TrojanZeroaccess!kmem


  • This topic is locked
33 replies to this topic

#1 UpstateBodhi

  • Members
  • 18 posts

Posted 25 January 2012 - 06:52 PM

Hi - problems began at the beginning of this month. svchost crashing and high CPU usage, print spool is disabled (Windows could not start the spooler service on local computer - Error 2 The system cannot find the file specified), USB ports (Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)) - Firefox loads in memory but no GUI ... then Vista Home Security 2012 took over - was looking for a solution on this forum and Norton (Norton 360 wasn't detecting it at first), then I guess Norton did an update and automatic scan: got result - qtj.exe (Fake Cloud AV2012) This threat has been removed - no further action is needed

Still had broken registry keys - some new ones - got a fix for exe file associations from Norton forum - 2 days ago Norton apparently caught up again: 1/21/12

TrojanZeroaccess!kmem requires manual removal- Review - get help

c:\windows\system32\ntos

Full Path: c:\windows\system32\ntos
____________________________

I contacted live chat on Norton, and was told to download Norton Power Eraser (which I did) and run it, but didn't give me any help about how to fix the registry entries, so I'm hesitant to do that until I know more. Was advised on the Norton Community forum: "please go to a protected Malware Removal forum that have people who are able to use, script and read logs from tools I also use to remove Zeroaccess if still present in anyway, Then if still no ability to use PS/2 or USB ports, see which file or registry entry is wrong (or missing)".

So - need advice on how to proceed - fix registry problems first? Run NPE first? Some better way? Scan with GMER took 14 hours - alert at finish that a rootkit was detected (log attached) - also, I ran a chkdsk (scheduled at restart) and it was unable to access the volume - the D: partition is fine - I'm guessing that the rootkit's hidden partition would cause that? Reeeally want to get this off my machine. I've never had such a serious infection on a computer. Hopefully won't have to do a full system recovery. Thanks
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by BG at 4:30:12 on 2012-01-25
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3327.1745 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Windows\mHotkey.exe
C:\Windows\System32\rundll32.exe
C:\Windows\vVX1000.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Acer\Empowering Technology\eLock\autolockprocess\AutoLockProcess.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Windows\System32\SysMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\Webshots\Webshots.scr
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxddcoms.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\2.bin\ASKTBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\2.bin\ASKTBAR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [????r]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [?????????] ??????????????e
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Acer Tour]
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [eRecoveryService]
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [LXDDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDDtime.dll,_RunDLLEntry@16
mRun: [CHotkey] mHotkey.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [AutoLockProcess] c:\acer\empowering technology\elock\autolockprocess\autolockprocess.exe
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
StartupFolder: c:\users\bg\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\bg\appdata\roaming\micros~1\windows\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.12/uploader2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{59491320-FDB5-405E-AD8F-A5AA7722D0C3} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\bg\appdata\roaming\mozilla\firefox\profiles\2oqwy19m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\bg\appdata\roaming\mozilla\firefox\profiles\2oqwy19m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\bg\appdata\roaming\mozilla\firefox\profiles\2oqwy19m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\bg\appdata\roaming\mozilla\firefox\profiles\2oqwy19m.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 eLock2BurnerLockDriver;Disk Performance Monitor Filter Driver;c:\windows\system32\drivers\eLock2burnerlockdriver.sys [2007-8-8 22824]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-11-18 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-11-18 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20111221.003\BHDrvx86.sys [2011-12-21 819320]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120124.005\IDSvix86.sys [2011-12-15 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-11-18 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys [2011-11-18 331384]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\drivers\eLock2FSCTLDriver.sys [2007-8-8 85800]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-19 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-1-29 45848]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccsvchst.exe [2011-11-18 130008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9c252859103b0;Google Update Service (gupdate1c9c252859103b0);c:\program files\google\update\GoogleUpdate.exe [2009-4-21 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-21 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Ransher;Ransher; [x]
.
=============== Created Last 30 ================
.
2012-01-20 20:43:43 1409 ----a-w- c:\windows\QTFont.for
2012-01-04 14:02:01 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-01-04 17:45:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
2011-11-18 05:49:41 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-11-17 06:48:37 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-11-16 16:23:44 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 16:23:08 72704 ----a-w- c:\windows\system32\secur32.dll
2011-11-16 16:23:05 278528 ----a-w- c:\windows\system32\schannel.dll
2011-11-16 16:21:57 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2011-11-16 14:12:25 9728 ----a-w- c:\windows\system32\lsass.exe
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-28 03:50:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_ rev.V5DO -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x878DEFF0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x81E5F912] -> \Device\Harddisk0\DR0[0x8648D8E0]
3 CLASSPNP[0x8B1B38B3] -> ntkrnlpa!IofCallDriver[0x81E5F912] -> [0x8495B1E0]
\Driver\00001495[0x86B40870] -> IRP_MJ_CREATE -> 0x878DEFF0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\0000005f -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725025VLA#4&311ed49&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 4:34:42.53 ===============

Attached Files
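A small triage script for a DDS log like the one in this post, added here as an example (it is not a tool from this thread, from DDS or from BleepingComputer). It splits the log into its "==== NAME ====" sections, then flags SERVICES / DRIVERS entries whose image file is marked "[x]" (the script assumes, as with "S4 Ransher;Ransher; [x]" above, that this marker means DDS could not find the file on disk) and uRun/mRun entries whose name or command consists of "?" characters or is empty, as with "uRun: [????r]" and "mRun: [Acer Tour]" above. The sample log inside the script is a constructed subset of lines copied from the post; the helper names and the "?" heuristic are the example's own.

```python
import re
import sys

# Constructed sample: a handful of lines copied from the DDS log in the post above.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============
.
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
uRun: [????r]
uRun: [?????????] ??????????????e
mRun: [Acer Tour]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\\windows\\system32\\drivers\\n360\\0501000.01d\\symds.sys [2011-11-18 340088]
R2 lxdd_device;lxdd_device;c:\\windows\\system32\\lxddcoms.exe -service --> c:\\windows\\system32\\lxddcoms.exe -service [?]
S4 Ransher;Ransher; [x]
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # "===== NAME ====="
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\](?:\s+(?P<cmd>.*))?$")


def split_sections(text):
    """Group the log's lines under the '==== NAME ====' header they follow."""
    sections = {}
    current = "HEADER"
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line.strip() not in ("", "."):  # DDS pads sections with lone dots
            sections.setdefault(current, []).append(line)
    return sections


def check_service(line):
    """Return a reason string if a SERVICES / DRIVERS entry deserves a second look."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    # Assumption: DDS prints "[x]" where the image's date and size would be when
    # it cannot find the file on disk (as with "S4 Ransher;Ransher; [x]" above).
    if rest == "[x]":
        return "registered service/driver whose image file was not found"
    if not rest:
        return "service/driver entry with no image path"
    return None


def check_run(line):
    """Return a reason string if a uRun/mRun/dRun autorun entry looks odd."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name = m.group("name")
    cmd = (m.group("cmd") or "").strip()
    # Heuristic (assumption): the log shows entries such as "uRun: [????r]" whose
    # name is all "?", which this check treats as characters DDS could not render.
    if "?" in name or "?" in cmd:
        return "autorun name or command contains characters DDS could not render"
    if not cmd:
        return "autorun entry with no command (empty or orphaned value)"
    return None


def triage(text):
    """Run the per-section checks and return a list of findings."""
    checks = {"SERVICES / DRIVERS": check_service, "Pseudo HJT Report": check_run}
    findings = []
    for section, lines in split_sections(text).items():
        check = checks.get(section)
        if check is None:
            continue
        for line in lines:
            reason = check(line)
            if reason:
                findings.append({"section": section, "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    # Pass a saved DDS log as the first argument; otherwise the constructed sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    for f in triage(log_text):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

On the sample it reports the orphaned Ransher service, the two all-"?" uRun entries and the two autorun values with no command, and leaves the Sidebar, NvCplDaemon, SymDS and Lexmark lines alone; the flags are starting points for a reviewer, not verdicts.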





#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 January 2012 - 01:31 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 UpstateBodhi
  • Topic Starter

  • Members
  • 18 posts

Posted 29 January 2012 - 03:38 AM

1/29/12 - 12:45 AM - Disabling Norton 360 - running ComboFix

Said Norton was still running, though I had disabled both the smart firewall and auto protect - went into Norton settings and turned off everything I could find

Went ahead with scan - did briefly display it had found rootkit - Trojan Zero Access - asked to reboot - OK - scanned again - Completed stage _1 - _50 at 1:45 AM then stopped - blinking cursor in Administrator: Auto Scan window - blank desktop with mouse pointer
3 AM - pressed Enter - nothing - rebooted
scheduled chkdsk again showed "Cannot Access C: Volume" like it has been - rebooted to normal state - no log in C: Sector, but there is a folder called ComboFix that seems to be a copy of "Computer"

Still no printer - "Windows cannot open add printer - the local print spooler service is not running"

Try running ComboFix again? What should I enable again in Norton (turned on Smart Firewall)?

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 29 January 2012 - 03:43 AM

run combofix again


gringo

#5 UpstateBodhi
  • Topic Starter

  • Members
  • 18 posts

Posted 30 January 2012 - 01:29 PM

1/30/12 - 7 AM

Running ComboFix again - Again reported Norton 360 as "active" - "OK" to run anyway
Rootkit/Trojan ZeroAccess detected in TCP/IP stack - restart - OK
Backing up registry - Scanning for infected files
Completed Stage_1 - 7:15 AM
Completed Stage_50 - 7:30 AM
8:00 AM - Windows Calendar reminder opened (reminders are set for 8AM) - dismissed - closed calendar
10:40 AM - manually rebooted - unable to open Task Mgr with Ctrl+Alt+Del - CPU near 100% - waited - opened Task Mgr - only app running is Acer Empowering Technology (computer app that came with) - had disabled it in startup batch to free up resources, but after virus infection reset to normal startup
11 AM - running ComboFix again - again shows Norton as active (still disabled - LiveUpdate too) - again detected rootkit - reboot - calendar opened again (?) - another registry backup - again ran to Stage_50 @11:25
Noon - manually restarted

Yesterday the computer seemed to be running more smoothly, though still have disabled drivers. No crashes of Host Service or blue screens, etc. - didn't have Norton enabled, except firewall. I've noticed a lot of "blocked access" for Windows Host Service and Acer Empowering Technology in the Security History in Norton, and was wondering if that's an issue (only started using Norton 360 in Nov. - before that I had NIS without these problems - I did use a removal tool before installing 360). Thought rootkit may have been removed, but it registered again on ComboFix scan - I'm ready to try Norton Power Eraser, or FixZeroAccess (downloaded from Norton malware removal tools site)- unless you have another fix?

Just now:

Problem Event Name: APPCRASH
Application Name: svchost.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47918b89
Fault Module Name: jvm.dll
Fault Module Version: 19.0.0.9
Fault Module Timestamp: 4cddfd7f
Exception Code: c0000005
Exception Offset: 000ca9b2
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033
Additional Information 1: 2719
Additional Information 2: e82aa1ef83088ea55ab51ad7de10fd03
Additional Information 3: 743b
Additional Information 4: b0a663956c5a0361b14402aea149da90

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 30 January 2012 - 02:52 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 UpstateBodhi (Topic Starter)
  • Members
  • 18 posts

Posted 31 January 2012 - 05:24 AM

While I was away from the computer - Norton 360 real time scanner detected and took action on 2 threats - the second one with all the registry actions is what concerns me the most - still haven't run tdsskiller - will do so later, but I thought I should report these to you.

I'm assuming I should disable Norton to run tdsskiller as well? Thanks

Full Path: Not Available
____________________________
____________________________
On computers as of:
1/31/2012 at 3:38:28 AM
Last Used:
1/31/2012 at 3:38:28 AM
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from URL Not Available

Source File:
java.exe
File Created:
oleda0.9440217652563156.exe
____________________________
File Actions
File: c:\windows\temp\oleda0.9440217652563156.exe
Removed
____________________________
Network Actions
Event: Hosts file modification: c:\Windows\System32\drivers\etc\hosts (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: Network activity (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: Auto-Protect triggered (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
____________________________
System Settings Actions
Event: Process start (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: PE file creation: c:\windows\temp\2bad.tmp (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: PE file creation: c:\windows\temp\2bae.tmp (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
____________________________
****************************************************************************
Full Path: c:\windows\temp\2bae.tmp
____________________________
____________________________
On computers as of:
1/31/2012 at 3:37:47 AM
Last Used:
1/31/2012 at 3:41:16 AM
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
____________________________
Origin
Downloaded from URL Not Available

Source File:
2bae.tmp
____________________________
File Actions
File: c:\windows\temp\2bae.tmp
Removed
Event: Running process: C:\Windows\System32\rundll32.exe
Terminated
____________________________
Registry Actions
____________________________
File Thumbprint - SHA:
2c6b5707a7f0e54ee7c13ed7cdb2d4ad7ae40382e24d2594fe553fe4f9a4af0c
____________________________
File Thumbprint - MD5:
fa74012c96a19c31cfb2f029c329bfe3
____________________________
**************************************************************************
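Added example for this thread (not code from the forum, from Norton or from Symantec): a small Python triage script for the report format pasted above. It re-joins the line-wrapped "Event: ... (Performed by ..., PID:n)" records, pairs each with the verdict line that follows, and lists the behaviours logged as "No action taken" (the hosts-file modification and the dropped .tmp files) whose targets are worth checking by hand even though the dropper itself was removed. The sample input is the first report's action sections exactly as they appear in the post.

```python
"""Triage helper for the Norton 360 / SONAR threat report pasted above.

Added example for this thread, not code from the forum or from Symantec.  Each
record ("Event: ...", "File: ...", "Registry change: ...") is followed by the
scanner's verdict; the forum paste wrapped long records over several lines, so
text is accumulated until a verdict line closes the record.
"""
import re

SECTION_RE = re.compile(r"^(File|Network|System Settings|Registry) Actions$")
RECORD_RE = re.compile(r"^(?P<kind>Event|File|Registry change):\s*(?P<body>.*)$")
# Trailing "(Performed by <actor>, PID:<n>)" attribution on Event records
ACTOR_RE = re.compile(
    r"^(?P<desc>.*?)\s*\(Performed by\s*(?P<actor>.+?),\s*PID:(?P<pid>\d+)\)$")
ACTIONS = {"Removed", "No action taken", "Terminated"}  # verdicts seen above

# Sample input: the action sections of the first report above, with the
# blank-line wrapping from the forum paste left in place.
SAMPLE_REPORT = r"""File Actions
File: c:\windows\temp\oleda0.9440217652563156.exe
Removed
____________________________
Network Actions
Event: Hosts file modification: c:\Windows\System32\drivers\etc\hosts (Performed by

c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: Network activity (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: Auto-Protect triggered (Performed by c:\windows\temp\oleda0.9440217652563156.exe,

PID:872)
No action taken
____________________________
System Settings Actions
Event: Process start (Performed by c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: PE file creation: c:\windows\temp\2bad.tmp (Performed by

c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
Event: PE file creation: c:\windows\temp\2bae.tmp (Performed by

c:\windows\temp\oleda0.9440217652563156.exe, PID:872)
No action taken
____________________________
"""


def _make_record(section, text, action):
    """Split one re-joined record line into its fields."""
    rec = {"section": section, "kind": "unknown", "desc": text,
           "actor": None, "pid": None, "action": action}
    m = RECORD_RE.match(text)
    if m:
        rec["kind"], rec["desc"] = m["kind"], m["body"]
        a = ACTOR_RE.match(rec["desc"])
        if a:
            rec["desc"], rec["actor"], rec["pid"] = a["desc"], a["actor"], int(a["pid"])
    return rec


def parse_report(text):
    """Return the report's records as dicts, in the order they appear."""
    records, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) <= {"_", "*"}:      # separator: the current section ends
            section, buf = None, []
            continue
        if section is None:              # outside any "... Actions" section
            m = SECTION_RE.match(line)
            section = m.group(1) if m else None
            continue
        if line in ACTIONS:              # verdict closes the pending record
            records.append(_make_record(section, " ".join(buf), line))
            buf = []
        else:                            # record text, possibly wrapped
            buf.append(line)
    return records


def unhandled(records):
    """Records the scanner logged but did not act on."""
    return [r for r in records if r["action"] == "No action taken"]


def artefacts_to_check(records):
    """Paths named by unhandled events: dropped files, the modified hosts file."""
    paths = []
    for r in unhandled(records):
        if r["kind"] != "Event":
            continue
        _label, sep, target = r["desc"].partition(":")
        if sep and "\\" in target:
            paths.append(target.strip())
    return paths


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"[{r['section']}] {r['desc']} -> {r['action']}")
    print("Check by hand:", *artefacts_to_check(parse_report(SAMPLE_REPORT)), sep="\n  ")
```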

#8 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 31 January 2012 - 08:30 AM

Ok, run TDSSKiller when you get the chance.


gringo

#9 UpstateBodhi (Topic Starter)
  • Members
  • 18 posts

Posted 02 February 2012 - 04:04 AM

OK - ran TDSSKiller - Updated - ran update after unzip - 2 logs

Also - Chkdsk ran on reboot - able to directly access C:\ this time - seems to have fixed a disk sector - still can't find print spool file, and USB readers can't load
Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

*******************************************************

01:47:12.0625 0172 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
01:47:22.0277 0172 Perform update action was selected
01:47:22.0285 5984 Deinitialize success

******************************

01:49:36.0574 4648 TDSS rootkit removing tool 2.7.9.0 Feb 1 2012 09:28:49
01:49:36.0931 4648 ============================================================
01:49:36.0931 4648 Current date / time: 2012/02/02 01:49:36.0931
01:49:36.0931 4648 SystemInfo:
01:49:36.0931 4648
01:49:36.0931 4648 OS Version: 6.0.6002 ServicePack: 2.0
01:49:36.0931 4648 Product type: Workstation
01:49:36.0931 4648 ComputerName: BG-PC
01:49:36.0932 4648 UserName: BG
01:49:36.0932 4648 Windows directory: C:\Windows
01:49:36.0932 4648 System windows directory: C:\Windows
01:49:36.0932 4648 Processor architecture: Intel x86
01:49:36.0932 4648 Number of processors: 2
01:49:36.0932 4648 Page size: 0x1000
01:49:36.0932 4648 Boot type: Normal boot
01:49:36.0932 4648 ============================================================
01:49:37.0374 4648 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
01:49:37.0434 4648 \Device\Harddisk0\DR0:
01:49:37.0434 4648 MBR used
01:49:37.0434 4648 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x6, StartLBA 0xDAA87C, BlocksNum 0xE265279
01:49:37.0434 4648 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xF00FAF5, BlocksNum 0xE1B4A8C
01:49:37.0517 4648 Initialize success
01:49:37.0517 4648 ============================================================
01:50:01.0126 6124 ============================================================
01:50:01.0126 6124 Scan started
01:50:01.0126 6124 Mode: Manual;
01:50:01.0126 6124 ============================================================
01:50:07.0693 6124 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
01:50:07.0698 6124 exfat - ok
01:50:07.0721 6124 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
01:50:07.0726 6124 fastfat - ok
01:50:07.0840 6124 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
01:50:07.0841 6124 fdc - ok
01:50:07.0891 6124 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
01:50:07.0892 6124 FileInfo - ok
01:50:08.0015 6124 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
01:50:08.0016 6124 Filetrace - ok
01:50:08.0046 6124 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
01:50:08.0048 6124 flpydisk - ok
01:50:08.0116 6124 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
01:50:08.0119 6124 FltMgr - ok
01:50:08.0266 6124 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
01:50:08.0292 6124 Fs_Rec - ok
01:50:08.0362 6124 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
01:50:08.0364 6124 gagp30kx - ok
01:50:08.0463 6124 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\Windows\system32\Drivers\GEARAspiWDM.sys
01:50:08.0464 6124 GEARAspiWDM - ok
01:50:08.0633 6124 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
01:50:08.0638 6124 HdAudAddService - ok
01:50:08.0737 6124 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
01:50:08.0754 6124 HDAudBus - ok
01:50:08.0847 6124 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
01:50:08.0848 6124 HidBth - ok
01:50:08.0880 6124 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
01:50:08.0881 6124 HidIr - ok
01:50:08.0926 6124 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
01:50:08.0927 6124 HidUsb - ok
01:50:09.0044 6124 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
01:50:09.0045 6124 HpCISSs - ok
01:50:09.0097 6124 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
01:50:09.0106 6124 HTTP - ok
01:50:09.0210 6124 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
01:50:09.0211 6124 i2omp - ok
01:50:09.0355 6124 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
01:50:09.0357 6124 i8042prt - ok
01:50:09.0388 6124 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
01:50:09.0393 6124 iaStorV - ok
01:50:09.0619 6124 IDSVix86 (b6662611e8fa3a71473c4a9bd0d23755) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120201.002\IDSvix86.sys
01:50:09.0626 6124 IDSVix86 - ok
01:50:09.0736 6124 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
01:50:09.0738 6124 iirsp - ok
01:50:09.0807 6124 int15 (9d64201c9e5ac8d1f088762ba00ff3ab) C:\Acer\Empowering Technology\eRecovery\int15.sys
01:50:09.0808 6124 int15 - ok
01:50:09.0957 6124 IntcAzAudAddService (a47b2875680ad67b35c6150bd0203056) C:\Windows\system32\drivers\RTKVHDA.sys
01:50:09.0983 6124 IntcAzAudAddService - ok
01:50:10.0095 6124 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
01:50:10.0096 6124 intelide - ok
01:50:10.0114 6124 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
01:50:10.0116 6124 intelppm - ok
01:50:10.0173 6124 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
01:50:10.0174 6124 IpFilterDriver - ok
01:50:10.0289 6124 IpInIp - ok
01:50:10.0324 6124 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
01:50:10.0326 6124 IPMIDRV - ok
01:50:10.0415 6124 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
01:50:10.0442 6124 IPNAT - ok
01:50:10.0559 6124 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
01:50:10.0560 6124 IRENUM - ok
01:50:10.0624 6124 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
01:50:10.0627 6124 isapnp - ok
01:50:10.0724 6124 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
01:50:10.0728 6124 iScsiPrt - ok
01:50:10.0820 6124 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
01:50:10.0821 6124 iteatapi - ok
01:50:10.0882 6124 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
01:50:10.0886 6124 iteraid - ok
01:50:11.0031 6124 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
01:50:11.0033 6124 kbdclass - ok
01:50:11.0125 6124 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
01:50:11.0127 6124 kbdhid - ok
01:50:11.0263 6124 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
01:50:11.0271 6124 KSecDD - ok
01:50:11.0391 6124 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
01:50:11.0392 6124 lltdio - ok
01:50:11.0486 6124 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
01:50:11.0487 6124 LMIInfo - ok
01:50:11.0620 6124 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\Windows\system32\DRIVERS\lmimirr.sys
01:50:11.0621 6124 lmimirr - ok
01:50:11.0703 6124 LMIRfsClientNP - ok
01:50:11.0744 6124 LMIRfsDriver (622704763da924c1565344e8c7d6ca4d) C:\Windows\system32\drivers\LMIRfsDriver.sys
01:50:11.0745 6124 LMIRfsDriver - ok
01:50:11.0817 6124 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
01:50:11.0819 6124 LSI_FC - ok
01:50:11.0906 6124 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
01:50:11.0909 6124 LSI_SAS - ok
01:50:11.0967 6124 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
01:50:11.0969 6124 LSI_SCSI - ok
01:50:12.0080 6124 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
01:50:12.0084 6124 luafv - ok
01:50:12.0139 6124 MCSTRM - ok
01:50:12.0259 6124 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
01:50:12.0261 6124 megasas - ok
01:50:12.0313 6124 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
01:50:12.0315 6124 Modem - ok
01:50:12.0395 6124 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
01:50:12.0429 6124 monitor - ok
01:50:12.0523 6124 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
01:50:12.0525 6124 mouclass - ok
01:50:12.0594 6124 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
01:50:12.0628 6124 mouhid - ok
01:50:12.0721 6124 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
01:50:12.0746 6124 MountMgr - ok
01:50:12.0807 6124 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
01:50:12.0809 6124 mpio - ok
01:50:12.0906 6124 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
01:50:12.0908 6124 mpsdrv - ok
01:50:12.0967 6124 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
01:50:12.0969 6124 Mraid35x - ok
01:50:13.0063 6124 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
01:50:13.0067 6124 MRxDAV - ok
01:50:13.0145 6124 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
01:50:13.0147 6124 mrxsmb - ok
01:50:13.0222 6124 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
01:50:13.0235 6124 mrxsmb10 - ok
01:50:13.0368 6124 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
01:50:13.0370 6124 mrxsmb20 - ok
01:50:13.0402 6124 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
01:50:13.0403 6124 msahci - ok
01:50:13.0471 6124 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
01:50:13.0473 6124 msdsm - ok
01:50:13.0559 6124 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
01:50:13.0561 6124 Msfs - ok
01:50:13.0649 6124 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
01:50:13.0650 6124 msisadrv - ok
01:50:13.0729 6124 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
01:50:13.0730 6124 MSKSSRV - ok
01:50:13.0819 6124 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
01:50:13.0821 6124 MSPCLOCK - ok
01:50:13.0888 6124 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
01:50:13.0890 6124 MSPQM - ok
01:50:13.0969 6124 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
01:50:14.0003 6124 MsRPC - ok
01:50:14.0139 6124 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
01:50:14.0141 6124 mssmbios - ok
01:50:14.0199 6124 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
01:50:14.0217 6124 MSTEE - ok
01:50:14.0283 6124 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
01:50:14.0300 6124 Mup - ok
01:50:14.0427 6124 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
01:50:14.0430 6124 NativeWifiP - ok
01:50:14.0621 6124 NAVENG (862f55824ac81295837b0ab63f91071f) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120201.003\NAVENG.SYS
01:50:14.0646 6124 NAVENG - ok
01:50:14.0916 6124 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120201.003\NAVEX15.SYS
01:50:14.0939 6124 NAVEX15 - ok
01:50:15.0086 6124 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
01:50:15.0096 6124 NDIS - ok
01:50:15.0287 6124 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
01:50:15.0288 6124 NdisTapi - ok
01:50:15.0341 6124 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
01:50:15.0343 6124 Ndisuio - ok
01:50:15.0503 6124 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
01:50:15.0507 6124 NdisWan - ok
01:50:15.0552 6124 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
01:50:15.0570 6124 NDProxy - ok
01:50:15.0694 6124 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
01:50:15.0695 6124 NetBIOS - ok
01:50:15.0744 6124 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
01:50:15.0749 6124 netbt - ok
01:50:15.0902 6124 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
01:50:15.0904 6124 nfrd960 - ok
01:50:15.0986 6124 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
01:50:15.0988 6124 Npfs - ok
01:50:16.0131 6124 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
01:50:16.0132 6124 nsiproxy - ok
01:50:16.0217 6124 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
01:50:16.0258 6124 Ntfs - ok
01:50:16.0372 6124 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
01:50:16.0373 6124 NTIDrvr - ok
01:50:16.0415 6124 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
01:50:16.0419 6124 ntrigdigi - ok
01:50:16.0512 6124 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
01:50:16.0515 6124 Null - ok
01:50:16.0776 6124 nvlddmkm (ff58c7a7da6116c1f71e883cb088d598) C:\Windows\system32\DRIVERS\nvlddmkm.sys
01:50:17.0068 6124 nvlddmkm - ok
01:50:17.0172 6124 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
01:50:17.0174 6124 nvraid - ok
01:50:17.0212 6124 nvstor (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\DRIVERS\nvstor.sys
01:50:17.0214 6124 nvstor - ok
01:50:17.0256 6124 nvstor32 (dc5f166422beebf195e3e4bb8ab4ee22) C:\Windows\system32\drivers\nvstor32.sys
01:50:17.0258 6124 nvstor32 - ok
01:50:17.0410 6124 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
01:50:17.0414 6124 nv_agp - ok
01:50:17.0432 6124 NwlnkFlt - ok
01:50:17.0458 6124 NwlnkFwd - ok
01:50:17.0515 6124 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
01:50:17.0516 6124 ohci1394 - ok
01:50:17.0653 6124 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
01:50:17.0655 6124 Parport - ok
01:50:17.0693 6124 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
01:50:17.0694 6124 partmgr - ok
01:50:17.0807 6124 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
01:50:17.0808 6124 Parvdm - ok
01:50:17.0849 6124 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
01:50:17.0853 6124 pci - ok
01:50:17.0996 6124 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
01:50:17.0997 6124 pciide - ok
01:50:18.0030 6124 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
01:50:18.0034 6124 pcmcia - ok
01:50:18.0139 6124 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
01:50:18.0152 6124 PEAUTH - ok
01:50:18.0254 6124 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
01:50:18.0257 6124 PptpMiniport - ok
01:50:18.0366 6124 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
01:50:18.0368 6124 Processor - ok
01:50:18.0442 6124 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
01:50:18.0444 6124 PSched - ok
01:50:18.0563 6124 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
01:50:18.0576 6124 ql2300 - ok
01:50:18.0615 6124 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
01:50:18.0620 6124 ql40xx - ok
01:50:18.0758 6124 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
01:50:18.0759 6124 QWAVEdrv - ok
01:50:18.0835 6124 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
01:50:18.0868 6124 RasAcd - ok
01:50:18.0995 6124 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
01:50:18.0997 6124 Rasl2tp - ok
01:50:19.0044 6124 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
01:50:19.0046 6124 RasPppoe - ok
01:50:19.0104 6124 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
01:50:19.0106 6124 RasSstp - ok
01:50:19.0198 6124 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
01:50:19.0203 6124 rdbss - ok
01:50:19.0240 6124 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
01:50:19.0257 6124 RDPCDD - ok
01:50:19.0348 6124 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
01:50:19.0354 6124 rdpdr - ok
01:50:19.0483 6124 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
01:50:19.0484 6124 RDPENCDD - ok
01:50:19.0565 6124 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
01:50:19.0572 6124 RDPWD - ok
01:50:19.0708 6124 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
01:50:19.0709 6124 rspndr - ok
01:50:19.0747 6124 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
01:50:19.0749 6124 sbp2port - ok
01:50:19.0797 6124 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
01:50:19.0798 6124 secdrv - ok
01:50:19.0888 6124 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
01:50:19.0889 6124 Serenum - ok
01:50:19.0946 6124 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
01:50:19.0949 6124 Serial - ok
01:50:20.0048 6124 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
01:50:20.0049 6124 sermouse - ok
01:50:20.0110 6124 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
01:50:20.0111 6124 sffdisk - ok
01:50:20.0129 6124 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
01:50:20.0130 6124 sffp_mmc - ok
01:50:20.0200 6124 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
01:50:20.0201 6124 sffp_sd - ok
01:50:20.0237 6124 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
01:50:20.0238 6124 sfloppy - ok
01:50:20.0271 6124 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
01:50:20.0274 6124 sisagp - ok
01:50:20.0363 6124 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
01:50:20.0364 6124 SiSRaid2 - ok
01:50:20.0414 6124 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
01:50:20.0417 6124 SiSRaid4 - ok
01:50:20.0530 6124 Smb (0f474ff2d374209e59e91fbd5cff479c) C:\Windows\system32\DRIVERS\smb.sys
01:50:20.0533 6124 Smb ( Virus.Win32.ZAccess.k ) - infected
01:50:20.0533 6124 Smb - detected Virus.Win32.ZAccess.k (0)
01:50:20.0616 6124 smserial (c8a58fc905c9184fa70e37f71060c64d) C:\Windows\system32\DRIVERS\smserial.sys
01:50:20.0632 6124 smserial - ok
01:50:20.0738 6124 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
01:50:20.0739 6124 spldr - ok
01:50:20.0854 6124 SRTSP (83726cf02eced69138948083e06b6eac) C:\Windows\System32\Drivers\N360\0502000.00D\SRTSP.SYS
01:50:20.0863 6124 SRTSP - ok
01:50:20.0933 6124 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\Windows\system32\drivers\N360\0502000.00D\SRTSPX.SYS
01:50:20.0935 6124 SRTSPX - ok
01:50:21.0008 6124 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
01:50:21.0014 6124 srv - ok
01:50:21.0107 6124 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
01:50:21.0110 6124 srv2 - ok
01:50:21.0221 6124 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
01:50:21.0224 6124 srvnet - ok
01:50:21.0286 6124 StMp3Rec (833ac40f6e7be17951d6d9a956829547) C:\Windows\system32\Drivers\StMp3Rec.sys
01:50:21.0288 6124 StMp3Rec - ok
01:50:21.0416 6124 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
01:50:21.0421 6124 swenum - ok
01:50:21.0475 6124 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
01:50:21.0478 6124 Symc8xx - ok
01:50:21.0604 6124 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\Windows\system32\drivers\N360\0502000.00D\SYMDS.SYS
01:50:21.0609 6124 SymDS - ok
01:50:21.0663 6124 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\Windows\system32\drivers\N360\0502000.00D\SYMEFA.SYS
01:50:21.0673 6124 SymEFA - ok
01:50:21.0767 6124 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\Windows\system32\Drivers\SYMEVENT.SYS
01:50:21.0769 6124 SymEvent - ok
01:50:21.0867 6124 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\Windows\system32\drivers\N360\0502000.00D\Ironx86.SYS
01:50:21.0870 6124 SymIRON - ok
01:50:22.0025 6124 SYMTDIv (d42a7229e333af725f1445f785e4658d) C:\Windows\System32\Drivers\N360\0502000.00D\SYMTDIV.SYS
01:50:22.0031 6124 SYMTDIv - ok
01:50:22.0127 6124 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
01:50:22.0129 6124 Sym_hi - ok
01:50:22.0143 6124 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
01:50:22.0145 6124 Sym_u3 - ok
01:50:22.0220 6124 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
01:50:22.0232 6124 Tcpip - ok
01:50:22.0396 6124 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
01:50:22.0403 6124 Tcpip6 - ok
01:50:22.0536 6124 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
01:50:22.0538 6124 tcpipreg - ok
01:50:22.0581 6124 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
01:50:22.0583 6124 TDPIPE - ok
01:50:22.0710 6124 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
01:50:22.0713 6124 TDTCP - ok
01:50:22.0765 6124 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
01:50:22.0768 6124 tdx - ok
01:50:22.0912 6124 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
01:50:22.0937 6124 TermDD - ok
01:50:23.0006 6124 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
01:50:23.0008 6124 tssecsrv - ok
01:50:23.0104 6124 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
01:50:23.0106 6124 tunmp - ok
01:50:23.0159 6124 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
01:50:23.0161 6124 tunnel - ok
01:50:23.0260 6124 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
01:50:23.0263 6124 uagp35 - ok
01:50:23.0298 6124 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\Windows\system32\drivers\UBHelper.sys
01:50:23.0299 6124 UBHelper - ok
01:50:23.0430 6124 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
01:50:23.0438 6124 udfs - ok
01:50:23.0518 6124 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
01:50:23.0520 6124 uliagpkx - ok
01:50:23.0624 6124 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
01:50:23.0631 6124 uliahci - ok
01:50:23.0663 6124 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
01:50:23.0666 6124 UlSata - ok
01:50:23.0786 6124 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
01:50:23.0789 6124 ulsata2 - ok
01:50:23.0833 6124 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
01:50:23.0835 6124 umbus - ok
01:50:23.0989 6124 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
01:50:23.0991 6124 usbaudio - ok
01:50:24.0040 6124 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
01:50:24.0042 6124 usbccgp - ok
01:50:24.0169 6124 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
01:50:24.0172 6124 usbcir - ok
01:50:24.0220 6124 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
01:50:24.0255 6124 usbehci - ok
01:50:24.0402 6124 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
01:50:24.0406 6124 usbhub - ok
01:50:24.0433 6124 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
01:50:24.0434 6124 usbohci - ok
01:50:24.0551 6124 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
01:50:24.0552 6124 usbprint - ok
01:50:24.0588 6124 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
01:50:24.0589 6124 usbscan - ok
01:50:24.0628 6124 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
01:50:24.0630 6124 USBSTOR - ok
01:50:24.0745 6124 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
01:50:24.0746 6124 usbuhci - ok
01:50:24.0802 6124 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
01:50:24.0803 6124 vga - ok
01:50:24.0843 6124 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
01:50:24.0875 6124 VgaSave - ok
01:50:24.0968 6124 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
01:50:24.0971 6124 viaagp - ok
01:50:24.0997 6124 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
01:50:25.0000 6124 ViaC7 - ok
01:50:25.0038 6124 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
01:50:25.0040 6124 viaide - ok
01:50:25.0148 6124 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
01:50:25.0150 6124 volmgr - ok
01:50:25.0200 6124 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
01:50:25.0206 6124 volmgrx - ok
01:50:25.0271 6124 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
01:50:25.0296 6124 volsnap - ok
01:50:25.0404 6124 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
01:50:25.0418 6124 vsmraid - ok
01:50:25.0586 6124 VX1000 (2fbf9e882fc28a315a86aa1f831c144e) C:\Windows\system32\DRIVERS\VX1000.sys
01:50:25.0616 6124 VX1000 - ok
01:50:25.0729 6124 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
01:50:25.0730 6124 WacomPen - ok
01:50:25.0793 6124 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
01:50:25.0795 6124 Wanarp - ok
01:50:25.0810 6124 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
01:50:25.0812 6124 Wanarpv6 - ok
01:50:25.0911 6124 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
01:50:25.0913 6124 Wd - ok
01:50:25.0978 6124 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
01:50:25.0988 6124 Wdf01000 - ok
01:50:26.0176 6124 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
01:50:26.0177 6124 WmiAcpi - ok
01:50:26.0274 6124 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
01:50:26.0276 6124 WpdUsb - ok
01:50:26.0399 6124 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
01:50:26.0417 6124 ws2ifsl - ok
01:50:26.0613 6124 yukonwlh (04e268adfc81964c49dc0c082d520f7e) C:\Windows\system32\DRIVERS\yk60x86.sys
01:50:26.0631 6124 yukonwlh - ok
01:50:26.0666 6124 MBR (0x1B8) (797f0b8d59d9f0eb53160fed99a57ed8) \Device\Harddisk0\DR0
01:50:26.0686 6124 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
01:50:26.0686 6124 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
01:50:26.0711 6124 Boot (0x1200) (9a63a0cf366ffa15d5a9767b7e6a8acc) \Device\Harddisk0\DR0\Partition0
01:50:26.0737 6124 \Device\Harddisk0\DR0\Partition0 - ok
01:50:26.0767 6124 Boot (0x1200) (3f6f29ef8f472f2c6c03ddb665d3e65c) \Device\Harddisk0\DR0\Partition1
01:50:26.0769 6124 \Device\Harddisk0\DR0\Partition1 - ok
01:50:26.0770 6124 ============================================================
01:50:26.0770 6124 Scan finished
01:50:26.0770 6124 ============================================================
01:50:26.0818 4140 Detected object count: 2
01:50:26.0818 4140 Actual detected object count: 2
01:52:41.0144 4140 C:\Windows\system32\DRIVERS\smb.sys - copied to quarantine
01:52:41.0226 4140 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\Windows\system32\drivers\smb.sys) error 1813
01:53:05.0182 4140 Backup copy found, using it..
01:53:05.0275 4140 C:\Windows\system32\DRIVERS\smb.sys - will be cured on reboot
01:53:15.0775 4140 Smb ( Virus.Win32.ZAccess.k ) - User select action: Cure
01:53:21.0361 4140 \Device\Harddisk0\DR0\# - copied to quarantine
01:53:21.0362 4140 \Device\Harddisk0\DR0 - copied to quarantine
01:53:21.0469 4140 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
01:53:21.0472 4140 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
01:53:21.0481 4140 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
01:53:21.0485 4140 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
01:53:21.0488 4140 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
01:53:21.0491 4140 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
01:53:21.0498 4140 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
01:53:21.0502 4140 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
01:53:21.0556 4140 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
01:53:21.0558 4140 \Device\Harddisk0\DR0 - ok
01:53:21.0560 4140 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
01:54:34.0026 2380 Deinitialize success
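The TDSSKiller log above ends with two verdicts (the Smb service driver flagged as Virus.Win32.ZAccess.k and the MBR of \Device\Harddisk0\DR0 flagged as Rootkit.Boot.Pihar.b) followed by a list of what the tool did with each object. The following is an added example, not part of this thread and not TDSSKiller's own code: a small Python parser that pulls the object catalog (name, MD5, path), the infection verdicts and the quarantine/cure actions out of a log in this format, checks that the "Detected object count" agrees with the number of "- infected" lines, maps each verdict to its on-disk path and hash, and lists the hidden TDLFS entries copied out of the boot sector. The sample lines are copied from the log above; the line patterns are an assumption based on the line shapes seen in this thread and cover only those line types.

```python
import re
from collections import defaultdict

# Sample lines copied from the TDSSKiller log posted in this thread (hashes as logged there).
SAMPLE_LOG = r"""
01:50:20.0530 6124 Smb (0f474ff2d374209e59e91fbd5cff479c) C:\Windows\system32\DRIVERS\smb.sys
01:50:20.0533 6124 Smb ( Virus.Win32.ZAccess.k ) - infected
01:50:20.0533 6124 Smb - detected Virus.Win32.ZAccess.k (0)
01:50:20.0616 6124 smserial (c8a58fc905c9184fa70e37f71060c64d) C:\Windows\system32\DRIVERS\smserial.sys
01:50:20.0632 6124 smserial - ok
01:50:26.0666 6124 MBR (0x1B8) (797f0b8d59d9f0eb53160fed99a57ed8) \Device\Harddisk0\DR0
01:50:26.0686 6124 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
01:50:26.0686 6124 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
01:50:26.0818 4140 Detected object count: 2
01:52:41.0144 4140 C:\Windows\system32\DRIVERS\smb.sys - copied to quarantine
01:53:05.0275 4140 C:\Windows\system32\DRIVERS\smb.sys - will be cured on reboot
01:53:15.0775 4140 Smb ( Virus.Win32.ZAccess.k ) - User select action: Cure
01:53:21.0469 4140 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
01:53:21.0481 4140 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
01:53:21.0556 4140 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
"""

# One log line: timestamp, thread id, then the message body.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<pid>\d+)\s+(?P<body>.*)$")
# Body patterns are an assumption derived from the line shapes in this thread's log.
CATALOG_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
INFECTED_RE = re.compile(r"^(?P<obj>.+?) \( (?P<threat>[^()]+) \) - infected$")
ACTION_RE = re.compile(
    r"^(?P<obj>.+?)(?: \( (?P<threat>[^()]+) \))? - "
    r"(?P<action>copied to quarantine|will be cured on reboot|User select action: \w+)$"
)
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


def parse_tdsskiller(text):
    """Return the object catalog, infection verdicts, actions and the reported count."""
    catalog = {}                  # object name -> (md5, path)
    infections = []               # (object, threat) in log order
    actions = defaultdict(list)   # object name or path -> [action, ...]
    reported_count = None
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        body = line.group("body")
        m = CATALOG_RE.match(body)
        if m:
            catalog[m.group("name")] = (m.group("md5"), m.group("path"))
            continue
        m = INFECTED_RE.match(body)
        if m:
            infections.append((m.group("obj"), m.group("threat")))
            continue
        m = ACTION_RE.match(body)
        if m:
            actions[m.group("obj")].append(m.group("action"))
            continue
        m = COUNT_RE.match(body)
        if m:
            reported_count = int(m.group("n"))
    return {"catalog": catalog, "infections": infections,
            "actions": dict(actions), "reported_count": reported_count}


def triage(report):
    """Map each verdict to its on-disk object, hash, actions and related quarantined items."""
    by_path = {path: (name, md5) for name, (md5, path) in report["catalog"].items()}
    rows = []
    for obj, threat in report["infections"]:
        if obj in report["catalog"]:          # verdict named a service/driver (e.g. Smb)
            md5, path = report["catalog"][obj]
        elif obj in by_path:                  # verdict named a device path (e.g. the MBR)
            md5, path = by_path[obj][1], obj
        else:
            md5, path = None, obj
        acts = list(report["actions"].get(obj, []))
        if path != obj:
            acts += report["actions"].get(path, [])
        # Items quarantined from inside the object, such as the rootkit's hidden TDLFS store.
        related = sorted(k for k in report["actions"] if k.startswith(obj + "\\"))
        rows.append({"object": obj, "threat": threat, "path": path,
                     "md5": md5, "actions": acts, "related": related})
    return rows


def counts_consistent(report):
    """True when 'Detected object count' matches the number of '- infected' verdicts."""
    return report["reported_count"] == len(report["infections"])


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    print("count consistent:", counts_consistent(rep))
    for row in triage(rep):
        print(f"{row['threat']:<24} {row['path']} md5={row['md5']}")
        for a in row["actions"]:
            print("   action:", a)
        for r in row["related"]:
            print("   related:", r)
```

The MD5 recorded beside each driver is the value to compare against a known-clean copy of the same file from the same Windows build; the "Backup copy found, using it.." line in the log is TDSSKiller doing exactly that replacement for smb.sys. The "related" list surfaces the files pulled out of the hidden TDLFS area on the disk, which is useful to keep with the incident notes even after the MBR has been cured.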

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:40 PM

Posted 02 February 2012 - 08:47 AM

Hello

OK, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 UpstateBodhi

UpstateBodhi
  • Topic Starter

  • Members
  • 18 posts
  • Local time:08:40 PM

Posted 02 February 2012 - 12:42 PM

Hey! I just noticed that combofix.exe was deleted from my desktop. I'll download again, but question... It updated last time when I ran it. If I run in Safe Mode (without networking) should I just run it as is?

Another question - at this point - I got blocked by a website yesterday saying that my computer was infected, so I'd need to log in using those graphic text type-ins (forget the term at the moment). Didn't know if it was really their security measures, or another fake generated by this virus. I've been avoiding logging onto my bank acct. etc, but I maintain 2 websites for a local non-profit - did some updating uploaded to ftp. Just concerned that the websites may get infected, though I don't see any of those files coming up. Also, is this bad enough that I should be concerned about identity theft? Call my bank etc.? All my passwords are in a password-protected Word doc, and I've been using Identity Safe for the less sensitive log-ins, and cards for purchase info - supposedly encrypted and safe. Just wondering how serious this infection is beyond screwing up my computer. - If this belongs in another topic, let me know. Thanks

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:40 PM

Posted 02 February 2012 - 12:52 PM

Yes, go ahead and run it as is.

With any major infection I would change all online passwords and keep a close eye on things.



gringo

#13 UpstateBodhi

UpstateBodhi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 02 February 2012 - 06:14 PM

OK - ran combofix in safe mode - had a little problem on the reboot, but turned off and got into Safe Mode on second try - generated log below:


ComboFix 12-02-02.02 - BG 02/02/2012 17:38:32.4.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3327.2931 [GMT -5:00]
Running from: c:\users\BG\Desktop\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
c:\programdata\vlc-1.0.5-win32.exe
c:\programdata\vlc-1.1.0-win32.exe
c:\programdata\vlc-1.1.5-win32.exe
c:\users\BG\AppData\Local\Axialis\pssp0001.swf
c:\windows\$NtUninstallKB15637$
c:\windows\bwUnin-6.1.4.61-8876480L.exe
c:\windows\system32\rnaph.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-02-02 22:53 . 2012-02-02 22:53 -------- d-----w- c:\users\BG\AppData\Local\temp
2012-02-02 22:53 . 2012-02-02 22:53 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-02-02 22:53 . 2012-02-02 22:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-02 06:59 . 2012-02-02 06:59 -------- d-----w- C:\found.000
2012-02-02 06:52 . 2012-02-02 06:52 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-31 04:10 . 2012-01-31 08:44 -------- d-----w- c:\windows\system32\drivers\N360\0502000.00D
2012-01-20 20:43 . 2012-01-20 20:43 1409 ----a-w- c:\windows\QTFont.for
2012-01-04 14:02 . 2012-01-04 14:02 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-02 06:55 . 2009-09-04 06:18 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2012-01-04 17:45 . 2011-05-21 04:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37 . 2011-12-18 12:33 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 05:49 . 2011-11-18 05:49 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-11-08 14:42 . 2011-12-18 12:34 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-21 07:24 . 2012-01-04 10:56 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-08-25 03:52 . 2007-11-03 08:29 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-02-12 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-02-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-13 312240]
"LXDDCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [2007-01-22 102400]
"CHotkey"="mHotkey.exe" [2002-08-02 473600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"AutoLockProcess"="c:\acer\Empowering Technology\eLock\autolockprocess\autolockprocess.exe" [2007-04-09 143360]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-11-23 319488]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
.
c:\users\BG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2007-6-24 157000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-1-6 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1285482466-3156500135-3391944794-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R0 64258075;64258075;c:\windows\system32\drivers\54763691.sys [x]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-26 20:24]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 07:26]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 07:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\BG\AppData\Roaming\Mozilla\Firefox\Profiles\2oqwy19m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
SafeBoot-64258075.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-02 17:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDDCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Smb]
"ImagePath"="system32\drivers\tskBAA7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-02-02 17:56:47
ComboFix-quarantined-files.txt 2012-02-02 22:56
.
Pre-Run: 51,328,671,744 bytes free
Post-Run: 51,287,912,448 bytes free
.
- - End Of File - - 91C7DD704FD254302C5A639711F170E1
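The ComboFix log above lists the machine's registry loading points, and a few of them stand out on inspection: Run values whose names ComboFix could only render as question marks, a driver service whose file is reported missing (`[x]`), and a service `ImagePath` pointing at a `.tmp` file under `system32\drivers`. The following script is an added example, not part of this thread and not code from ComboFix or BleepingComputer; it applies those three rules of thumb (the rules are my own assumptions about what merits a closer look, not a verdict that an entry is malicious) to a constructed excerpt modelled on the lines in the post, so that a helper reading many such logs can pull out the entries to examine first.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix's own code). Heuristics are the author's
assumptions about entries that deserve a second look:
  * Run values whose name contains '?' (unprintable characters) or whose
    target ComboFix could not resolve (trailing '[?]');
  * service/driver lines whose file is reported missing ('[x]');
  * an ImagePath under a Services key that points at a .tmp file, which
    is unusual for a kernel driver.
"""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
.
R0 64258075;64258075;c:\windows\system32\drivers\54763691.sys [x]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Smb]
"ImagePath"="system32\drivers\tskBAA7.tmp"
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
# A value line inside a Run key: "name"="target" [info]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# A service/driver line: R0 name;display name;path [info]
SERVICE = re.compile(r'^[RS]\d+\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$')
# An ImagePath value (only meaningful under a Services key)
IMAGEPATH = re.compile(r'^"ImagePath"="(?P<path>.*)"\s*$')


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for loading-point entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    current_key = ""  # lower-cased registry key the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = RUN_VALUE.match(line)
        if m and current_key.endswith("\\run"):
            # ComboFix prints '?' for characters it cannot render and '[?]'
            # when it cannot find the referenced file.
            if "?" in m.group("name") or m.group("info") == "?":
                findings.append(("unprintable-run-value", line))
            continue
        m = SERVICE.match(line)
        if m:
            if m.group("info") == "x":  # '[x]' means the file was not found
                findings.append(("service-file-missing", line))
            continue
        m = IMAGEPATH.match(line)
        if m and "\\services\\" in current_key:
            if m.group("path").lower().endswith(".tmp"):
                findings.append(("imagepath-tmp", line))
    return findings


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"{rule:24} {entry}")
```

On the constructed excerpt the script reports the two question-mark Run values, the `R0 64258075` driver with its missing `.sys`, and the `Smb` service's `.tmp` image path, and stays silent on the ordinary Sidebar, NvCplDaemon and Adobe entries. The rules are deliberately narrow; a flagged entry is a starting point for the kind of review the helpers in this thread do by hand, not a removal decision.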

#14 UpstateBodhi

UpstateBodhi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 02 February 2012 - 06:17 PM

Norton deleted ComboFix as a virus before (quick scan) - I'll turn auto-protect off until you say

Edited by UpstateBodhi, 02 February 2012 - 06:22 PM.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:40 PM

Posted 02 February 2012 - 10:07 PM

Hello


how are things running now?


Run this in normal mode, and if it does not run then try Safe Mode again.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo




