Tidserv infection. Can not boot xp



#1 planttec

Posted 27 January 2012 - 02:59 AM

Hi,
Yesterday Norton 360 flashed up a message saying something like:
"Tidserv found, Norton cannot remove. Click here for manual removal."

On clicking, I was taken to the Tidserv removal tool and downloaded it.
I opened the download, followed the instructions and let the computer shut itself down for a restart and scan.
Now the computer just gets to the login screen, and when I enter my password the screen goes black; it seems to spool through the start-up process but never lets me log in.

As with many other computer users, I am no genius and have little knowledge of diagnostics.

Much of the information on my computer is critical to my business, but I didn't back up on a regular basis.

Some help on sorting out the issues involved would be greatly appreciated.

Many thanks

#2 planttec

Posted 27 January 2012 - 07:07 AM

UPDATE
Following the use of a recommended MBRfix, I can now log on to my user account (Administrator) and have managed to produce the DDS and GMER logs, which are listed below.

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 8:50:47 on 2012-01-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2740 [GMT 0:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\BBSvc.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\LGScsiCommandService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\lxeccoms.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\7digital Download Manager\7digital Download Manager.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.bing.com
uDefault_Page_URL = hxxp://www.msn.com
uWindow Title = Internet Explorer, optimized for Bing and MSN
mDefault_Page_URL = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: HistoryTriggerBHO Class: {21a88cb9-84d2-4020-a2d1-b25a21034884} - c:\program files\lg electronics\lg pc suite iv\linkair\LinkAirBrowserHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: WebCGMHlprObj Class: {56b38f40-4e70-11d4-a076-0080ad86ba2f} - c:\windows\system32\cgmopenbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [LG LinkAir]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Lexmark Pro800-Pro900 Series Fax Server] "c:\program files\lexmark pro800-pro900 series\fm3032.exe" /s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [B2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\7digit~1.lnk - c:\program files\7digital download manager\7digital Download Manager.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.illicitencounters.com/js/core/ImageUploader/ImageUploader7.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\o04w27pt.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-5-24 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-5-24 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120121.002\BHDrvx86.sys [2012-1-23 820344]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-6 214024]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-5-24 136312]
R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-6-17 54760]
R2 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [2011-6-6 47616]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-5-24 130008]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-6 635416]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-5-6 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-5-6 149600]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120124.005\IDSXpx86.sys [2011-12-15 356280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [2009-9-29 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [2009-9-29 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [2009-9-29 12928]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120125.033\NAVENG.SYS [2012-1-26 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120125.033\NAVEX15.SYS [2012-1-26 1576312]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-7-19 21520]
S2 0303421277112476mcinstcleanup;McAfee Application Installer Cleanup (0303421277112476);c:\docume~1\admini~1\locals~1\temp\030342~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\030342~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-17 136176]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2011-3-22 193192]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 FlashUSB;FlashUSB;c:\windows\system32\drivers\FlashUSB.sys [2011-12-6 16896]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-17 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2010-5-6 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2010-5-6 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-5-6 34248]
.
=============== Created Last 30 ================
.
2012-01-27 12:21:11 123904 ----a-w- C:\MbrFix.exe
2012-01-11 15:40:11 -------- d-----w- c:\program files\common files\Vectric
2012-01-11 15:40:06 -------- d-----w- c:\documents and settings\all users\application data\Vectric
2012-01-11 15:39:57 -------- d-----w- c:\program files\Aspire Trial Edition 3.5
2012-01-11 15:28:18 -------- d-----w- c:\program files\PhotoVCarve Trial
2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-29 14:08:23 -------- d-----w- c:\documents and settings\administrator\application data\PTC
2011-12-29 14:05:16 -------- d-----w- c:\program files\PTC
.
==================== Find3M ====================
.
2012-01-26 16:38:17 94208 ----a-w- c:\windows\DUMP7ea5.tmp
2012-01-26 16:29:35 94208 ----a-w- c:\windows\DUMP7d6d.tmp
2012-01-11 15:26:35 3350 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 08:05:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\SET8.tmp
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\SET7.tmp
2011-11-07 21:28:38 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
.
============= FINISH: 8:51:27.81 ===============


GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-27 12:01:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST350041 rev.HP34
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xA8583080]
SSDT 8A01E930 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA8583BDE]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys ZwCreateThread [0xA87E95E0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xA8583DD6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xA85875AC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xA85875DE]
SSDT 8A104290 ZwLoadDriver
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xA8587740]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xA8583CF6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xA85831F6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xA85833EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xA858351C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xA85876B6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xA8587620]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xA8587652]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xA8587684]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xA8583026]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xA8583E7C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xA8587544]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xA8582FC0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xA8582EE8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xA8582F30]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C60 805044FC 4 Bytes JMP CF34CF02
.text ntkrnlpa.exe!ZwCallbackReturn + 2DE4 80504680 4 Bytes [EA, 33, 58, A8]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FE8 80504884 8 Bytes CALL B0F8A0B7
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\DRIVERS\netbt.sys suspicious PE modification
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[780] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00445210 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A80001
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[780] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 71AE001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[780] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 719E0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[780] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71A20022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414D50 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A70001
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71A10022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71AE0022
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01A0000A
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01A1000A
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0192000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A861D000-A8637000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue 0 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html 0 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-agl 0 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-agl\agl.aglmga 13396 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-agl\jsx.aglmga 10675 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-agl\obsolete.aglmga 1667 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-explorer 0 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-explorer\explorer.aglmga 1812 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-navigator 0 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-navigator\navigator.aglmga 2533 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-server 0 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\addition-server\server.aglmga 1024 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\browser.aglmgb 1594 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\chtml 0 bytes
File C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MarkupGlue\html\chtml\chtml-imode10.dtd 16615 bytes

---- EOF - GMER 1.0.15 ----

#3 nasdaq

nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 30 January 2012 - 11:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download TDSSKiller.zip.

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
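When the TDSSKiller log comes back, the lines worth isolating are the few that do not end in "- ok": the "Suspicious file (Forged)" entry carrying two MD5s for one path, and the "( family ) - infected" verdict that follows it. The Python below is an added example, not a tool from this thread or from the TDSSKiller authors; it parses the 2.7.x log layout shown later in this thread and pulls those entries out, with SAMPLE_LOG constructed from lines of that posted log.

```python
"""Pull the non-'ok' findings out of a TDSSKiller scan log (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout TDSSKiller 2.7.x writes; the lines are
# copied from the log posted in this thread, not from a fresh scan.
SAMPLE_LOG = r"""
05:44:19.0125 2884 Scan started
05:44:19.0125 2884 Mode: Manual;
05:44:19.0468 2884 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
05:44:19.0468 2884 ac97intc - ok
05:44:19.0796 2884 Aha154x - ok
05:44:25.0468 2884 NetBT (f12a874588e995c4dc9ee7be11dd561a) C:\WINDOWS\system32\DRIVERS\netbt.sys
05:44:25.0468 2884 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: f12a874588e995c4dc9ee7be11dd561a, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
05:44:25.0468 2884 NetBT ( Virus.Win32.ZAccess.l ) - infected
05:44:25.0468 2884 NetBT - detected Virus.Win32.ZAccess.l (0)
05:44:25.0484 2884 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
05:44:25.0484 2884 Npfs - ok
"""

# Every line is "<hh:mm:ss.ffff> <pid> <message>"; the message carries the meaning.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
MD5 = r"[0-9a-f]{32}"
DRIVER_RE = re.compile(rf"^(?P<name>\S+) \((?P<md5>{MD5})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    rf"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>{MD5}), Fake md5: (?P<fake>{MD5})$")
INFECTED_RE = re.compile(r"^(?P<name>\S+) \( (?P<family>\S+) \) - infected$")
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<family>\S+)")
OK_RE = re.compile(r"^(?P<name>\S+) - ok$")


@dataclass
class DriverRecord:
    name: str
    path: Optional[str] = None
    md5: Optional[str] = None          # hash TDSSKiller printed on the listing line
    verdict: str = "unknown"           # ok | forged | infected | unknown
    family: Optional[str] = None
    real_md5: Optional[str] = None     # from the "Suspicious file (Forged)" line
    fake_md5: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, DriverRecord]:
    """Fold the per-line log into one record per driver/service name."""
    records: Dict[str, DriverRecord] = {}
    by_path: Dict[str, DriverRecord] = {}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue                      # banner, "====" separators, blank lines
        msg = line["msg"]
        if m := DRIVER_RE.match(msg):
            rec = records.setdefault(m["name"], DriverRecord(m["name"]))
            rec.path, rec.md5 = m["path"], m["md5"]
            by_path[rec.path.lower()] = rec
        elif m := FORGED_RE.match(msg):
            # The forged line names a path, not a service; join it to the
            # listing line seen just before it.
            rec = by_path.get(m["path"].lower())
            if rec is None:
                rec = records.setdefault(m["path"], DriverRecord(m["path"], path=m["path"]))
            rec.real_md5, rec.fake_md5 = m["real"], m["fake"]
            if rec.verdict != "infected":
                rec.verdict = "forged"
        elif m := INFECTED_RE.match(msg) or DETECTED_RE.match(msg):
            rec = records.setdefault(m["name"], DriverRecord(m["name"]))
            rec.verdict, rec.family = "infected", m["family"]
        elif m := OK_RE.match(msg):
            rec = records.setdefault(m["name"], DriverRecord(m["name"]))
            if rec.verdict == "unknown":
                rec.verdict = "ok"
    return records


def triage(records: Dict[str, DriverRecord]) -> List[DriverRecord]:
    """Everything that is not a clean '- ok', worst first."""
    rank = {"infected": 0, "forged": 1, "unknown": 2}
    hits = [r for r in records.values() if r.verdict != "ok"]
    return sorted(hits, key=lambda r: rank[r.verdict])


def summarise(records: Dict[str, DriverRecord]) -> Dict[str, int]:
    return dict(Counter(r.verdict for r in records.values()))


def report(records: Dict[str, DriverRecord]) -> str:
    lines = [f"{len(records)} entries scanned, verdicts: {summarise(records)}"]
    for rec in triage(records):
        lines.append(f"[{rec.verdict.upper()}] {rec.name}  {rec.path or '?'}")
        if rec.family:
            lines.append(f"    family: {rec.family}")
        if rec.real_md5:
            # Two hashes for one path means two different contents were read
            # back for the same file; a clean file yields only one.
            lines.append(f"    real md5: {rec.real_md5}")
            lines.append(f"    fake md5: {rec.fake_md5}")
            lines.append(f"    listing hash matches real: {rec.md5 == rec.real_md5}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_tdsskiller_log(SAMPLE_LOG)))
```

Feed it a full log with `parse_tdsskiller_log(open(path).read())` and the hundreds of "- ok" drivers collapse into one count line, leaving only the entries a helper actually needs to read.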

#4 planttec

planttec
  • Topic Starter
  • Members

Posted 31 January 2012 - 12:57 AM

Hi Nasdaq,
Thank you for your assistance.
Below are the logs requested.

TDSS
05:44:15.0250 5244 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
05:44:15.0296 5244 ============================================================
05:44:15.0296 5244 Current date / time: 2012/01/31 05:44:15.0296
05:44:15.0296 5244 SystemInfo:
05:44:15.0296 5244
05:44:15.0296 5244 OS Version: 5.1.2600 ServicePack: 3.0
05:44:15.0296 5244 Product type: Workstation
05:44:15.0296 5244 ComputerName: PTML1
05:44:15.0296 5244 UserName: Administrator
05:44:15.0296 5244 Windows directory: C:\WINDOWS
05:44:15.0296 5244 System windows directory: C:\WINDOWS
05:44:15.0296 5244 Processor architecture: Intel x86
05:44:15.0296 5244 Number of processors: 2
05:44:15.0296 5244 Page size: 0x1000
05:44:15.0296 5244 Boot type: Normal boot
05:44:15.0296 5244 ============================================================
05:44:15.0765 5244 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
05:44:16.0312 5244 Drive \Device\Harddisk6\DR12 - Size: 0x774700000 (29.82 Gb), SectorSize: 0x200, Cylinders: 0xF34, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
05:44:16.0312 5244 \Device\Harddisk0\DR0:
05:44:16.0312 5244 MBR used
05:44:16.0312 5244 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A380580
05:44:16.0312 5244 \Device\Harddisk6\DR12:
05:44:16.0312 5244 MBR used
05:44:16.0343 5244 Initialize success
05:44:16.0343 5244 ============================================================
05:44:19.0125 2884 ============================================================
05:44:19.0125 2884 Scan started
05:44:19.0125 2884 Mode: Manual;
05:44:19.0125 2884 ============================================================
05:44:25.0468 2884 NetBT (f12a874588e995c4dc9ee7be11dd561a) C:\WINDOWS\system32\DRIVERS\netbt.sys
05:44:25.0468 2884 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: f12a874588e995c4dc9ee7be11dd561a, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
05:44:25.0468 2884 NetBT ( Virus.Win32.ZAccess.l ) - infected
05:44:25.0468 2884 NetBT - detected Virus.Win32.ZAccess.l (0)
05:44:27.0718 2884 UsbDiag - ok
05:44:27.0750 2884 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
05:44:27.0750 2884 usbehci - ok
05:44:27.0781 2884 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
05:44:27.0781 2884 usbhub - ok
05:44:27.0828 2884 USBModem (cc09a1132b1f6a8362107cc134e90d0b) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
05:44:27.0843 2884 USBModem - ok
05:44:27.0859 2884 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
05:44:27.0859 2884 usbprint - ok
05:44:27.0890 2884 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
05:44:27.0890 2884 usbscan - ok
05:44:27.0921 2884 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
05:44:27.0921 2884 USBSTOR - ok
05:44:27.0953 2884 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
05:44:27.0953 2884 usbuhci - ok
05:44:28.0015 2884 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
05:44:28.0015 2884 VgaSave - ok
05:44:28.0078 2884 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
05:44:28.0078 2884 ViaIde - ok
05:44:28.0109 2884 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
05:44:28.0109 2884 VolSnap - ok
05:44:28.0171 2884 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
05:44:28.0171 2884 Wanarp - ok
05:44:28.0187 2884 WDICA - ok
05:44:28.0234 2884 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
05:44:28.0234 2884 wdmaud - ok
05:44:28.0281 2884 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
05:44:28.0281 2884 WmiAcpi - ok
05:44:28.0328 2884 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
05:44:28.0328 2884 WpdUsb - ok
05:44:28.0343 2884 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
05:44:28.0343 2884 WudfPf - ok
05:44:28.0375 2884 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
05:44:28.0375 2884 WudfRd - ok
05:44:28.0390 2884 MBR (0x1B8) (92a0110a64c3262c5f5df2032e989dce) \Device\Harddisk0\DR0
05:44:28.0453 2884 \Device\Harddisk0\DR0 - ok
05:44:28.0453 2884 MBR (0x1B8) (c261fc8351b95a0bcf4044fa7ee393c9) \Device\Harddisk6\DR12
05:44:30.0328 2884 \Device\Harddisk6\DR12 - ok
05:44:30.0343 2884 Boot (0x1200) (36126811897cdcb5e0fa8c70b7c64bb3) \Device\Harddisk0\DR0\Partition0
05:44:30.0343 2884 \Device\Harddisk0\DR0\Partition0 - ok
05:44:30.0343 2884 ============================================================
05:44:30.0343 2884 Scan finished
05:44:30.0343 2884 ============================================================
05:44:30.0343 5452 Detected object count: 1
05:44:30.0343 5452 Actual detected object count: 1
05:45:21.0468 5452 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
05:45:22.0781 5452 Backup copy found, using it..
05:45:22.0781 5452 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
05:45:24.0109 5452 NetBT ( Virus.Win32.ZAccess.l ) - User select action: Cure
05:45:47.0890 5028 Deinitialize success


aswMBR Log

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-31 05:51:26
-----------------------------
05:51:26.953 OS Version: Windows 5.1.2600 Service Pack 3
05:51:26.953 Number of processors: 2 586 0x170A
05:51:26.953 ComputerName: PTML1 UserName:
05:51:28.937 Initialize success
05:51:42.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
05:51:43.000 Disk 0 Vendor: ST350041 HP34 Size: 476940MB BusType: 3
05:51:43.031 Disk 0 MBR read successfully
05:51:43.031 Disk 0 MBR scan
05:51:43.031 Disk 0 Windows VISTA default MBR code
05:51:43.031 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476928 MB offset 2048
05:51:43.031 Disk 0 scanning sectors +976752000
05:51:43.109 Disk 0 scanning C:\WINDOWS\system32\drivers
05:51:48.859 Service scanning
05:51:50.390 Modules scanning
05:51:56.203 Disk 0 trace - called modules:
05:51:56.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
05:51:56.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b7337a8]
05:51:56.218 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000075[0x8b735710]
05:51:56.218 5 ACPI.sys[b9f68620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b714028]
05:51:56.218 Scan finished successfully
05:52:15.812 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
05:52:15.828 The log file has been saved successfully to "E:\aswMBR.txt"
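
The TDSSKiller log above is long because it records every driver, the MBR and the boot sector with an MD5 and a verdict, and the only detection (NetBT, Virus.Win32.ZAccess.l) is easy to lose among hundreds of "- ok" lines. As an added example, not code from the original post and not a TDSSKiller component, here is a Python triage script that reads a log in that format, pairs each object line with the verdict line that follows it (MBR and boot verdicts are keyed by device path, quarantine lines by file path), and lists anything not reported clean. The sample log embedded in it is constructed: the NetBT object line and its "- infected" verdict are assumptions standing in for the part of the log not quoted here, and the NetBT hash is a placeholder, not a reference value for any real file.

```python
"""Triage a TDSSKiller log: pair every scanned object with the verdict TDSSKiller
gave it, then list the ones that were not reported clean.

Line shapes handled (taken from the log quoted above):
  HH:MM:SS.mmmm PID Name (md5) path            object line with its hash
  HH:MM:SS.mmmm PID Name - ok                  verdict line, keyed by name
  HH:MM:SS.mmmm PID \\Device\\... - ok           MBR/boot verdict, keyed by device path
  HH:MM:SS.mmmm PID Name ( Detection ) - ...   detection verdict
"""
import re
from dataclasses import dataclass, field

LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<body>.+)$")
OBJECT = re.compile(r"^(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
VERDICT = re.compile(
    r"^(?P<name>.+?)(?:\s+\(\s*(?P<detection>[^()]+?)\s*\))?\s+-\s+(?P<verdict>.+?)\s*$"
)


@dataclass
class ScanObject:
    name: str
    md5: str = ""
    path: str = ""
    detections: list = field(default_factory=list)   # e.g. "Virus.Win32.ZAccess.l"
    verdicts: list = field(default_factory=list)     # e.g. "ok", "infected", "User select action: Cure"


def parse_tdsskiller(text):
    """Return the scanned objects in first-seen order, with their verdicts attached."""
    by_key, objects = {}, []

    def get(key):
        obj = by_key.get(key)
        if obj is None:
            obj = ScanObject(name=key)
            by_key[key] = obj
            objects.append(obj)
        return obj

    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # banners, "Scan finished", counters
        body = m["body"]
        o = OBJECT.match(body)
        if o:
            obj = get(o["name"])
            obj.md5, obj.path = o["md5"].lower(), o["path"]
            by_key[o["path"]] = obj       # MBR/boot and quarantine lines refer to the path
            continue
        v = VERDICT.match(body)
        if v:
            obj = get(v["name"])
            if v["detection"]:
                obj.detections.append(v["detection"])
            obj.verdicts.append(v["verdict"])
    return objects


def suspicious(objects):
    """Objects with a named detection or any verdict other than 'ok'."""
    return [o for o in objects if o.detections or any(v != "ok" for v in o.verdicts)]


def unresolved(objects):
    """Objects that were hashed but never given a verdict (worth a second look)."""
    return [o for o in objects if not o.verdicts]


# Constructed sample in the same format. The NetBT object line, its placeholder
# hash and the "- infected" verdict are assumptions standing in for the part of
# the log not quoted above; the Serial and MBR lines copy the real entries' shape.
SAMPLE_LOG = "\n".join([
    r"05:44:21.0000 2884 NetBT (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\netbt.sys",
    r"05:44:21.0000 2884 NetBT ( Virus.Win32.ZAccess.l ) - infected",
    r"05:44:26.0531 2884 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys",
    r"05:44:26.0531 2884 Serial - ok",
    r"05:44:26.0578 2884 Simbad - ok",
    r"05:44:28.0390 2884 MBR (0x1B8) (92a0110a64c3262c5f5df2032e989dce) \Device\Harddisk0\DR0",
    r"05:44:28.0453 2884 \Device\Harddisk0\DR0 - ok",
    r"05:44:30.0343 2884 ============================================================",
    r"05:44:30.0343 2884 Scan finished",
    r"05:44:30.0343 5452 Detected object count: 1",
    r"05:45:21.0468 5452 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine",
    r"05:45:24.0109 5452 NetBT ( Virus.Win32.ZAccess.l ) - User select action: Cure",
])


if __name__ == "__main__":
    objs = parse_tdsskiller(SAMPLE_LOG)
    for o in suspicious(objs):
        print(f"{o.name}: {o.path or '(no file)'} md5={o.md5 or '-'} "
              f"detections={sorted(set(o.detections))} verdicts={o.verdicts}")
    for o in unresolved(objs):
        print(f"{o.name}: no verdict recorded")
```

Run against a full log saved from TDSSKiller, the same parser gives one record per driver with its hash, which is also what you want to keep for comparison if the machine has to be re-scanned after the cure and reboot.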

#5 nasdaq

  • Malware Response Team
  • 39,909 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 January 2012 - 10:03 AM

Good work.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message. Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#6 planttec

  • Topic Starter
  • Members
  • 5 posts

Posted 31 January 2012 - 11:11 AM

Hi again Nasdaq,
Thanks for all your help once more.
I managed to run ComboFix, although it had to reboot the machine twice and I wasn't sure I would get back into Windows.
However, I did, and eventually ComboFix did its thing; log results below:

ComboFix 12-01-30.02 - Administrator 31/01/2012 15:40:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2977 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\My Documents\~WRL4067.tmp
c:\documents and settings\Administrator\WINDOWS
c:\windows\$NtUninstallKB36532$
c:\windows\$NtUninstallKB36532$\2845714218\@
c:\windows\$NtUninstallKB36532$\2845714218\bckfg.tmp
c:\windows\$NtUninstallKB36532$\2845714218\cfg.ini
c:\windows\$NtUninstallKB36532$\2845714218\Desktop.ini
c:\windows\$NtUninstallKB36532$\2845714218\keywords
c:\windows\$NtUninstallKB36532$\2845714218\kwrd.dll
c:\windows\$NtUninstallKB36532$\2845714218\L\ktrspibc
c:\windows\$NtUninstallKB36532$\2845714218\U\00000001.@
c:\windows\$NtUninstallKB36532$\2845714218\U\00000002.@
c:\windows\$NtUninstallKB36532$\2845714218\U\00000004.@
c:\windows\$NtUninstallKB36532$\2845714218\U\80000000.@
c:\windows\$NtUninstallKB36532$\2845714218\U\80000004.@
c:\windows\$NtUninstallKB36532$\2845714218\U\80000032.@
c:\windows\$NtUninstallKB36532$\3154875543
c:\windows\system32\SET1B2.tmp
c:\windows\system32\SET1B4.tmp
c:\windows\system32\SET1C0.tmp
c:\windows\system32\SET1F9.tmp
c:\windows\system32\SET1FB.tmp
c:\windows\system32\SET1FE.tmp
c:\windows\system32\SET7.tmp
c:\windows\system32\SET8.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 15:25 . 2012-01-31 15:35 -------- d-----w- c:\windows\system32\drivers\N360\0502000.00D
2012-01-31 10:27 . 2008-04-14 05:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-31 10:27 . 2008-04-14 05:41 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-31 10:27 . 2008-04-14 00:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-31 10:27 . 2008-04-14 00:09 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-01-31 05:45 . 2012-01-31 05:45 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-27 12:21 . 2010-09-20 13:39 123904 ----a-w- C:\MbrFix.exe
2012-01-27 06:47 . 2012-01-27 06:47 -------- d-----w- c:\documents and settings\PTML\Application Data\Pro800-Pro900 Series
2012-01-27 06:43 . 2012-01-27 06:43 -------- d-----w- c:\documents and settings\Vince\Application Data\Pro800-Pro900 Series
2012-01-11 15:40 . 2012-01-11 15:40 -------- d-----w- c:\program files\Common Files\Vectric
2012-01-11 15:40 . 2012-01-11 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Vectric
2012-01-11 15:39 . 2012-01-11 15:40 -------- d-----w- c:\program files\Aspire Trial Edition 3.5
2012-01-11 15:28 . 2012-01-11 15:28 -------- d-----w- c:\program files\PhotoVCarve Trial
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 05:46 . 2008-04-14 09:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-26 16:38 . 2010-05-06 15:05 94208 ----a-w- c:\windows\DUMP7ea5.tmp
2012-01-26 16:29 . 2010-05-06 15:05 94208 ----a-w- c:\windows\DUMP7d6d.tmp
2012-01-11 15:26 . 2010-06-18 15:13 3350 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-11-25 21:57 . 2008-04-14 09:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 09:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 08:05 . 2011-05-18 05:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35 . 2008-04-14 09:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 09:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 09:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-07 21:28 . 2011-11-07 21:28 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-04 19:20 . 2008-04-14 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-14 09:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-14 09:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-14 09:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2008-04-14 09:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-04-14 09:00 1292288 ----a-w- c:\windows\system32\quartz.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-17 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2011-01-23 148280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2009-10-01 316072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-09-28 404568]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
7digital Download Manager.lnk - c:\program files\7digital Download Manager\7digital Download Manager.exe [2011-10-27 142336]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-6-18 108544]
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2011-11-5 142336]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\windows\\system32\\lxeccoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [07/11/2011 21:28 56208]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [31/01/2012 15:26 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [31/01/2012 15:26 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120121.002\BHDrvx86.sys [23/01/2012 23:25 820344]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 17:08 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [07/11/2011 21:28 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/11/2011 21:28 164112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [31/01/2012 15:26 136312]
R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [21/10/2011 15:23 196176]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [13/10/2011 17:21 249648]
R2 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [06/06/2011 13:37 47616]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccsvchst.exe [31/01/2012 15:26 130008]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [06/05/2010 15:17 635416]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/11/2011 21:28 931640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [18/04/2007 03:09 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [06/05/2010 15:12 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [06/05/2010 15:01 149600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/01/2012 08:36 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120128.002\IDSXpx86.sys [31/01/2012 15:28 356280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [18/12/2007 17:46 44800]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 07:11 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 07:11 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 07:11 12928]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 08:11 21520]
S2 0303421277112476mcinstcleanup;McAfee Application Installer Cleanup (0303421277112476);c:\docume~1\ADMINI~1\LOCALS~1\Temp\030342~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\030342~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17/06/2010 12:15 136176]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [22/03/2011 22:45 193192]
S3 FlashUSB;FlashUSB;c:\windows\system32\drivers\FlashUSB.sys [06/12/2011 06:01 16896]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [17/06/2010 12:15 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 12:49 227232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 12:15]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 12:15]
.
2012-01-30 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\progra~1\NORTON~3\Engine\301~1.8\Nss.exe [2011-01-20 23:47]
.
2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{87E39089-12F0-4B56-A5ED-10E88DA683FB}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://uk.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 192.168.2.1
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.illicitencounters.com/js/core/ImageUploader/ImageUploader7.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o04w27pt.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-LG LinkAir - (no file)
SafeBoot-43458097.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 15:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\lxeccoms.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2012-01-31 16:00:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-31 16:00
.
Pre-Run: 300,274,950,144 bytes free
Post-Run: 300,400,304,128 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D12411EC14712D66B54751AE211E9F56

I also ran the Security Check, and again the log, a much shorter one, is here:

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton 360
McAfee Security Scan Plus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 22
Java version out of date!
Adobe Reader X (10.1.2)
Mozilla Firefox (3.6.13) Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````


You ask what problems persist?
On the surface I have none, as I can now boot into Windows easily enough, but I am a little wary of doing anything sensitive on the internet as I don't know if the virus has now been eliminated.
How will I know that it is safe to use the computer again?

Thank you once more for all your help
Nigel
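
Two things in the ComboFix log above are worth pulling out mechanically. The "Other Deletions" list shows the on-disk layout ZeroAccess (the family TDSSKiller reported as Virus.Win32.ZAccess) is widely documented to use: a $NtUninstallKB…$ directory with a numeric subdirectory holding an "@" file, cfg.ini and bckfg.tmp, keywords and kwrd.dll, and "U" and "L" subfolders. Further down, the firewall policy key shows "EnableFirewall"= 0 for the standard profile, which Security Check later reports as "Windows Firewall Disabled!". As an added example, not part of the post and not a ComboFix feature, here is a Python script that reads a ComboFix log, groups deleted paths by the ZeroAccess store directory they belong to, and reports whether each Windows Firewall profile was enabled. The embedded log excerpt is constructed in ComboFix's layout, mirroring the entries above rather than copying the whole log.

```python
"""Pull two facts out of a ComboFix log: the ZeroAccess store directories among
the deleted paths, and whether each Windows Firewall profile was enabled.
"""
import re
from collections import defaultdict

SECTION = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FW_KEY = re.compile(r"firewallpolicy\\(?P<profile>\w+)$", re.IGNORECASE)
FW_VALUE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<value>\d+)', re.IGNORECASE)
# ZeroAccess store: <dir>\$NtUninstallKB<digits>$\<digits>\ holding an '@' file,
# cfg.ini/bckfg.tmp/keywords/kwrd.dll and the 'U' and 'L' subdirectories.
ZA_MEMBER = re.compile(
    r"^(?P<store>.*\\\$NtUninstallKB\d+\$\\\d+)\\"
    r"(?P<member>@|bckfg\.tmp|cfg\.ini|desktop\.ini|keywords|kwrd\.dll|[LU]\\.+)$",
    re.IGNORECASE,
)


def sections(text):
    """Split a ComboFix log into {section name: [entry lines]}, dropping '.' spacers."""
    out, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION.match(line)
        if m:
            current = m["name"]
        elif current and line and line != ".":
            out[current].append(line)
    return dict(out)


def zeroaccess_stores(paths):
    """Group paths by the ZeroAccess store directory they sit in (lower-cased key)."""
    stores = defaultdict(list)
    for p in paths:
        m = ZA_MEMBER.match(p.strip())
        if m:
            stores[m["store"].lower()].append(p.strip())
    return dict(stores)


def firewall_state(text):
    """Return {profile: enabled} from the firewallpolicy registry keys ComboFix prints."""
    state, profile = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = REG_KEY.match(line)
        if k:
            fw = FW_KEY.search(k["key"])
            profile = fw["profile"].lower() if fw else None
            continue
        v = FW_VALUE.match(line)
        if v and profile:
            state[profile] = v["value"] != "0"
    return state


def triage(text):
    """Both checks on one log, as a dict a script or a reply could be built from."""
    secs = sections(text)
    return {
        "zeroaccess_stores": zeroaccess_stores(secs.get("Other Deletions", [])),
        "firewall": firewall_state(text),
    }


# Constructed excerpt in ComboFix's layout; the paths mirror the entries in the
# log above, but the text itself is assembled here as sample input.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\My Documents\~WRL4067.tmp
c:\windows\$NtUninstallKB36532$
c:\windows\$NtUninstallKB36532$\2845714218\@
c:\windows\$NtUninstallKB36532$\2845714218\bckfg.tmp
c:\windows\$NtUninstallKB36532$\2845714218\cfg.ini
c:\windows\$NtUninstallKB36532$\2845714218\L\ktrspibc
c:\windows\$NtUninstallKB36532$\2845714218\U\00000001.@
c:\windows\$NtUninstallKB36532$\2845714218\U\80000032.@
c:\windows\$NtUninstallKB36532$\3154875543
c:\windows\system32\SET1B2.tmp
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
2012-01-31 05:45 . 2012-01-31 05:45 -------- d-----w- C:\TDSSKiller_Quarantine
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-17 39408]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for store, members in result["zeroaccess_stores"].items():
        print(f"ZeroAccess store {store}: {len(members)} member paths")
    for profile, enabled in result["firewall"].items():
        print(f"Windows Firewall {profile}: {'enabled' if enabled else 'DISABLED'}")
```

The store directory is keyed on the numeric subdirectory rather than on the $NtUninstallKB…$ parent because genuine hotfix uninstall folders also live under c:\windows with that naming scheme; it is the numeric child with the "@" file and the U and L subfolders that marks the ZeroAccess payload store.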

#7 nasdaq

  • Malware Response Team
  • 39,909 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 February 2012 - 09:21 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 22


===

On the surface I have none, as I can now boot into Windows easily enough, but I am a little wary of doing anything sensitive on the internet as I don't know if the virus has now been eliminated.
How will I know that it is safe to use the computer again?


We cannot be 100% sure that your computer is clean.

I suggest you change all your passwords just in case your computer was compromised.

===

You can execute this additional removal tool.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
===

When all is well then:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#8 planttec

planttec
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:40 PM

Posted 02 February 2012 - 01:26 AM

Hi Nasdaq,

Thank you again for all your help.
I updated Java as recommended and ran the ESET Scanner.

I made a bit of an error and inadvertently stopped the process part way through by using the wrong keyboard whilst using 2 machines at once.
At the time of stopping the scanner 4 threats had been found and fixed. One was a Java-related virus and the others were various adware, with one rootkit virus.

I have run the Scanner again and the results are below

E:\freecom1\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\U1701GRY\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined
E:\freecom1\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\7SH5VWG4\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined
E:\freecom1\vaioh\sage\0134726aa\cab1276530a\013726a\dreamweaver files\New Folder (2)\downloads\M31.exe probably a variant of Win32/Adware.Agent.CZTDWWN application deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-35b5240a-75c32fa4.zip a variant of Java/TrojanDownloader.OpenStream.C trojan deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Administrator\Local Settings\Temp\jkill.exe Win32/ProcKill application cleaned by deleting - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Administrator\Local Settings\Temp\sp.html JS/StartPage.X trojan cleaned by deleting - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\all_ebooks_deal\ebooks4.zip probably a variant of Win32/Agent.GQRSLPX trojan deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DivXPro502GAINBundle.exe Win32/Adware.Gator application cleaned by deleting - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DOWNLOADS\getrt45d.exe Win32/Adware.Gator.Trickler application deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DOWNLOADS\klitekpp210e.exe probably a variant of Win32/TrojanDownloader.VB.IRCSLWN trojan deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DOWNLOADS\M31.exe probably a variant of Win32/Adware.Agent.CZTDWWN application deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\7SH5VWG4\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\U1701GRY\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined

I didn't have to uninstall the ComboFix tool as Norton 360 took care of that after identifying it as a "Trojan ADH2" virus???? Is that normal?

All now seems well but I will be very careful when using the computer in future and will probably not use it for sensitive internet activity such as banking etc.

I really cannot thank you enough for the time you have spent with me on this and enabling me to gain control of my computer again. If I had lost all the information on it that would have been disastrous for me.
Thank you so much
All the very best
Nigel
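
The ESET results above are a flat list of path, detection name and action. As an added example (my own code, not part of this thread and not ESET's tooling), here is a Python parser that reads those lines and summarises them by volume, detection class, action, and whether the file sat in a browser, Java or temp cache. The line shape is inferred from the posted output rather than taken from any ESET documentation, and the list of cache/temp path markers is my assumption.

```python
import re
from collections import Counter

# Constructed sample input: the thirteen ESET OnlineScanner result lines
# quoted in the post above, copied verbatim (raw string, so backslashes are literal).
ESET_LOG = r"""
E:\freecom1\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\U1701GRY\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined
E:\freecom1\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\7SH5VWG4\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined
E:\freecom1\vaioh\sage\0134726aa\cab1276530a\013726a\dreamweaver files\New Folder (2)\downloads\M31.exe probably a variant of Win32/Adware.Agent.CZTDWWN application deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-35b5240a-75c32fa4.zip a variant of Java/TrojanDownloader.OpenStream.C trojan deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Administrator\Local Settings\Temp\jkill.exe Win32/ProcKill application cleaned by deleting - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Administrator\Local Settings\Temp\sp.html JS/StartPage.X trojan cleaned by deleting - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\all_ebooks_deal\ebooks4.zip probably a variant of Win32/Agent.GQRSLPX trojan deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DivXPro502GAINBundle.exe Win32/Adware.Gator application cleaned by deleting - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DOWNLOADS\getrt45d.exe Win32/Adware.Gator.Trickler application deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DOWNLOADS\klitekpp210e.exe probably a variant of Win32/TrojanDownloader.VB.IRCSLWN trojan deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Desktop\drive e\DOWNLOADS\M31.exe probably a variant of Win32/Adware.Agent.CZTDWWN application deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\7SH5VWG4\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined
K:\Local Disk\Users\Nigel Marks\Desktop\DESKTOP\Nigel Marks\Local Settings\Temporary Internet Files\Content.IE5\U1701GRY\felso[1].php HTML/ScrInject.B.Gen virus deleted - quarantined
"""

# Line shape assumed from the posted output (an inference, not ESET's documented format):
#   <path> [probably ][a variant of ]<Platform/Name> <virus|trojan|application> <action>
# The path is matched non-greedily; the detection name is the first token containing "/",
# which never occurs inside a Windows path.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s"
    r"(?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<signature>[A-Za-z0-9]+/[A-Za-z0-9_.]+)\s"
    r"(?P<category>virus|trojan|application)\s"
    r"(?P<action>.+)$"
)

# Assumed markers for locations that hold cached or temporary copies rather than
# files the user keeps on purpose (matched case-insensitively).
TRANSIENT_MARKERS = (
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\java\\deployment\\cache\\",
)


def is_transient(path: str) -> bool:
    """True when the path sits in a browser, Java or temp cache directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TRANSIENT_MARKERS)


def parse_eset_log(text: str) -> list[dict]:
    """Parse result lines into dicts; blank or unrecognised lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        rec = match.groupdict()
        rec["qualifier"] = (rec["qualifier"] or "").strip()
        rec["drive"] = rec["path"][0].upper()
        rec["transient"] = is_transient(rec["path"])
        records.append(rec)
    return records


def summarize(records: list[dict]) -> dict:
    """Counts that help judge what a scan actually found, beyond the raw total."""
    return {
        "total": len(records),
        "by_drive": dict(Counter(r["drive"] for r in records)),
        "by_category": dict(Counter(r["category"] for r in records)),
        "by_action": dict(Counter(r["action"] for r in records)),
        "transient": sum(1 for r in records if r["transient"]),
        "persistent_paths": [r["path"] for r in records if not r["transient"]],
        "distinct_signatures": sorted({r["signature"] for r in records}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_eset_log(ESET_LOG)).items():
        print(f"{key}: {value}")
```

Run on the posted lines, the summary separates hits on the E: and K: volumes from the system drive, and hits in cache and temp directories from files stored deliberately (the downloaded installers and the ebooks archive), which is a more useful basis for deciding what to delete and what to review than a single count of detections.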

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:40 PM

Posted 02 February 2012 - 11:37 AM

Glad we could help.

I didn't have to uninstall the ComboFix tool as Norton 360 took care of that after identifying it as a "Trojan ADH2" virus???? Is that normal?


Some tools used by ComboFix are flagged by antivirus software as malware. It's not so.

Delete any remaining folders and Icons associated with this tool.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:40 PM

Posted 08 February 2012 - 11:11 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
