -> DriverStartIo 867d72c6
21:12:49.375 Disk 0 MBR read error 0
21:12:49.375 Disk 0 MBR scan
21:12:49.390 Disk 0 unknown MBR code
21:12:49.390 MBR BIOS signature not found 0
21:12:49.406 Disk 0 scanning sectors +195366465
21:12:49.469 Disk 0 scanning C:\WINDOWS\system32\drivers
21:12:59.531 Service scanning
21:13:01.922 Modules scanning
21:13:32.703 Disk 0 trace - called modules:
21:13:32.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867d749f]<<
21:13:32.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f63ab8]
21:13:32.765 3 CLASSPNP.SYS[f76df05b] -> nt!IofCallDriver -> \Device\0000008e[0x86f659e8]
21:13:32.781 5 ACPI.sys[f7555620] -> nt!IofCallDriver -> [0x86ef5940]
21:13:32.797 \Driver\atapi[0x86b79360] -> IRP_MJ_CREATE -> 0x867d749f
21:13:32.812 Scan finished successfully
21:13:46.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Yi Fang\Desktop\MBR.dat"
21:13:46.375 The log file has been saved successfully to "C:\Documents and Settings\Yi Fang\Desktop\aswMBR.txt"

Edited by ScoobysDoo, 23 January 2012 - 10:22 PM.
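A small triage script that scans the kinds of lines DDS (post #1) and aswMBR (post #3) print and lists the entries a responder looks at first: AppInit_DLLs values, DriverStartIo hooks, unrecognised MBR code, orphaned toolbar CLSIDs, proxy settings, a disabled AV and phantom disks. It is an added example, not a BleepingComputer tool and not code from DDS or aswMBR; the rule table and its severities are heuristics written for this example, and the sample log lines are constructed, modelled on the logs posted in this thread.

```python
"""Triage helper for DDS and aswMBR style logs.

Added example for this thread; it is not a BleepingComputer, DDS or aswMBR
tool. It scans pasted log lines for the entries a malware responder looks at
first and returns them with a severity, so a long log can be skimmed quickly.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


# Heuristic rule table written for this example: (pattern, severity, reason).
# Patterns follow the line formats DDS and aswMBR print, as seen in the thread.
RULES = [
    (re.compile(r"^AppInit_DLLs:\s*\S+"), "high",
     "non-empty AppInit_DLLs: the DLL is loaded into every process that loads user32.dll"),
    (re.compile(r"DriverStartIo\s*(?:->)?\s*(?:0x)?[0-9A-Fa-f]{6,}"), "high",
     "DriverStartIo hook reported; on a disk driver such as atapi this is a common rootkit indicator"),
    (re.compile(r"unknown MBR code|MBR BIOS signature not found"), "high",
     "aswMBR does not recognise the boot code; the MBR may have been modified"),
    (re.compile(r"^TB:\s*\{[0-9A-Fa-f-]+\}\s*-\s*No File"), "medium",
     "toolbar CLSID registered but its DLL is missing"),
    (re.compile(r"Internet Settings,ProxyServer\s*=\s*\S+"), "medium",
     "system proxy is set; confirm it is expected for this network"),
    (re.compile(r"^AV:.*\*Disabled"), "medium",
     "antivirus reports itself disabled"),
    (re.compile(r"Disk \d+ Vendor:\s*\(\s+Size"), "medium",
     "disk with an empty vendor string; check for a phantom device"),
]


def triage(lines):
    """Return a Finding for every (line, rule) pair that matches."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for pattern, severity, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, reason, line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 4, "medium": 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a handful of lines modelled on the DDS and aswMBR
# output posted in the thread, plus benign lines that must not be flagged.
SAMPLE_LOG = r"""
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
uInternet Settings,ProxyServer = proxy.example.net:3128
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.2.0.10\coIEPlg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: karna.dat
\Driver\atapi DriverStartIo -> 0x868042C6
21:12:49.359 Disk 1 Vendor: ( Size: 95396MB BusType: 0
21:12:49.390 Disk 0 unknown MBR code
21:12:49.390 MBR BIOS signature not found 0
"""


def triage_sample():
    """Run the rules over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage_sample()))
```

Feed it a real log with `triage(open("DDS.txt").read().splitlines())`; a flagged line is a starting point for inspection, not a verdict.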


#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 January 2012 - 02:11 AM

Hello,


Please disable Norton during fixing of your machine.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
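The TDSSKiller log the helper asks for has a regular line shape, so a helper can pull out the system info, the driver inventory and every flagged object with a small parser instead of scrolling past hundreds of "- ok" lines. The script below is an added example, not code from this thread or from Kaspersky's tool; it assumes only the line formats visible in the TDSSKiller log posted later in this thread, and its sample input is constructed (the computer name and the second flagged object are placeholders).

```python
"""Triage a TDSSKiller log of the kind pasted in this thread.

Added example, not code from the thread or from Kaspersky's tool. It relies only
on line shapes visible in the posted log: a 'HH:MM:SS.0fff PID message' prefix,
'Name (md5) path' driver lines, and '<object> ( <threat> ) - <verdict>' lines.
"""
import re
from dataclasses import dataclass, field

# "08:49:47.0614 2288 <message>": timestamp, process id, then the message.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# Driver inventory: "ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\...\ACPI.sys"
DRIVER_RE = re.compile(r"^(\S+)\s+\(([0-9a-f]{32})\)\s+(.+)$")
# Verdict on a flagged object: "\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected"
VERDICT_RE = re.compile(r"^(.+?) \( (.+?) \) - (.+)$")
# Header and footer key/value lines worth keeping for the triage summary.
KV_RE = re.compile(r"^(OS Version|ComputerName|UserName|Boot type|"
                   r"Detected object count|Actual detected object count): (.+)$")
# Verdicts that mean the tool will actually repair the object.
CURED = ("will be cured on reboot", "User select action: Cure")


@dataclass
class Finding:
    obj: str                 # device, file or registry object that was flagged
    threat: str              # detection name reported by the tool
    verdicts: list = field(default_factory=list)   # verdict strings in log order

    @property
    def cured(self) -> bool:
        # Skip, Delete or no action at all leaves the object open for the helper.
        return any(v in CURED for v in self.verdicts)


@dataclass
class Report:
    info: dict = field(default_factory=dict)      # key -> value from header/footer
    drivers: dict = field(default_factory=dict)   # name -> (md5, path)
    findings: dict = field(default_factory=dict)  # object -> Finding
    unparsed: list = field(default_factory=list)  # lines without the timestamp prefix


def parse_tdsskiller_log(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            rep.unparsed.append(raw)
            continue
        msg = m.group(3).strip()
        if kv := KV_RE.match(msg):
            rep.info[kv.group(1)] = kv.group(2).strip()
        elif drv := DRIVER_RE.match(msg):
            rep.drivers[drv.group(1)] = (drv.group(2), drv.group(3))
        elif vd := VERDICT_RE.match(msg):
            obj, threat, verdict = vd.groups()
            rep.findings.setdefault(obj, Finding(obj, threat)).verdicts.append(verdict)
    return rep


def open_findings(rep: Report) -> list:
    """Flagged objects that were not cured; these need follow-up by the helper."""
    return sorted(f.obj for f in rep.findings.values() if not f.cured)


def consistent_counts(rep: Report) -> bool:
    """Cross-check the footer's 'Detected object count' against the verdict lines parsed."""
    declared = rep.info.get("Detected object count")
    return declared is not None and int(declared) == len(rep.findings)


# Constructed excerpt modelled on the log in this thread (computer name replaced,
# driver list shortened) plus one invented placeholder object the user chose to Skip.
SAMPLE_LOG = r"""
08:46:41.0947 3932 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
08:46:43.0946 3932 OS Version: 5.1.2600 ServicePack: 2.0
08:46:43.0946 3932 ComputerName: EXAMPLE-PC
08:46:43.0946 3932 Boot type: Normal boot
08:47:26.0395 2288 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:47:26.0442 2288 ACPI - ok
08:48:23.0592 2288 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:49:47.0614 2288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:49:47.0614 2288 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:49:47.0620 2288 C:\WINDOWS\system32\drivers\example.sys ( Rootkit.Win32.Placeholder.a ) - infected
08:49:47.0723 2248 Detected object count: 2
08:49:47.0723 2248 Actual detected object count: 2
09:05:41.0738 2248 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
09:05:42.0284 2248 \Device\Harddisk0\DR0 - ok
09:05:42.0284 2248 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
09:05:42.0300 2248 C:\WINDOWS\system32\drivers\example.sys ( Rootkit.Win32.Placeholder.a ) - User select action: Skip
09:06:03.0501 3244 Deinitialize success
"""

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(rep.drivers)} drivers inventoried, {len(rep.findings)} objects flagged")
    print("open findings:", open_findings(rep))
    print("counts consistent:", consistent_counts(rep))
```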


#5 ScoobysDoo

ScoobysDoo
  • Topic Starter

  • Members
  • 5 posts
  • Local time:06:26 AM

Posted 24 January 2012 - 11:16 AM

Thank you again for your help. After running through both programs, the computer seems to be running better. I'll play around with it more to see if anything comes up.

The TDSSKiller.exe found and removed 1 object. Below is the TDSS file report.


08:46:41.0947 3932 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
08:46:43.0946 3932 ============================================================
08:46:43.0946 3932 Current date / time: 2012/01/24 08:46:43.0946
08:46:43.0946 3932 SystemInfo:
08:46:43.0946 3932
08:46:43.0946 3932 OS Version: 5.1.2600 ServicePack: 2.0
08:46:43.0946 3932 Product type: Workstation
08:46:43.0946 3932 ComputerName: YI
08:46:43.0946 3932 UserName: Yi Fang
08:46:43.0946 3932 Windows directory: C:\WINDOWS
08:46:43.0946 3932 System windows directory: C:\WINDOWS
08:46:43.0946 3932 Processor architecture: Intel x86
08:46:43.0946 3932 Number of processors: 2
08:46:43.0946 3932 Page size: 0x1000
08:46:43.0946 3932 Boot type: Normal boot
08:46:43.0946 3932 ============================================================
08:47:03.0116 3932 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:47:03.0429 3932 Initialize success
08:47:19.0443 2288 ============================================================
08:47:19.0443 2288 Scan started
08:47:19.0443 2288 Mode: Manual;
08:47:19.0443 2288 ============================================================
08:49:47.0567 2288 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
08:49:47.0614 2288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:49:47.0614 2288 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:49:47.0692 2288 Boot (0x1200) (3b5d759b72386666f9b36171d0cdf862) \Device\Harddisk0\DR0\Partition0
08:49:47.0692 2288 \Device\Harddisk0\DR0\Partition0 - ok
08:49:47.0692 2288 ============================================================
08:49:47.0692 2288 Scan finished
08:49:47.0692 2288 ============================================================
08:49:47.0723 2248 Detected object count: 1
08:49:47.0723 2248 Actual detected object count: 1
09:05:41.0738 2248 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
09:05:42.0284 2248 \Device\Harddisk0\DR0 - ok
09:05:42.0284 2248 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
09:06:03.0501 3244 Deinitialize success

Below is the Combofix text file. Somehow the program ran in Chinese, but I managed to piece together what to do based on the protocol you provided.


ComboFix 12-01-23.02 - Yi Fang 4/2012 Tue 9:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1014.563 [GMT -6:00]
执行位置: c:\documents and settings\Yi Fang\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Yi Fang\WINDOWS
c:\windows\fipatesago.exe
c:\windows\kb835221.exe
c:\windows\kb913800.exe
c:\windows\windows-kb870669-x86-enu.exe
c:\windows\windowsinstaller-kb893803-v2-x86.exe
c:\windows\windowsxp-kb307154-x86-enu.exe
c:\windows\windowsxp-kb873339-x86-enu.exe
c:\windows\windowsxp-kb884018-x86-enu.exe
c:\windows\windowsxp-kb884575-x86-enu.exe
c:\windows\windowsxp-kb885250-x86-enu.exe
c:\windows\windowsxp-kb885835-x86-enu.exe
c:\windows\windowsxp-kb885836-x86-enu.exe
c:\windows\windowsxp-kb886185-x86-enu.exe
c:\windows\windowsxp-kb887472-x86-enu.exe
c:\windows\windowsxp-kb887742-x86-enu.exe
c:\windows\windowsxp-kb888113-x86-enu.exe
c:\windows\windowsxp-kb888239-x86-enu.exe
c:\windows\windowsxp-kb888302-x86-enu.exe
c:\windows\windowsxp-kb888321-x86-enu.exe
c:\windows\windowsxp-kb890046-x86-enu.exe
c:\windows\windowsxp-kb890859-x86-enu.exe
c:\windows\windowsxp-kb891781-x86-enu.exe
c:\windows\WindowsXP-KB893056-x86-ENU.exe
c:\windows\windowsxp-kb893066-v2-x86-enu.exe
c:\windows\windowsxp-kb893357-v2-x86-enu.exe
c:\windows\windowsxp-kb893756-x86-enu.exe
c:\windows\windowsxp-kb894391-x86-enu.exe
c:\windows\windowsxp-kb896358-x86-enu.exe
c:\windows\windowsxp-kb896422-x86-enu.exe
c:\windows\windowsxp-kb896423-x86-enu.exe
c:\windows\windowsxp-kb896424-x86-enu.exe
c:\windows\windowsxp-kb896428-x86-enu.exe
c:\windows\windowsxp-kb896688-x86-enu.exe
c:\windows\windowsxp-kb896727-x86-enu.exe
c:\windows\windowsxp-kb899587-x86-enu.exe
c:\windows\windowsxp-kb899588-x86-enu.exe
c:\windows\windowsxp-kb899589-x86-enu.exe
c:\windows\windowsxp-kb899591-x86-enu.exe
c:\windows\windowsxp-kb900725-x86-enu.exe
c:\windows\windowsxp-kb901017-x86-enu.exe
c:\windows\windowsxp-kb901214-x86-enu.exe
c:\windows\windowsxp-kb902400-x86-enu.exe
c:\windows\windowsxp-kb903235-x86-enu.exe
c:\windows\windowsxp-kb904706-x86-enu.exe
c:\windows\windowsxp-kb905414-x86-enu.exe
c:\windows\windowsxp-kb905749-x86-enu.exe
c:\windows\windowsxp-kb905915-x86-enu.exe
c:\windows\windowsxp-kb908519-x86-enu.exe
c:\windows\windowsxp-kb909667-x86-enu.exe
c:\windows\windowsxp-kb910437-x86-enu.exe
c:\windows\windowsxp-kb910728-x86-enu.exe
c:\windows\windowsxp-kb912919-x86-enu.exe
c:\windows\windowsxp-kb912945-x86-enu.exe
.
.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TDSSSERV
.
.
((((((((((((((((((((((((( 2011-12-24 至 2012-01-24 的新的档案 )))))))))))))))))))))))))))))))
.
.
2012-01-17 23:06 . 2012-01-17 23:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-16 21:30 . 2012-01-16 21:40 -------- d-----w- c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2012-01-14 23:35 . 2012-01-14 23:35 -------- d-s---w- c:\documents and settings\LocalService\UserData
2012-01-14 18:00 . 2012-01-14 18:00 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-14 16:03 . 2004-08-10 12:00 57856 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2012-01-14 16:03 . 2004-08-10 12:00 57856 ----a-w- c:\windows\system32\spoolsv.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-22 05:01 . 2011-12-22 04:50 2829 ----a-w- c:\windows\War3Unin.pif
2011-12-22 05:01 . 2011-12-22 04:50 139264 ----a-w- c:\windows\War3Unin.exe
2011-11-13 23:47 . 2010-11-15 02:05 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-11-13 23:47 . 2010-11-15 02:05 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-19 00:26 . 2008-10-19 00:26 11702 ----a-w- c:\program files\Common Files\itaxenini.dll
2011-12-05 01:33 . 2011-05-17 20:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExecAfterFirstBoot]
2005-03-16 19:22 204800 ----a-w- c:\windows\SONYSYS\EFlyer\ExecAfterFirstBoot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-10 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-10 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2005-10-12 05:36 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:*:Disabled:Warcraft
"6113:TCP"= 6113:TCP:*:Disabled:Warcraft 3
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1302000.00A\symds.sys [11/13/2011 6:03 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1302000.00A\symefa.sys [11/13/2011 6:03 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 8:25 PM 820344]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1302000.00A\ccsetx86.sys [11/13/2011 6:03 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1302000.00A\ironx86.sys [11/13/2011 6:03 PM 149624]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe [11/13/2011 6:02 PM 138760]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/6/2007 11:15 PM 24652]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120120.002\IDSXpx86.sys [1/20/2012 5:16 AM 356280]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/15/2006 5:57 PM 226304]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/15/2006 5:57 PM 29184]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/26/2009 8:56 PM 717296]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.princetonreview.com/StudentTools.aspx
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyServer = proxy.swmed.edu:3128
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: QQ
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Yi Fang\Application Data\Mozilla\Firefox\Profiles\tdbeki59.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.ftp - proxy.swmed.edu
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - proxy.swmed.edu
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - proxy.swmed.edu
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - proxy.swmed.edu
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - proxy.swmed.edu
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
.
.
------- 文件类型 -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-mxomssmenu - c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe
SafeBoot-TDSSmxoe.sys
MSConfigStartUp-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 09:57
Windows 5.1.2600 Service Pack 2 NTFS
.
扫描被隐藏的进程 。。。
.
扫描被隐藏的启动组 。。。
.
扫描被隐藏的文件 。。。
.
扫描完成
被隐藏的档案: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\??*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- 运行进程下的动态链接库 ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\VESWinlogon.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
完成时间: 2012-01-24 10:03:03 - 电脑已重新启动
ComboFix-quarantined-files.txt 2012-01-24 16:02
.
Pre-Run: 39,826,931,712 bytes free
Post-Run: 40,851,013,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3D5643DC82BF2E96D762EF39E9AB51CD

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 January 2012 - 01:01 PM

Hello,

Glad to hear your machine is running better. Let's update Java and run a couple of other scanners to make sure there are no leftovers.

1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

3.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Things to include in your next reply:
MBAM log
Eset log
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 ScoobysDoo

ScoobysDoo
  • Topic Starter

  • Members
  • 5 posts

Posted 24 January 2012 - 08:17 PM

Thanks again fireman4it for your continual help.

Here is the MBAM log, nothing was detected from this scan.


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.24.05

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Yi Fang :: YI [administrator]

1/24/2012 1:18:52 PM
mbam-log-2012-01-24 (13-18-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183677
Time elapsed: 8 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


And I ran the ESET Online scan twice, nothing was found. Sorry I couldn't find how to post the log as the Export feature was not presented to me.

From these two scans, does this mean my computer is infection free? Everything seems to be running much much faster! :thumbsup:
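A check a practitioner might run after seeing that MBAM finding, added here as an example (not part of the thread or of any tool mentioned in it): a PowerShell audit of the Security Center values that both logs touched. It assumes the standard Security Center value names FirewallDisableNotify, AntiVirusDisableNotify and UpdatesDisableNotify under HKLM and HKCU; the Monitoring\<vendor> entries that ComboFix listed are only reported, because a registered third-party suite such as Norton sets them legitimately.

```powershell
# Added example, not from the thread. Audits the Windows Security Center
# notification-suppression values (MBAM flagged FirewallDisableNotify=1 above as
# PUM.Disabled.SecurityCenter; the good value is 0) and reports the per-vendor
# DisableMonitoring entries that ComboFix listed. HKLM changes need an elevated shell.
function Get-SecurityCenterAudit {
    [CmdletBinding()]
    param(
        # Reset any non-zero *DisableNotify value back to 0 (the "Good" value MBAM reports).
        [switch]$Remediate
    )

    # Value names Security Center uses to silence its own warnings (assumed standard names).
    $notifyNames = 'FirewallDisableNotify', 'AntiVirusDisableNotify', 'UpdatesDisableNotify'
    $hives = 'HKLM:\SOFTWARE\Microsoft\Security Center',
             'HKCU:\SOFTWARE\Microsoft\Security Center'

    foreach ($hive in $hives) {
        if (-not (Test-Path -Path $hive)) { continue }
        $props = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
        foreach ($name in $notifyNames) {
            $data = $props.$name
            if ($null -eq $data) { continue }        # value absent: the default (0) applies
            $bad = ($data -ne 0)
            $fixed = $false
            if ($bad -and $Remediate) {
                Set-ItemProperty -Path $hive -Name $name -Value 0 -Type DWord
                $fixed = $true
            }
            $status = if ($bad) { 'BAD' } else { 'OK' }
            [pscustomobject]@{
                Key    = $hive
                Name   = $name
                Data   = $data
                Status = $status
                Fixed  = $fixed
            }
        }
    }

    # Monitoring\<vendor>\DisableMonitoring=1 is expected when a third-party suite has
    # registered with Security Center (the ComboFix log shows it for SymantecAntiVirus and
    # SymantecFirewall). Report it for review; never change it automatically.
    $mon = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (Test-Path -Path $mon) {
        $keys = @(Get-Item -Path $mon) + @(Get-ChildItem -Path $mon)
        foreach ($key in $keys) {
            $v = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).DisableMonitoring
            if ($null -ne $v) {
                [pscustomobject]@{
                    Key    = $key.PSPath
                    Name   = 'DisableMonitoring'
                    Data   = $v
                    Status = 'INFO'
                    Fixed  = $false
                }
            }
        }
    }
}

# Report only; add -Remediate from an elevated prompt to reset BAD entries to 0.
Get-SecurityCenterAudit | Format-Table -AutoSize
```

An INFO row for a vendor you do not have installed is worth investigating, since malware also uses these keys to keep Security Center quiet.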


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 January 2012 - 09:19 PM

Hello, ScoobysDoo.
Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the text below into the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring up the Run... command and then from there you can add in the ComboFix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".



Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



One of the most common questions found when cleaning malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software or that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer to help reduce the chance of being infected again in the future.

Do not use P2P programs
Peer-to-peer or file-sharing programs (such as uTorrent, LimeWire and BitTorrent) are probably the primary route of infection nowadays. These programs allow file sharing between users as the name(s) suggest. It is almost impossible to know whether the file you're downloading through P2P programs is safe.

It is therefore possible to be infected by downloading infected files via peer-to-peer programs and so I recommend that you do not use these programs. Should you wish to use them, they must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

In addition, P2P programs facilitate cyber crime and help distribute pirated software, movies and other illegal material.

Practice Safe Internet
Another one of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.

Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is themselves infected with malware which is trying to infect everyone in their address book. A key thing to look out for here is: does the email sound as though it’s from the person you know? Often, the email may simply have a web link or a “Run this file to make your PC run fast” message in it.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop-ups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. Removal instructions for a lot of these "rogues" can be found here.
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you, or will download a file to your PC without your knowledge. You can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake. DO NOT click on these windows; instead close them by finding the open window on your Taskbar, right click and choose close.
  • Do not visit pornographic websites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do, as this can often form part of their funding.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link you should message back to the person asking if it is legit.
  • Stay away from Warez and Crack sites! As with Peer-2-Peer programs, in addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download files from a site, and are not sure if they are legitimate, you can use tools such as BitDefender Traffic Light, Norton Safe Web, or McAfee SiteAdvisor to look up info on the site and stay protected against malicious sites. Please be sure to only choose and install one of those tool bars.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
    Sometimes even legitimate programs will try to bundle extra, unwanted, software with the program you want - this is done to raise money for the program. Be sure to untick any boxes which may indicate that other programs will be downloaded.

Keep Windows up-to-date
Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

  • Windows XP users
    You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.
  • Windows Vista users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.
  • Windows 7 users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP1) can be obtained directly from Microsoft here.


Keep your browser secure
Most modern browsers have come on in leaps and bounds with their inbuilt, default security. The best way to keep your browser secure nowadays is simply to keep it up-to-date.

The latest versions of the three common browsers can be found below:

Use an AntiVirus Software
It is very important that your computer has an up-to-date anti-virus software on it which has a real-time agent running. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources, a couple of free Anti-Virus programs you may be interested in are Microsoft Security Essentials and Avast.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Use a Firewall
I cannot stress enough how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.

All versions of Windows starting from XP have a built-in firewall. With Windows XP this firewall will protect you from incoming traffic (i.e. hackers). Starting with Windows Vista, the firewall was beefed up to also protect you against outgoing traffic (i.e. malicious programs installed on your machine should be blocked from sending data, such as your bank details and passwords, out).

In addition, if you connect to the internet via a router, this will normally have a built-in firewall.

Some people will recommend installing a different firewall (instead of the one built into Windows). This is a personal choice, but the message is to definitely have one! For a tutorial on firewalls and a listing of some available ones see this link: Understanding and Using Firewalls

Install an Anti-Malware program
Recommended, and free, Anti-Malware programs are Malwarebytes Anti-Malware and SuperAntiSpyware.

You should regularly (perhaps once a week) scan your computer with an anti-malware program just as you would with antivirus software.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is very important to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities (such as Adobe Reader and Java). You can check these by visiting Secunia Software Inspector.

Follow this list and your potential for being infected again will reduce dramatically.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!

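The checklist in the post above (firewall on, anti-virus present and current, Windows updates applied, commonly exploited applications up to date) can be verified from a PowerShell prompt rather than by clicking through each control panel. The audit script below is an added example and is not code from the forum post or its author. It assumes Windows Vista/7 or later (Windows XP has neither the HNetCfg.FwPolicy2 COM object nor the root\SecurityCenter2 WMI namespace, so the first two checks will fail there) and an elevated prompt; the decoding of the Security Center productState field follows the commonly used but undocumented bit layout.

```powershell
# Added audit script (not from the forum post). Checks the prevention
# checklist: firewall profiles, anti-virus state, pending Windows updates,
# and versions of commonly exploited applications.
# Assumptions: Windows Vista/7 or later (HNetCfg.FwPolicy2 and the
# root\SecurityCenter2 namespace do not exist on XP) and an elevated prompt.

function Get-FirewallStatus {
    # INetFwPolicy2 COM interface. Profile types: 1 = Domain, 2 = Private, 4 = Public.
    $fw    = New-Object -ComObject HNetCfg.FwPolicy2
    $names = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
    foreach ($type in 1, 2, 4) {
        # Default actions: 0 = allow, 1 = block. Outbound defaults to allow even
        # on Vista/7; outbound filtering only bites once DefaultOutboundAction
        # is set to block and explicit allow rules exist for wanted programs.
        $inbound  = if ($fw.DefaultInboundAction($type)  -eq 1) { 'Block' } else { 'Allow' }
        $outbound = if ($fw.DefaultOutboundAction($type) -eq 1) { 'Block' } else { 'Allow' }
        New-Object PSObject -Property @{
            Profile         = $names[$type]
            Enabled         = $fw.FirewallEnabled($type)
            DefaultInbound  = $inbound
            DefaultOutbound = $outbound
        }
    }
}

function Get-AntiVirusStatus {
    # productState is not documented by Microsoft; the commonly used decoding
    # treats it as six hex digits SSRRUU, where RR = 10 means real-time
    # protection is on and UU = 00 means definitions are current.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            New-Object PSObject -Property @{
                Product          = $_.displayName
                RealTimeEnabled  = ($hex.Substring(2, 2) -eq '10')
                DefinitionsFresh = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Get-PendingUpdates {
    # Windows Update Agent COM API. Search() contacts the configured update
    # source (Microsoft or WSUS), so this step needs network access.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        $kbs = @($update.KBArticleIDs | ForEach-Object { "KB$_" })
        New-Object PSObject -Property @{
            Title    = $update.Title
            Severity = $update.MsrcSeverity   # Critical/Important/Moderate/Low, or blank
            KB       = ($kbs -join ', ')
        }
    }
}

function Get-RiskyAppVersions {
    # Installed-programs registry keys (32- and 64-bit views) for the kind of
    # applications the post singles out; compare DisplayVersion against the
    # vendor's current release, or run Secunia's inspector as the post suggests.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Reader|Acrobat|Java|Flash Player|Shockwave' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

Write-Host '== Firewall profiles =='
Get-FirewallStatus | Format-Table Profile, Enabled, DefaultInbound, DefaultOutbound -AutoSize
Write-Host '== Anti-virus (Security Center) =='
Get-AntiVirusStatus | Format-Table Product, RealTimeEnabled, DefinitionsFresh -AutoSize
Write-Host '== Pending Windows updates =='
Get-PendingUpdates | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize
Write-Host '== Commonly exploited applications =='
Get-RiskyAppVersions | Format-Table -AutoSize
```

Anything reported as a disabled profile, an anti-virus product with real-time protection off or stale definitions, a pending update rated Critical or Important, or an application version behind the vendor's current release is an item on the post's checklist that still needs attention. A machine with no AntiVirusProduct rows at all has nothing registered with Security Center, which is the situation the post warns about.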

#9 ScoobysDoo

ScoobysDoo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 24 January 2012 - 10:42 PM

I followed your instructions to the letter. Thanks again for your help! I've sent you a small token of appreciation, let's keep this great service up! :thumbsup: :clapping:

Edited by ScoobysDoo, 24 January 2012 - 10:42 PM.


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:26 AM

Posted 24 January 2012 - 11:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





