
My Computer may be infected


  • This topic is locked
20 replies to this topic

#1 OnlyZuul


  • Members
  • 39 posts
  • Gender:Female

Posted 01 April 2012 - 02:53 AM

Recently I noticed that my computer was just randomly getting attacked, and this kept popping up from Norton: Bloodhound.MalPE. I've been noticing slow start-ups and it takes longer to load pages. And, weird thing is that just a few minutes ago the computer just rebooted itself and got a blue screen. Should have gotten the error codes, but I didn't. I need help in finding out what is going on with the computer. Any help appreciated.


#2 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 April 2012 - 10:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 OnlyZuul

  • Topic Starter

  • Members
  • 39 posts
  • Gender:Female

Posted 06 April 2012 - 05:52 PM

Initially when I wrote this post the computer was getting bloodhound warnings, but I did a malwarebytes scan and I'm not sure if it got it all. Also, the computer is still sluggish. At this point, it'd be great to know if there is anything hidden anywhere. I have attached the following three logs, DDS, Defogger and Gmer. Thanks for your help.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Owner at 12:37:51 on 2012-04-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1276 [GMT -7:00]
.
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Freecorder\FLVSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?ilc=21
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre1.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre1.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\6.1.2.10\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\6.1.2.10\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {af6ac4f2-9825-4fb6-a600-92bc5361f209} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\6.1.2.10\coIEPlg.dll
TB: {af6ac4f2-9825-4fb6-a600-92bc5361f209} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EKAiO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239119270551
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\204m6qut.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=433&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\owner\desktop\veetle\player\npvlc.dll
FF - plugin: c:\documents and settings\owner\desktop\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0601020.00a\symds.sys [2012-3-23 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0601020.00a\symefa.sys [2012-3-23 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-19 820856]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0601020.00a\ccsetx86.sys [2012-3-23 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0601020.00a\ironx86.sys [2012-3-23 149624]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-12-25 8440]
R2 N360;Norton 360;c:\program files\norton 360\engine\6.1.2.10\ccsvchst.exe [2012-3-23 138232]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-3-12 2348352]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-13 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-13 399416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-25 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\ipsdefs\20120405.002\IDSXpx86.sys [2012-4-5 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-8 20464]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\virusdefs\20120406.002\NAVENG.SYS [2012-4-6 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\virusdefs\20120406.002\NAVEX15.SYS [2012-4-6 1576312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-14 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-8 652360]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-3-29 1691480]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-12-25 11237]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-14 136176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2012-04-02 23:35:58 151552 ----a-w- c:\program files\mozilla firefox\plugins\nppopcaploader.dll
2012-03-30 21:50:32 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 21:45:02 -------- d-----w- c:\documents and settings\owner\local settings\application data\Secunia PSI
2012-03-30 21:43:33 -------- d-----w- c:\program files\Secunia
2012-03-29 18:11:22 359016 ----a-w- c:\windows\vncutil.exe
2012-03-29 18:11:20 55912 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2012-03-29 18:11:20 129640 ----a-w- c:\windows\RtkAudioService.exe
2012-03-29 18:11:19 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2012-03-29 18:11:19 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2012-03-28 20:12:09 4111704 ----a-w- c:\windows\system32\GameMon.des
2012-03-28 20:11:59 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2012-03-28 20:11:59 4682 ----a-w- c:\windows\system32\npptNT2.sys
2012-03-28 20:11:49 -------- d-----w- c:\program files\common files\INCA Shared
2012-03-23 20:09:46 388216 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symtdi.sys
2012-03-23 20:09:46 345208 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symtdiv.sys
2012-03-23 20:09:45 905336 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symefa.sys
2012-03-23 20:09:45 574584 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\srtsp.sys
2012-03-23 20:09:45 340088 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symds.sys
2012-03-23 20:09:45 32888 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\srtspx.sys
2012-03-23 20:09:45 318584 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symnets.sys
2012-03-23 20:09:45 149624 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\ironx86.sys
2012-03-23 20:09:45 132744 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\ccsetx86.sys
2012-03-23 20:09:18 4782 ----a-w- c:\windows\system32\drivers\n360\0601020.00a\symvtcer.dat
2012-03-23 20:09:18 -------- d-----w- c:\windows\system32\drivers\n360\0601020.00A
2012-03-17 21:01:16 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-17 21:01:16 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-15 05:07:00 -------- d-----w- c:\program files\iPod
2012-03-12 21:37:16 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-03-12 21:37:16 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-03-10 21:36:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
==================== Find3M ====================
.
2012-04-06 16:31:05 292700 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-04-06 16:31:05 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-04-06 16:26:28 292700 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-03-30 21:50:32 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-23 20:09:48 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-03-23 20:09:48 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-10 21:36:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-15 18:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 18:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-10 04:10:00 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-10 04:10:00 5918720 ----a-w- c:\windows\system32\nvcuda.dll
2012-02-10 04:10:00 4309760 ----a-w- c:\windows\system32\nv4_disp.dll
2012-02-10 04:10:00 2522944 ----a-w- c:\windows\system32\nvcuvid.dll
2012-02-10 04:10:00 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-02-10 04:10:00 2292224 ----a-w- c:\windows\system32\nvapi.dll
2012-02-10 04:10:00 18620416 ----a-w- c:\windows\system32\nvoglnt.dll
2012-02-10 04:10:00 17534976 ----a-w- c:\windows\system32\nvcompiler.dll
2012-02-10 04:10:00 13415040 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-02-10 03:04:29 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-02-10 03:04:21 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-02-10 03:04:21 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-02-10 03:04:20 15494464 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-10 03:04:19 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 12:38:22.23 ===============

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:52 on 06/04/2012 (Owner)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-06 15:41:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250410AS rev.3.AAC
Running: 7yypukrf.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwldipob.sys


---- System - GMER 1.0.15 ----

SSDT 898E4F70 ZwAlertResumeThread
SSDT 898BF218 ZwAlertThread
SSDT 898C5778 ZwAllocateVirtualMemory
SSDT 898E4138 ZwAssignProcessToJobObject
SSDT 89945250 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB3BD6D40]
SSDT 898E46E0 ZwCreateMutant
SSDT 898BEF38 ZwCreateSymbolicLinkObject
SSDT 8989B660 ZwCreateThread
SSDT 898E4218 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB3BD6FC0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB3BD7680]
SSDT 8989BB70 ZwDuplicateObject
SSDT 898BF968 ZwFreeVirtualMemory
SSDT 898E47B0 ZwImpersonateAnonymousToken
SSDT 89DA45E8 ZwImpersonateThread
SSDT 8993B408 ZwLoadDriver
SSDT 898BF868 ZwMapViewOfSection
SSDT 898E4600 ZwOpenEvent
SSDT 898F0630 ZwOpenProcess
SSDT 8989BA90 ZwOpenProcessToken
SSDT 898E4440 ZwOpenSection
SSDT 898F0540 ZwOpenThread
SSDT 898BE008 ZwProtectVirtualMemory
SSDT 898BF2F8 ZwResumeThread
SSDT 898BF598 ZwSetContextThread
SSDT 898BF698 ZwSetInformationProcess
SSDT 898E42F8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB3BD7910]
SSDT 898E4520 ZwSuspendProcess
SSDT 898BF3D8 ZwSuspendThread
SSDT 898EFD40 ZwTerminateProcess
SSDT 898BF4B8 ZwTerminateThread
SSDT 898BF788 ZwUnmapViewOfSection
SSDT 898C56A8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D50 805045EC 4 Bytes CALL B2DA2036
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB668A3C0, 0x95AECA, 0xE8000020]
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3008] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
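The DDS log above lists Internet Explorer add-ons (BHO and TB lines) and registry autoruns (uRun/mRun lines) that a helper normally reads by eye. As an added example, not part of this thread and not code from the DDS author, here is a small Python triage script that pulls those lines out of the "Pseudo HJT Report" section, flags add-on registrations that point at "No File" (orphaned entries like the two unnamed BHO CLSIDs above), and flags autoruns whose executable lives under a user profile or temp directory, which merits a second look. The sample log embedded in the script is constructed from the format above; the "Suspicious" autorun line is made up purely so the profile-directory flag has something to fire on, and the markers in PROFILE_MARKERS are this script's own heuristic, not a DDS rule.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example: not part of the DDS tool or of this forum thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS log format shown in the thread. The 'Suspicious'
# autorun is made up so that the profile-directory flag has something to fire on.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?ilc=21
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Suspicious] "c:\documents and settings\owner\application data\xyz\updater.exe" /silent
.
================= FIREFOX ===================
FF - prefs.js: network.proxy.type - 0
"""

# A DDS section header looks like '=== Title ==='; the separators between entries are lone dots.
SECTION_RE = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")
# uRun / mRun / dRunOnce: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>[umd])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# BHO / TB / uURLSearchHooks: [friendly name: ]{CLSID} - path or 'No File'
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB|uURLSearchHooks): (?:(?P<name>.*?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}|\S+) - (?P<target>.*)$"
)
# Heuristic (this script's own, not a DDS rule): autoruns launched from here deserve review.
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\temp", "%temp%", "\\users\\")


@dataclass
class Autorun:
    hive: str      # prefix as DDS prints it: u (user), m (machine), d (default user)
    key: str       # Run or RunOnce
    name: str      # registry value name
    command: str   # full command line
    exe: str       # executable extracted from the command line


@dataclass
class ComEntry:
    kind: str      # BHO, TB (toolbar) or uURLSearchHooks
    name: str      # friendly name, may be empty
    clsid: str
    target: str    # DLL path, or 'No File' for an orphaned registration


@dataclass
class Triage:
    autoruns: list = field(default_factory=list)
    com_entries: list = field(default_factory=list)
    orphans: list = field(default_factory=list)          # registrations pointing at 'No File'
    profile_autoruns: list = field(default_factory=list)  # autoruns hosted in profile/temp dirs


def extract_section(text, title):
    """Return the non-separator lines of the DDS section whose header contains `title`."""
    lines, inside = [], False
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            inside = title.lower() in m.group("title").lower()
            continue
        if inside and line.strip() != ".":
            lines.append(line.rstrip())
    return lines


def executable_of(command):
    """Executable part of a Run command line: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def looks_profile_hosted(path):
    p = path.lower()
    return any(marker in p for marker in PROFILE_MARKERS)


def triage_dds(text):
    """Parse the Pseudo HJT Report section and collect the entries worth a closer look."""
    t = Triage()
    for line in extract_section(text, "Pseudo HJT Report"):
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            a = Autorun(m.group("hive"), m.group("key"), m.group("name"), m.group("cmd"), exe)
            t.autoruns.append(a)
            if looks_profile_hosted(exe):
                t.profile_autoruns.append(a)
            continue
        m = COM_RE.match(line)
        if m:
            c = ComEntry(m.group("kind"), m.group("name") or "", m.group("clsid"), m.group("target"))
            t.com_entries.append(c)
            if c.target.strip().lower() == "no file":
                t.orphans.append(c)
    return t


if __name__ == "__main__":
    result = triage_dds(SAMPLE_DDS)
    print(f"{len(result.autoruns)} autoruns, {len(result.com_entries)} IE add-on registrations")
    for c in result.orphans:
        print(f"orphaned {c.kind} {c.clsid} ({c.name or 'unnamed'})")
    for a in result.profile_autoruns:
        print(f"review {a.hive}{a.key} [{a.name}] -> {a.exe}")
```

Point the script at a saved DDS log instead of SAMPLE_DDS to run it on real output. The two flags are triage hints, not verdicts: an orphaned BHO is usually leftover from an uninstall, and a profile-hosted autorun is common for legitimate per-user updaters, so each hit still needs the path and file checked by hand.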

#4 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 April 2012 - 06:59 PM

Let's start by looking for rootkits

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then aswMBR


Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE
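As an added example, not part of this thread and not code from Kaspersky's TDSSKiller, here is a Python reader for the report that the TDSSKiller command above writes (the format is visible in the reply that follows): each service or driver produces an optional file line "name (md5) path" followed by a verdict line "name - verdict". The script pairs the two, lists entries whose verdict is anything other than "ok", and lists entries that had no file line at all. The embedded log is constructed; the "fakesvc" entry with its all-zero MD5 and "warning" verdict is invented only to exercise the non-"ok" path and is a made-up verdict value, not one taken from the tool.

```python
"""Reader for TDSSKiller scan reports.

Added example: not part of TDSSKiller or of this forum thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the TDSSKiller 2.7 log format posted in this thread.
# The 'fakesvc' lines are made up (placeholder MD5, made-up verdict) to exercise the non-ok path.
SAMPLE_LOG = r"""18:18:05.0937 4912 OS Version: 5.1.2600 ServicePack: 3.0
18:18:09.0531 4912 MBR used
18:18:33.0328 3452 ============================================================
18:18:33.0328 3452 Scan started
18:18:33.0328 3452 Mode: Manual;
18:18:33.0328 3452 ============================================================
18:18:34.0515 3452 Abiosdsk - ok
18:18:35.0687 3452 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:18:35.0796 3452 ACPI - ok
18:18:46.0187 3452 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:18:46.0187 3452 Apple Mobile Device - ok
18:19:10.0000 3452 fakesvc (00000000000000000000000000000000) C:\Documents and Settings\Owner\Local Settings\Temp\fakesvc.sys
18:19:10.0100 3452 fakesvc - warning
"""

# Every line: timestamp, process id, message.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s*(?P<msg>.*)$")
# File line: 'name (32 hex MD5) path'
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# Verdict line: 'name - verdict'
VERDICT_RE = re.compile(r"^(?P<name>.+?) - (?P<verdict>.+)$")


@dataclass
class ServiceEntry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None   # None if the log ended before the verdict was written


def parse_tdsskiller(text: str) -> List[ServiceEntry]:
    """Pair file and verdict lines per service, in the order they first appear."""
    entries, order = {}, []
    started = False

    def get(name):
        if name not in entries:
            entries[name] = ServiceEntry(name)
            order.append(name)
        return entries[name]

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg == "Scan started":
            started = True   # header lines before this (drive geometry etc.) also contain ' - '
            continue
        if not started or not msg or msg.startswith("="):
            continue
        fm = FILE_RE.match(msg)
        if fm:
            e = get(fm.group("name"))
            e.md5, e.path = fm.group("md5").lower(), fm.group("path")
            continue
        vm = VERDICT_RE.match(msg)
        if vm:
            get(vm.group("name")).verdict = vm.group("verdict")
    return [entries[n] for n in order]


def not_ok(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries whose verdict is anything but 'ok', including a missing verdict."""
    return [e for e in entries if e.verdict != "ok"]


def without_file(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries that got a verdict but no file line (no image on disk was hashed)."""
    return [e for e in entries if e.path is None]


if __name__ == "__main__":
    scanned = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(scanned)} services/drivers scanned")
    for e in not_ok(scanned):
        print(f"{e.verdict or 'no verdict'}: {e.name} {e.md5} {e.path}")
    for e in without_file(scanned):
        print(f"no file line: {e.name}")
```

Feed it the report.txt that the "-l report.txt" switch in the command above produces. The md5 and path of each entry are the values you would look up against your own known-good hash list; the script only structures the log, it does not decide what is malicious.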

#5 OnlyZuul

  • Topic Starter

  • Members
  • 39 posts
  • Gender:Female

Posted 06 April 2012 - 08:32 PM

18:18:03.0968 4912 TDSS rootkit removing tool 2.7.26.0 Apr 4 2012 19:52:02
18:18:05.0937 4912 ============================================================
18:18:05.0937 4912 Current date / time: 2012/04/06 18:18:05.0937
18:18:05.0937 4912 SystemInfo:
18:18:05.0937 4912
18:18:05.0937 4912 OS Version: 5.1.2600 ServicePack: 3.0
18:18:05.0937 4912 Product type: Workstation
18:18:05.0937 4912 ComputerName: THECUBE
18:18:05.0937 4912 UserName: Owner
18:18:05.0937 4912 Windows directory: C:\WINDOWS
18:18:05.0937 4912 System windows directory: C:\WINDOWS
18:18:05.0937 4912 Processor architecture: Intel x86
18:18:05.0937 4912 Number of processors: 2
18:18:05.0937 4912 Page size: 0x1000
18:18:05.0937 4912 Boot type: Normal boot
18:18:05.0937 4912 ============================================================
18:18:09.0500 4912 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:18:09.0531 4912 \Device\Harddisk0\DR0:
18:18:09.0531 4912 MBR used
18:18:09.0531 4912 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
18:18:09.0578 4912 Initialize success
18:18:09.0578 4912 ============================================================
18:18:33.0328 3452 ============================================================
18:18:33.0328 3452 Scan started
18:18:33.0328 3452 Mode: Manual;
18:18:33.0328 3452 ============================================================
18:18:34.0515 3452 Abiosdsk - ok
18:18:35.0093 3452 abp480n5 - ok
18:18:35.0687 3452 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:18:35.0796 3452 ACPI - ok
18:18:36.0296 3452 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:18:36.0312 3452 ACPIEC - ok
18:18:36.0953 3452 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
18:18:37.0000 3452 AdobeFlashPlayerUpdateSvc - ok
18:18:37.0421 3452 adpu160m - ok
18:18:37.0968 3452 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:18:38.0062 3452 aec - ok
18:18:38.0625 3452 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:18:38.0734 3452 AFD - ok
18:18:39.0171 3452 Aha154x - ok
18:18:39.0593 3452 aic78u2 - ok
18:18:40.0015 3452 aic78xx - ok
18:18:40.0484 3452 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:18:40.0484 3452 Alerter - ok
18:18:40.0921 3452 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:18:40.0921 3452 ALG - ok
18:18:41.0343 3452 AliIde - ok
18:18:42.0812 3452 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
18:18:43.0906 3452 Ambfilt - ok
18:18:44.0562 3452 AmdLLD - ok
18:18:45.0250 3452 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
18:18:45.0312 3452 AmdPPM - ok
18:18:45.0859 3452 amsint - ok
18:18:46.0187 3452 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:18:46.0187 3452 Apple Mobile Device - ok
18:18:46.0734 3452 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
18:18:46.0828 3452 AppMgmt - ok
18:18:47.0250 3452 asc - ok
18:18:47.0703 3452 asc3350p - ok
18:18:48.0125 3452 asc3550 - ok
18:18:48.0421 3452 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
18:18:48.0453 3452 aspnet_state - ok
18:18:49.0000 3452 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:18:49.0000 3452 AsyncMac - ok
18:18:49.0515 3452 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:18:49.0515 3452 atapi - ok
18:18:49.0921 3452 Atdisk - ok
18:18:50.0406 3452 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:18:50.0437 3452 Atmarpc - ok
18:18:50.0906 3452 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:18:50.0937 3452 AudioSrv - ok
18:18:51.0421 3452 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:18:51.0421 3452 audstub - ok
18:18:51.0859 3452 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:18:51.0875 3452 Beep - ok
18:18:52.0531 3452 BHDrvx86 (eb7f1f1dfa95c25d762c22d3cf13d4e0) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120317.002\BHDrvx86.sys
18:18:53.0000 3452 BHDrvx86 - ok
18:18:53.0718 3452 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:18:54.0015 3452 BITS - ok
18:18:54.0531 3452 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
18:18:54.0781 3452 Bonjour Service - ok
18:18:55.0296 3452 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:18:55.0359 3452 Browser - ok
18:18:56.0031 3452 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:18:56.0046 3452 cbidf2k - ok
18:18:56.0812 3452 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:18:56.0828 3452 CCDECODE - ok
18:18:57.0375 3452 ccSet_N360 (599e7f6259a127c174c49938d2aa6a60) C:\WINDOWS\system32\drivers\N360\0601020.00A\ccSetx86.sys
18:18:57.0671 3452 ccSet_N360 - ok
18:18:58.0093 3452 cd20xrnt - ok
18:18:58.0765 3452 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:18:58.0781 3452 Cdaudio - ok
18:18:59.0343 3452 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:18:59.0390 3452 Cdfs - ok
18:19:00.0078 3452 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:19:00.0125 3452 Cdrom - ok
18:19:00.0781 3452 Changer - ok
18:19:01.0218 3452 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:19:01.0218 3452 CiSvc - ok
18:19:01.0953 3452 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:19:01.0984 3452 ClipSrv - ok
18:19:02.0328 3452 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:19:02.0390 3452 clr_optimization_v2.0.50727_32 - ok
18:19:03.0062 3452 CmdIde - ok
18:19:03.0500 3452 COMSysApp - ok
18:19:04.0468 3452 Cpqarray - ok
18:19:05.0437 3452 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:19:05.0546 3452 CryptSvc - ok
18:19:06.0109 3452 dac2w2k - ok
18:19:06.0953 3452 dac960nt - ok
18:19:07.0937 3452 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:19:08.0187 3452 DcomLaunch - ok
18:19:08.0781 3452 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:19:08.0984 3452 Dhcp - ok
18:19:09.0484 3452 Diag69xp (9afd0211790bb60ca4453e95e2fcfa34) C:\WINDOWS\system32\Drivers\Diag69xp.sys
18:19:09.0500 3452 Diag69xp - ok
18:19:09.0968 3452 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:19:10.0000 3452 Disk - ok
18:19:10.0421 3452 dmadmin - ok
18:19:11.0359 3452 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:19:11.0843 3452 dmboot - ok
18:19:12.0375 3452 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:19:12.0468 3452 dmio - ok
18:19:12.0906 3452 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:19:12.0921 3452 dmload - ok
18:19:13.0359 3452 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:19:13.0390 3452 dmserver - ok
18:19:13.0859 3452 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:19:13.0890 3452 DMusic - ok
18:19:14.0468 3452 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
18:19:14.0500 3452 Dnscache - ok
18:19:15.0281 3452 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:19:15.0406 3452 Dot3svc - ok
18:19:15.0968 3452 dpti2o - ok
18:19:16.0546 3452 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:19:16.0562 3452 drmkaud - ok
18:19:17.0000 3452 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:19:17.0015 3452 EapHost - ok
18:19:17.0359 3452 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
18:19:17.0593 3452 eeCtrl - ok
18:19:17.0734 3452 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
18:19:17.0796 3452 EraserUtilRebootDrv - ok
18:19:18.0250 3452 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
18:19:18.0265 3452 ERSvc - ok
18:19:18.0781 3452 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:19:18.0781 3452 Eventlog - ok
18:19:19.0343 3452 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
18:19:19.0484 3452 EventSystem - ok
18:19:20.0140 3452 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:19:20.0218 3452 Fastfat - ok
18:19:20.0734 3452 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:19:20.0812 3452 FastUserSwitchingCompatibility - ok
18:19:21.0265 3452 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
18:19:21.0281 3452 Fdc - ok
18:19:21.0750 3452 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:19:21.0765 3452 Fips - ok
18:19:22.0250 3452 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:19:22.0265 3452 Flpydisk - ok
18:19:22.0765 3452 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
18:19:22.0843 3452 FltMgr - ok
18:19:23.0093 3452 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
18:19:23.0140 3452 FontCache3.0.0.0 - ok
18:19:23.0750 3452 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:19:23.0765 3452 Fs_Rec - ok
18:19:24.0312 3452 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:19:24.0515 3452 Ftdisk - ok
18:19:25.0234 3452 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
18:19:25.0250 3452 GEARAspiWDM - ok
18:19:25.0828 3452 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:19:25.0859 3452 Gpc - ok
18:19:26.0109 3452 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
18:19:26.0109 3452 gupdate - ok
18:19:26.0203 3452 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
18:19:26.0203 3452 gupdatem - ok
18:19:26.0718 3452 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:19:26.0812 3452 HDAudBus - ok
18:19:27.0015 3452 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
18:19:27.0031 3452 helpsvc - ok
18:19:27.0421 3452 HidServ - ok
18:19:27.0906 3452 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:19:27.0921 3452 HidUsb - ok
18:19:28.0375 3452 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
18:19:28.0421 3452 hkmsvc - ok
18:19:28.0875 3452 hpn - ok
18:19:29.0484 3452 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
18:19:29.0640 3452 HTTP - ok
18:19:30.0093 3452 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
18:19:30.0109 3452 HTTPFilter - ok
18:19:30.0531 3452 i2omgmt - ok
18:19:30.0953 3452 i2omp - ok
18:19:31.0437 3452 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:19:31.0484 3452 i8042prt - ok
18:19:32.0187 3452 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
18:19:32.0750 3452 idsvc - ok
18:19:33.0125 3452 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120406.002\IDSxpx86.sys
18:19:33.0140 3452 IDSxpx86 - ok
18:19:33.0703 3452 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:19:33.0718 3452 Imapi - ok
18:19:34.0250 3452 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
18:19:34.0343 3452 ImapiService - ok
18:19:34.0968 3452 ini910u - ok
18:19:39.0281 3452 IntcAzAudAddService (55920481a44fa7bdde5fc1b9e02c7c2a) C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:19:43.0062 3452 IntcAzAudAddService - ok
18:19:43.0500 3452 IntelIde - ok
18:19:43.0984 3452 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
18:19:44.0000 3452 Ip6Fw - ok
18:19:44.0796 3452 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:19:44.0828 3452 IpFilterDriver - ok
18:19:45.0531 3452 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:19:45.0593 3452 IpInIp - ok
18:19:46.0328 3452 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:19:46.0453 3452 IpNat - ok
18:19:47.0046 3452 iPod Service (ce004777b92dea56fe14ec900d20baa4) C:\Program Files\iPod\bin\iPodService.exe
18:19:47.0531 3452 iPod Service - ok
18:19:48.0031 3452 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:19:48.0109 3452 IPSec - ok
18:19:48.0687 3452 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:19:48.0703 3452 IRENUM - ok
18:19:49.0312 3452 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:19:49.0359 3452 isapnp - ok
18:19:49.0593 3452 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
18:19:49.0609 3452 JavaQuickStarterService - ok
18:19:50.0109 3452 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:19:50.0125 3452 Kbdclass - ok
18:19:50.0718 3452 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:19:50.0812 3452 kmixer - ok
18:19:51.0265 3452 Kodak AiO Network Discovery Service (27277a11db52fefae5b01dc8fb570b28) C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
18:19:51.0437 3452 Kodak AiO Network Discovery Service - ok
18:19:51.0984 3452 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:19:52.0031 3452 KSecDD - ok
18:19:52.0546 3452 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
18:19:52.0609 3452 lanmanserver - ok
18:19:53.0125 3452 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
18:19:53.0203 3452 lanmanworkstation - ok
18:19:53.0687 3452 LANPkt (8bbfbf256493035ae6105b334fce99df) C:\WINDOWS\system32\DRIVERS\LANPkt.sys
18:19:53.0703 3452 LANPkt - ok
18:19:54.0171 3452 lbrtfdc - ok
18:19:54.0718 3452 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
18:19:54.0734 3452 LmHosts - ok
18:19:55.0218 3452 lxce_device - ok
18:19:55.0890 3452 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
18:19:55.0906 3452 MBAMProtector - ok
18:19:56.0453 3452 MBAMService (056b19651bd7b7ce5f89a3ac46dbdc08) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
18:19:56.0875 3452 MBAMService - ok
18:19:57.0296 3452 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
18:19:57.0328 3452 Messenger - ok
18:19:57.0796 3452 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:19:57.0796 3452 mnmdd - ok
18:19:58.0250 3452 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
18:19:58.0281 3452 mnmsrvc - ok
18:19:58.0765 3452 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:19:58.0781 3452 Modem - ok
18:20:00.0265 3452 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
18:20:01.0421 3452 Monfilt - ok
18:20:02.0171 3452 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:20:02.0187 3452 Mouclass - ok
18:20:02.0671 3452 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:20:02.0671 3452 mouhid - ok
18:20:03.0375 3452 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:20:03.0390 3452 MountMgr - ok
18:20:04.0046 3452 mraid35x - ok
18:20:04.0578 3452 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:20:05.0140 3452 MRxDAV - ok
18:20:06.0375 3452 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:20:06.0687 3452 MRxSmb - ok
18:20:07.0312 3452 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
18:20:07.0328 3452 MSDTC - ok
18:20:07.0984 3452 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:20:08.0015 3452 Msfs - ok
18:20:08.0406 3452 MSIServer - ok
18:20:09.0078 3452 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:20:09.0078 3452 MSKSSRV - ok
18:20:09.0531 3452 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:20:09.0531 3452 MSPCLOCK - ok
18:20:09.0968 3452 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:20:09.0968 3452 MSPQM - ok
18:20:10.0437 3452 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:20:10.0453 3452 mssmbios - ok
18:20:10.0906 3452 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
18:20:10.0921 3452 MSTEE - ok
18:20:11.0437 3452 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
18:20:11.0546 3452 Mup - ok
18:20:12.0031 3452 MxlW2k (485bede9be0c37c0d95ef9f9a44ce04b) C:\WINDOWS\system32\drivers\MxlW2k.sys
18:20:12.0046 3452 MxlW2k - ok
18:20:12.0359 3452 N360 (7a02f128a454bb22e300f3f80bc1bd22) C:\Program Files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe
18:20:12.0375 3452 N360 - ok
18:20:12.0921 3452 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:20:12.0968 3452 NABTSFEC - ok
18:20:13.0593 3452 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
18:20:13.0781 3452 napagent - ok
18:20:14.0000 3452 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\VirusDefs\20120406.020\NAVENG.SYS
18:20:14.0000 3452 NAVENG - ok
18:20:15.0156 3452 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\VirusDefs\20120406.020\NAVEX15.SYS
18:20:15.0171 3452 NAVEX15 - ok
18:20:15.0984 3452 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:20:16.0109 3452 NDIS - ok
18:20:16.0640 3452 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:20:16.0640 3452 NdisIP - ok
18:20:17.0156 3452 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:20:17.0156 3452 NdisTapi - ok
18:20:17.0656 3452 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:20:17.0671 3452 Ndisuio - ok
18:20:18.0156 3452 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:20:18.0203 3452 NdisWan - ok
18:20:18.0703 3452 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:20:18.0718 3452 NDProxy - ok
18:20:19.0187 3452 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:20:19.0203 3452 NetBIOS - ok
18:20:19.0750 3452 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:20:19.0843 3452 NetBT - ok
18:20:20.0328 3452 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:20:20.0390 3452 NetDDE - ok
18:20:20.0468 3452 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:20:20.0468 3452 NetDDEdsdm - ok
18:20:20.0890 3452 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:20.0906 3452 Netlogon - ok
18:20:21.0406 3452 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
18:20:21.0531 3452 Netman - ok
18:20:21.0890 3452 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
18:20:21.0968 3452 NetTcpPortSharing - ok
18:20:22.0531 3452 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
18:20:22.0734 3452 Nla - ok
18:20:23.0203 3452 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:20:23.0218 3452 Npfs - ok
18:20:23.0609 3452 npggsvc - ok
18:20:24.0468 3452 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:20:24.0890 3452 Ntfs - ok
18:20:25.0453 3452 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:25.0453 3452 NtLmSsp - ok
18:20:26.0218 3452 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
18:20:26.0484 3452 NtmsSvc - ok
18:20:26.0968 3452 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:20:26.0984 3452 Null - ok
18:20:35.0343 3452 nv (0dc79b60cedc3a8854c27b3c6e4b3414) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:20:43.0390 3452 nv - ok
18:20:43.0953 3452 NVSvc (971b4344aba9b79ed0e9d0bb2a5283c1) C:\WINDOWS\system32\nvsvc32.exe
18:20:43.0984 3452 NVSvc - ok
18:20:45.0640 3452 nvUpdatusService (4cde6d8e0a07dce9e568f58a5dc8086c) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
18:20:47.0265 3452 nvUpdatusService - ok
18:20:47.0781 3452 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:20:47.0828 3452 NwlnkFlt - ok
18:20:48.0390 3452 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:20:48.0437 3452 NwlnkFwd - ok
18:20:48.0953 3452 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
18:20:49.0296 3452 odserv - ok
18:20:49.0453 3452 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
18:20:49.0593 3452 ose - ok
18:20:50.0265 3452 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:20:50.0343 3452 Parport - ok
18:20:50.0859 3452 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:20:50.0875 3452 PartMgr - ok
18:20:51.0390 3452 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:20:51.0390 3452 ParVdm - ok
18:20:52.0109 3452 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:20:52.0171 3452 PCI - ok
18:20:52.0859 3452 PCIDump - ok
18:20:53.0437 3452 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:20:53.0468 3452 PCIIde - ok
18:20:54.0062 3452 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:20:54.0140 3452 Pcmcia - ok
18:20:54.0562 3452 PDCOMP - ok
18:20:54.0984 3452 PDFRAME - ok
18:20:55.0406 3452 PDRELI - ok
18:20:55.0843 3452 PDRFRAME - ok
18:20:56.0265 3452 perc2 - ok
18:20:56.0687 3452 perc2hib - ok
18:20:57.0187 3452 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:20:57.0187 3452 PlugPlay - ok
18:20:57.0671 3452 PnkBstrA (831883b107684301f48ace752c963984) C:\WINDOWS\system32\PnkBstrA.exe
18:20:57.0671 3452 PnkBstrA - ok
18:20:58.0171 3452 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:58.0171 3452 PolicyAgent - ok
18:20:58.0671 3452 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:20:58.0703 3452 PptpMiniport - ok
18:20:59.0156 3452 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
18:20:59.0187 3452 Processor - ok
18:20:59.0578 3452 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:59.0593 3452 ProtectedStorage - ok
18:21:00.0171 3452 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:21:00.0218 3452 PSched - ok
18:21:00.0875 3452 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
18:21:00.0921 3452 PSI - ok
18:21:01.0546 3452 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:21:01.0593 3452 Ptilink - ok
18:21:02.0093 3452 ql1080 - ok
18:21:02.0515 3452 Ql10wnt - ok
18:21:02.0984 3452 ql12160 - ok
18:21:03.0500 3452 ql1240 - ok
18:21:04.0046 3452 ql1280 - ok
18:21:04.0484 3452 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:21:04.0484 3452 RasAcd - ok
18:21:04.0984 3452 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:21:05.0046 3452 RasAuto - ok
18:21:05.0796 3452 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:21:05.0828 3452 Rasl2tp - ok
18:21:06.0609 3452 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:21:06.0718 3452 RasMan - ok
18:21:07.0468 3452 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:21:07.0500 3452 RasPppoe - ok
18:21:07.0937 3452 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:21:07.0953 3452 Raspti - ok
18:21:08.0765 3452 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:21:08.0875 3452 Rdbss - ok
18:21:09.0531 3452 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:21:09.0531 3452 RDPCDD - ok
18:21:10.0875 3452 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:21:11.0093 3452 rdpdr - ok
18:21:12.0000 3452 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
18:21:12.0109 3452 RDPWD - ok
18:21:12.0671 3452 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:21:12.0765 3452 RDSessMgr - ok
18:21:13.0265 3452 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:21:13.0296 3452 redbook - ok
18:21:13.0812 3452 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:21:13.0843 3452 RemoteAccess - ok
18:21:14.0296 3452 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
18:21:14.0328 3452 RemoteRegistry - ok
18:21:14.0765 3452 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:21:14.0828 3452 RpcLocator - ok
18:21:15.0484 3452 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:21:15.0500 3452 RpcSs - ok
18:21:15.0984 3452 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:21:16.0078 3452 RSVP - ok
18:21:16.0562 3452 RTL8023 (471e91c38bd05cb024f9c02017235424) C:\WINDOWS\system32\DRIVERS\GA311ND5.SYS
18:21:16.0593 3452 RTL8023 - ok
18:21:17.0140 3452 RTLE8023xp (832f27e6962a14ebf3b09af0e65fd7b4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
18:21:17.0218 3452 RTLE8023xp - ok
18:21:17.0640 3452 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:21:17.0640 3452 SamSs - ok
18:21:18.0140 3452 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:21:18.0203 3452 SCardSvr - ok
18:21:18.0718 3452 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:21:18.0890 3452 Schedule - ok
18:21:19.0343 3452 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:21:19.0359 3452 Secdrv - ok
18:21:19.0796 3452 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:21:19.0812 3452 seclogon - ok
18:21:20.0593 3452 Secunia PSI Agent (5b66db4877bbac9f7493aa8d84421e49) C:\Program Files\Secunia\PSI\PSIA.exe
18:21:21.0234 3452 Secunia PSI Agent - ok
18:21:21.0515 3452 Secunia Update Agent (0e88fdf474f2cdd370a4a6ce77d018f0) C:\Program Files\Secunia\PSI\sua.exe
18:21:21.0609 3452 Secunia Update Agent - ok
18:21:22.0156 3452 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
18:21:22.0187 3452 SENS - ok
18:21:22.0687 3452 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:21:22.0703 3452 serenum - ok
18:21:23.0171 3452 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:21:23.0203 3452 Serial - ok
18:21:23.0656 3452 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:21:23.0671 3452 Sfloppy - ok
18:21:24.0312 3452 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
18:21:24.0515 3452 SharedAccess - ok
18:21:25.0046 3452 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:21:25.0062 3452 ShellHWDetection - ok
18:21:25.0531 3452 Simbad - ok
18:21:26.0031 3452 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:21:26.0046 3452 SLIP - ok
18:21:26.0515 3452 Sparrow - ok
18:21:26.0953 3452 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:21:26.0968 3452 splitter - ok
18:21:27.0437 3452 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
18:21:27.0437 3452 Spooler - ok
18:21:27.0921 3452 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:21:27.0968 3452 sr - ok
18:21:28.0578 3452 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:21:28.0671 3452 srservice - ok
18:21:29.0546 3452 SRTSP (c16d048faf2978d2121f9f40594a6bdc) C:\WINDOWS\System32\Drivers\N360\0601020.00A\SRTSP.SYS
18:21:29.0890 3452 SRTSP - ok
18:21:30.0484 3452 SRTSPX (f0d02c2e25970c9c72a5cd278c17cdb6) C:\WINDOWS\system32\drivers\N360\0601020.00A\SRTSPX.SYS
18:21:30.0515 3452 SRTSPX - ok
18:21:31.0375 3452 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:21:31.0578 3452 Srv - ok
18:21:32.0078 3452 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:21:32.0125 3452 SSDPSRV - ok
18:21:32.0218 3452 Steam Client Service - ok
18:21:32.0671 3452 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
18:21:32.0687 3452 StillCam - ok
18:21:33.0281 3452 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:21:33.0484 3452 stisvc - ok
18:21:33.0968 3452 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:21:33.0968 3452 streamip - ok
18:21:34.0453 3452 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:21:34.0468 3452 swenum - ok
18:21:34.0953 3452 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:21:34.0984 3452 swmidi - ok
18:21:35.0375 3452 SwPrv - ok
18:21:35.0796 3452 symc810 - ok
18:21:36.0218 3452 symc8xx - ok
18:21:36.0906 3452 SymDS (690fa0e61b90084c4d9a721bd4f3d779) C:\WINDOWS\system32\drivers\N360\0601020.00A\SYMDS.SYS
18:21:37.0093 3452 SymDS - ok
18:21:38.0078 3452 SymEFA (4e55148a2e044d02245cbcdbb266b98c) C:\WINDOWS\system32\drivers\N360\0601020.00A\SYMEFA.SYS
18:21:38.0609 3452 SymEFA - ok
18:21:39.0156 3452 SymEvent (555fb450fe6908600310e990738b41d6) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
18:21:39.0234 3452 SymEvent - ok
18:21:39.0781 3452 SymIM (a7100ea17ed9eaf365362a05bf430e77) C:\WINDOWS\system32\DRIVERS\SymIM.sys
18:21:39.0812 3452 SymIM - ok
18:21:39.0843 3452 SymIMMP (a7100ea17ed9eaf365362a05bf430e77) C:\WINDOWS\system32\DRIVERS\SymIM.sys
18:21:39.0843 3452 SymIMMP - ok
18:21:40.0421 3452 SymIRON (2c356cca706505cf63cbe39d532b9236) C:\WINDOWS\system32\drivers\N360\0601020.00A\Ironx86.SYS
18:21:40.0515 3452 SymIRON - ok
18:21:41.0218 3452 SYMTDI (508bd882040f9cb12319e3a4fc78edb9) C:\WINDOWS\System32\Drivers\N360\0601020.00A\SYMTDI.SYS
18:21:41.0437 3452 SYMTDI - ok
18:21:41.0875 3452 sym_hi - ok
18:21:42.0296 3452 sym_u3 - ok
18:21:42.0796 3452 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:21:42.0828 3452 sysaudio - ok
18:21:43.0296 3452 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:21:43.0343 3452 SysmonLog - ok
18:21:43.0906 3452 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:21:44.0046 3452 TapiSrv - ok
18:21:44.0734 3452 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:21:44.0984 3452 Tcpip - ok
18:21:45.0546 3452 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:21:45.0578 3452 TDPIPE - ok
18:21:46.0390 3452 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:21:46.0484 3452 TDTCP - ok
18:21:47.0156 3452 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:21:47.0187 3452 TermDD - ok
18:21:47.0828 3452 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:21:48.0015 3452 TermService - ok
18:21:48.0531 3452 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:21:48.0531 3452 Themes - ok
18:21:49.0000 3452 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
18:21:49.0046 3452 TlntSvr - ok
18:21:49.0468 3452 TosIde - ok
18:21:49.0984 3452 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:21:50.0046 3452 TrkWks - ok
18:21:50.0562 3452 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:21:50.0593 3452 Udfs - ok
18:21:51.0031 3452 ultra - ok
18:21:51.0671 3452 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:21:52.0031 3452 Update - ok
18:21:53.0000 3452 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:21:53.0171 3452 upnphost - ok
18:21:53.0937 3452 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:21:56.0625 3452 UPS - ok
18:21:57.0140 3452 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
18:21:57.0171 3452 USBAAPL - ok
18:21:57.0671 3452 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
18:21:57.0718 3452 usbaudio - ok
18:21:58.0203 3452 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:21:58.0234 3452 usbccgp - ok
18:21:58.0703 3452 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:21:58.0718 3452 usbehci - ok
18:21:59.0234 3452 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:21:59.0265 3452 usbhub - ok
18:21:59.0718 3452 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
18:21:59.0718 3452 usbohci - ok
18:22:00.0265 3452 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:22:00.0281 3452 usbprint - ok
18:22:00.0734 3452 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:22:00.0750 3452 usbscan - ok
18:22:01.0218 3452 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:22:01.0234 3452 USBSTOR - ok
18:22:01.0781 3452 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
18:22:01.0859 3452 usbvideo - ok
18:22:02.0328 3452 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:22:02.0343 3452 VgaSave - ok
18:22:02.0765 3452 ViaIde - ok
18:22:03.0234 3452 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:22:03.0265 3452 VolSnap - ok
18:22:03.0843 3452 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:22:04.0015 3452 VSS - ok
18:22:04.0531 3452 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:22:04.0625 3452 W32Time - ok
18:22:05.0109 3452 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:22:05.0125 3452 Wanarp - ok
18:22:06.0140 3452 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
18:22:06.0593 3452 Wdf01000 - ok
18:22:07.0046 3452 WDICA - ok
18:22:07.0609 3452 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:22:07.0656 3452 wdmaud - ok
18:22:08.0109 3452 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:22:08.0140 3452 WebClient - ok
18:22:08.0718 3452 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:22:08.0796 3452 winmgmt - ok
18:22:09.0843 3452 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
18:22:10.0859 3452 wlidsvc - ok
18:22:11.0640 3452 WmdmPmSN (051b1bdecd6dee18c771b5d5ec7f044d) C:\WINDOWS\system32\MsPMSNSv.dll
18:22:11.0671 3452 WmdmPmSN - ok
18:22:12.0687 3452 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
18:22:13.0031 3452 Wmi - ok
18:22:13.0796 3452 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:22:13.0875 3452 WmiApSrv - ok
18:22:14.0734 3452 WMPNetworkSvc (6bab4dc65515a098505f8b3d01fb6fe5) C:\Program Files\Windows Media Player\WMPNetwk.exe
18:22:15.0156 3452 WMPNetworkSvc - ok
18:22:16.0140 3452 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
18:22:16.0234 3452 wscsvc - ok
18:22:17.0015 3452 WSearch - ok
18:22:17.0546 3452 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:22:17.0562 3452 WSTCODEC - ok
18:22:17.0984 3452 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:22:17.0984 3452 wuauserv - ok
18:22:18.0500 3452 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:22:18.0546 3452 WudfPf - ok
18:22:19.0015 3452 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:22:19.0078 3452 WudfRd - ok
18:22:19.0500 3452 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
18:22:19.0546 3452 WudfSvc - ok
18:22:20.0250 3452 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:22:20.0546 3452 WZCSVC - ok
18:22:21.0093 3452 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:22:21.0171 3452 xmlprov - ok
18:22:21.0656 3452 xusb21 (a640c90b007762939507c28a021be3b3) C:\WINDOWS\system32\DRIVERS\xusb21.sys
18:22:21.0687 3452 xusb21 - ok
18:22:21.0734 3452 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:22:22.0015 3452 \Device\Harddisk0\DR0 - ok
18:22:22.0031 3452 Boot (0x1200) (b1da644d123462e73facf1a7fd578f19) \Device\Harddisk0\DR0\Partition0
18:22:22.0031 3452 \Device\Harddisk0\DR0\Partition0 - ok
18:22:22.0031 3452 ============================================================
18:22:22.0031 3452 Scan finished
18:22:22.0031 3452 ============================================================
18:22:22.0046 1552 Detected object count: 0
18:22:22.0046 1552 Actual detected object count: 0
18:23:21.0421 3448 Deinitialize success

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-06 18:25:39
-----------------------------
18:25:39.531 OS Version: Windows 5.1.2600 Service Pack 3
18:25:39.531 Number of processors: 2 586 0x4302
18:25:39.531 ComputerName: THECUBE UserName: Owner
18:25:49.078 Initialize success
18:26:15.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:26:15.421 Disk 0 Vendor: ST3250410AS 3.AAC Size: 238475MB BusType: 3
18:26:15.468 Disk 0 MBR read successfully
18:26:15.468 Disk 0 MBR scan
18:26:15.468 Disk 0 Windows XP default MBR code
18:26:15.468 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
18:26:15.546 Disk 0 scanning sectors +488376000
18:26:15.734 Disk 0 scanning C:\WINDOWS\system32\drivers
18:27:01.578 Service scanning
18:28:04.687 Modules scanning
18:29:03.250 Disk 0 trace - called modules:
18:29:03.281 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
18:29:03.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a637ab8]
18:29:03.281 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000072[0x8a68c138]
18:29:03.281 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a68ad98]
18:29:03.281 Scan finished successfully
18:29:22.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:29:22.031 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
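
The two log lines above that carry the bootkit check are TDSSKiller's "MBR (0x1B8) (...) \Device\Harddisk0\DR0" and aswMBR's "Disk 0 Windows XP default MBR code" followed by "scanning sectors +488376000". The Python below is an added example for this thread, not output or code from either tool: it parses a 512-byte MBR, hashes only the bootstrap code region (the first 0x1B8 bytes, which is how the TDSSKiller line is read here; that the tool hashes exactly that region is an assumption), reads the partition table in the form aswMBR prints it, and measures the unpartitioned sectors after the last partition, the area a TDL4-style bootkit uses for its body and the one aswMBR's sector scan walks. The sample MBR is constructed, and the disk geometry is derived from the MB figures in the log, so the sector counts are rounded.

```python
"""Parse and check a 512-byte MBR the way the TDSSKiller and aswMBR lines above report it.
Added example for this thread; the disk image below is constructed, not read from the user's machine."""
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 0x1B8    # bootstrap code is bytes 0x000-0x1B7; the 4-byte disk signature starts at 0x1B8
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries, then the 0x55AA signature at 0x1FE
PART_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}

# Geometry from the aswMBR lines above, converted from the MB figures it prints (so rounded):
# disk 238475 MB, one NTFS partition of 238464 MB starting at LBA 63.
DISK_SECTORS = 238475 * 2048
PART_START = 63
PART_SECTORS = 238464 * 2048


def build_sample_mbr(code_fill: bytes = b"\xEB\xFE", boot_flag: int = 0x80) -> bytes:
    """Constructed sample: filler boot code, one active NTFS partition, valid 0x55AA signature."""
    code = (code_fill * MBR_CODE_LEN)[:MBR_CODE_LEN]
    disk_sig = struct.pack("<IH", 0x12345678, 0)  # disk signature + 2 reserved bytes (0x1B8-0x1BD)
    entry = struct.pack("<B3sB3sII", boot_flag, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        PART_START, PART_SECTORS)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xAA"


def mbr_code_md5(mbr: bytes) -> str:
    """MD5 over the bootstrap code only. A bootkit replaces this region and leaves the partition
    table intact; the 'MBR (0x1B8)' line above is read here as hashing exactly these 0x1B8 bytes
    (an assumption about TDSSKiller's output format)."""
    return hashlib.md5(mbr[:MBR_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Partition entries in the form aswMBR prints: active flag, type, size in MB, starting LBA."""
    if len(mbr) != SECTOR or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, _chs_start, ptype, _chs_end, start, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "bootable": flag == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start_lba": start, "sectors": count, "size_mb": count // 2048})
    return parts


def unpartitioned_tail(mbr: bytes, disk_sectors: int) -> int:
    """Sectors after the last partition. This unallocated area is where TDL4-style bootkits keep
    their body, and it is what aswMBR's 'scanning sectors +N' line above is walking."""
    parts = parse_partitions(mbr)
    if not parts:
        return disk_sectors
    return disk_sectors - max(p["start_lba"] + p["sectors"] for p in parts)


def check_mbr(mbr: bytes, baseline_code_md5: str, disk_sectors: int) -> dict:
    """The three things a reader of those logs would verify by hand."""
    parts = parse_partitions(mbr)
    return {
        "code_modified": mbr_code_md5(mbr) != baseline_code_md5,
        "active_partitions": sum(1 for p in parts if p["bootable"]),
        "tail_sectors": unpartitioned_tail(mbr, disk_sectors),
    }


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = mbr_code_md5(clean)  # in practice: the hash of a known-good XP MBR, not of the disk under test
    print("clean   :", check_mbr(clean, baseline, DISK_SECTORS))
    tampered = bytearray(clean)
    tampered[:4] = b"\x33\xC0\x8E\xD0"  # overwrite the start of the boot code, partition table untouched
    print("tampered:", check_mbr(bytes(tampered), baseline, DISK_SECTORS))
    print(parse_partitions(clean))
```

Run as is, it reports the clean sample as unmodified with one active partition and a 22,465-sector tail, and the tampered copy as modified with an identical partition table. That tail is the roughly 11 MB of unallocated space between the end of the NTFS partition (LBA 488374335 by the rounded figures) and the end of the 238475 MB disk, which is why aswMBR's scan starts near sector +488376000; a clean disk has nothing meaningful there, and a bootkit hides its loader and payload exactly there.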

#6 m0le (Malware Response Team)

Posted 07 April 2012 - 04:23 AM

That looks fine. Please run ComboFix next.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 OnlyZuul (Topic Starter)

Posted 08 April 2012 - 06:08 PM

Got this error when I attempted to run ComboFix; the computer rebooted.

BCCode:1000007e BCP1:c000005 BCP2:A8959c30 BCP4:A895992C
OSVer:5_1_2600 SP:3_0 Product:256_1


ComboFix 12-04-07.03 - Owner 04/08/2012 13:57:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1204 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\Application Data\PriceGong
c:\documents and settings\Owner\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\z.xml
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\SET222.tmp
c:\windows\system32\SET224.tmp
c:\windows\system32\SET232.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-08 to 2012-04-08 )))))))))))))))))))))))))))))))
.
.
2012-04-08 04:35 . 2012-04-08 04:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Facebook
2012-04-02 23:35 . 2012-04-02 23:35 151552 ----a-w- c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
2012-03-30 21:53 . 2012-03-30 21:53 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2012-03-30 21:50 . 2012-03-30 21:50 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 21:45 . 2012-03-30 21:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Secunia PSI
2012-03-30 21:43 . 2012-03-30 21:43 -------- d-----w- c:\program files\Secunia
2012-03-29 18:11 . 2010-11-04 01:15 359016 ----a-w- c:\windows\vncutil.exe
2012-03-29 18:11 . 2011-01-05 02:25 55912 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2012-03-29 18:11 . 2010-11-04 01:14 129640 ----a-w- c:\windows\RtkAudioService.exe
2012-03-29 18:11 . 2009-11-18 14:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2012-03-29 18:11 . 2009-11-18 14:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2012-03-28 20:12 . 2011-12-29 15:44 4111704 ----a-w- c:\windows\system32\GameMon.des
2012-03-28 20:11 . 2005-01-05 03:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2012-03-28 20:11 . 2003-07-21 12:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2012-03-28 20:11 . 2012-03-28 20:11 -------- d-----w- c:\program files\Common Files\INCA Shared
2012-03-23 20:09 . 2012-03-25 01:56 -------- d-----w- c:\windows\system32\drivers\N360\0601020.00A
2012-03-17 21:01 . 2012-03-17 21:01 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 21:01 . 2012-03-17 21:01 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-15 05:07 . 2012-03-15 05:07 -------- d-----w- c:\program files\iPod
2012-03-15 00:27 . 2012-03-15 00:27 -------- d-----w- c:\documents and settings\Administrator
2012-03-12 21:39 . 2012-03-12 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2012-03-12 21:39 . 2012-03-12 21:39 -------- d-----w- c:\documents and settings\UpdatusUser
2012-03-12 21:37 . 2012-02-10 04:10 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-03-12 21:37 . 2012-02-10 04:10 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-03-10 21:36 . 2012-03-10 21:36 -------- d-----w- c:\program files\Common Files\Java
2012-03-10 21:36 . 2012-03-10 21:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 21:50 . 2011-05-19 21:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-23 20:09 . 2010-11-20 08:10 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-03-23 20:09 . 2010-11-20 08:10 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-10 21:36 . 2011-07-08 20:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-15 18:01 . 2009-04-15 07:15 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 18:01 . 2009-04-15 07:15 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-10 04:10 . 2010-09-23 07:11 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-10 04:10 . 2010-09-23 07:11 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-02-10 04:10 . 2010-09-23 07:11 17534976 ----a-w- c:\windows\system32\nvcompiler.dll
2012-02-10 04:10 . 2009-03-27 15:03 5918720 ----a-w- c:\windows\system32\nvcuda.dll
2012-02-10 04:10 . 2009-03-27 15:03 4309760 ----a-w- c:\windows\system32\nv4_disp.dll
2012-02-10 04:10 . 2009-03-27 15:03 2522944 ----a-w- c:\windows\system32\nvcuvid.dll
2012-02-10 04:10 . 2009-03-27 15:03 2292224 ----a-w- c:\windows\system32\nvapi.dll
2012-02-10 04:10 . 2009-03-27 15:03 18620416 ----a-w- c:\windows\system32\nvoglnt.dll
2012-02-10 04:10 . 2009-03-27 15:03 13415040 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-02-10 03:04 . 2010-07-09 23:24 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-02-10 03:04 . 2010-07-09 23:24 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-02-10 03:04 . 2010-07-09 23:24 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-02-10 03:04 . 2010-07-09 23:24 15494464 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-10 03:04 . 2010-07-09 23:24 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-03 09:22 . 2007-07-27 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-14 22:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-17 21:01 . 2011-04-23 07:08 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre1.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre1.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre1.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-31 204288]
"Facebook Update"="c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-04-08 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-10 15494464]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"RTHDCPL"="RTHDCPL.EXE" [2011-02-17 20029032]
"EKAiO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.EXE" [2011-12-10 2756608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-12-12 2234288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-13 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\lxcecoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcePSWX.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Peggle Extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"56316:TCP"= 56316:TCP:Pando Media Booster
"56316:UDP"= 56316:UDP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
"56483:TCP"= 56483:TCP:Pando Media Booster
"56483:UDP"= 56483:UDP:Pando Media Booster
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0601020.00A\symds.sys [3/23/2012 1:09 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0601020.00A\symefa.sys [3/23/2012 1:09 PM 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 6:26 PM 820856]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0601020.00A\ccsetx86.sys [3/23/2012 1:09 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0601020.00A\ironx86.sys [3/23/2012 1:09 PM 149624]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [12/25/2003 5:53 PM 8440]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\6.1.2.10\ccsvchst.exe [3/23/2012 1:09 PM 138232]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [3/12/2012 2:39 PM 2348352]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/13/2011 11:01 PM 399416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/25/2012 9:27 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120406.002\IDSXpx86.sys [4/6/2012 5:04 PM 356280]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/14/2011 9:49 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 2:50 PM 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/29/2012 11:11 AM 1691480]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [12/25/2003 5:53 PM 11237]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/14/2011 9:49 PM 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/8/2011 5:07 PM 20464]
S3 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/8/2011 5:07 PM 652360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 11:01 PM 994360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 21:50]
.
2012-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2012-04-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1844237615-838170752-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-04-08 04:35]
.
2012-04-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1844237615-838170752-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-04-08 04:35]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-15 04:48]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-15 04:48]
.
2012-04-08 c:\windows\Tasks\User_Feed_Synchronization-{9A7AF806-CDD2-43C5-9115-6A4697BEA44C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=21
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.190.192.35 71.9.127.107 24.205.224.36
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\204m6qut.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=433&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKCU-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\YspService.exe
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-08 14:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\6.1.2.10\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2012-04-08 14:26:39
ComboFix-quarantined-files.txt 2012-04-08 21:26
.
Pre-Run: 73,300,930,560 bytes free
Post-Run: 73,405,669,376 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 02B928032B39F31F3C364B46FC38FC10

#8 m0le (Malware Response Team)

Posted 09 April 2012 - 04:34 PM

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"=-
"5000:TCP"=-
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5019:TCP"=-
"5020:TCP"=-


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)



Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
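
The firewall section of the ComboFix log in post #7 is what the CFScript above is written against: "EnableFirewall"= 0 under the standard profile, "AntiVirusOverride"=dword:00000001 under Security Center, and a run of GloballyOpenPorts entries (135 and 5000 through 5020) whose only name is "TCP Port N", unlike the labelled rules for Pando, Bonjour and the Kodak printer. The Python below is an added example, not part of the thread and not ComboFix's or m0le's code: it parses that registry listing out of the log text, flags the exposures a practitioner would check first (firewall off, AV override set, a risky port open, rules carrying no application name), and emits the same "Registry::" deletion lines in the form m0le posted. The embedded excerpt is copied from post #7 with most of the 5002-5020 lines left out to keep it short; the RISKY_PORTS table and the "generic name" heuristic are this example's own assumptions.

```python
"""Audit the firewall and Security Center keys ComboFix lists under 'Reg Loading Points'
and emit a CFScript that deletes the suspicious GloballyOpenPorts values.
Added example for this thread; SAMPLE_LOG is an excerpt of the ComboFix log posted above."""
import re

# Excerpt of the log's registry listing (ports 5002-5020 omitted here; they parse the same way).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"56316:TCP"= 56316:TCP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
"""

PORTS_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# A rule whose display name is only "TCP Port N" carries no application description;
# every legitimate installer in the log above labelled its rule (Bonjour, Pando, EKDiscovery).
GENERIC_LABEL_RE = re.compile(r"^(?:TCP|UDP) Port \d+$", re.IGNORECASE)
# Assumed table for this example: ports a home workstation should not expose to the network.
RISKY_PORTS = {135: "RPC/DCOM endpoint mapper", 139: "NetBIOS session", 445: "SMB", 3389: "RDP"}


def parse_reg_listing(text: str) -> dict:
    """Return {key (lowercased): {value_name: value_data}} from ComboFix's key/value lines."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[key][m.group(1)] = m.group(2).strip()
    return entries


def open_ports(entries: dict) -> list:
    """(port, protocol, label) for each GloballyOpenPorts value; data looks like '135:TCP:TCP Port 135'."""
    result = []
    for key, values in entries.items():
        if not key.endswith(r"\globallyopenports\list"):
            continue
        for data in values.values():
            if data.count(":") < 2:
                continue  # not in the port:proto:label shape ComboFix prints
            port, proto, label = data.split(":", 2)
            result.append((int(port), proto.upper(), label))
    return result


def audit(entries: dict) -> dict:
    """Flag firewall off, Security Center AV override, and open-port rules worth removing."""
    findings = {"firewall_disabled": False, "av_override": False, "suspicious_ports": []}
    for key, values in entries.items():
        if key.endswith(r"firewallpolicy\standardprofile") and \
                values.get("EnableFirewall", "").split()[:1] == ["0"]:
            findings["firewall_disabled"] = True
        if key.endswith("security center") and values.get("AntiVirusOverride", "").endswith("1"):
            findings["av_override"] = True
    for port, proto, label in open_ports(entries):
        if port in RISKY_PORTS:
            findings["suspicious_ports"].append((port, proto, RISKY_PORTS[port]))
        elif GENERIC_LABEL_RE.match(label):
            findings["suspicious_ports"].append((port, proto, "rule has no application name"))
    return findings


def cfscript(findings: dict) -> str:
    """Deletion script in the Registry:: form used in the thread; '=-' removes the value."""
    lines = ["Registry::", PORTS_KEY]
    lines += [f'"{port}:{proto}"=-' for port, proto, _ in findings["suspicious_ports"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = audit(parse_reg_listing(SAMPLE_LOG))
    print(result)
    print(cfscript(result))
```

On the excerpt this flags the firewall as disabled, the AV override as set, and ports 135, 5000 and 5001 as removable, while leaving the Bonjour, Pando and EKDiscovery rules alone; the generated script has the same shape as the one in the post above. The two boolean findings are not fixed by the script on purpose: EnableFirewall is what the user's Norton firewall sets when it takes over, and AntiVirusOverride is what a third-party AV sets to silence Security Center, so both are expected on this machine and should only be corrected if no other product owns them.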

#9 OnlyZuul (Topic Starter)

Posted 09 April 2012 - 05:33 PM

ComboFix 12-04-07.03 - Owner 04/09/2012 14:59:34.3.2 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\PriceGong
c:\documents and settings\Owner\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\j.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\z.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))
.
.
2012-04-08 04:35 . 2012-04-08 04:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Facebook
2012-04-02 23:35 . 2012-04-02 23:35 151552 ----a-w- c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
2012-03-30 21:53 . 2012-03-30 21:53 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2012-03-30 21:50 . 2012-03-30 21:50 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 21:45 . 2012-03-30 21:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Secunia PSI
2012-03-30 21:43 . 2012-03-30 21:43 -------- d-----w- c:\program files\Secunia
2012-03-29 18:11 . 2010-11-04 01:15 359016 ----a-w- c:\windows\vncutil.exe
2012-03-29 18:11 . 2011-01-05 02:25 55912 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2012-03-29 18:11 . 2010-11-04 01:14 129640 ----a-w- c:\windows\RtkAudioService.exe
2012-03-29 18:11 . 2009-11-18 14:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2012-03-29 18:11 . 2009-11-18 14:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2012-03-28 20:12 . 2011-12-29 15:44 4111704 ----a-w- c:\windows\system32\GameMon.des
2012-03-28 20:11 . 2005-01-05 03:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2012-03-28 20:11 . 2003-07-21 12:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2012-03-28 20:11 . 2012-03-28 20:11 -------- d-----w- c:\program files\Common Files\INCA Shared
2012-03-23 20:09 . 2012-03-25 01:56 -------- d-----w- c:\windows\system32\drivers\N360\0601020.00A
2012-03-17 21:01 . 2012-03-17 21:01 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 21:01 . 2012-03-17 21:01 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-15 05:07 . 2012-03-15 05:07 -------- d-----w- c:\program files\iPod
2012-03-15 00:27 . 2012-03-15 00:27 -------- d-----w- c:\documents and settings\Administrator
2012-03-12 21:39 . 2012-03-12 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2012-03-12 21:39 . 2012-03-12 21:39 -------- d-----w- c:\documents and settings\UpdatusUser
2012-03-12 21:37 . 2012-02-10 04:10 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-03-12 21:37 . 2012-02-10 04:10 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 21:50 . 2011-05-19 21:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-23 20:09 . 2010-11-20 08:10 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-03-23 20:09 . 2010-11-20 08:10 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-10 21:36 . 2012-03-10 21:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-10 21:36 . 2011-07-08 20:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-15 18:01 . 2009-04-15 07:15 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 18:01 . 2009-04-15 07:15 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-10 04:10 . 2010-09-23 07:11 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-10 04:10 . 2010-09-23 07:11 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-02-10 04:10 . 2010-09-23 07:11 17534976 ----a-w- c:\windows\system32\nvcompiler.dll
2012-02-10 04:10 . 2009-03-27 15:03 5918720 ----a-w- c:\windows\system32\nvcuda.dll
2012-02-10 04:10 . 2009-03-27 15:03 4309760 ----a-w- c:\windows\system32\nv4_disp.dll
2012-02-10 04:10 . 2009-03-27 15:03 2522944 ----a-w- c:\windows\system32\nvcuvid.dll
2012-02-10 04:10 . 2009-03-27 15:03 2292224 ----a-w- c:\windows\system32\nvapi.dll
2012-02-10 04:10 . 2009-03-27 15:03 18620416 ----a-w- c:\windows\system32\nvoglnt.dll
2012-02-10 04:10 . 2009-03-27 15:03 13415040 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-02-10 03:04 . 2010-07-09 23:24 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-02-10 03:04 . 2010-07-09 23:24 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-02-10 03:04 . 2010-07-09 23:24 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-02-10 03:04 . 2010-07-09 23:24 15494464 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-10 03:04 . 2010-07-09 23:24 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-03 09:22 . 2007-07-27 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-14 22:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-17 21:01 . 2011-04-23 07:08 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-08_21.19.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-09 18:15 . 2012-04-09 18:15 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
+ 2010-09-23 07:12 . 2012-04-09 18:14 292700 c:\windows\system32\nvdrsdb1.bin
- 2010-09-23 07:12 . 2012-04-08 03:32 292700 c:\windows\system32\nvdrsdb1.bin
+ 2010-09-23 07:12 . 2012-04-09 18:30 292700 c:\windows\system32\nvdrsdb0.bin
- 2010-09-23 07:12 . 2012-04-08 03:28 292700 c:\windows\system32\nvdrsdb0.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre1.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre1.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre1.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-31 204288]
"Facebook Update"="c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-04-08 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-10 15494464]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"RTHDCPL"="RTHDCPL.EXE" [2011-02-17 20029032]
"EKAiO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.EXE" [2011-12-10 2756608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-12-12 2234288]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\lxcecoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcePSWX.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Peggle Extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56316:TCP"= 56316:TCP:Pando Media Booster
"56316:UDP"= 56316:UDP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
"56483:TCP"= 56483:TCP:Pando Media Booster
"56483:UDP"= 56483:UDP:Pando Media Booster
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0601020.00A\symds.sys [3/23/2012 1:09 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0601020.00A\symefa.sys [3/23/2012 1:09 PM 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 6:26 PM 820856]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0601020.00A\ccsetx86.sys [3/23/2012 1:09 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0601020.00A\ironx86.sys [3/23/2012 1:09 PM 149624]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [12/25/2003 5:53 PM 8440]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\6.1.2.10\ccsvchst.exe [3/23/2012 1:09 PM 138232]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [3/12/2012 2:39 PM 2348352]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/13/2011 11:01 PM 399416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/25/2012 9:27 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120406.002\IDSXpx86.sys [4/6/2012 5:04 PM 356280]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/14/2011 9:49 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 2:50 PM 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/29/2012 11:11 AM 1691480]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [12/25/2003 5:53 PM 11237]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/14/2011 9:49 PM 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/8/2011 5:07 PM 20464]
S3 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/8/2011 5:07 PM 652360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 11:01 PM 994360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 21:50]
.
2012-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2012-04-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1844237615-838170752-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-04-08 04:35]
.
2012-04-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1844237615-838170752-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-04-08 04:35]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-15 04:48]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-15 04:48]
.
2012-04-09 c:\windows\Tasks\User_Feed_Synchronization-{9A7AF806-CDD2-43C5-9115-6A4697BEA44C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=21
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.190.192.35 71.9.127.107 24.205.224.36
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\204m6qut.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=433&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-09 15:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\6.1.2.10\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2012-04-09 15:26:37
ComboFix-quarantined-files.txt 2012-04-09 22:26
ComboFix2.txt 2012-04-08 21:26
.
Pre-Run: 73,410,236,416 bytes free
Post-Run: 73,415,884,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 3D229F39C0AB10F54EFE36AF118C509F
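As an added example, not part of this thread or of any of the tools used in it, a small Python checker that parses the ComboFix "Reg Loading Points" section of the log above and flags the settings a responder looks for first: the Security Center AntiVirusOverride, EnableFirewall set to 0 on the standard profile, globally open firewall ports, and Run entries that start from user-writable paths. The sample text is a constructed, shortened copy modelled on the log; the function names are my own.

```python
import re

# Constructed sample, modelled on the ComboFix "Reg Loading Points" output
# (shortened; the real log carries many more entries).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56316:TCP"= 56316:TCP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-04-08 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"= value


def parse_sections(text):
    """Yield (key, name, value) triples from ComboFix-style REGEDIT4 output."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":          # ComboFix separates blocks with "."
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def audit(text):
    """Return a list of (severity, message) findings for weak settings."""
    findings = []
    for key, name, value in parse_sections(text):
        k = key.lower()
        v = value.strip()
        if k.endswith("security center") and name == "AntiVirusOverride" \
                and v == "dword:00000001":
            findings.append(("high", "Security Center antivirus monitoring overridden"))
        elif k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" \
                and v.startswith("0"):
            findings.append(("high", "Windows Firewall disabled on the standard profile"))
        elif k.endswith("globallyopenports\\list"):
            # entries look like "56316:TCP"= 56316:TCP:Pando Media Booster
            port, proto = name.split(":", 1)
            label = v.split(":", 2)[-1].strip()
            findings.append(("medium", f"inbound {proto} port {port} open for '{label}'"))
        elif k.endswith("\\currentversion\\run"):
            # value is "<path>" [date size]; pull the quoted path
            path = value.split('"')[1] if value.startswith('"') else value
            if "\\application data\\" in path.lower():
                findings.append(("low", f"autostart '{name}' runs from user-writable path: {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```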

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 April 2012 - 05:43 PM

The last script shut the open ports and that should prevent PriceGong from returning. However, we should continue as if there is still infection.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update, download and update MBAM on a clean computer, then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware'. Then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then SAS

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.


#11 OnlyZuul

OnlyZuul
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Female

Posted 11 April 2012 - 08:24 PM

Hey m0le, I haven't forgotten; it's just that it runs really slow when it does all the drives. Can I just do the C:\ drive for the MBAM scan? I'll post results tomorrow, if I may. Thanks. :)

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 April 2012 - 02:12 PM

You can choose which drive to scan when you click to perform a Full Scan.

#13 OnlyZuul

OnlyZuul
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Female

Posted 14 April 2012 - 05:32 PM

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.12.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: THECUBE [administrator]

4/12/2012 1:14:59 PM
mbam-log-2012-04-12 (13-14-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 335276
Time elapsed: 3 hour(s), 33 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/14/2012 at 02:25 PM

Application Version : 5.0.1146

Core Rules Database Version : 8451
Trace Rules Database Version: 6263

Scan type : Complete Scan
Total Scan Time : 03:08:51

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 546
Memory threats detected : 0
Registry items scanned : 36596
Registry threats detected : 0
File items scanned : 46319
File threats detected : 1

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 April 2012 - 05:44 PM

Please run ESET next. The last two logs looked very good.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

#15 OnlyZuul

OnlyZuul
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Female

Posted 16 April 2012 - 02:04 PM

Hey m0le,

No report was generated, and the scan took almost 10 hours. Also, there were 3 items that showed up as infected. I ran the scan through IE and I can't find the log. I checked under c:/program files/eset/ and that folder doesn't exist for me... I didn't write the names down either; I thought maybe a log would have been saved somewhere :/