
Removal of Trojans and Zero.Access Rootkit on 32-bit Win XP SP3


  • This topic is locked
10 replies to this topic

#1 Gan Dinga

Gan Dinga

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 11 March 2012 - 08:18 AM

Greetings,

I hope someone can help me with this issue. My 32-bit Windows XP SP3 computer got infected with Trojan viruses. The computer had Norton Antivirus (not sure if the latest) and had the latest Microsoft updates, including the Malicious Software Removal Tool updates. I think I clicked on the wrong place/advertisement on a website by mistake. After I noticed something was wrong, I went to several forums and followed what they recommended. I then downloaded Microsoft Security Essentials (MSE) from another computer and installed it using safe mode. MSE found several of the following Trojan viruses:
Trojan:Win32/sirefef.p
Trojan:Win32/Conedex.A
Trojan:Win32/Conedex.B
Trojan:Win32/Conedex.C
Trojan:Win32/sirefef.j
Trojan:Win32/sirefef.n
Trojan:Win64/sirefef.E
TrojanDropper:Win32/sirefef.B
TrojanDropper:Win32/sirefef.N

I thought all was good and clean, but MSE kept detecting them when I logged in normally. I went to the Microsoft Answers forum and followed one of the recommendations of downloading and using Malwarebytes and TDSSKiller along with RKill (which I ran first to stop exe's that run unnoticed in the background, if I am not mistaken).

Malwarebytes found the following:
Rootkit.Agent
Rootkit.Zeroaccess

TDSSKiller found the following:
Virus.Win32.Rloader.a


A friend of mine told me about running Combofix and recommended running it just to be sure all was clean. I have heard great things about Combofix, and I ran it; at the beginning there was a message saying more or less that the trojan/rootkit was at the TCP/IP stack and that it would be a bit difficult to remove the rootkit/trojan. Anyway, Combofix ran and at the end there was a log. I was curious, and after coming to your website and further reading about Combofix, I realized I should have only run it if recommended/told to do so by one of the experts on your forums. I apologize for not knowing better and going ahead without completely reading the instructions. Now I don't know if I did the right thing or if I further damaged my computer by running Combofix without the approval or recommendation from an expert. After running Combofix I have only turned the computer on in safe mode. I will post the log file that was generated anyway since, from what I read, it has to be examined as well. I will wait for instructions.

ComboFix 12-03-04.02 - GAN 03/05/2012 9:14.1.2 - x86 NETWORK
Running from: c:\documents and settings\GAN\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\GAN\Local Settings\Application Data\2d3ecfa1\U
c:\documents and settings\GAN\Local Settings\Application Data\2d3ecfa1\U\80000000.@
c:\documents and settings\GAN\Local Settings\Application Data\assembly\tmp
c:\documents and settings\All Users\Application Data\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll
c:\documents and settings\All Users\Application Data\Microsoft\corecon\1.0\1033\SDKAddonLangVer.dll
c:\documents and settings\All Users\Application Data\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll
c:\documents and settings\All Users\Application Data\Microsoft\corecon\1.0\addons\SDKAddonVer.dll
c:\documents and settings\All Users\Application Data\Microsoft\corecon\1.0\SDKFilesVer.dll
c:\windows\$NtUninstallKB7520$
c:\windows\$NtUninstallKB7520$\2559811717
c:\windows\$NtUninstallKB7520$\759091105\@
c:\windows\$NtUninstallKB7520$\759091105\L\rohepcid
c:\windows\$NtUninstallKB7520$\759091105\loader.tlb
c:\windows\$NtUninstallKB7520$\759091105\U\@00000001
c:\windows\$NtUninstallKB7520$\759091105\U\@000000c0
c:\windows\$NtUninstallKB7520$\759091105\U\@000000cb
c:\windows\$NtUninstallKB7520$\759091105\U\@000000cf
c:\windows\$NtUninstallKB7520$\759091105\U\@80000000
c:\windows\$NtUninstallKB7520$\759091105\U\@800000c0
c:\windows\$NtUninstallKB7520$\759091105\U\@800000cb
c:\windows\$NtUninstallKB7520$\759091105\U\@800000cf
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\drivers\npf.sys
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\Packet.dll
c:\windows\system32\SET6E7.tmp
c:\windows\system32\SET6EA.tmp
c:\windows\system32\SET6EE.tmp
c:\windows\system32\SET6F0.tmp
c:\windows\system32\SET6F6.tmp
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-02-05 to 2012-03-05 )))))))))))))))))))))))))))))))
.
.
2012-03-05 13:16 . 2012-03-05 13:16 -------- d-----w- c:\documents and settings\GAN\Application Data\Reallusion
2012-03-05 13:16 . 2012-03-05 13:16 -------- d-----w- c:\documents and settings\GAN\Application Data\tmp
2012-03-05 12:59 . 2012-03-05 12:59 -------- d-----w- c:\documents and settings\GAN\Application Data\SUPERAntiSpyware.com
2012-03-05 12:57 . 2012-03-05 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-05 11:44 . 2012-03-05 11:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-05 11:13 . 2012-03-05 11:13 -------- d-----w- c:\documents and settings\GAN\Application Data\Malwarebytes
2012-03-05 11:13 . 2012-03-05 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-05 11:13 . 2012-03-05 11:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-05 11:13 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 10:10 . 2012-02-08 03:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F6EC4EB1-0388-4997-BEEC-E1D90E6670E7}\mpengine.dll
2012-02-29 19:29 . 2012-02-08 03:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-29 17:39 . 2012-02-29 17:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-02-28 17:59 . 2012-02-28 18:01 -------- d-----w- c:\documents and settings\TEMP.TINKER02.000
2012-02-28 17:47 . 2008-04-14 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-28 17:47 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-26 07:27 . 2012-02-26 07:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-02-25 12:27 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-25 12:18 . 2012-02-25 12:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-02-25 12:18 . 2012-02-25 12:18 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-25 11:02 . 2012-03-05 14:23 -------- d-sh--w- c:\documents and settings\GAN\Local Settings\Application Data\2d3ecfa1
2012-02-20 10:55 . 2012-02-20 10:58 -------- d-----w- C:\WP7
2012-02-19 20:49 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2012-02-19 20:48 . 2012-02-19 20:48 -------- d-----w- c:\windows\Logs
2012-02-19 20:48 . 2012-02-19 20:48 -------- d-----w- c:\program files\Microsoft Mathematics
2012-02-15 15:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 15:17 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-05 11:44 . 2008-04-14 00:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-02-20 12:09 . 2011-05-14 15:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:54 . 2008-04-25 16:16 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2011-11-29 15:41 . 2011-05-09 17:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-11-03 4823416]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 150040]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2009-01-19 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-11 148888]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-12 2220032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"LXCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-03-25 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\GAN\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Seagate Product Registration.lnk - c:\documents and settings\GAN\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2010-10-3 1731736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\GAN\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Norton Internet Security\\Engine\\16.8.3.6\\ccSvcHst.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008030.006\SymEFA.sys [10/11/2011 1:49 PM 310320]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [9/11/2009 2:28 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [9/11/2009 2:28 AM 41760]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [6/24/2011 2:46 PM 104752]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [7/19/2011 12:18 PM 116016]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008030.006\BHDrvx86.sys [10/11/2011 1:49 PM 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008030.006\cchpx86.sys [10/11/2011 1:49 PM 467592]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101222.001\IDSXpx86.sys [12/23/2010 3:37 PM 341944]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [7/23/2011 3:10 AM 158000]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [7/23/2011 3:05 AM 93488]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [10/6/2009 6:49 PM 8576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/5/2012 6:13 AM 652360]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [10/11/2011 1:49 PM 117648]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/11/2009 2:28 AM 112512]
S3 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service --> c:\windows\system32\lxcicoms.exe -service [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/5/2012 6:13 AM 20464]
S3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [9/11/2009 2:28 AM 141376]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [9/11/2009 2:28 AM 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [9/11/2009 2:28 AM 235840]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 8:24 PM 48128]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 3:53 PM 55664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 11:16 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 2:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 2:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1363331802-1333022373-1063898969-1005Core.job
- c:\documents and settings\GAN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-12 21:57]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1363331802-1333022373-1063898969-1005UA.job
- c:\documents and settings\GAN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-12 21:57]
.
2012-03-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-03-05 c:\windows\Tasks\User_Feed_Synchronization-{B70B763A-24A5-433E-8097-8DB7C1EB5DD3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\GAN\Application Data\Mozilla\Firefox\Profiles\ireib5c9.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-73881919.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-05 09:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%R%*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%R%*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1080)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
.
**************************************************************************
.
Completion time: 2012-03-05 09:30:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-05 14:30
.
Pre-Run: 73,173,803,008 bytes free
Post-Run: 75,209,605,120 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 001D2983C50317A41C4DCEFFBF8D833E


I guess that the only sure-safe way to surf the web is by creating a virtual environment. How can I be certain that my computer is completely free of trojans, rootkits, etc. after this incident? Do I need to rebuild my computer and surf the web using virtual software?

Thank you so much for your time and help.

Gan



#2 Will Watts

Will Watts

  • Malware Response Team
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:02 PM

Posted 12 March 2012 - 10:11 AM

Hi Gan Dinga, welcome to Bleeping Computer.

You may have removed all active malware with the various tools already run; we'll check for anything further on your machine and remove any remaining remnants.

---------------------------------

Please post the TDSSKiller log; you will find this at the root of the drive, which is typically C:\. For example: C:\TDSSKiller.2.7.7.0_date_time_log.txt
If you find multiple logs, please attach them to your next reply.

---------------------------------

Download GMER Rootkit Scanner from here and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • First, gmer will run a short, initial scan.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.


    Posted Image


  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


------------------------------------------------------
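The two logs in this thread share a pattern worth reading mechanically: TDSSKiller reports a driver whose on-disk hash ("Real md5") differs from the hash presented to the system ("Fake md5") and flags it as forged, and ComboFix lists deleted files whose paths follow the storage layout the ZeroAccess/Sirefef family used at the time (a fake $NtUninstallKB...$ hotfix folder with numeric subfolders holding U\, L\ and @ entries, and a hex-named folder with a U\ store under Local Settings). The following Python script is an added example, not code from the thread, from BleepingComputer, or from the TDSSKiller/ComboFix authors; it pulls the forged and infected entries out of a TDSSKiller log and flags ZeroAccess-style paths in a ComboFix deletion list. The sample lines are copied from the logs posted in this thread; the line formats and the path patterns are assumptions taken from those logs rather than from any published specification of either tool.

```python
import re
from dataclasses import dataclass

# One TDSSKiller line: "HH:MM:SS.mmmm <pid> <message>" (format as seen in the thread's log)
_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# "<service> (<md5>) <path>": a scanned driver/service with the hash TDSSKiller read
_ENTRY = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Suspicious file (Forged): <path>. Real md5: <x>, Fake md5: <y>"
_FORGED = re.compile(
    r"^Suspicious file \((?P<kind>[^)]+)\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
# "<service> ( <detection> ) - infected"  and  "<service> - detected <detection> (n)"
_INFECTED = re.compile(r"^(?P<name>\S+) \( (?P<detection>[^)]+) \) - infected$")
_DETECTED = re.compile(r"^(?P<name>\S+) - detected (?P<detection>\S+) \(\d+\)$")


@dataclass
class Finding:
    name: str           # service / driver name as TDSSKiller reports it
    path: str           # on-disk path of the file
    real_md5: str = ""  # hash of the bytes actually on disk
    fake_md5: str = ""  # hash presented to normal reads (the clean-looking copy)
    detection: str = ""


def parse_tdsskiller(log_text: str) -> dict:
    """Return {service name: Finding} for every entry TDSSKiller marked forged or infected."""
    findings = {}
    last = None  # most recent "<name> (<md5>) <path>" entry, used to map a path back to a name
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        e = _ENTRY.match(msg)
        if e:
            last = e.groupdict()
            continue
        f = _FORGED.match(msg)
        if f:
            # the forged-file line names only the path; the preceding entry line carries the service name
            same = last is not None and last["path"].lower() == f.group("path").lower()
            name = last["name"] if same else f.group("path")
            findings[name] = Finding(name, f.group("path"), f.group("real"), f.group("fake"))
            continue
        v = _INFECTED.match(msg) or _DETECTED.match(msg)
        if v:
            name = v.group("name")
            path = last["path"] if last is not None and last["name"] == name else ""
            finding = findings.setdefault(name, Finding(name, path))
            finding.detection = v.group("detection")
    return findings


# Path patterns matching the ZeroAccess storage layout visible in the ComboFix
# "Other Deletions" list in this thread (assumed from that log, not a tool specification).
_ZA_PATTERNS = (
    re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\(?:[UL]\\|@$|loader\.tlb$)", re.I),
    re.compile(r"\\Local Settings\\Application Data\\[0-9a-f]{8}\\U(?:\\|$)", re.I),
)


def flag_zeroaccess_paths(combofix_text: str) -> list:
    """Return the paths in a ComboFix deletion list that match the ZeroAccess storage layout."""
    return [line.strip() for line in combofix_text.splitlines()
            if any(p.search(line.strip()) for p in _ZA_PATTERNS)]


# Sample input copied from the TDSSKiller log posted later in this thread.
SAMPLE_TDSSKILLER = r"""
06:38:42.0671 0508 Abiosdsk - ok
06:38:42.0765 0508 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
06:38:42.0765 0508 abp480n5 - ok
06:38:42.0812 0508 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
06:38:42.0828 0508 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
06:38:42.0828 0508 ACPI ( Virus.Win32.Rloader.a ) - infected
06:38:42.0828 0508 ACPI - detected Virus.Win32.Rloader.a (0)
06:38:42.0843 0508 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
06:38:42.0843 0508 ACPIEC - ok
"""

# Sample input copied from the ComboFix "Other Deletions" list in the first post.
SAMPLE_COMBOFIX = r"""
c:\documents and settings\GAN\Local Settings\Application Data\2d3ecfa1\U
c:\documents and settings\GAN\Local Settings\Application Data\2d3ecfa1\U\80000000.@
c:\documents and settings\GAN\Local Settings\Application Data\assembly\tmp
c:\windows\$NtUninstallKB7520$
c:\windows\$NtUninstallKB7520$\759091105\@
c:\windows\$NtUninstallKB7520$\759091105\L\rohepcid
c:\windows\$NtUninstallKB7520$\759091105\U\@80000000
c:\windows\system32\drivers\npf.sys
"""

if __name__ == "__main__":
    for name, f in parse_tdsskiller(SAMPLE_TDSSKILLER).items():
        print(f"{name}: {f.detection} at {f.path} (disk {f.real_md5}, presented {f.fake_md5})")
    for p in flag_zeroaccess_paths(SAMPLE_COMBOFIX):
        print("ZeroAccess-style path:", p)
```

The point of the hash pair is the diagnostic, not the values: an `ACPI.sys` whose raw-disk hash differs from the hash normal file reads return is being hidden by something that intercepts those reads, which is exactly why a user-mode antivirus on the same machine keeps "cleaning" the same detections. The ComboFix check is deliberately narrow (a bare `$NtUninstallKB7520$` folder name is not flagged on its own) so that it does not light up on legitimate hotfix uninstall folders.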

#3 Gan Dinga

Gan Dinga
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 13 March 2012 - 10:05 PM

Someguy201,

Thank you for your help, quick reply and detailed instructions. My apologies for the delay; for some reason I was expecting an email notification and also did not think the reply would be that quick. I am pasting/posting the first TDSSKiller log, and the others I will attach as instructed. I also ran Gmer as you instructed and I am attaching the Gmer file as well. Here is the first TDSSKiller log:

06:38:35.0671 0512 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
06:38:35.0671 0512 ============================================================
06:38:35.0671 0512 Current date / time: 2012/03/05 06:38:35.0671
06:38:35.0671 0512 SystemInfo:
06:38:35.0671 0512
06:38:35.0671 0512 OS Version: 5.1.2600 ServicePack: 3.0
06:38:35.0671 0512 Product type: Workstation
06:38:35.0671 0512 ComputerName: TINKER02
06:38:35.0671 0512 UserName: GAN
06:38:35.0671 0512 Windows directory: C:\WINDOWS
06:38:35.0671 0512 System windows directory: C:\WINDOWS
06:38:35.0671 0512 Processor architecture: Intel x86
06:38:35.0671 0512 Number of processors: 2
06:38:35.0671 0512 Page size: 0x1000
06:38:35.0671 0512 Boot type: Safe boot with network
06:38:35.0671 0512 ============================================================
06:38:36.0171 0512 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
06:38:36.0171 0512 \Device\Harddisk0\DR0:
06:38:36.0171 0512 MBR used
06:38:36.0171 0512 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x2541A2B0
06:38:36.0250 0512 Initialize success
06:38:36.0250 0512 ============================================================
06:38:42.0093 0508 ============================================================
06:38:42.0093 0508 Scan started
06:38:42.0093 0508 Mode: Manual;
06:38:42.0093 0508 ============================================================
06:38:42.0671 0508 Abiosdsk - ok
06:38:42.0765 0508 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
06:38:42.0765 0508 abp480n5 - ok
06:38:42.0812 0508 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
06:38:42.0828 0508 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
06:38:42.0828 0508 ACPI ( Virus.Win32.Rloader.a ) - infected
06:38:42.0828 0508 ACPI - detected Virus.Win32.Rloader.a (0)
06:38:42.0843 0508 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
06:38:42.0843 0508 ACPIEC - ok
06:38:42.0906 0508 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
06:38:42.0906 0508 adpu160m - ok
06:38:42.0968 0508 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
06:38:42.0968 0508 aec - ok
06:38:43.0015 0508 AESTAud (f21d5e93a94514be9f5b6ebf74a696b2) C:\WINDOWS\system32\drivers\AESTAud.sys
06:38:43.0015 0508 AESTAud - ok
06:38:43.0078 0508 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
06:38:43.0078 0508 AFD - ok
06:38:43.0093 0508 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
06:38:43.0093 0508 agp440 - ok
06:38:43.0109 0508 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
06:38:43.0125 0508 agpCPQ - ok
06:38:43.0125 0508 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
06:38:43.0125 0508 Aha154x - ok
06:38:43.0187 0508 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
06:38:43.0187 0508 aic78u2 - ok
06:38:43.0203 0508 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
06:38:43.0203 0508 aic78xx - ok
06:38:43.0250 0508 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
06:38:43.0250 0508 AliIde - ok
06:38:43.0265 0508 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
06:38:43.0265 0508 alim1541 - ok
06:38:43.0281 0508 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
06:38:43.0281 0508 amdagp - ok
06:38:43.0312 0508 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
06:38:43.0312 0508 amsint - ok
06:38:43.0359 0508 ApfiltrService (fb7c669774ffcacd77b5969ee5d9a19b) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
06:38:43.0375 0508 ApfiltrService - ok
06:38:43.0406 0508 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
06:38:43.0406 0508 Arp1394 - ok
06:38:43.0453 0508 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
06:38:43.0453 0508 asc - ok
06:38:43.0484 0508 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
06:38:43.0484 0508 asc3350p - ok
06:38:43.0500 0508 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
06:38:43.0500 0508 asc3550 - ok
06:38:43.0546 0508 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
06:38:43.0562 0508 AsyncMac - ok
06:38:43.0593 0508 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
06:38:43.0609 0508 atapi - ok
06:38:43.0609 0508 Atdisk - ok
06:38:43.0656 0508 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
06:38:43.0656 0508 Atmarpc - ok
06:38:43.0687 0508 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
06:38:43.0687 0508 audstub - ok
06:38:43.0796 0508 BCM43XX (fe4ed785396eaa554c561992106a35fa) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
06:38:43.0828 0508 BCM43XX - ok
06:38:43.0859 0508 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
06:38:43.0859 0508 Beep - ok
06:38:43.0953 0508 BHDrvx86 (76154fa6a742c613b44bb636b1a7c057) C:\WINDOWS\System32\Drivers\NIS\1008030.006\BHDrvx86.sys
06:38:43.0968 0508 BHDrvx86 - ok
06:38:44.0015 0508 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
06:38:44.0015 0508 cbidf - ok
06:38:44.0031 0508 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
06:38:44.0031 0508 cbidf2k - ok
06:38:44.0093 0508 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
06:38:44.0093 0508 CCDECODE - ok
06:38:44.0156 0508 ccHP (3182b846490dc4d71fabd4a8cb6b73ea) C:\WINDOWS\System32\Drivers\NIS\1008030.006\ccHPx86.sys
06:38:44.0156 0508 ccHP - ok
06:38:44.0171 0508 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
06:38:44.0171 0508 cd20xrnt - ok
06:38:44.0203 0508 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
06:38:44.0203 0508 Cdaudio - ok
06:38:44.0218 0508 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
06:38:44.0218 0508 Cdfs - ok
06:38:44.0265 0508 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
06:38:44.0265 0508 Cdrom - ok
06:38:44.0281 0508 Changer - ok
06:38:44.0328 0508 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
06:38:44.0343 0508 CmBatt - ok
06:38:44.0343 0508 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
06:38:44.0343 0508 CmdIde - ok
06:38:44.0359 0508 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
06:38:44.0359 0508 Compbatt - ok
06:38:44.0406 0508 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
06:38:44.0406 0508 Cpqarray - ok
06:38:44.0437 0508 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
06:38:44.0437 0508 dac2w2k - ok
06:38:44.0453 0508 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
06:38:44.0453 0508 dac960nt - ok
06:38:44.0500 0508 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
06:38:44.0500 0508 Disk - ok
06:38:44.0562 0508 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
06:38:44.0562 0508 DLABMFSM - ok
06:38:44.0593 0508 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
06:38:44.0593 0508 DLABOIOM - ok
06:38:44.0593 0508 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
06:38:44.0609 0508 DLACDBHM - ok
06:38:44.0625 0508 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
06:38:44.0625 0508 DLADResM - ok
06:38:44.0640 0508 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
06:38:44.0656 0508 DLAIFS_M - ok
06:38:44.0656 0508 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
06:38:44.0656 0508 DLAOPIOM - ok
06:38:44.0687 0508 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
06:38:44.0703 0508 DLAPoolM - ok
06:38:44.0718 0508 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
06:38:44.0718 0508 DLARTL_M - ok
06:38:44.0734 0508 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
06:38:44.0750 0508 DLAUDFAM - ok
06:38:44.0765 0508 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
06:38:44.0765 0508 DLAUDF_M - ok
06:38:44.0812 0508 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
06:38:44.0828 0508 dmboot - ok
06:38:44.0859 0508 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
06:38:44.0890 0508 dmio - ok
06:38:44.0890 0508 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
06:38:44.0906 0508 dmload - ok
06:38:44.0984 0508 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
06:38:44.0984 0508 DMusic - ok
06:38:45.0031 0508 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
06:38:45.0031 0508 dpti2o - ok
06:38:45.0062 0508 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
06:38:45.0062 0508 drmkaud - ok
06:38:45.0078 0508 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
06:38:45.0078 0508 DRVMCDB - ok
06:38:45.0093 0508 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
06:38:45.0093 0508 DRVNDDM - ok
06:38:45.0203 0508 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
06:38:45.0203 0508 eeCtrl - ok
06:38:45.0250 0508 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
06:38:45.0250 0508 Fastfat - ok
06:38:45.0281 0508 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
06:38:45.0281 0508 Fdc - ok
06:38:45.0296 0508 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
06:38:45.0296 0508 Fips - ok
06:38:45.0312 0508 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
06:38:45.0312 0508 Flpydisk - ok
06:38:45.0328 0508 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
06:38:45.0328 0508 FltMgr - ok
06:38:45.0359 0508 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
06:38:45.0359 0508 Fs_Rec - ok
06:38:45.0375 0508 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
06:38:45.0375 0508 Ftdisk - ok
06:38:45.0406 0508 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
06:38:45.0406 0508 Gpc - ok
06:38:45.0421 0508 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
06:38:45.0421 0508 HDAudBus - ok
06:38:45.0453 0508 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
06:38:45.0453 0508 hidusb - ok
06:38:45.0500 0508 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
06:38:45.0500 0508 hpn - ok
06:38:45.0546 0508 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
06:38:45.0562 0508 HTTP - ok
06:38:45.0578 0508 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
06:38:45.0578 0508 i2omgmt - ok
06:38:45.0609 0508 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
06:38:45.0609 0508 i2omp - ok
06:38:45.0656 0508 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
06:38:45.0656 0508 i8042prt - ok
06:38:45.0828 0508 ialm (66a685b05066683621920bc14a45cfe8) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
06:38:45.0937 0508 ialm - ok
06:38:45.0968 0508 iaStor (baabb0301949774a66b955c65319635a) C:\WINDOWS\system32\drivers\iaStor.sys
06:38:45.0968 0508 iaStor - ok
06:38:46.0093 0508 IDSxpx86 (0308238c582a55d83d34feee39542793) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20101222.001\IDSxpx86.sys
06:38:46.0093 0508 IDSxpx86 - ok
06:38:46.0109 0508 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
06:38:46.0109 0508 Imapi - ok
06:38:46.0140 0508 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
06:38:46.0140 0508 ini910u - ok
06:38:46.0171 0508 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
06:38:46.0171 0508 IntelIde - ok
06:38:46.0187 0508 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
06:38:46.0187 0508 intelppm - ok
06:38:46.0234 0508 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
06:38:46.0234 0508 Ip6Fw - ok
06:38:46.0265 0508 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
06:38:46.0281 0508 IpFilterDriver - ok
06:38:46.0281 0508 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
06:38:46.0281 0508 IpInIp - ok
06:38:46.0328 0508 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
06:38:46.0328 0508 IpNat - ok
06:38:46.0343 0508 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
06:38:46.0343 0508 IPSec - ok
06:38:46.0359 0508 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
06:38:46.0359 0508 IRENUM - ok
06:38:46.0406 0508 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
06:38:46.0406 0508 isapnp - ok
06:38:46.0437 0508 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
06:38:46.0437 0508 Kbdclass - ok
06:38:46.0468 0508 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
06:38:46.0468 0508 kbdhid - ok
06:38:46.0484 0508 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
06:38:46.0500 0508 kmixer - ok
06:38:46.0531 0508 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
06:38:46.0531 0508 KSecDD - ok
06:38:46.0562 0508 lbrtfdc - ok
06:38:46.0625 0508 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
06:38:46.0625 0508 MBAMProtector - ok
06:38:46.0671 0508 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
06:38:46.0671 0508 mnmdd - ok
06:38:46.0687 0508 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
06:38:46.0687 0508 Modem - ok
06:38:46.0734 0508 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
06:38:46.0734 0508 Mouclass - ok
06:38:46.0765 0508 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
06:38:46.0765 0508 mouhid - ok
06:38:46.0781 0508 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
06:38:46.0781 0508 MountMgr - ok
06:38:46.0828 0508 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
06:38:46.0828 0508 MpFilter - ok
06:38:46.0859 0508 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
06:38:46.0859 0508 mraid35x - ok
06:38:46.0890 0508 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
06:38:46.0890 0508 MRxDAV - ok
06:38:46.0937 0508 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
06:38:46.0937 0508 MRxSmb - ok
06:38:46.0968 0508 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
06:38:46.0968 0508 Msfs - ok
06:38:47.0062 0508 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
06:38:47.0078 0508 MSKSSRV - ok
06:38:47.0109 0508 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
06:38:47.0109 0508 MSPCLOCK - ok
06:38:47.0125 0508 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
06:38:47.0125 0508 MSPQM - ok
06:38:47.0156 0508 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
06:38:47.0156 0508 mssmbios - ok
06:38:47.0203 0508 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
06:38:47.0203 0508 MSTEE - ok
06:38:47.0234 0508 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
06:38:47.0250 0508 Mup - ok
06:38:47.0296 0508 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
06:38:47.0296 0508 NABTSFEC - ok
06:38:47.0390 0508 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20101223.002\NAVENG.SYS
06:38:47.0406 0508 NAVENG - ok
06:38:47.0453 0508 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20101223.002\NAVEX15.SYS
06:38:47.0468 0508 NAVEX15 - ok
06:38:47.0500 0508 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
06:38:47.0500 0508 NDIS - ok
06:38:47.0515 0508 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
06:38:47.0515 0508 NdisIP - ok
06:38:47.0562 0508 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
06:38:47.0562 0508 NdisTapi - ok
06:38:47.0609 0508 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
06:38:47.0609 0508 Ndisuio - ok
06:38:47.0625 0508 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
06:38:47.0625 0508 NdisWan - ok
06:38:47.0687 0508 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
06:38:47.0687 0508 NDProxy - ok
06:38:47.0703 0508 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
06:38:47.0703 0508 NetBIOS - ok
06:38:47.0765 0508 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
06:38:47.0765 0508 NetBT - ok
06:38:47.0843 0508 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
06:38:47.0843 0508 NIC1394 - ok
06:38:47.0921 0508 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys
06:38:47.0921 0508 NPF - ok
06:38:47.0953 0508 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
06:38:47.0953 0508 Npfs - ok
06:38:48.0031 0508 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
06:38:48.0031 0508 Ntfs - ok
06:38:48.0062 0508 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
06:38:48.0062 0508 Null - ok
06:38:48.0093 0508 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
06:38:48.0093 0508 NwlnkFlt - ok
06:38:48.0125 0508 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
06:38:48.0125 0508 NwlnkFwd - ok
06:38:48.0187 0508 O2MDGRDR (4f8d4b1233af48b30f4fdc76a8865cfa) C:\WINDOWS\system32\DRIVERS\o2mdg.sys
06:38:48.0187 0508 O2MDGRDR - ok
06:38:48.0250 0508 O2SDGRDR (928b7612b65e82d68d489a1474c98b37) C:\WINDOWS\system32\DRIVERS\o2sdg.sys
06:38:48.0250 0508 O2SDGRDR - ok
06:38:48.0312 0508 OEM13Afx (58f478fd0115012ceec75fb73628901c) C:\WINDOWS\system32\Drivers\OEM13Afx.sys
06:38:48.0312 0508 OEM13Afx - ok
06:38:48.0343 0508 OEM13Vfx (86326062a90494bdd79ce383511d7d69) C:\WINDOWS\system32\DRIVERS\OEM13Vfx.sys
06:38:48.0343 0508 OEM13Vfx - ok
06:38:48.0375 0508 OEM13Vid (12539b57ed05de7552403a12b3e0161c) C:\WINDOWS\system32\DRIVERS\OEM13Vid.sys
06:38:48.0390 0508 OEM13Vid - ok
06:38:48.0421 0508 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
06:38:48.0421 0508 ohci1394 - ok
06:38:48.0484 0508 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
06:38:48.0484 0508 Parport - ok
06:38:48.0500 0508 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
06:38:48.0500 0508 PartMgr - ok
06:38:48.0515 0508 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
06:38:48.0515 0508 ParVdm - ok
06:38:48.0546 0508 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
06:38:48.0546 0508 PCI - ok
06:38:48.0578 0508 PCIDump - ok
06:38:48.0609 0508 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
06:38:48.0625 0508 PCIIde - ok
06:38:48.0640 0508 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
06:38:48.0640 0508 Pcmcia - ok
06:38:48.0656 0508 PDCOMP - ok
06:38:48.0671 0508 PDFRAME - ok
06:38:48.0687 0508 PDRELI - ok
06:38:48.0703 0508 PDRFRAME - ok
06:38:48.0734 0508 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
06:38:48.0734 0508 perc2 - ok
06:38:48.0765 0508 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
06:38:48.0765 0508 perc2hib - ok
06:38:48.0843 0508 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
06:38:48.0843 0508 PptpMiniport - ok
06:38:48.0875 0508 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
06:38:48.0875 0508 PSched - ok
06:38:48.0890 0508 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
06:38:48.0890 0508 Ptilink - ok
06:38:48.0921 0508 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
06:38:48.0921 0508 PxHelp20 - ok
06:38:48.0953 0508 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
06:38:48.0953 0508 ql1080 - ok
06:38:48.0968 0508 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
06:38:48.0968 0508 Ql10wnt - ok
06:38:49.0000 0508 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
06:38:49.0000 0508 ql12160 - ok
06:38:49.0015 0508 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
06:38:49.0015 0508 ql1240 - ok
06:38:49.0031 0508 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
06:38:49.0031 0508 ql1280 - ok
06:38:49.0062 0508 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
06:38:49.0062 0508 RasAcd - ok
06:38:49.0093 0508 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
06:38:49.0093 0508 Rasl2tp - ok
06:38:49.0109 0508 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
06:38:49.0109 0508 RasPppoe - ok
06:38:49.0140 0508 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
06:38:49.0140 0508 Raspti - ok
06:38:49.0156 0508 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
06:38:49.0171 0508 Rdbss - ok
06:38:49.0171 0508 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
06:38:49.0171 0508 RDPCDD - ok
06:38:49.0203 0508 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
06:38:49.0218 0508 rdpdr - ok
06:38:49.0265 0508 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
06:38:49.0281 0508 RDPWD - ok
06:38:49.0296 0508 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
06:38:49.0296 0508 redbook - ok
06:38:49.0390 0508 RsFx0103 (fd692c6ffade58f7c4c3c3c9a0ec35bd) C:\WINDOWS\system32\DRIVERS\RsFx0103.sys
06:38:49.0390 0508 RsFx0103 - ok
06:38:49.0468 0508 RTLE8023xp (6fc7ddf3b8d94fba7ac664452d6478d4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
06:38:49.0468 0508 RTLE8023xp - ok
06:38:49.0531 0508 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
06:38:49.0531 0508 sbp2port - ok
06:38:49.0609 0508 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
06:38:49.0609 0508 sdbus - ok
06:38:49.0656 0508 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
06:38:49.0656 0508 Secdrv - ok
06:38:49.0718 0508 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
06:38:49.0718 0508 Serial - ok
06:38:49.0781 0508 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
06:38:49.0781 0508 Sfloppy - ok
06:38:49.0812 0508 Simbad - ok
06:38:49.0828 0508 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
06:38:49.0828 0508 sisagp - ok
06:38:49.0890 0508 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
06:38:49.0890 0508 SLIP - ok
06:38:49.0937 0508 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
06:38:49.0953 0508 Sparrow - ok
06:38:50.0015 0508 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
06:38:50.0015 0508 splitter - ok
06:38:50.0062 0508 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
06:38:50.0062 0508 sr - ok
06:38:50.0171 0508 SRTSP (e81f6caeab9ad5732e94c07c97866aa2) C:\WINDOWS\System32\Drivers\NIS\1008030.006\SRTSP.SYS
06:38:50.0171 0508 SRTSP - ok
06:38:50.0203 0508 SRTSPX (e28de499d942b08058bffac69d4122b6) C:\WINDOWS\system32\drivers\NIS\1008030.006\SRTSPX.SYS
06:38:50.0203 0508 SRTSPX - ok
06:38:50.0265 0508 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
06:38:50.0281 0508 Srv - ok
06:38:50.0375 0508 STHDA (5849f5d472a676ace7224fc2c656f4b2) C:\WINDOWS\system32\drivers\sthda.sys
06:38:50.0406 0508 STHDA - ok
06:38:50.0453 0508 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
06:38:50.0453 0508 streamip - ok
06:38:50.0484 0508 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
06:38:50.0484 0508 swenum - ok
06:38:50.0500 0508 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
06:38:50.0500 0508 swmidi - ok
06:38:50.0546 0508 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
06:38:50.0546 0508 symc810 - ok
06:38:50.0562 0508 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
06:38:50.0562 0508 symc8xx - ok
06:38:50.0578 0508 SYMDNS - ok
06:38:50.0609 0508 SymEFA (d0885f6e24259a6c65e68d6ad749910a) C:\WINDOWS\system32\drivers\NIS\1008030.006\SYMEFA.SYS
06:38:50.0625 0508 SymEFA - ok
06:38:50.0687 0508 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
06:38:50.0687 0508 SymEvent - ok
06:38:50.0703 0508 SYMFW - ok
06:38:50.0718 0508 SYMIDS - ok
06:38:50.0781 0508 SymIM (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
06:38:50.0781 0508 SymIM - ok
06:38:50.0781 0508 SymIMMP (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
06:38:50.0796 0508 SymIMMP - ok
06:38:50.0812 0508 SYMNDIS - ok
06:38:50.0828 0508 SYMREDRV - ok
06:38:50.0859 0508 SYMTDI (26bc80ec79d7ba478249c266cbdf17b4) C:\WINDOWS\System32\Drivers\NIS\1008030.006\SYMTDI.SYS
06:38:50.0859 0508 SYMTDI - ok
06:38:50.0890 0508 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
06:38:50.0890 0508 sym_hi - ok
06:38:50.0906 0508 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
06:38:50.0906 0508 sym_u3 - ok
06:38:50.0953 0508 SynTP (a10d781153bb23036b474ffedb448266) C:\WINDOWS\system32\DRIVERS\SynTP.sys
06:38:50.0953 0508 SynTP - ok
06:38:51.0015 0508 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
06:38:51.0015 0508 sysaudio - ok
06:38:51.0093 0508 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
06:38:51.0109 0508 Tcpip - ok
06:38:51.0140 0508 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
06:38:51.0140 0508 TDPIPE - ok
06:38:51.0140 0508 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
06:38:51.0140 0508 TDTCP - ok
06:38:51.0187 0508 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
06:38:51.0187 0508 TermDD - ok
06:38:51.0218 0508 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
06:38:51.0218 0508 TosIde - ok
06:38:51.0281 0508 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
06:38:51.0281 0508 Udfs - ok
06:38:51.0328 0508 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
06:38:51.0328 0508 ultra - ok
06:38:51.0375 0508 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
06:38:51.0375 0508 Update - ok
06:38:51.0468 0508 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
06:38:51.0468 0508 usbaudio - ok
06:38:51.0484 0508 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
06:38:51.0484 0508 usbccgp - ok
06:38:51.0500 0508 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
06:38:51.0500 0508 usbehci - ok
06:38:51.0562 0508 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
06:38:51.0562 0508 usbhub - ok
06:38:51.0625 0508 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
06:38:51.0625 0508 usbprint - ok
06:38:51.0687 0508 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
06:38:51.0687 0508 usbscan - ok
06:38:51.0765 0508 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
06:38:51.0765 0508 USBSTOR - ok
06:38:51.0796 0508 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
06:38:51.0796 0508 usbuhci - ok
06:38:51.0859 0508 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
06:38:51.0859 0508 usbvideo - ok
06:38:51.0937 0508 VBoxDrv (30c64b663efebc34c0070838bcca32ef) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
06:38:51.0937 0508 VBoxDrv - ok
06:38:51.0968 0508 VBoxNetAdp (3d4b1f1f81ef8813348c01081f8b2a17) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
06:38:51.0968 0508 VBoxNetAdp - ok
06:38:51.0968 0508 VBoxNetFlt (634b2797abf28158d1667500c78ce6d1) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
06:38:51.0984 0508 VBoxNetFlt - ok
06:38:52.0015 0508 VBoxUSBMon (6aeaf649ef06dbb3f83efe2249472e38) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
06:38:52.0015 0508 VBoxUSBMon - ok
06:38:52.0062 0508 vcdrom (bfa4ae30b3ac10e9223830bf103f5a3f) C:\WINDOWS\system32\drivers\VCdRom.sys
06:38:52.0062 0508 vcdrom - ok
06:38:52.0093 0508 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
06:38:52.0093 0508 VgaSave - ok
06:38:52.0140 0508 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
06:38:52.0140 0508 viaagp - ok
06:38:52.0156 0508 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
06:38:52.0156 0508 ViaIde - ok
06:38:52.0187 0508 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
06:38:52.0187 0508 VolSnap - ok
06:38:52.0359 0508 VSPerfDrv100 (5a2ddc5411a092bedb1a07755e087784) C:\Program Files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys
06:38:52.0375 0508 VSPerfDrv100 - ok
06:38:52.0515 0508 VSPerfDrv90 (0bd123313159cb8963d7a0404f7d96a5) C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys
06:38:52.0515 0508 VSPerfDrv90 - ok
06:38:52.0562 0508 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
06:38:52.0562 0508 Wanarp - ok
06:38:52.0625 0508 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
06:38:52.0625 0508 Wdf01000 - ok
06:38:52.0640 0508 WDICA - ok
06:38:52.0703 0508 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
06:38:52.0703 0508 wdmaud - ok
06:38:52.0859 0508 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
06:38:52.0859 0508 WSTCODEC - ok
06:38:52.0921 0508 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
06:38:52.0921 0508 WudfPf - ok
06:38:52.0984 0508 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
06:38:53.0000 0508 WudfRd - ok
06:38:53.0078 0508 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
06:38:53.0140 0508 \Device\Harddisk0\DR0 - ok
06:38:53.0156 0508 Boot (0x1200) (718dd1f67e6768132acfa937f70688dc) \Device\Harddisk0\DR0\Partition0
06:38:53.0171 0508 \Device\Harddisk0\DR0\Partition0 - ok
06:38:53.0171 0508 ============================================================
06:38:53.0171 0508 Scan finished
06:38:53.0171 0508 ============================================================
06:38:53.0187 0576 Detected object count: 1
06:38:53.0187 0576 Actual detected object count: 1
06:44:15.0968 0576 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
06:44:17.0437 0576 Backup copy found, using it..
06:44:17.0468 0576 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
06:44:17.0468 0576 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
06:44:27.0015 0504 Deinitialize success


I will wait for further instructions. Thanks again.

Gan

Attached Files
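
The single detection in the TDSSKiller log above (ACPI.sys, Virus.Win32.Rloader.a, cured from a backup copy on reboot) is easy to miss among several hundred "- ok" lines. The script below is an added example for this thread, not part of the original posts and not a TDSSKiller or BleepingComputer tool. It parses the log format shown above and pulls out what a helper actually reads: every object whose verdict is not "ok", the actions TDSSKiller took on it, the detected-object counts, and the MBR and boot-sector MD5s so a second run after the reboot can be compared with the first. The embedded sample log is constructed from a few lines of the log above; the two ACPI lines in it are assumed to have the shape TDSSKiller uses for a detection, since the original log's ACPI entry lies outside the quoted portion, and the ACPI MD5 in them is a placeholder.

```python
"""Summarise a TDSSKiller scan log: pull the detections out of the '- ok' noise.

Added example for this thread; not a TDSSKiller or BleepingComputer tool.
Handled line shapes (after the 'HH:MM:SS.mmmm PID' prefix):
  name (md5) path                      object that was hashed
  name - ok  /  name ( Threat ) - infected   verdict
  path - copied to quarantine / will be cured on reboot   action
  name ( Threat ) - User select action: Cure
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d{4})\s+(?P<body>.*)$")
OBJECT = re.compile(r"^(?P<name>.+?) (?:\((?P<kind>0x[0-9A-Fa-f]+)\) )?\((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
USER_ACTION = re.compile(r"^(?P<name>.+?) \( (?P<threat>[^)]+?) \) - User select action: (?P<action>\w+)$")
VERDICT = re.compile(r"^(?P<name>.+?) (?:\( (?P<threat>[^)]+?) \) )?- (?P<status>ok|infected|suspicious|detected|warning.*)$")
ACTION = re.compile(r"^(?P<target>.+?) - (?P<action>copied to quarantine|will be (?:cured|deleted) on reboot|cured|deleted)$")
COUNT = re.compile(r"^(?P<actual>Actual )?[Dd]etected object count: (?P<n>\d+)$")


@dataclass
class ScanObject:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None   # "ok", "infected", ...
    threat: Optional[str] = None   # verdict name, e.g. Virus.Win32.Rloader.a
    actions: List[str] = field(default_factory=list)


@dataclass
class ScanSummary:
    objects: Dict[str, ScanObject] = field(default_factory=dict)
    detected_count: Optional[int] = None
    actual_detected_count: Optional[int] = None

    def flagged(self) -> List[ScanObject]:
        """Every object whose verdict line was something other than '- ok'."""
        return [o for o in self.objects.values() if o.status is not None and o.status != "ok"]


def parse_tdsskiller_log(text: str) -> ScanSummary:
    summary = ScanSummary()
    by_path: Dict[str, ScanObject] = {}  # MBR/boot verdicts and actions name the path, not the object
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # separators, "Scan finished", "Backup copy found", ...
        body = m.group("body")
        c = COUNT.match(body)
        if c:
            if c.group("actual"):
                summary.actual_detected_count = int(c.group("n"))
            else:
                summary.detected_count = int(c.group("n"))
            continue
        u = USER_ACTION.match(body)
        if u:
            obj = summary.objects.setdefault(u.group("name"), ScanObject(u.group("name")))
            obj.threat = obj.threat or u.group("threat")
            obj.actions.append("user: " + u.group("action"))
            continue
        o = OBJECT.match(body)
        if o:
            obj = summary.objects.setdefault(o.group("name"), ScanObject(o.group("name")))
            obj.md5, obj.path = o.group("md5"), o.group("path")
            by_path[obj.path.lower()] = obj
            continue
        v = VERDICT.match(body)
        if v:
            name = v.group("name")
            obj = summary.objects.get(name) or by_path.get(name.lower())
            if obj is None:  # service with no binary on disk, e.g. "Atdisk - ok"
                obj = summary.objects.setdefault(name, ScanObject(name))
            obj.status = v.group("status")
            if v.group("threat"):
                obj.threat = v.group("threat")
            continue
        a = ACTION.match(body)
        if a:
            obj = by_path.get(a.group("target").lower())
            if obj is not None:
                obj.actions.append(a.group("action"))
    return summary


def boot_hashes(summary: ScanSummary) -> Dict[str, Optional[str]]:
    """MBR and boot-sector MD5s, for comparing two runs on the same machine."""
    return {k: summary.objects[k].md5 for k in ("MBR", "Boot") if k in summary.objects}


def counts_consistent(summary: ScanSummary) -> bool:
    """TDSSKiller's own 'Detected object count' should equal the number of non-ok verdicts."""
    return summary.detected_count == len(summary.flagged())


# Constructed sample: lines copied from the thread's log plus the ACPI detection
# pair, whose shape is ASSUMED (the original ACPI entry is not quoted above);
# the ACPI MD5 is a placeholder.
SAMPLE_LOG = r"""
06:38:42.0890 0508 ACPI (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\ACPI.sys
06:38:42.0906 0508 ACPI ( Virus.Win32.Rloader.a ) - infected
06:38:43.0593 0508 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
06:38:43.0609 0508 atapi - ok
06:38:43.0609 0508 Atdisk - ok
06:38:53.0078 0508 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
06:38:53.0140 0508 \Device\Harddisk0\DR0 - ok
06:38:53.0156 0508 Boot (0x1200) (718dd1f67e6768132acfa937f70688dc) \Device\Harddisk0\DR0\Partition0
06:38:53.0171 0508 \Device\Harddisk0\DR0\Partition0 - ok
06:38:53.0187 0576 Detected object count: 1
06:38:53.0187 0576 Actual detected object count: 1
06:44:15.0968 0576 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
06:44:17.0437 0576 Backup copy found, using it..
06:44:17.0468 0576 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
06:44:17.0468 0576 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
"""
```

Run it as `parse_tdsskiller_log(open("TDSSKiller.log").read())` on a real log and print `flagged()`, `boot_hashes()` and `counts_consistent()`. The boot-sector hashes are specific to the disk, so there is no fixed "good" value to compare against; their value is in a diff between the pre-cure run and the run after the reboot: the ACPI verdict should have turned to "ok", and an MBR or boot-sector hash that changed between the two runs is worth explaining before the machine is declared clean.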



#4 Will Watts

Will Watts

  • Malware Response Team
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:02 PM

Posted 14 March 2012 - 06:36 AM

Hi Gan Dinga,

Please log into Normal Mode and delete your existing copy of Combofix.exe

Download a new copy from here (Link 1) and place it on your desktop. Run Combofix again; upon reboot, log back into Normal Mode. Please post up the log produced.

#5 Gan Dinga

Gan Dinga
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 14 March 2012 - 02:23 PM

Hello again someguy201,

I followed your instructions and ran the new copy of Combofix in Normal Mode. The computer did not reboot, nor did it ask me for a reboot; it just opened a log file. Here I am posting the content of that log file.

ComboFix 12-03-14.01 - GAN 03/14/2012 14:49:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2242 [GMT -4:00]
Running from: c:\documents and settings\GAN\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 18:47 . 2012-03-14 18:47 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{39313D07-20D9-4DF7-AE16-4E6DB671F79F}\MpKslb620b9e3.sys
2012-03-14 18:40 . 2012-02-08 03:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{39313D07-20D9-4DF7-AE16-4E6DB671F79F}\mpengine.dll
2012-03-05 13:16 . 2012-03-05 13:16 -------- d-----w- c:\documents and settings\GAN\Application Data\Reallusion
2012-03-05 13:16 . 2012-03-05 13:16 -------- d-----w- c:\documents and settings\GAN\Application Data\tmp
2012-03-05 12:59 . 2012-03-05 12:59 -------- d-----w- c:\documents and settings\GAN\Application Data\SUPERAntiSpyware.com
2012-03-05 12:57 . 2012-03-05 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-05 11:44 . 2012-03-05 11:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-05 11:13 . 2012-03-05 11:13 -------- d-----w- c:\documents and settings\GAN\Application Data\Malwarebytes
2012-03-05 11:13 . 2012-03-05 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-05 11:13 . 2012-03-05 11:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-05 11:13 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-29 19:29 . 2012-02-08 03:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-29 17:39 . 2012-02-29 17:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-02-28 17:59 . 2012-02-28 18:01 -------- d-----w- c:\documents and settings\TEMP.TINKER02.000
2012-02-28 17:47 . 2008-04-14 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-28 17:47 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-26 07:27 . 2012-02-26 07:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-02-25 12:27 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-25 12:18 . 2012-02-25 12:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-02-25 12:18 . 2012-02-25 12:18 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-25 11:02 . 2012-03-05 14:23 -------- d-sh--w- c:\documents and settings\GAN\Local Settings\Application Data\2d3ecfa1
2012-02-20 10:55 . 2012-02-20 10:58 -------- d-----w- C:\WP7
2012-02-19 20:49 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2012-02-19 20:48 . 2012-02-19 20:48 -------- d-----w- c:\windows\Logs
2012-02-19 20:48 . 2012-02-19 20:48 -------- d-----w- c:\program files\Microsoft Mathematics
2012-02-15 15:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 15:17 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-05 11:44 . 2008-04-14 00:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-02-20 12:09 . 2011-05-14 15:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:54 . 2008-04-25 16:16 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2011-11-29 15:41 . 2011-05-09 17:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-05_14.25.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-14 18:31 . 2012-03-14 18:31 16384 c:\windows\temp\Perflib_Perfdata_458.dat
+ 2012-03-14 19:30 . 2012-03-14 19:30 16384 c:\windows\temp\Perflib_Perfdata_23c.dat
+ 2011-05-21 14:32 . 2012-03-11 14:32 1984 c:\windows\system32\d3d9caps.dat
+ 2008-04-25 16:16 . 2012-03-14 18:38 595724 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2012-03-14 18:38 123094 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-11-03 4823416]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 150040]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2009-01-19 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-11 148888]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-12 2220032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"LXCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-03-25 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\GAN\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Seagate Product Registration.lnk - c:\documents and settings\GAN\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2010-10-3 1731736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\GAN\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Norton Internet Security\\Engine\\16.8.3.6\\ccSvcHst.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008030.006\SymEFA.sys [10/11/2011 2:49 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008030.006\BHDrvx86.sys [10/11/2011 2:49 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008030.006\cchpx86.sys [10/11/2011 2:49 PM 467592]
R1 MpKslb620b9e3;MpKslb620b9e3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{39313D07-20D9-4DF7-AE16-4E6DB671F79F}\MpKslb620b9e3.sys [3/14/2012 2:47 PM 29904]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [7/23/2011 4:10 AM 158000]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [7/23/2011 4:05 AM 93488]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [10/6/2009 7:49 PM 8576]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/5/2012 7:13 AM 652360]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [10/11/2011 2:49 PM 117648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/11/2009 3:28 AM 112512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/5/2012 7:13 AM 20464]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [9/11/2009 3:28 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [9/11/2009 3:28 AM 41760]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [9/11/2009 3:28 AM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [9/11/2009 3:28 AM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [9/11/2009 3:28 AM 235840]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [6/24/2011 3:46 PM 104752]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [7/19/2011 1:18 PM 116016]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101222.001\IDSXpx86.sys [12/23/2010 4:37 PM 341944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service --> c:\windows\system32\lxcicoms.exe -service [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 9:24 PM 48128]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 4:53 PM 55664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 11:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLB620B9E3
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1363331802-1333022373-1063898969-1005Core.job
- c:\documents and settings\GAN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-12 21:57]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1363331802-1333022373-1063898969-1005UA.job
- c:\documents and settings\GAN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-12 21:57]
.
2012-03-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-03-14 c:\windows\Tasks\User_Feed_Synchronization-{B70B763A-24A5-433E-8097-8DB7C1EB5DD3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\GAN\Application Data\Mozilla\Firefox\Profiles\ireib5c9.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 14:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%R%*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X%R%*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1363331802-1333022373-1063898969-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2780)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-14 15:02:35
ComboFix-quarantined-files.txt 2012-03-14 19:02
ComboFix2.txt 2012-03-05 14:30
.
Pre-Run: 71,958,994,944 bytes free
Post-Run: 71,943,954,432 bytes free
.
- - End Of File - - 3AABE6564E72884A72BAACA7F6D0EAA7


Thank you.

Gan
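
A defender-side triage helper, added here as an example and not part of this thread, ComboFix, or any tool mentioned in it: it parses ComboFix directory-listing lines in the format quoted above and flags hidden+system directories with random-looking hex names under a user's Application Data, the pattern the `2d3ecfa1` folder in the log shows. The sample lines are constructed from the log's format; the function and attribute-flag interpretation are assumptions.

```python
"""Triage ComboFix 'Files Created' / 'Find3M' listing lines.

Example code written for this thread, not a ComboFix feature.
Sample lines below are constructed from the format of the quoted log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the listing format: <created> . <modified> <size|--------> <attrs> <path>
SAMPLE_LOG = r"""
2012-03-05 13:16 . 2012-03-05 13:16 -------- d-----w- c:\documents and settings\GAN\Application Data\tmp
2012-03-05 11:13 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-28 17:47 . 2008-04-14 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-25 11:02 . 2012-03-05 14:23 -------- d-sh--w- c:\documents and settings\GAN\Local Settings\Application Data\2d3ecfa1
2012-02-20 10:55 . 2012-02-20 10:58 -------- d-----w- C:\WP7
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Assumed meaning of the 8-character attribute field: d=directory, s=system, h=hidden.
@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None when ComboFix prints "--------" (directories)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    """Parse every listing line; banners, '.' separators and '+' snapshot lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Locations a malware dropper can write to as an ordinary user on XP.
USER_PROFILE_MARKERS = ("\\local settings\\application data\\", "\\application data\\")
HEX_NAME_RE = re.compile(r"[0-9a-f]{6,}")


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries under a user profile that look like dropped hideouts."""
    findings = []
    for e in parse_listing(text):
        low = e.path.lower()
        in_profile = "\\documents and settings\\" in low and any(
            marker in low for marker in USER_PROFILE_MARKERS
        )
        reasons = []
        if e.is_dir and e.hidden and e.system:
            reasons.append("hidden+system directory")
        name = e.path.rstrip("\\").rsplit("\\", 1)[-1]
        if HEX_NAME_RE.fullmatch(name.lower()):
            reasons.append("random-looking hex name")
        if reasons and in_profile:
            reasons.append("under user profile Application Data")
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

Only the `2d3ecfa1` entry is reported; ordinary vendor folders such as `tmp` or Malwarebytes' own directories are not hidden+system and do not match.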

#6 Will Watts

  • Malware Response Team
  • 17 posts

Posted 14 March 2012 - 03:09 PM

Hi Gan Dinga, things are looking better now. It looks like TDSSKiller and the other tools have done most of the work already. :)

We'll do a few more checks to make sure there are no remaining remnants.

You have this program installed, Malwarebytes Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
--------------------------------------

It's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
------------------------------------------------------

#7 Gan Dinga

  • Topic Starter
  • Members
  • 5 posts

Posted 15 March 2012 - 09:44 PM

Hello someguy201,

That is great news! Thank you.

I updated and ran Malwarebytes Anti-Malware (MBAM) and nothing was found. Here is the log report:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.15.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
GAN :: TINKER02 [administrator]

Protection: Disabled

3/15/2012 11:00:10 AM
mbam-log-2012-03-15 (11-00-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243777
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


I then ran ESET Online Scanner and it found the following:

C:\Documents and Settings\GAN\My Documents\Downloads\media.player.codec.pack.v4.0.0.setup.exe a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\C\Documents and Settings\GAN\Local Settings\Application Data\2d3ecfa1\U\80000000.@.vir probably a variant of Win32/Sirefef.DV trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP288\A0065859.dll Win32/Sirefef.DA trojan
C:\TDSSKiller_Quarantine\05.03.2012_06.38.35\rtkt0000\svc0000\tsk0000.dta Win32/Agent.SUC.Gen trojan


Thanks

Gan

#8 Will Watts

  • Malware Response Team
  • 17 posts

Posted 16 March 2012 - 08:08 AM

Hi Gan Dinga,

Those ESET results are nothing to worry about: two of them are in the Quarantine folders of tools we have run, and the System Volume Information and Qoobox results will be deleted when we uninstall ComboFix. The only result we need to deal with is the first one. Please navigate to the following location and delete the file shown below:

C:\Documents and Settings\GAN\My Documents\Downloads\media.player.codec.pack.v4.0.0.setup.exe

------------------------------------------------------

Please download Temp File Cleaner and save it to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double click on TFC.exe to run it.
  • Your desktop will disappear, this is normal, it will return.
  • If prompted, click "Yes" to reboot.
------------------------------------------------------

Disconnect from the internet and disable your AntiVirus temporarily.

Go to Start -> Run -> copy/paste in the following single line command & click OK


ComboFix /Uninstall


This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.
------------------------------------------------------

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SOFTWARE
You need an antivirus that is continually updated and a good firewall. In Windows Vista and 7, the Windows inbuilt firewall is usually sufficient, but XP users are recommended to have a good 3rd party firewall. However, be very wary with any security software that is advertised in popups. They are not only usually of no use, but often have malware in them. If you ever have doubts about the legitimacy of an anti-spyware or anti-virus program, it is best to post your question in our General Security forum.

Remember never to install more than one AntiVirus program as they will conflict with each other.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam, and helps to protect your computer against online threats when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for all major browsers.

  • Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. The Plus Version has more features, and you can read Winpatrol's FAQ if you run into any problems.

  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Windows Vista users see here, and Windows 7 users see here. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

  • ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of Erunt Automatically Backup your Windows Vista Registry daily using ERUNT - The Winhelponline Blog

SPYWARE PREVENTION

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety & Security - What Do I Need?
Think Prevention

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Please respond to this thread one more time so we can mark this issue as resolved.

#9 Gan Dinga

  • Topic Starter
  • Members
  • 5 posts

Posted 16 March 2012 - 11:50 AM

Hello someguy201,

I have done as you instructed in your last post. I assume that my computer is now 100% free of trojans/rootkit/viruses. Seems I no longer have any problems with this. I also know that it is a constant battle against people who want to do harm and we always have to be on alert mode.

Thank you SOOOO much for your great help, detailed instructions and thoroughness. I thought it would be more difficult to do all this on my own but you sure made it easy with the clear and precise instructions, and not to mention, your quick replies.

The advice and links you have sent will be extremely useful (I was going to ask you about what to do (I have heard about virtualization, etc.) but you sent those links about free programs -- some I have never heard of -- with a description). I will check them out. I have to say I also learned a lot and will be forever grateful for your help. Great success to you.

Thank you so much again

Gan

#10 Will Watts

  • Malware Response Team
  • 17 posts

Posted 16 March 2012 - 07:17 PM

You're welcome! :thumbsup:

#11 Will Watts

  • Malware Response Team
  • 17 posts

Posted 16 March 2012 - 07:17 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



