Infected with Zero Access Rootkit Activity 4 and Tidserv Activity 2


  • This topic is locked
33 replies to this topic

#1 Gary Viva

Gary Viva

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 19 February 2012 - 09:03 PM

Running on a WinXP Pro SP3 system with Norton Internet Security (NIS). NIS reports that the system is infected with Zero Access Rootkit Activity 4 and Tidserv Activity 2 and offers manual removal instructions, but I've tried those and they don't work.

The dds.txt output file appears below. The attach.txt from DDS and the output from GMER (ark.txt) are attached.

Thanks for your help,
Gary

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Owner at 16:09:39 on 2012-02-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.814 [GMT -8:00]
.
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.nytimes.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.0.13\ips\IPSBHO.DLL
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
LSP: mswsock.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.101
TCP: Interfaces\{1F320C76-48ED-4C22-A994-FA4EA7D8F7F6} : DhcpNameServer = 192.168.0.101
TCP: Interfaces\{BDF8BB09-1FD5-4681-A02A-97C58E8DDF77} : DhcpNameServer = 192.168.0.101
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\unxm5r2m.default\
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207000.00d\symds.sys [2012-2-4 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207000.00d\symefa.sys [2012-2-4 744568]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20120207.003\BHDrvx86.sys [2012-2-9 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys [2012-2-4 136312]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2007-12-5 46144]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-6-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-6-21 47640]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-2-4 130008]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-8-14 10896]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-12-5 520192]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [2009-1-7 72448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20120214.003\IDSXpx86.sys [2012-2-15 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20120215.004\NAVENG.SYS [2012-2-15 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20120215.004\NAVEX15.SYS [2012-2-15 1576312]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\fixzeroaccess.sys --> c:\windows\system32\drivers\FixZeroAccess.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys --> c:\windows\system32\drivers\nis\1108000.005\ccHPx86.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-5 136176]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2007-12-5 260672]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-8-16 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-5 136176]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-02-15 19:07:03 -------- d-----w- c:\documents and settings\owner\application data\PCDr
2012-02-14 22:55:35 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-14 22:36:21 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-02-14 22:36:21 -------- d-----w- c:\documents and settings\owner\application data\FixTDSS
2012-02-14 17:54:19 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-14 17:38:41 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-14 17:38:41 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-14 04:51:24 -------- d-sha-r- C:\cmdcons
2012-02-14 04:48:39 98816 ----a-w- c:\windows\sed.exe
2012-02-14 04:48:39 518144 ----a-w- c:\windows\SWREG.exe
2012-02-14 04:48:39 256000 ----a-w- c:\windows\PEV.exe
2012-02-14 04:48:39 208896 ----a-w- c:\windows\MBR.exe
2012-02-14 03:59:50 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-14 02:51:45 -------- d-----w- c:\documents and settings\owner\application data\FixZeroAccess
2012-02-12 19:46:30 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 19:32:27 744568 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symefa.sys
2012-02-04 19:32:27 516216 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\srtsp.sys
2012-02-04 19:32:27 50168 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\srtspx.sys
2012-02-04 19:32:27 369784 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symtdi.sys
2012-02-04 19:32:27 340088 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symds.sys
2012-02-04 19:32:27 331384 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symtdiv.sys
2012-02-04 19:32:27 299640 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symnets.sys
2012-02-04 19:32:27 136312 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys
2012-02-04 19:32:10 -------- d-----w- c:\windows\system32\drivers\nis\1207000.00D
.
==================== Find3M ====================
.
2012-02-14 04:28:52 75264 ----a-w- c:\windows\system32\drivers\ipsec.svs
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29:56 1868544 ------w- c:\windows\system32\win32k.sys
2011-11-23 04:08:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 16:10:08.09 ===============
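As an added example (this code is not from the thread, from DDS, or from any of the tools named here), the script below shows the kind of first-pass triage an analyst does over a log like the one above: it flags browser hook entries (BHO/TB) that point at "No File", service/driver entries whose binary DDS could not locate (the trailing "[?]" or "[x]"), and paths using the ZeroAccess hiding layout, a `$NtUninstallKB<digits>$` directory holding `U` and `L` subfolders and `@`-named payload files, which is exactly what ComboFix lists under "Other Deletions" later in this thread. The sample lines are constructed and modelled on the output in this thread; the `KB123456` hotfix path is a made-up benign control case. Flagged lines are review hints for the analyst, not verdicts: the `FixZeroAccess` entry, for instance, is a stale record of Symantec's own fix tool.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines modelled on the DDS and ComboFix output in this
# thread (not copied from a real system): two orphaned browser hooks, two
# service entries whose binary DDS could not find ("[?]" / "[x]"), two
# ZeroAccess-style payload paths, and one benign hotfix-uninstall path
# (made-up KB number) that must NOT be flagged.
SAMPLE_LOG = r"""
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207000.00d\symds.sys [2012-2-4 340088]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\fixzeroaccess.sys --> c:\windows\system32\drivers\FixZeroAccess.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
c:\windows\$NtUninstallKB18610$\2163198045\U\00000001.@
c:\windows\$NtUninstallKB18610$\2163198045\L\hvmonmrs
c:\windows\$NtUninstallKB123456$\spuninst\spuninst.exe
"""

# Browser hook (BHO / toolbar / IE menu) entry whose DLL no longer exists.
ORPHAN_RE = re.compile(r"^(BHO|TB|IE):.*-\s*No File\s*$")
# DDS service/driver line: "<Rn|Sn> <name>;<display name>;<path> [<date size>|?|x]".
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);([^;]*);(.*)$")
# ZeroAccess hiding layout: a fake hotfix-uninstall directory ...
ZA_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.IGNORECASE)
# ... containing a U\ or L\ subfolder, an 8-hex-digit "*.@" file, or a bare "@".
ZA_MARK_RE = re.compile(r"\\[UL]\\|\\[0-9a-f]{8}\.@$|\\@$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # category of the hint
    detail: str  # why the line was flagged
    line: str    # the original log line


def triage(log_text: str) -> list:
    """Return review hints for the suspicious-looking lines in a DDS/ComboFix-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding("orphaned-entry",
                                    "registry hook points at a file that no longer exists", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path_part = m.group(1), m.group(3).rstrip()
            # DDS prints "[?]" when the path could not be resolved and "[x]" when no path is registered.
            if path_part.endswith(("[?]", "[x]")):
                findings.append(Finding("service-file-missing",
                                        f"service/driver '{name}' is registered but its binary was not found", line))
            continue
        if ZA_DIR_RE.search(line) and ZA_MARK_RE.search(line):
            findings.append(Finding("zeroaccess-style-path",
                                    "hotfix-uninstall directory with the @ / U / L payload layout", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category, e.g. {'orphaned-entry': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run as-is it reports six hints (two of each category) and stays silent on the benign `spuninst` path and on the healthy `SymDS` driver; to use it on a real log, pass the file's text to `triage()` instead of `SAMPLE_LOG`.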


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:22 AM

Posted 20 February 2012 - 01:27 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 20 February 2012 - 01:28 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Gary Viva

Gary Viva
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 20 February 2012 - 02:17 AM

Thanks so much for your help, Gringo.

I downloaded and ran Combofix.exe after disabling Norton Internet Security. The AutoScan command window opened and after a while a message box with the title ROOTKIT appeared. It said "Rootkit is detected. Be patient as this may take some moments." The message box had an "OK" button but, before I could push it, the message box was dismissed and another message box appeared with the title "Rootkit !!". The text of the message box was "ComboFix has detected the presence of rootkit activity and needs to reboot the machine." There was an OK button and I pushed it. The machine rebooted and began running ComboFix. ComboFix ran for some time and then indicated that it was rebooting Windows, which it did. This time it opened a command window that said "Preparing Log Report. Do not run any programs until ComboFix has finished." Then it displayed "Almost done . ." and indicated that a log would pop up and that the log was located at c:\combofix.txt. When it finished, it displayed the following log:

ComboFix 12-02-19.02 - Owner 02/19/2012 22:55:24.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1395 [GMT -8:00]
Running from: c:\temp\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\09ce0ed7-58db-4be9-b311-80b4fd9fd9bc.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\0b2769c8-99f3-4a8f-b749-eca9816d1c9d.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\0e53a45b-5a41-43e5-96ab-776b00e48a6e.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\16eed067-40d8-4239-8470-9de370bfcc4b.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\283cdc40-c633-4749-b3ad-8eb5e8b11b5c.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\434b795d-fe06-4495-801e-fa92d93babbc.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\4506fabd-988f-4627-a1de-44b2f1093b08.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\54874b0a-fb04-44ef-ad2b-c957aafea033.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\562ad818-216b-4d77-8b40-834630104d2c.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\60e1ddc2-8de1-4bd0-8e65-4c3d56791c8e.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\6caa3aae-ef7a-46e1-8cf0-de07c37a32af.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\746b3523-df66-4ed9-beaa-88464b84933f.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\7d08b206-22ae-4429-9e22-772698e3ca65.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\7e36c7b4-f4c8-4324-9887-9cab89169ef6.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\83db0f34-4452-4946-92c2-31dcd99767dd.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\90110d4d-0aa3-42f8-b48a-92aebd9d59f3.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\96963609-8feb-4f10-b100-425cef18a0db.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\97d3cc32-549b-4646-bc59-82ebb82b5d11.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\9ad80016-92d9-41a4-9436-c44907366397.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\b34a10f6-a592-424f-af97-b051783f9dd2.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\b52e5bed-821a-41fc-9d4b-24d443ee0ad9.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\b96355f5-a46b-48d0-a3f2-b41eed57de73.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\bead45d2-b2dc-44e3-94f8-c7de6979be60.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\d754c4cc-ae68-4d17-afb7-55002296e1e2.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\d97b7615-5719-44f8-a032-b5cae54a0299.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\ec6735a3-9204-4734-bb0f-5859e58b13b2.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\f1d18230-9731-47f0-b9f4-b537abcbb39c.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\f45a4f6c-32c1-48c0-9ee9-e840f397e395.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\f64109b2-74cc-4638-ae17-228b7886774b.dll
c:\documents and settings\All Users\Application Data\PCDr\5849\AddOnDownloaded\fd85aea7-408e-4ff8-bdca-73b1320e8b27.dll
c:\windows\$NtUninstallKB18610$
c:\windows\$NtUninstallKB18610$\2163198045\@
c:\windows\$NtUninstallKB18610$\2163198045\cfg.ini
c:\windows\$NtUninstallKB18610$\2163198045\Desktop.ini
c:\windows\$NtUninstallKB18610$\2163198045\L\hvmonmrs
c:\windows\$NtUninstallKB18610$\2163198045\U\00000001.@
c:\windows\$NtUninstallKB18610$\2163198045\U\00000002.@
c:\windows\$NtUninstallKB18610$\2163198045\U\00000004.@
c:\windows\$NtUninstallKB18610$\2163198045\U\80000000.@
c:\windows\$NtUninstallKB18610$\2163198045\U\80000004.@
c:\windows\$NtUninstallKB18610$\2163198045\U\80000032.@
c:\windows\$NtUninstallKB18610$\2163198045\version
c:\windows\$NtUninstallKB18610$\3902606452
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-20 01:57 . 2012-02-20 01:57 -------- d-----w- C:\f68bceab87d919661998652195af51
2012-02-20 00:05 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-20 00:05 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 19:07 . 2012-02-15 19:09 -------- d-----w- c:\documents and settings\Owner\Application Data\PCDr
2012-02-14 22:36 . 2012-02-14 22:36 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-02-14 22:36 . 2012-02-14 22:36 -------- d-----w- c:\documents and settings\Owner\Application Data\FixTDSS
2012-02-14 17:54 . 2012-02-14 04:39 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-14 17:38 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-14 17:38 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-14 03:59 . 2012-02-14 04:43 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-14 02:51 . 2012-02-14 02:51 -------- d-----w- c:\documents and settings\Owner\Application Data\FixZeroAccess
2012-02-12 19:46 . 2012-02-20 06:41 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 19:32 . 2012-02-06 23:30 -------- d-----w- c:\windows\system32\drivers\NIS\1207000.00D
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-14 04:28 . 2012-02-14 04:54 75264 ----a-w- c:\windows\system32\drivers\ipsec.svs
2011-11-25 21:57 . 2006-04-30 06:55 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29 . 2006-04-30 06:55 1868544 ------w- c:\windows\system32\win32k.sys
2011-11-23 04:08 . 2011-05-13 15:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-08-23 23:44 . 2009-08-23 23:44 28488 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-08-23 23:44 . 2009-08-23 23:44 185232 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2012-02-20 06:42 . 2011-06-22 03:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-31 2937528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-06-08 60192]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-02-13 66928]
"TpShocks"="TpShocks.exe" [2007-11-22 181536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 243248]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-12-03 176128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-07 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-07 137752]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-01-10 144728]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-01-10 124248]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2008-01-04 16384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-02-19 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-02-19 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-11-30 2872632]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-18 81920]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-19 1044480]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-12 63048]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-1 576104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-06-08 20:05 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 23:54 89600 ------w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-14 07:36 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\program files\\Skype\\Phone\\skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58015:TCP"= 58015:TCP:Pando Media Booster
"58015:UDP"= 58015:UDP:Pando Media Booster
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207000.00D\symds.sys [2/4/2012 11:32 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207000.00D\symefa.sys [2/4/2012 11:32 AM 744568]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [2/19/2012 4:24 PM 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207000.00D\ironx86.sys [2/4/2012 11:32 AM 136312]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [12/5/2007 4:42 PM 46144]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [6/8/2011 12:04 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 6:04 PM 12856]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.0.13\ccsvchst.exe [2/4/2012 11:32 AM 130008]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [8/14/2007 3:46 PM 10896]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [12/5/2007 5:17 PM 520192]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [1/7/2009 12:25 PM 72448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 11:32 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120214.003\IDSXpx86.sys [2/15/2012 10:35 AM 356280]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 2:59 PM 30336]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys --> c:\windows\system32\drivers\FixZeroAccess.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys --> c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 3:58 PM 136176]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [12/5/2007 4:42 PM 260672]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [8/16/2011 6:41 PM 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 3:58 PM 136176]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PAR1284
uphclean
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 23:58]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 23:58]
.
2012-02-15 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
2012-02-15 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-01-07 16:30]
.
2012-02-20 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.0.101
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\unxm5r2m.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-19 23:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB18610$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\LMIinit.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(964)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
- - - - - - - > 'explorer.exe'(5120)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\program files\PC-Doctor\PcdToolbar584923.dll
c:\windows\system32\ieframe.dll
c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
c:\windows\system32\igfxdev.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-02-19 23:09:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 07:09
ComboFix2.txt 2012-02-14 21:19
ComboFix3.txt 2012-02-14 14:26
.
Pre-Run: 8,096,133,120 bytes free
Post-Run: 8,868,724,736 bytes free
.
- - End Of File - - B9D2C58171DC3F56E581E648963060B6

When the system came back up, NIS indicated "Auto-Protect is processing security risk Trojan.ADH.2" It then asked me to check the NIS security history. It appears that combofix.exe was quarantined because Trojan.ADH.2 was detected in it by NIS.

Everything else appears normal so far. However, I haven't run an NIS Full System Scan since combofix ran. Are there additional steps that you'd like me to follow?

Thanks,
Gary
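As an added triage example (not part of this thread and not ComboFix's own code), the Python below walks a ComboFix-style "Reg Loading Points" section like the one posted above and lists the entries a responder would check first: Security Center override values set to 1, the Windows Firewall standard profile switched off, Winlogon Notify DLLs that load from outside system32, autoruns given as a bare file name, and services whose binary ComboFix marks `[?]` (not found on disk). The sample log inside the script is constructed to match the format above, and the regexes, category names and severities are my assumptions, not ComboFix's. Note that a third-party suite such as NIS may legitimately set the Security Center overrides, and the `FixZeroAccess` entry is a leftover of the Symantec fix tool, so the output is a prompt to verify each entry, not a verdict.

```python
"""Triage a ComboFix-style "Reg Loading Points" section (added example, not ComboFix code)."""
import re

# Constructed sample in the same format as the ComboFix log above; not a verbatim copy.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-07 141848]
"TpShocks"="TpShocks.exe" [2007-11-22 181536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-06-08 20:05 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-14 07:36 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207000.00D\symds.sys [2/4/2012 11:32 AM 340088]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys --> c:\windows\system32\drivers\FixZeroAccess.sys [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[[^\]]*\]$')
NOTIFY_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
FW_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s+\(0x[0-9a-fA-F]+\)$')
# R/S = running/stopped, digit = start type, then name;description;path [stamp]
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]$")

# Values that silence Security Center when set to 1 (assumed names, matching the log).
SECURITY_CENTER_OVERRIDES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}
# Autorun locations that get ordered to the top of the review list (assumption).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\recycler\\")


def triage(log_text):
    """Return a list of (severity, category, detail) tuples for a human to review."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path, stamp = m.group(3), m.group(5), m.group(6)
            # ComboFix prints [?] when the registered binary is not on disk: a removal-tool
            # leftover, or a dangling entry a dropper left behind. Either way, check it.
            if stamp == "?":
                findings.append(("review", "service-missing-binary", f"{name}: {path}"))
            continue
        if key.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                name, path = m.group(1), m.group(2).lower()
                if ":" not in path:  # bare file name, resolved through PATH at logon
                    findings.append(("review", "autorun-unqualified-path", f"{name}: {path}"))
                elif any(d in path for d in SUSPECT_DIRS):
                    findings.append(("review", "autorun-in-profile-or-temp", f"{name}: {path}"))
            continue
        if "winlogon\\notify" in key:
            m = NOTIFY_FILE_RE.match(line)
            if m:
                path = m.group(1)
                # Notify DLLs load into winlogon.exe as SYSTEM; outside system32 means verify.
                sev = "info" if path.lower().startswith("c:\\windows\\system32\\") else "review"
                findings.append((sev, "winlogon-notify-dll", path))
            continue
        if "security center" in key:
            m = DWORD_RE.match(line)
            if m and m.group(1).lower() in SECURITY_CENTER_OVERRIDES and int(m.group(2), 16) == 1:
                findings.append(("high", "security-center-silenced", f"{m.group(1)}=1 under {key}"))
            continue
        if "firewallpolicy" in key:
            m = FW_VALUE_RE.match(line)
            if m:
                name, value = m.group(1), int(m.group(2))
                if name == "EnableFirewall" and value == 0:
                    findings.append(("high", "windows-firewall-off", f"{name}={value} under {key}"))
                elif name == "DisableNotifications" and value == 1:
                    findings.append(("low", "firewall-notifications-off", f"{name}={value} under {key}"))
    return findings


def summarize(findings):
    """One line per finding, ordered high > review > low > info."""
    order = {"high": 0, "review": 1, "low": 2, "info": 3}
    return [f"[{s}] {c}: {d}" for s, c, d in sorted(findings, key=lambda f: order[f[0]])]


if __name__ == "__main__":
    for entry in summarize(triage(SAMPLE_LOG)):
        print(entry)
```

Run it against a saved ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; the ordering in `summarize()` puts the Security Center and firewall findings first because on a box where the installed suite did not set them they are the quickest sign that something is deliberately blinding the user.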

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:22 AM

Posted 20 February 2012 - 02:30 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Proud Graduate Of Malware Removal University

#5 Gary Viva

Gary Viva
  • Topic Starter

  • Members
  • 19 posts
  • Local time:04:22 AM

Posted 20 February 2012 - 03:02 AM

Hi, Gringo --

While running aswMBR, NIS popped up with a message indicating that Tidserv Activity 2 was still present. Also, an MBR.dat binary file was created. Please advise if you need this and how I can get it to you.

Gary

23:34:38.0000 5296 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
23:34:39.0062 5296 ============================================================
23:34:39.0062 5296 Current date / time: 2012/02/19 23:34:39.0062
23:34:39.0062 5296 SystemInfo:
23:34:39.0062 5296
23:34:39.0062 5296 OS Version: 5.1.2600 ServicePack: 3.0
23:34:39.0062 5296 Product type: Workstation
23:34:39.0062 5296 ComputerName: LENOVO-C18A9B51
23:34:39.0062 5296 UserName: Owner
23:34:39.0062 5296 Windows directory: C:\WINDOWS
23:34:39.0062 5296 System windows directory: C:\WINDOWS
23:34:39.0062 5296 Processor architecture: Intel x86
23:34:39.0062 5296 Number of processors: 2
23:34:39.0062 5296 Page size: 0x1000
23:34:39.0062 5296 Boot type: Normal boot
23:34:39.0062 5296 ============================================================
23:34:39.0703 5296 Drive \Device\Harddisk0\DR0 - Size: 0xEE8156000 (59.63 Gb), SectorSize: 0x200, Cylinders: 0x204E, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
23:34:39.0703 5296 \Device\Harddisk0\DR0:
23:34:39.0703 5296 MBR used
23:34:39.0703 5296 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x6F4C800
23:34:39.0703 5296 Initialize success
23:34:39.0703 5296 ============================================================
23:34:57.0359 4160 ============================================================
23:34:57.0359 4160 Scan started
23:34:57.0359 4160 Mode: Manual;
23:34:57.0359 4160 ============================================================
23:34:57.0671 4160 5U875UVC (37e62b1d2ba075e3ad7ab30c873cefa6) C:\WINDOWS\system32\DRIVERS\5U875.sys
23:34:57.0671 4160 5U875UVC - ok
23:34:57.0687 4160 Abiosdsk - ok
23:34:57.0703 4160 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
23:34:57.0703 4160 abp480n5 - ok
23:34:57.0734 4160 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
23:34:57.0734 4160 ac97intc - ok
23:34:57.0750 4160 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:34:57.0765 4160 ACPI - ok
23:34:57.0781 4160 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
23:34:57.0781 4160 ACPIEC - ok
23:34:57.0812 4160 ADIHdAudAddService (ec0c9249eb089b7c46c16c9fae7df789) C:\WINDOWS\system32\drivers\ADIHdAud.sys
23:34:57.0828 4160 ADIHdAudAddService - ok
23:34:57.0843 4160 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
23:34:57.0859 4160 adpu160m - ok
23:34:57.0875 4160 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
23:34:57.0875 4160 AEAudio - ok
23:34:57.0890 4160 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:34:57.0906 4160 aec - ok
23:34:57.0906 4160 AegisP - ok
23:34:57.0937 4160 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
23:34:57.0937 4160 AFD - ok
23:34:57.0953 4160 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
23:34:57.0953 4160 agp440 - ok
23:34:57.0984 4160 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
23:34:57.0984 4160 agpCPQ - ok
23:34:58.0000 4160 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
23:34:58.0000 4160 Aha154x - ok
23:34:58.0015 4160 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
23:34:58.0015 4160 aic78u2 - ok
23:34:58.0031 4160 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
23:34:58.0046 4160 aic78xx - ok
23:34:58.0062 4160 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
23:34:58.0062 4160 AliIde - ok
23:34:58.0078 4160 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
23:34:58.0078 4160 alim1541 - ok
23:34:58.0109 4160 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
23:34:58.0109 4160 amdagp - ok
23:34:58.0125 4160 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
23:34:58.0125 4160 amsint - ok
23:34:58.0140 4160 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
23:34:58.0140 4160 ANC - ok
23:34:58.0156 4160 ApfiltrService (baaa6516aec2622b8fba6165ff5d68c2) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
23:34:58.0171 4160 ApfiltrService - ok
23:34:58.0187 4160 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
23:34:58.0187 4160 asc - ok
23:34:58.0218 4160 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
23:34:58.0218 4160 asc3350p - ok
23:34:58.0234 4160 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
23:34:58.0234 4160 asc3550 - ok
23:34:58.0265 4160 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:34:58.0265 4160 AsyncMac - ok
23:34:58.0281 4160 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:34:58.0281 4160 atapi - ok
23:34:58.0296 4160 Atdisk - ok
23:34:58.0328 4160 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:34:58.0328 4160 Atmarpc - ok
23:34:58.0343 4160 atmeltpm (dbf0d7e2df33b469eb55406fea759350) C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
23:34:58.0343 4160 atmeltpm - ok
23:34:58.0359 4160 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:34:58.0359 4160 audstub - ok
23:34:58.0390 4160 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:34:58.0390 4160 Beep - ok
23:34:58.0421 4160 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120215.001\BHDrvx86.sys
23:34:58.0437 4160 BHDrvx86 - ok
23:34:58.0500 4160 BTKRNL (6d23a08a656e1c230d697d1a0d63c491) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
23:34:58.0515 4160 BTKRNL - ok
23:34:58.0546 4160 BTWUSB (ad7f4b81a3f8d330dd8382b7cf4df341) C:\WINDOWS\system32\Drivers\btwusb.sys
23:34:58.0546 4160 BTWUSB - ok
23:34:58.0546 4160 catchme - ok
23:34:58.0562 4160 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
23:34:58.0562 4160 cbidf - ok
23:34:58.0578 4160 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:34:58.0593 4160 cbidf2k - ok
23:34:58.0593 4160 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
23:34:58.0609 4160 CCDECODE - ok
23:34:58.0609 4160 ccHP - ok
23:34:58.0625 4160 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
23:34:58.0625 4160 cd20xrnt - ok
23:34:58.0656 4160 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:34:58.0656 4160 Cdaudio - ok
23:34:58.0671 4160 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:34:58.0671 4160 Cdfs - ok
23:34:58.0687 4160 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:34:58.0687 4160 Cdrom - ok
23:34:58.0703 4160 Changer - ok
23:34:58.0718 4160 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
23:34:58.0718 4160 CmBatt - ok
23:34:58.0734 4160 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
23:34:58.0734 4160 CmdIde - ok
23:34:58.0750 4160 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
23:34:58.0750 4160 Compbatt - ok
23:34:58.0781 4160 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
23:34:58.0781 4160 Cpqarray - ok
23:34:58.0796 4160 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
23:34:58.0796 4160 dac2w2k - ok
23:34:58.0812 4160 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
23:34:58.0812 4160 dac960nt - ok
23:34:58.0828 4160 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:34:58.0843 4160 Disk - ok
23:34:58.0875 4160 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:34:58.0890 4160 dmboot - ok
23:34:58.0906 4160 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:34:58.0906 4160 dmio - ok
23:34:58.0921 4160 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:34:58.0921 4160 dmload - ok
23:34:58.0937 4160 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:34:58.0937 4160 DMusic - ok
23:34:58.0953 4160 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
23:34:58.0953 4160 dpti2o - ok
23:34:58.0968 4160 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:34:58.0968 4160 drmkaud - ok
23:34:58.0984 4160 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
23:34:59.0000 4160 E100B - ok
23:34:59.0015 4160 e1express (b1e9161ba28d5b826e49a1d0ded7fcc4) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
23:34:59.0015 4160 e1express - ok
23:34:59.0031 4160 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
23:34:59.0046 4160 eeCtrl - ok
23:34:59.0046 4160 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
23:34:59.0046 4160 EraserUtilRebootDrv - ok
23:34:59.0078 4160 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:34:59.0078 4160 Fastfat - ok
23:34:59.0093 4160 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:34:59.0093 4160 Fdc - ok
23:34:59.0109 4160 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:34:59.0109 4160 Fips - ok
23:34:59.0125 4160 FixZeroAccess - ok
23:34:59.0140 4160 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:34:59.0140 4160 Flpydisk - ok
23:34:59.0156 4160 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:34:59.0156 4160 FltMgr - ok
23:34:59.0171 4160 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:34:59.0171 4160 Fs_Rec - ok
23:34:59.0187 4160 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:34:59.0203 4160 Ftdisk - ok
23:34:59.0203 4160 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:34:59.0218 4160 GEARAspiWDM - ok
23:34:59.0218 4160 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:34:59.0234 4160 Gpc - ok
23:34:59.0250 4160 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:34:59.0250 4160 HDAudBus - ok
23:34:59.0265 4160 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:34:59.0265 4160 HidUsb - ok
23:34:59.0281 4160 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
23:34:59.0296 4160 hpn - ok
23:34:59.0312 4160 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:34:59.0312 4160 HTTP - ok
23:34:59.0328 4160 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
23:34:59.0328 4160 i2omgmt - ok
23:34:59.0343 4160 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
23:34:59.0343 4160 i2omp - ok
23:34:59.0359 4160 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:34:59.0359 4160 i8042prt - ok
23:34:59.0500 4160 ialm (06b71441957b48a4866de2fe27cb79c8) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
23:34:59.0625 4160 ialm - ok
23:34:59.0656 4160 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\WINDOWS\system32\DRIVERS\iaStor.sys
23:34:59.0656 4160 iaStor - ok
23:34:59.0671 4160 IBMPMDRV (931af21653dd91cd85270a2b31f87eeb) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
23:34:59.0671 4160 IBMPMDRV - ok
23:34:59.0687 4160 IBMTPCHK (083d095fed4b01fff9d501b98d50db68) C:\WINDOWS\system32\Drivers\IBMBLDID.sys
23:34:59.0687 4160 IBMTPCHK - ok
23:34:59.0703 4160 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120214.003\IDSxpx86.sys
23:34:59.0718 4160 IDSxpx86 - ok
23:34:59.0734 4160 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:34:59.0734 4160 Imapi - ok
23:34:59.0750 4160 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
23:34:59.0750 4160 ini910u - ok
23:34:59.0765 4160 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:34:59.0765 4160 IntelIde - ok
23:34:59.0781 4160 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:34:59.0796 4160 intelppm - ok
23:34:59.0796 4160 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:34:59.0812 4160 Ip6Fw - ok
23:34:59.0828 4160 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:34:59.0828 4160 IpFilterDriver - ok
23:34:59.0843 4160 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:34:59.0843 4160 IpInIp - ok
23:34:59.0859 4160 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:34:59.0859 4160 IpNat - ok
23:34:59.0890 4160 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:34:59.0890 4160 IPSec - ok
23:34:59.0906 4160 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:34:59.0906 4160 IRENUM - ok
23:34:59.0937 4160 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:34:59.0937 4160 isapnp - ok
23:34:59.0953 4160 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:34:59.0953 4160 Kbdclass - ok
23:34:59.0968 4160 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:34:59.0968 4160 kbdhid - ok
23:35:00.0000 4160 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:35:00.0000 4160 kmixer - ok
23:35:00.0015 4160 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:35:00.0015 4160 KSecDD - ok
23:35:00.0046 4160 lbrtfdc - ok
23:35:00.0062 4160 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
23:35:00.0078 4160 LMIInfo - ok
23:35:00.0093 4160 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
23:35:00.0109 4160 lmimirr - ok
23:35:00.0125 4160 LMIRfsClientNP - ok
23:35:00.0140 4160 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
23:35:00.0140 4160 LMIRfsDriver - ok
23:35:00.0171 4160 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:35:00.0171 4160 mnmdd - ok
23:35:00.0187 4160 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:35:00.0187 4160 Modem - ok
23:35:00.0203 4160 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:35:00.0218 4160 Mouclass - ok
23:35:00.0234 4160 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:35:00.0234 4160 mouhid - ok
23:35:00.0250 4160 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:35:00.0250 4160 MountMgr - ok
23:35:00.0265 4160 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
23:35:00.0265 4160 mraid35x - ok
23:35:00.0281 4160 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:35:00.0296 4160 MRxDAV - ok
23:35:00.0312 4160 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:35:00.0328 4160 MRxSmb - ok
23:35:00.0359 4160 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:35:00.0359 4160 Msfs - ok
23:35:00.0375 4160 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:35:00.0375 4160 MSKSSRV - ok
23:35:00.0406 4160 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:35:00.0406 4160 MSPCLOCK - ok
23:35:00.0421 4160 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:35:00.0421 4160 MSPQM - ok
23:35:00.0437 4160 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:35:00.0437 4160 mssmbios - ok
23:35:00.0468 4160 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
23:35:00.0468 4160 MSTEE - ok
23:35:00.0484 4160 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:35:00.0484 4160 Mup - ok
23:35:00.0500 4160 MXOPSWD (c29f284ff7ab4ed38ce419a9424e52a2) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
23:35:00.0500 4160 MXOPSWD - ok
23:35:00.0531 4160 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
23:35:00.0531 4160 NABTSFEC - ok
23:35:00.0546 4160 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20120219.016\NAVENG.SYS
23:35:00.0546 4160 NAVENG - ok
23:35:00.0593 4160 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20120219.016\NAVEX15.SYS
23:35:00.0625 4160 NAVEX15 - ok
23:35:00.0640 4160 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:35:00.0656 4160 NDIS - ok
23:35:00.0671 4160 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
23:35:00.0671 4160 NdisIP - ok
23:35:00.0687 4160 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:35:00.0687 4160 NdisTapi - ok
23:35:00.0703 4160 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:35:00.0703 4160 Ndisuio - ok
23:35:00.0718 4160 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:35:00.0734 4160 NdisWan - ok
23:35:00.0750 4160 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:35:00.0750 4160 NDProxy - ok
23:35:00.0765 4160 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:35:00.0765 4160 NetBIOS - ok
23:35:00.0781 4160 NetBT (40e65c560013869f14eceb904f15390d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:35:00.0796 4160 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 40e65c560013869f14eceb904f15390d, Fake md5: d3e1e88cbabb15ad235d8bee1edc602a
23:35:00.0796 4160 NetBT ( Virus.Win32.ZAccess.c ) - infected
23:35:00.0796 4160 NetBT - detected Virus.Win32.ZAccess.c (0)
23:35:00.0890 4160 NETw4x32 (9eb7001200bc53dad5bc531f0e58970e) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
23:35:00.0953 4160 NETw4x32 - ok
23:35:00.0968 4160 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:35:00.0968 4160 Npfs - ok
23:35:01.0000 4160 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:35:01.0015 4160 Ntfs - ok
23:35:01.0046 4160 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:35:01.0046 4160 Null - ok
23:35:01.0125 4160 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
23:35:01.0171 4160 nv - ok
23:35:01.0187 4160 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:35:01.0187 4160 NwlnkFlt - ok
23:35:01.0203 4160 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:35:01.0218 4160 NwlnkFwd - ok
23:35:01.0234 4160 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:35:01.0250 4160 Parport - ok
23:35:01.0265 4160 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:35:01.0265 4160 PartMgr - ok
23:35:01.0281 4160 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:35:01.0281 4160 ParVdm - ok
23:35:01.0296 4160 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:35:01.0312 4160 PCI - ok
23:35:01.0328 4160 PCIDump - ok
23:35:01.0343 4160 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:35:01.0343 4160 PCIIde - ok
23:35:01.0359 4160 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:35:01.0359 4160 Pcmcia - ok
23:35:01.0375 4160 PDCOMP - ok
23:35:01.0406 4160 PDFRAME - ok
23:35:01.0421 4160 PDRELI - ok
23:35:01.0437 4160 PDRFRAME - ok
23:35:01.0453 4160 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
23:35:01.0453 4160 perc2 - ok
23:35:01.0468 4160 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
23:35:01.0468 4160 perc2hib - ok
23:35:01.0500 4160 pmem - ok
23:35:01.0531 4160 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:35:01.0531 4160 PptpMiniport - ok
23:35:01.0562 4160 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
23:35:01.0562 4160 Processor - ok
23:35:01.0578 4160 PROCEXP151 - ok
23:35:01.0593 4160 psadd (f8a25f1dd8b2c332cbc663e3579566e7) C:\WINDOWS\system32\DRIVERS\psadd.sys
23:35:01.0609 4160 psadd - ok
23:35:01.0625 4160 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:35:01.0625 4160 PSched - ok
23:35:01.0640 4160 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:35:01.0640 4160 Ptilink - ok
23:35:01.0656 4160 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:35:01.0656 4160 PxHelp20 - ok
23:35:01.0671 4160 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
23:35:01.0687 4160 ql1080 - ok
23:35:01.0703 4160 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
23:35:01.0703 4160 Ql10wnt - ok
23:35:01.0718 4160 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
23:35:01.0718 4160 ql12160 - ok
23:35:01.0734 4160 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
23:35:01.0734 4160 ql1240 - ok
23:35:01.0750 4160 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
23:35:01.0765 4160 ql1280 - ok
23:35:01.0781 4160 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:35:01.0781 4160 RasAcd - ok
23:35:01.0796 4160 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:35:01.0796 4160 Rasl2tp - ok
23:35:01.0906 4160 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:35:01.0906 4160 RasPppoe - ok
23:35:01.0937 4160 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:35:01.0937 4160 Raspti - ok
23:35:01.0953 4160 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:35:01.0968 4160 Rdbss - ok
23:35:01.0984 4160 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:35:01.0984 4160 RDPCDD - ok
23:35:02.0000 4160 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:35:02.0015 4160 rdpdr - ok
23:35:02.0031 4160 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
23:35:02.0046 4160 RDPWD - ok
23:35:02.0062 4160 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:35:02.0062 4160 redbook - ok
23:35:02.0093 4160 s24trans (c26a053e4db47f6cdd8653c83aaf22ee) C:\WINDOWS\system32\DRIVERS\s24trans.sys
23:35:02.0109 4160 s24trans - ok
23:35:02.0140 4160 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:35:02.0140 4160 Secdrv - ok
23:35:02.0156 4160 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:35:02.0156 4160 serenum - ok
23:35:02.0187 4160 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:35:02.0187 4160 Serial - ok
23:35:02.0218 4160 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:35:02.0218 4160 Sfloppy - ok
23:35:02.0250 4160 Shockprf (a3aee791db8c73882f4503bfaacd8c9e) C:\WINDOWS\system32\DRIVERS\Apsx86.sys
23:35:02.0250 4160 Shockprf - ok
23:35:02.0265 4160 Simbad - ok
23:35:02.0281 4160 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
23:35:02.0281 4160 sisagp - ok
23:35:02.0296 4160 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
23:35:02.0312 4160 SLIP - ok
23:35:02.0312 4160 smihlp (8b098d7113f39ab9c51d071bf0ff11f6) C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
23:35:02.0328 4160 smihlp - ok
23:35:02.0359 4160 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
23:35:02.0359 4160 Sparrow - ok
23:35:02.0375 4160 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:35:02.0375 4160 splitter - ok
23:35:02.0406 4160 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:35:02.0406 4160 sr - ok
23:35:02.0437 4160 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\NIS\1207000.00D\SRTSP.SYS
23:35:02.0453 4160 SRTSP - ok
23:35:02.0468 4160 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NIS\1207000.00D\SRTSPX.SYS
23:35:02.0484 4160 SRTSPX - ok
23:35:02.0500 4160 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:35:02.0515 4160 Srv - ok
23:35:02.0546 4160 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
23:35:02.0546 4160 streamip - ok
23:35:02.0562 4160 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:35:02.0562 4160 swenum - ok
23:35:02.0578 4160 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:35:02.0593 4160 swmidi - ok
23:35:02.0609 4160 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
23:35:02.0609 4160 symc810 - ok
23:35:02.0625 4160 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
23:35:02.0640 4160 symc8xx - ok
23:35:02.0656 4160 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NIS\1207000.00D\SYMDS.SYS
23:35:02.0671 4160 SymDS - ok
23:35:02.0703 4160 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NIS\1207000.00D\SYMEFA.SYS
23:35:02.0734 4160 SymEFA - ok
23:35:02.0750 4160 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
23:35:02.0750 4160 SymEvent - ok
23:35:02.0781 4160 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NIS\1207000.00D\Ironx86.SYS
23:35:02.0781 4160 SymIRON - ok
23:35:02.0812 4160 SYMTDI (336cace58f0359d5cbb1ae6b8a2fb205) C:\WINDOWS\System32\Drivers\NIS\1207000.00D\SYMTDI.SYS
23:35:02.0828 4160 SYMTDI - ok
23:35:02.0843 4160 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
23:35:02.0843 4160 sym_hi - ok
23:35:02.0859 4160 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
23:35:02.0859 4160 sym_u3 - ok
23:35:02.0875 4160 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:35:02.0890 4160 sysaudio - ok
23:35:02.0921 4160 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:35:02.0921 4160 Tcpip - ok
23:35:02.0953 4160 TcUsb (07d174a992ab0ea6001f390de1afa27b) C:\WINDOWS\system32\Drivers\tcusb.sys
23:35:02.0953 4160 TcUsb - ok
23:35:02.0968 4160 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:35:02.0968 4160 TDPIPE - ok
23:35:02.0984 4160 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:35:02.0984 4160 TDTCP - ok
23:35:03.0000 4160 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:35:03.0015 4160 TermDD - ok
23:35:03.0031 4160 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
23:35:03.0046 4160 TosIde - ok
23:35:03.0062 4160 TPDIGIMN (639ba7b37f25054cf5e82604e736d250) C:\WINDOWS\system32\DRIVERS\ApsHM86.sys
23:35:03.0062 4160 TPDIGIMN - ok
23:35:03.0078 4160 TPHKDRV - ok
23:35:03.0093 4160 TPPWRIF - ok
23:35:03.0125 4160 TSMAPIP (f10f36e20448a5500a5f83f67ee4aad4) C:\WINDOWS\system32\drivers\TSMAPIP.SYS
23:35:03.0125 4160 TSMAPIP - ok
23:35:03.0156 4160 tvtfilter (49258a02a1e8d304ed88b0f1c56b1738) C:\WINDOWS\system32\DRIVERS\tvtfilter.sys
23:35:03.0156 4160 tvtfilter - ok
23:35:03.0171 4160 TVTI2C (8ab24d4b7da715c2c80455137910e792) C:\WINDOWS\system32\DRIVERS\Tvti2c.sys
23:35:03.0171 4160 TVTI2C - ok
23:35:03.0203 4160 tvtumon (930b8b8ef659a714cf1c755928b8850c) C:\WINDOWS\system32\DRIVERS\tvtumon.sys
23:35:03.0203 4160 tvtumon - ok
23:35:03.0218 4160 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:35:03.0218 4160 Udfs - ok
23:35:03.0250 4160 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
23:35:03.0250 4160 ultra - ok
23:35:03.0281 4160 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:35:03.0281 4160 Update - ok
23:35:03.0312 4160 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
23:35:03.0312 4160 USBAAPL - ok
23:35:03.0328 4160 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:35:03.0343 4160 usbccgp - ok
23:35:03.0359 4160 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:35:03.0359 4160 usbehci - ok
23:35:03.0375 4160 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:35:03.0375 4160 usbhub - ok
23:35:03.0390 4160 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:35:03.0406 4160 usbprint - ok
23:35:03.0421 4160 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:35:03.0421 4160 usbscan - ok
23:35:03.0437 4160 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:35:03.0437 4160 USBSTOR - ok
23:35:03.0453 4160 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:35:03.0453 4160 usbuhci - ok
23:35:03.0484 4160 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
23:35:03.0484 4160 usbvideo - ok
23:35:03.0500 4160 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:35:03.0500 4160 VgaSave - ok
23:35:03.0515 4160 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
23:35:03.0515 4160 viaagp - ok
23:35:03.0546 4160 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
23:35:03.0546 4160 ViaIde - ok
23:35:03.0562 4160 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:35:03.0562 4160 VolSnap - ok
23:35:03.0593 4160 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:35:03.0593 4160 Wanarp - ok
23:35:03.0625 4160 Wdf01000 (8b35229d2761bc8ed526cb69e4f6685e) C:\WINDOWS\system32\Drivers\wdf01000.sys
23:35:03.0640 4160 Wdf01000 - ok
23:35:03.0656 4160 WDICA - ok
23:35:03.0671 4160 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:35:03.0671 4160 wdmaud - ok
23:35:03.0734 4160 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
23:35:03.0734 4160 WS2IFSL - ok
23:35:03.0765 4160 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
23:35:03.0765 4160 WSTCODEC - ok
23:35:03.0781 4160 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:35:03.0781 4160 WudfPf - ok
23:35:03.0812 4160 MBR (0x1B8) (764dd92810ee41ca0642387d56f71739) \Device\Harddisk0\DR0
23:35:03.0828 4160 \Device\Harddisk0\DR0 - ok
23:35:03.0828 4160 Boot (0x1200) (8eed07a9e27106406776fbd67b80914b) \Device\Harddisk0\DR0\Partition0
23:35:03.0828 4160 \Device\Harddisk0\DR0\Partition0 - ok
23:35:03.0828 4160 ============================================================
23:35:03.0828 4160 Scan finished
23:35:03.0828 4160 ============================================================
23:35:03.0843 0352 Detected object count: 1
23:35:03.0843 0352 Actual detected object count: 1
23:35:15.0296 0352 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
23:35:20.0578 0352 Backup copy found, using it..
23:35:20.0593 0352 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
23:35:21.0484 0352 NetBT ( Virus.Win32.ZAccess.c ) - User select action: Cure
23:35:33.0359 5764 Deinitialize success

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-19 23:40:28
-----------------------------
23:40:28.906 OS Version: Windows 5.1.2600 Service Pack 3
23:40:28.906 Number of processors: 2 586 0xF0B
23:40:28.906 ComputerName: LENOVO-C18A9B51 UserName: Owner
23:40:29.500 Initialize success
23:44:52.250 AVAST engine defs: 12021901
23:45:46.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:45:46.687 Disk 0 Vendor: SAMSUNG_ PS10 Size: 61057MB BusType: 3
23:45:46.687 Disk 0 MBR read successfully
23:45:46.703 Disk 0 MBR scan
23:45:46.703 Disk 0 unknown MBR code
23:45:46.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56985 MB offset 2048
23:45:46.718 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 4070 MB offset 116707328
23:45:46.734 Disk 0 scanning sectors +125042688
23:45:46.750 Disk 0 scanning C:\WINDOWS\system32\drivers
23:45:52.468 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:45:52.906 File: C:\WINDOWS\system32\drivers\mrxsmb.sys_backup **INFECTED** Win32:Aluroot-B [Rtk]
23:45:55.890 Disk 0 trace - called modules:
23:45:55.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x94f1dfc0]<<
23:45:55.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac09738]
23:45:55.906 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x860325f8]
23:45:55.906 \Driver\00002464[0x89b81670] -> IRP_MJ_CREATE -> 0x94f1dfc0
23:45:56.109 AVAST engine scan C:\WINDOWS
23:46:00.000 AVAST engine scan C:\WINDOWS\system32
23:48:00.718 AVAST engine scan C:\WINDOWS\system32\drivers
23:48:07.421 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:48:08.000 File: C:\WINDOWS\system32\drivers\mrxsmb.sys_backup **INFECTED** Win32:Aluroot-B [Rtk]
23:48:14.015 AVAST engine scan C:\Documents and Settings\Owner
23:49:03.953 File: C:\Documents and Settings\Owner\Application Data\FixTDSS\Archive\afd.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:52:19.875 AVAST engine scan C:\Documents and Settings\All Users
23:53:47.281 Scan finished successfully
23:54:52.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
23:54:52.734 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 03:06 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
ipsec.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Gary Viva (Topic Starter)

  • Members
  • 19 posts

Posted 20 February 2012 - 03:11 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 00:09 on 20/02/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\Documents and Settings\Owner\Application Data\FixTDSS\Archive\ipsec.sys --a---- 75264 bytes [22:36 14/02/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\Documents and Settings\Owner\Application Data\FixZeroAccess\Archive\ipsec.sys --a---- 75264 bytes [02:51 14/02/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [09:52 26/01/2009] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ERDNT\cache\ipsec.sys --a---- 75264 bytes [14:24 14/02/2012] [04:28 14/02/2012] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [17:07 11/01/2009] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a---- 75264 bytes [06:55 30/04/2006] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [06:55 30/04/2006] [19:19 13/04/2008] 19DD19FB992D6BF67811913B6FEAE577

-= EOF =-

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 03:16 AM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 

FCopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

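The reasoning behind the FCopy step above (the live ipsec.sys in system32\drivers carries a different MD5 from every protected copy in the SystemLook output in post #7, so the dllcache copy is used to overwrite it) can be automated. The script below is an added Python example, not a tool from this thread or from SystemLook's author: it parses the filefind section of a SystemLook log, treats the dllcache and ServicePackFiles\i386 copies as the Windows File Protection reference set, and flags a live driver whose hash does not match them. The sample log is constructed from the paths, sizes, timestamps and hashes posted above; the regex for the log line format is an assumption based on that one posted log.

```python
import re
from typing import Dict, List

# Constructed sample input: the filefind section of a SystemLook log, laid
# out like the one posted in this thread (paths, sizes, timestamps and MD5
# values are copied from that post).
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 00:09 on 20/02/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\Documents and Settings\Owner\Application Data\FixTDSS\Archive\ipsec.sys --a---- 75264 bytes [22:36 14/02/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [09:52 26/01/2009] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [17:07 11/01/2009] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a---- 75264 bytes [06:55 30/04/2006] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [06:55 30/04/2006] [19:19 13/04/2008] 19DD19FB992D6BF67811913B6FEAE577

-= EOF =-
"""

# One SystemLook filefind result line (format assumed from the posted log):
# path, attribute flags, size, [modified] [created] timestamps, MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Windows File Protection keeps pristine copies of system files in these
# stores; the live driver is expected to hash identically to them.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")
LIVE_DIR = "\\system32\\drivers\\"


def parse_filefind(text: str) -> Dict[str, List[dict]]:
    """Group the result lines of a SystemLook :filefind log by searched name."""
    results: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'^Searching for "(.+)"$', line)
        if header:
            current = header.group(1).lower()
            results[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            rec = entry.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            results[current].append(rec)
    return results


def assess_driver(entries: List[dict]) -> dict:
    """Compare the live copy under system32\\drivers with the WFP reference copies."""
    refs = [e for e in entries if any(d in e["path"].lower() for d in REFERENCE_DIRS)]
    live = [e for e in entries if LIVE_DIR in e["path"].lower()]
    if not live:
        return {"verdict": "NO_LIVE_COPY"}
    live_entry = live[0]
    ref_hashes = sorted({e["md5"] for e in refs})
    result = {
        "live_path": live_entry["path"],
        "live_md5": live_entry["md5"],
        "reference_md5": ref_hashes,
    }
    if not ref_hashes:
        result["verdict"] = "NO_REFERENCE"
        return result
    if live_entry["md5"] in ref_hashes:
        result["verdict"] = "MATCH"
        return result
    # Prefer the dllcache copy as the restore source, as the CFScript above does.
    ref = next((e for e in refs if "\\dllcache\\" in e["path"].lower()), refs[0])
    result["verdict"] = "MISMATCH"
    result["restore_from"] = ref["path"]
    # Same size and identical timestamps with different content is what a
    # driver patched in place (rather than replaced) looks like on disk.
    result["same_size_as_reference"] = live_entry["size"] == ref["size"]
    result["same_timestamps_as_reference"] = (
        (live_entry["modified"], live_entry["created"]) == (ref["modified"], ref["created"])
    )
    return result


def report(text: str) -> Dict[str, dict]:
    """Assess every driver name searched for in a SystemLook log."""
    return {name: assess_driver(entries) for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_LOG).items():
        print(name, verdict)
```

On the posted log this reports MISMATCH for ipsec.sys with the dllcache path as the restore source, and notes that the live file has the same size and the same two timestamps as the clean copy despite the different hash, which is why size and date columns alone would not have exposed it.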

#9 Gary Viva (Topic Starter)

  • Members
  • 19 posts

Posted 20 February 2012 - 03:23 AM

I have started running ComboFix again in the manner described in your most recent post. A message box came up indicating I was infected with ZeroAccess rootkit and explaining that this was particularly difficult. I clicked okay and it seems to be running again. I'm going to bed now but I'll check it in the AM and post the log.

Thank you again for your help.

Gary

#10 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 03:29 AM

see you later today then


gringo

#11 Gary Viva (Topic Starter)

  • Members
  • 19 posts

Posted 20 February 2012 - 09:41 AM

Hi, Gringo --

ComboFix ran overnight. The log is pasted below. However, the computer can no longer get an IP address from the DHCP server. The Windows Event Log shows Error 4311 on NetBT "Initialization failed because the device driver could not be created" and numerous other errors that I can describe if you need them. Anyway, here is the ComboFix.txt file. Please advise.

Thanks,
Gary

ComboFix 12-02-19.02 - Owner 02/20/2012 0:47.5.2 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB18610$\2163198045\@
c:\windows\$NtUninstallKB18610$\2163198045\cfg.ini
c:\windows\$NtUninstallKB18610$\2163198045\Desktop.ini
c:\windows\$NtUninstallKB18610$\2163198045\L\hvmonmrs
c:\windows\$NtUninstallKB18610$\2163198045\U\00000001.@
c:\windows\$NtUninstallKB18610$\2163198045\U\00000002.@
c:\windows\$NtUninstallKB18610$\2163198045\U\00000004.@
c:\windows\$NtUninstallKB18610$\2163198045\U\80000000.@
c:\windows\$NtUninstallKB18610$\2163198045\U\80000004.@
c:\windows\$NtUninstallKB18610$\2163198045\U\80000032.@
c:\windows\$NtUninstallKB18610$\2163198045\version
c:\windows\$NtUninstallKB18610$\924940867
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-20 08:39 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-02-20 01:57 . 2012-02-20 01:57 -------- d-----w- C:\f68bceab87d919661998652195af51
2012-02-20 00:05 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-20 00:05 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 19:07 . 2012-02-15 19:09 -------- d-----w- c:\documents and settings\Owner\Application Data\PCDr
2012-02-14 22:36 . 2012-02-14 22:36 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-02-14 22:36 . 2012-02-14 22:36 -------- d-----w- c:\documents and settings\Owner\Application Data\FixTDSS
2012-02-14 17:54 . 2012-02-14 04:39 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-14 17:38 . 2012-02-20 07:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-14 17:38 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-14 03:59 . 2012-02-20 07:35 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-14 02:51 . 2012-02-14 02:51 -------- d-----w- c:\documents and settings\Owner\Application Data\FixZeroAccess
2012-02-12 19:46 . 2012-02-20 07:39 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 19:32 . 2012-02-06 23:30 -------- d-----w- c:\windows\system32\drivers\NIS\1207000.00D
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-14 04:28 . 2012-02-14 04:54 75264 ----a-w- c:\windows\system32\drivers\ipsec.svs
2011-11-25 21:57 . 2006-04-30 06:55 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29 . 2006-04-30 06:55 1868544 ------w- c:\windows\system32\win32k.sys
2011-11-23 04:08 . 2011-05-13 15:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-08-23 23:44 . 2009-08-23 23:44 28488 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-08-23 23:44 . 2009-08-23 23:44 185232 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2012-02-20 06:42 . 2011-06-22 03:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-31 2937528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-06-08 60192]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-02-13 66928]
"TpShocks"="TpShocks.exe" [2007-11-22 181536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 243248]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-12-03 176128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-07 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-07 137752]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-01-10 144728]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-01-10 124248]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2008-01-04 16384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-02-19 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-02-19 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-11-30 2872632]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-18 81920]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-19 1044480]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-12 63048]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-1 576104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-06-08 20:05 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 23:54 89600 ------w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-14 07:36 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\program files\\Skype\\Phone\\skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58015:TCP"= 58015:TCP:Pando Media Booster
"58015:UDP"= 58015:UDP:Pando Media Booster
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207000.00D\symds.sys [2/4/2012 11:32 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207000.00D\symefa.sys [2/4/2012 11:32 AM 744568]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [2/19/2012 4:24 PM 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207000.00D\ironx86.sys [2/4/2012 11:32 AM 136312]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [12/5/2007 4:42 PM 46144]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [6/8/2011 12:04 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 6:04 PM 12856]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.0.13\ccsvchst.exe [2/4/2012 11:32 AM 130008]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [8/14/2007 3:46 PM 10896]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [12/5/2007 5:17 PM 520192]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [1/7/2009 12:25 PM 72448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 11:32 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120214.003\IDSXpx86.sys [2/15/2012 10:35 AM 356280]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 2:59 PM 30336]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys --> c:\windows\system32\drivers\FixZeroAccess.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys --> c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 3:58 PM 136176]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [12/5/2007 4:42 PM 260672]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [8/16/2011 6:41 PM 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 3:58 PM 136176]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PAR1284
uphclean
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 23:58]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 23:58]
.
2012-02-15 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
2012-02-20 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-01-07 16:30]
.
2012-02-20 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.0.101
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\unxm5r2m.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-22015186.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 06:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB18610$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\LMIinit.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(964)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
- - - - - - - > 'explorer.exe'(1400)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\program files\PC-Doctor\PcdToolbar584923.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-02-20 06:23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 14:23
ComboFix2.txt 2012-02-20 07:09
ComboFix3.txt 2012-02-14 21:19
ComboFix4.txt 2012-02-14 14:26
.
Pre-Run: 8,544,382,976 bytes free
Post-Run: 8,909,037,568 bytes free
.
- - End Of File - - CF78691C82CCC9E4772C6704F211E194

#12 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 03:42 PM

Hello


Rerun aswMBR and then run this for me and send me both reports.



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Gary Viva
  • Topic Starter
  • Members
  • 19 posts

Posted 20 February 2012 - 03:57 PM

Hi, Gringo --

I'm not sure what you mean by "both reports" for aswMBR. There was only one report produced. Do you mean the one that I sent from the last time I ran aswMBR or what? Anyway, here are the logs requested.

Thanks again,
Gary

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-19 23:40:28
-----------------------------
23:40:28.906 OS Version: Windows 5.1.2600 Service Pack 3
23:40:28.906 Number of processors: 2 586 0xF0B
23:40:28.906 ComputerName: LENOVO-C18A9B51 UserName: Owner
23:40:29.500 Initialize success
23:44:52.250 AVAST engine defs: 12021901
23:45:46.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:45:46.687 Disk 0 Vendor: SAMSUNG_ PS10 Size: 61057MB BusType: 3
23:45:46.687 Disk 0 MBR read successfully
23:45:46.703 Disk 0 MBR scan
23:45:46.703 Disk 0 unknown MBR code
23:45:46.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56985 MB offset 2048
23:45:46.718 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 4070 MB offset 116707328
23:45:46.734 Disk 0 scanning sectors +125042688
23:45:46.750 Disk 0 scanning C:\WINDOWS\system32\drivers
23:45:52.468 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:45:52.906 File: C:\WINDOWS\system32\drivers\mrxsmb.sys_backup **INFECTED** Win32:Aluroot-B [Rtk]
23:45:55.890 Disk 0 trace - called modules:
23:45:55.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x94f1dfc0]<<
23:45:55.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac09738]
23:45:55.906 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x860325f8]
23:45:55.906 \Driver\00002464[0x89b81670] -> IRP_MJ_CREATE -> 0x94f1dfc0
23:45:56.109 AVAST engine scan C:\WINDOWS
23:46:00.000 AVAST engine scan C:\WINDOWS\system32
23:48:00.718 AVAST engine scan C:\WINDOWS\system32\drivers
23:48:07.421 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:48:08.000 File: C:\WINDOWS\system32\drivers\mrxsmb.sys_backup **INFECTED** Win32:Aluroot-B [Rtk]
23:48:14.015 AVAST engine scan C:\Documents and Settings\Owner
23:49:03.953 File: C:\Documents and Settings\Owner\Application Data\FixTDSS\Archive\afd.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:52:19.875 AVAST engine scan C:\Documents and Settings\All Users
23:53:47.281 Scan finished successfully
23:54:52.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
23:54:52.734 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-20 12:44:29
-----------------------------
12:44:29.015 OS Version: Windows 5.1.2600 Service Pack 3
12:44:29.015 Number of processors: 2 586 0xF0B
12:44:29.015 ComputerName: LENOVO-C18A9B51 UserName: Owner
12:44:29.328 Initialize success
12:44:35.046 AVAST engine download error: 0
12:46:12.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:46:12.859 Disk 0 Vendor: SAMSUNG_ PS10 Size: 61057MB BusType: 3
12:46:12.859 Disk 0 MBR read successfully
12:46:12.859 Disk 0 MBR scan
12:46:12.859 Disk 0 unknown MBR code
12:46:12.859 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56985 MB offset 2048
12:46:12.859 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 4070 MB offset 116707328
12:46:12.875 Disk 0 scanning sectors +125042688
12:46:12.875 Disk 0 scanning C:\WINDOWS\system32\drivers
12:46:14.171 Service scanning
12:46:17.750 Modules scanning
12:46:20.312 Disk 0 trace - called modules:
12:46:20.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
12:46:20.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac0f030]
12:46:20.312 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000084[0x8ac1d910]
12:46:20.312 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a6a6030]
12:46:20.312 Scan finished successfully
12:47:03.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
12:47:03.640 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR1.txt"


Farbar Service Scanner Version: 14-02-2012
Ran by Owner (administrator) on 20-02-2012 at 12:52:00
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(11) Tcpip(3)
0x0B000000040000000100000002000000030000000B0000000A0000000900000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
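The Security Center overrides and disabled-firewall keys in the ComboFix dump earlier in the thread, the aswMBR detections and the Farbar Service Scanner output above are the lines a helper reads first. The script below is an added example, not a tool from this thread or from any of the scanners whose output it parses. It runs on a constructed sample (lines copied in the same formats as the logs posted above) and flags the Security Center overrides, both disabled firewall profiles, the unknown MBR code, the files aswMBR reports as infected, the stopped core services, and the one file that aswMBR calls infected while FSS reports its MD5 as legitimate.

```python
"""Triage the ComboFix, aswMBR and FSS log lines posted in a removal thread.

Added example, not a tool from the thread. Severity is a simple helper's
ranking: "high" for tampered security settings and detections, "medium" for
stopped services and cross-tool disagreements, "info" for settings to eyeball.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "info"
    category: str
    detail: str


# Constructed sample: excerpts in the same formats as the logs in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.101
23:45:46.703 Disk 0 unknown MBR code
23:45:52.468 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:45:52.906 File: C:\WINDOWS\system32\drivers\mrxsmb.sys_backup **INFECTED** Win32:Aluroot-B [Rtk]
sharedaccess Service is not running. Checking service configuration:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
wuauserv Service is not running. Checking service configuration:
BITS Service is not running. Checking service configuration:
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
"""

# One pattern per line shape: registry lines (ComboFix and FSS), aswMBR
# scan lines, FSS service and hash lines, ComboFix supplementary-scan lines.
KEY_RE = re.compile(r"^\[(.+)\]$")
OVERRIDE_RE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$', re.I)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?:dword:)?0+(?:\s|$)', re.I)
INFECTED_RE = re.compile(r"File: (.+?) \*\*INFECTED\*\* (.+)$")
SERVICE_DOWN_RE = re.compile(r"^(\w+) Service is not running", re.I)
MD5_OK_RE = re.compile(r"^(.+?) => MD5 is legit$", re.I)
PROXY_RE = re.compile(r"^uInternet Settings,(Proxy\w+|AutoConfigURL)\s*=\s*(.+)$")
DNS_RE = re.compile(r"^TCP: (Dhcp)?NameServer\s*=\s*(.+)$")


def triage(log_text: str) -> List[Finding]:
    """Return findings in order of appearance, with cross-tool conflicts last."""
    findings: List[Finding] = []
    infected: Dict[str, str] = {}   # lower-cased path -> detection name
    md5_ok = set()                  # lower-cased paths FSS hashed as legitimate
    current_key = ""                # last "[...]" registry key seen, lower-cased

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group(1).lower()
        elif (m := OVERRIDE_RE.match(line)) and "security center" in current_key:
            findings.append(Finding("high", "security-center",
                                    f"{m.group(1)} set under [{current_key}]"))
        elif FIREWALL_OFF_RE.match(line) and "firewallpolicy" in current_key:
            profile = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding("high", "firewall",
                                    f"Windows Firewall disabled for {profile}"))
        elif "unknown MBR code" in line:
            findings.append(Finding("high", "mbr", "aswMBR: unknown MBR code"))
        elif (m := INFECTED_RE.search(line)):
            infected[m.group(1).lower()] = m.group(2)
            findings.append(Finding("high", "infected", f"{m.group(1)}: {m.group(2)}"))
        elif (m := SERVICE_DOWN_RE.match(line)):
            findings.append(Finding("medium", "service", f"{m.group(1)} is not running"))
        elif (m := MD5_OK_RE.match(line)):
            md5_ok.add(m.group(1).lower())
        elif (m := PROXY_RE.match(line)):
            # A proxy server or auto-config URL can redirect traffic; an
            # override list on its own is only worth a look.
            sev = "medium" if m.group(1) in ("ProxyServer", "AutoConfigURL") else "info"
            findings.append(Finding(sev, "proxy", f"{m.group(1)} = {m.group(2)}"))
        elif (m := DNS_RE.match(line)):
            findings.append(Finding("info", "dns", f"name server = {m.group(2)}"))

    # A file one tool flags and another hashes as legitimate is reported for
    # a follow-up check rather than resolved in favour of either verdict.
    for path, name in infected.items():
        if path in md5_ok:
            findings.append(Finding("medium", "conflict",
                                    f"{path}: flagged as {name} but MD5 reported legit"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, always returning all three keys."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.category:16} {f.detail}")
    print(summarize(results))
```

The registry checks key off the last `[...]` header seen, which is how both ComboFix and FSS print their dumps, so the same `EnableFirewall` pattern covers ComboFix's `= 0 (0x0)` form and FSS's `=DWORD:0` form and reports the profile name from the key. Paths are compared case-insensitively because aswMBR and FSS print `drivers` and `Drivers` differently for the same file.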

#14 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 05:09 PM

Make sure your settings are correct.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol version 4 (TCP/IPv4), make sure it is checked, and then click Properties
6. Make sure Obtain an IP Address Automatically and Obtain DNS server address Automatically are checked.
7. Click on "Advanced" button and make sure "IP Settings" tab looks like this:
[screenshot not reproduced]
Make sure "DNS" tab looks like this:
[screenshot not reproduced]
Make sure "WINS" tab looks like this:
[screenshot not reproduced]
8. Still in Control Panel double click on "Internet options" then "Connections" tab then "LAN Settings" button. Make sure "Automatically detect settings" is checked.
If you made any changes OK your way out.
Restart computer.

------------------------------------------------

If that doesn't work...
Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.

------------------------------------------

If that doesn't work, bypass router, and connect computer straight to the modem.

---------------------------------------------

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Restart computer.

-------------------------------------------------------

If that doesn't work...
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart computer.


----------------------------------------



If that doesn't work...
Download, install, and run WinSockFix: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml (doesn't work in Vista and 7)
Restart computer, and check again.


-------------------------------------------------------------

If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista and 7):
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.

#15 Gary Viva
  • Topic Starter
  • Members
  • 19 posts

Posted 20 February 2012 - 05:18 PM

I verified all of the settings and rebooted and now I have internet connectivity back. However, NIS just popped up and said that I'm infected with ZeroAccess Rootkit Activity 4.

Please advise.

thanks,
Gary



