Search Redirect, turned into larger infection


11 replies to this topic

#1 Foooznatch


Posted 01 May 2012 - 10:41 AM

I'm hoping someone can help me out with a PC one of my users seriously messed up.

Some background: Last week the user told me that when they searched for things in Google or Bing, they would click on the results and would be redirected to another webpage. Red flags went up and I knew it was a redirect; I've cleaned them up before. Ran the usual tools, and Kaspersky's TDSSKiller. It found nothing. Ran Malwarebytes, found a couple of things, removed them, and after that all was right in the world. Fast forward to yesterday, the browser redirect is back; unfortunately I didn't have time to take a look at it. Today things have progressed to worse. My user got a popup from Symantec Endpoint Protection with infections, and having to reboot the machine to remove them, so she clicked reboot. Since the reboot the machine has hidden all icons, a fake scanner called S.M.A.R.T. Disk Check will run and tell you you're infected, and I'm having issues running any of the usual AV tools.

I've since been able to run UNHIDE, so I can see the programs again, but I need some help to remove this infection!

Will follow all directions and I'm fairly knowledgeable about computers.

Windows XP SP3

The virus that comes up in Normal Mode is one that is called: Data Recovery S.M.A.R.T. Repair


Thanks!

Edited by Foooznatch, 01 May 2012 - 02:47 PM.



#2 narenxp


  • BC Advisor

Posted 01 May 2012 - 04:41 PM

Boot the PC into safemode with networking

Press Windows+R key and type

%temp% and click ok

Now if you find a folder called SMTMP, copy it to your desktop.

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan

Click on SHOW results. Select all infections and remove them

Reboot the PC and scan MBAM once in regular mode until you get a clean log

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (the log file should be in your C drive)

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here

Edited by narenxp, 01 May 2012 - 04:41 PM.
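narenxp asks for the TDSSKiller log to be posted. As an added example that is not part of this thread, here is a small Python triage helper for that log's per-object format (timestamp, pid, object name, an optional "(md5) path" line, then a "name - verdict" line): it pairs the two lines per object, flags any verdict other than "ok", and lists registered drivers for which no file was found. The sample log, the `evilsvc` entry and its "detected ..." verdict text are constructed for the demonstration.

```python
"""Triage a TDSSKiller scan log: pair file/verdict lines and surface anything not 'ok'."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes seen in the per-object section of a TDSSKiller log:
#   12:53:29.0332 2416 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
#   12:53:29.0348 2416 ACPI - ok
#   12:53:28.0881 2416 Abiosdsk - ok      <- registered driver with no file on disk
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.+)$")
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
VERDICT_RE = re.compile(r"^(?P<name>.+?) - (?P<verdict>.+)$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_tdsskiller(log: str) -> Dict[str, Entry]:
    """Return name -> Entry for every object listed after the 'Scan started' banner.

    The system-info header above that banner also uses ' - ' (e.g. the drive
    geometry line), so it is skipped rather than misread as a verdict.
    """
    entries: Dict[str, Entry] = {}
    in_scan = False
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(3).strip()
        if body == "Scan started":
            in_scan = True
            continue
        if not in_scan or body.startswith("="):
            continue
        f = FILE_RE.match(body)
        if f:
            e = entries.setdefault(f["name"], Entry(f["name"]))
            e.md5, e.path = f["md5"].lower(), f["path"]
            continue
        v = VERDICT_RE.match(body)
        if v:
            e = entries.setdefault(v["name"], Entry(v["name"]))
            e.verdict = v["verdict"].strip()
    return entries


def flagged(entries: Dict[str, Entry]) -> List[Entry]:
    """Objects whose verdict is anything other than the clean 'ok'."""
    return [e for e in entries.values()
            if e.verdict is not None and e.verdict.lower() != "ok"]


def without_file(entries: Dict[str, Entry]) -> List[Entry]:
    """Registered drivers/services for which TDSSKiller found no file (no md5/path line)."""
    return [e for e in entries.values() if e.md5 is None]


def triage(log: str) -> dict:
    """Summary a helper would look at first: counts, flagged objects, file-less registrations."""
    entries = parse_tdsskiller(log)
    return {
        "total": len(entries),
        "flagged": [(e.name, e.verdict, e.path) for e in flagged(entries)],
        "no_file": sorted(e.name for e in without_file(entries)),
    }


# Constructed sample in the same layout as the log in this thread; 'evilsvc', its
# hash and the 'detected ...' verdict text are invented for the demonstration.
SAMPLE_LOG = r"""
12:53:19.0109 2104 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200
12:53:26.0563 2416 ============================================================
12:53:26.0563 2416 Scan started
12:53:26.0563 2416 Mode: Manual; TDLFS;
12:53:26.0563 2416 ============================================================
12:53:28.0881 2416 Abiosdsk - ok
12:53:29.0332 2416 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:53:29.0348 2416 ACPI - ok
12:53:43.0090 2416 Symantec AntiVirus (8b3550214824abf244d1e27e2a300990) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
12:53:43.0121 2416 Symantec AntiVirus - ok
12:54:50.0001 2416 evilsvc (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\drivers\evilsvc.sys
12:54:50.0020 2416 evilsvc - detected Rootkit.Win32.Example ( 0 )
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A clean log yields an empty "flagged" list; file-less registrations are normal for stock XP driver stubs, so they are listed for review rather than treated as findings.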


#3 Foooznatch

  • Topic Starter


Posted 02 May 2012 - 01:26 PM

Sorry for the delay, busy day...

The Malwarebytes scan found it in safe mode, then when I rebooted and ran it again in Normal Mode, it came back clear. I then ran the additional scans you asked for, and after that I just started getting Symantec popups about Trojan.Gen.2 and the occasional pop up in the bottom right hand corner that is saying files are corrupt and I should run Chkdsk.

Logs are below:

Malwarebytes:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.02.03

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Administrator :: MAEHC0027 [administrator]

5/2/2012 11:03:27 AM
mbam-log-2012-05-02 (11-03-27).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1010149
Time elapsed: 1 hour(s), 14 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

TDSSKiller:

12:54:43.0152 2416 Symantec AntiVirus - ok
12:54:43.0448 2416 symc810 - ok
12:54:43.0448 2416 symc8xx - ok
12:54:43.0526 2416 SymEvent (5156f63e684e8c864ff40e40d5309f41) C:\Program Files\Symantec\SYMEVENT.SYS
12:54:43.0541 2416 SymEvent - ok
12:54:43.0572 2416 SYMREDRV (5314e345dfc068504cfb2676d3b2ca39) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
12:54:43.0572 2416 SYMREDRV - ok
12:54:43.0588 2416 SYMTDI (8cd0a1478256240249b8ee88e6f25e94) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
12:54:43.0604 2416 SYMTDI - ok
12:54:43.0604 2416 sym_hi - ok
12:54:43.0604 2416 sym_u3 - ok
12:54:43.0650 2416 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
12:54:43.0650 2416 sysaudio - ok
12:54:43.0666 2416 SysmonLog (8b54aa346d1b1b113ffaa75501b8b1b2) C:\WINDOWS\system32\smlogsvc.exe
12:54:43.0666 2416 SysmonLog - ok
12:54:43.0712 2416 TapiSrv (eb4a4187d74a8efdcbea3ea2cb1bdfbd) C:\WINDOWS\System32\tapisrv.dll
12:54:43.0728 2416 TapiSrv - ok
12:54:43.0775 2416 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:54:43.0790 2416 Tcpip - ok
12:54:43.0821 2416 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:54:43.0821 2416 TDPIPE - ok
12:54:43.0837 2416 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
12:54:43.0837 2416 TDTCP - ok
12:54:43.0868 2416 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:54:43.0868 2416 TermDD - ok
12:54:43.0915 2416 TermService (b60c877d16d9c880b952fda04adf16e6) C:\WINDOWS\System32\termsrv.dll
12:54:43.0930 2416 TermService - ok
12:54:43.0977 2416 Themes (e7518dc542d3ebdcb80edd98462c7821) C:\WINDOWS\System32\shsvcs.dll
12:54:43.0977 2416 Themes - ok
12:54:44.0008 2416 TlntSvr (37db0a7d097310e8b4de803fc3119c78) C:\WINDOWS\System32\tlntsvr.exe
12:54:44.0008 2416 TlntSvr - ok
12:54:44.0008 2416 TosIde - ok
12:54:44.0055 2416 TrkWks (6d9ac544b30f96c57f8206566c1fb6a1) C:\WINDOWS\system32\trkwks.dll
12:54:44.0070 2416 TrkWks - ok
12:54:44.0195 2416 TvWksSvc (bb4ef8c0241330629fc7f6326ccc1359) C:\Program Files\Common Files\Vertical\Wave\TvWksSvc.exe
12:54:44.0210 2416 TvWksSvc - ok
12:54:44.0242 2416 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
12:54:44.0242 2416 Udfs - ok
12:54:44.0242 2416 ultra - ok
12:54:44.0288 2416 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
12:54:44.0288 2416 Update - ok
12:54:44.0319 2416 upnphost (0546477bde979e33294fe97f6b3de84a) C:\WINDOWS\System32\upnphost.dll
12:54:44.0319 2416 upnphost - ok
12:54:44.0335 2416 UPS (3f5df65b0758675f95a2d43918a740a3) C:\WINDOWS\System32\ups.exe
12:54:44.0335 2416 UPS - ok
12:54:44.0350 2416 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:54:44.0350 2416 usbehci - ok
12:54:44.0397 2416 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:54:44.0397 2416 usbhub - ok
12:54:44.0413 2416 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:54:44.0413 2416 usbprint - ok
12:54:44.0428 2416 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:54:44.0428 2416 usbscan - ok
12:54:44.0444 2416 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:54:44.0444 2416 USBSTOR - ok
12:54:44.0475 2416 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:54:44.0475 2416 usbuhci - ok
12:54:44.0491 2416 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
12:54:44.0506 2416 VgaSave - ok
12:54:44.0506 2416 ViaIde - ok
12:54:44.0522 2416 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
12:54:44.0522 2416 VolSnap - ok
12:54:44.0553 2416 VSS (3ee00364ae0fd8d604f46cbaf512838a) C:\WINDOWS\System32\vssvc.exe
12:54:44.0568 2416 VSS - ok
12:54:44.0615 2416 W32Time (2b281958f5d0cf99ed626e3ef39d5c8d) C:\WINDOWS\system32\w32time.dll
12:54:44.0615 2416 W32Time - ok
12:54:44.0646 2416 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:54:44.0646 2416 Wanarp - ok
12:54:44.0646 2416 WDICA - ok
12:54:44.0693 2416 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
12:54:44.0693 2416 wdmaud - ok
12:54:44.0724 2416 WebClient (5d0a442864bfbf3b19dcca4cd29f6e99) C:\WINDOWS\System32\webclnt.dll
12:54:44.0724 2416 WebClient - ok
12:54:44.0802 2416 winmgmt (f399242a80c4066fd155efa4cf96658e) C:\WINDOWS\system32\wbem\WMIsvc.dll
12:54:44.0802 2416 winmgmt - ok
12:54:44.0911 2416 winvnc (847a140d1e8ec90d21f841d7065e6abb) C:\Program Files\TightVNC\WinVNC.exe
12:54:44.0942 2416 winvnc - ok
12:54:44.0988 2416 WmdmPmSN (c086483e3dba8c1c0a687ec8d5b3d4c1) C:\WINDOWS\system32\mspmsnsv.dll
12:54:44.0988 2416 WmdmPmSN - ok
12:54:45.0066 2416 Wmi (1aff244ca134956c54474f4e2433e4ce) C:\WINDOWS\System32\advapi32.dll
12:54:45.0082 2416 Wmi - ok
12:54:45.0175 2416 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
12:54:45.0191 2416 WmiAcpi - ok
12:54:45.0269 2416 WmiApSrv (ba8cecc3e813e1f7c441b20393d4f86c) C:\WINDOWS\system32\wbem\wmiapsrv.exe
12:54:45.0284 2416 WmiApSrv - ok
12:54:45.0315 2416 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
12:54:45.0315 2416 WS2IFSL - ok
12:54:45.0362 2416 wscsvc (4d59daa66c60858cdf4f67a900f42d4a) C:\WINDOWS\system32\wscsvc.dll
12:54:45.0362 2416 wscsvc - ok
12:54:45.0377 2416 wuauserv (13d72740963cba12d9ff76a7f218bcd8) C:\WINDOWS\system32\wuauserv.dll
12:54:45.0377 2416 wuauserv - ok
12:54:45.0440 2416 WZCSVC (5a91e6feab9f901302fa7ff768c0120f) C:\WINDOWS\System32\wzcsvc.dll
12:54:45.0455 2416 WZCSVC - ok
12:54:45.0518 2416 xmlprov (eef46dab68229a14da3d8e73c99e2959) C:\WINDOWS\System32\xmlprov.dll
12:54:45.0533 2416 xmlprov - ok
12:54:45.0549 2416 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:54:45.0735 2416 \Device\Harddisk0\DR0 - ok
12:54:45.0735 2416 Boot (0x1200) (4e85c0a7425042ef4050c7bf692b283e) \Device\Harddisk0\DR0\Partition0
12:54:45.0735 2416 \Device\Harddisk0\DR0\Partition0 - ok
12:54:45.0735 2416 ============================================================
12:54:45.0735 2416 Scan finished
12:54:45.0735 2416 ============================================================
12:54:45.0751 2532 Detected object count: 0
12:54:45.0751 2532 Actual detected object count: 0
13:16:38.0362 2156 Deinitialize success


aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-02 13:19:37
-----------------------------
13:19:37.361 OS Version: Windows 5.1.2600 Service Pack 2
13:19:37.361 Number of processors: 2 586 0xF06
13:19:37.361 ComputerName: MAEHC0027 UserName:
13:19:37.581 Initialize success
13:20:55.343 AVAST engine defs: 12050200
14:03:16.818 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:03:16.818 Disk 0 Vendor: WDC_WD800JD-60LSA5 10.01E03 Size: 76319MB BusType: 3
14:03:16.834 Disk 0 MBR read successfully
14:03:16.834 Disk 0 MBR scan
14:03:16.881 Disk 0 Windows XP default MBR code
14:03:16.881 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
14:03:16.881 Disk 0 scanning sectors +156296385
14:03:16.959 Disk 0 scanning C:\WINDOWS\system32\drivers
14:03:30.681 Service scanning
14:03:48.757 Modules scanning
14:03:56.558 Disk 0 trace - called modules:
14:03:56.589 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:03:56.589 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865d3ab8]
14:03:56.605 3 CLASSPNP.SYS[f75d905b] -> nt!IofCallDriver -> \Device\0000006c[0x8656b510]
14:03:56.605 5 ACPI.sys[f745f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8656a940]
14:03:56.793 AVAST engine scan C:\WINDOWS
14:04:06.802 AVAST engine scan C:\WINDOWS\system32
14:06:53.136 AVAST engine scan C:\WINDOWS\system32\drivers
14:07:23.050 AVAST engine scan C:\Documents and Settings\ADMINISTRATOR.ANGELS
14:09:15.096 AVAST engine scan C:\Documents and Settings\All Users
14:09:38.999 Scan finished successfully
14:18:06.017 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ADMINISTRATOR.ANGELS\Desktop\Cleanup Tools\Logs\MBR.dat"
14:18:06.017 The log file has been saved successfully to "C:\Documents and Settings\ADMINISTRATOR.ANGELS\Desktop\Cleanup Tools\Logs\aswMBR.txt"

#4 narenxp (BC Advisor)

Posted 02 May 2012 - 01:59 PM

Press Windows+R key and type

%temp% and click ok

Now if you find a folder called SMTMP, copy it to your desktop.


Edited by narenxp, 02 May 2012 - 01:59 PM.


#5 narenxp (BC Advisor)

Posted 02 May 2012 - 02:04 PM

Please download GMER from here (does not work on 64-bit OS)

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

ESET online scanner


Install it

Click on START, it should download the virus definitions
When the scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply


Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

#6 Foooznatch (Topic Starter)

Posted 02 May 2012 - 03:13 PM

I did make the copy of the SMTMP folder as well, and it's on my desktop. Didn't include a note of that in my reply.

Running additional scans now, may not be able to post the logs until tomorrow AM.

Thanks again.

#7 narenxp (BC Advisor)

Posted 02 May 2012 - 03:18 PM

No problem.

#8 Foooznatch (Topic Starter)

Posted 03 May 2012 - 10:06 AM

All scans complete. ESET found some things; GMER took a long time as well, but in any case the logs are below.

Thanks again for your patience.

GMER:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-03 09:41:39
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-60LSA5 rev.10.01E03
Running: mgkb1y5h.exe; Driver: C:\DOCUME~1\ADMINI~1.ANG\LOCALS~1\Temp\pxldrpow.sys


---- System - GMER 1.0.15 ----

SSDT 8632BD50 ZwAlertResumeThread
SSDT 8632BE10 ZwAlertThread
SSDT 86338D40 ZwAllocateVirtualMemory
SSDT 862F9A80 ZwConnectPort
SSDT 8632FF48 ZwCreateMutant
SSDT 86347E70 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA188CB0]
SSDT 86308C40 ZwFreeVirtualMemory
SSDT 862DFAA8 ZwImpersonateAnonymousToken
SSDT 8632BD18 ZwImpersonateThread
SSDT 86312C90 ZwMapViewOfSection
SSDT 8632FE88 ZwOpenEvent
SSDT 86338E10 ZwOpenProcessToken
SSDT 86352E10 ZwOpenThreadToken
SSDT 86313F38 ZwQueryValueKey
SSDT 86300BF8 ZwResumeThread
SSDT 86352D50 ZwSetContextThread
SSDT 86345DC8 ZwSetInformationProcess
SSDT 86309BC8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA188F10]
SSDT 8632FE50 ZwSuspendProcess
SSDT 86354C50 ZwSuspendThread
SSDT 862D7B98 ZwTerminateProcess
SSDT 8630FC10 ZwTerminateThread
SSDT 86340D40 ZwUnmapViewOfSection
SSDT 86308C78 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? pvebqovw.sys The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1.ANG\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB12694$\2902660056 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\cfg.ini 163 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\L 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\L\lhnjixjf 75264 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\version 1268 bytes

---- EOF - GMER 1.0.15 ----


ESET


C:\CCPDL\Java.exe Win32/StartPage.ODO trojan deleted - quarantined
C:\CCPDL\Webex.exe Win32/StartPage.ODO trojan deleted - quarantined
C:\Documents and Settings\Sphillion\Local Settings\Temporary Internet Files\Content.IE5\M3RZ6ETO\rstvodka[1] Java/TrojanDownloader.Agent.NEB trojan cleaned by deleting - quarantined
C:\Documents and Settings\Sphillion\Local Settings\Temporary Internet Files\Content.IE5\M3RZ6ETO\rstvodka[2] Java/TrojanDownloader.Agent.NEA trojan cleaned by deleting - quarantined
C:\Program Files\Quest Diagnostics\QuestPortal.exe Win32/StartPage.ODO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\01.05.2012_14.45.35\mbr0000\tdlfs0000\tsk0017.dta probably a variant of Win32/Agent.KVIEKYE trojan cleaned by deleting - quarantined


minitoolbox

MiniToolBox by Farbar Version: 18-01-2012
Ran by Administrator (administrator) on 03-05-2012 at 11:00:31
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================



========================= IP Configuration: ================================

SonicWALL VPN Adapter = SonicWALL Virtual Adapter (Disconnected)
Broadcom NetXtreme Gigabit Ethernet = Local Area Connection 4 (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 4"

set address name="Local Area Connection 4" source=dhcp
set dns name="Local Area Connection 4" source=dhcp register=PRIMARY
set wins name="Local Area Connection 4" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : maehc0027

Primary Dns Suffix . . . . . . . : angels.local

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : angels.local



Ethernet adapter Local Area Connection 4:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet

Physical Address. . . . . . . . . : 00-18-71-73-1F-77

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.15.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.15.1

DHCP Server . . . . . . . . . . . : 192.168.15.1

DNS Servers . . . . . . . . . . . : 192.168.0.1

Lease Obtained. . . . . . . . . . : Wednesday, May 02, 2012 10:51:47 AM

Lease Expires . . . . . . . . . . : Wednesday, May 09, 2012 10:51:47 AM

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.228.36, 74.125.228.38, 74.125.228.32, 74.125.228.34
74.125.228.39, 74.125.228.41, 74.125.228.46, 74.125.228.33, 74.125.228.35
74.125.228.37, 74.125.228.40



Pinging google.com [74.125.228.36] with 32 bytes of data:



Reply from 74.125.228.36: bytes=32 time=28ms TTL=251

Reply from 74.125.228.36: bytes=32 time=22ms TTL=251



Ping statistics for 74.125.228.36:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 22ms, Maximum = 28ms, Average = 25ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 72.30.38.140, 98.139.183.24, 209.191.122.70



Pinging yahoo.com [72.30.38.140] with 32 bytes of data:



Reply from 72.30.38.140: bytes=32 time=228ms TTL=251

Reply from 72.30.38.140: bytes=32 time=170ms TTL=251



Ping statistics for 72.30.38.140:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 170ms, Maximum = 228ms, Average = 199ms

Server: UnKnown
Address: 192.168.0.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 71 73 1f 77 ...... Broadcom NetXtreme Gigabit Ethernet - Deterministic Network Enhancer Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.15.1 192.168.15.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.15.0 255.255.255.0 192.168.15.3 192.168.15.3 20
192.168.15.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.15.255 255.255.255.255 192.168.15.3 192.168.15.3 20
224.0.0.0 240.0.0.0 192.168.15.3 192.168.15.3 20
255.255.255.255 255.255.255.255 192.168.15.3 192.168.15.3 1
Default Gateway: 192.168.15.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/11/2009 04:00:38 PM) (Source: Userenv) (User: INTERN)INTERN
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Error: (11/11/2009 04:00:38 PM) (Source: Userenv) (User: INTERN)INTERN
Description: Windows cannot bind to angels.local domain. (Invalid Credentials). Group Policy processing aborted.

Error: (11/11/2009 02:01:38 PM) (Source: Userenv) (User: INTERN)INTERN
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Error: (11/11/2009 02:01:38 PM) (Source: Userenv) (User: INTERN)INTERN
Description: Windows cannot bind to angels.local domain. (Invalid Credentials). Group Policy processing aborted.

Error: (11/11/2009 00:08:34 PM) (Source: UserInit) (User: )
Description: Could not execute the following script STANDARD.BAT. The system cannot find the file specified.
.

Error: (11/11/2009 00:08:32 PM) (Source: Userenv) (User: INTERN)INTERN
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Error: (11/11/2009 00:08:32 PM) (Source: Userenv) (User: INTERN)INTERN
Description: Windows cannot bind to angels.local domain. (Invalid Credentials). Group Policy processing aborted.

Error: (04/01/1970 01:49:44 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Error: (03/26/1970 00:11:36 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot find the machine account, The clocks on the client and server machines are skewed. .

Error: (07/01/1970 02:21:44 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.


System errors:
=============
Error: (02/01/2010 09:47:15 AM) (Source: Print) (User: SYSTEM)
Description: Document Test Page was corrupted and has been deleted. The associated driver is: HP LaserJet P2015 Series PCL 5e.

Error: (03/26/1970 00:11:40 AM) (Source: TermServDevices) (User: )
Description: Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.

Error: (06/12/1970 09:27:20 PM) (Source: Service Control Manager) (User: )
Description: The Symantec AntiVirus service terminated unexpectedly. It has done this 3 time(s).

Error: (05/26/1970 10:45:12 AM) (Source: Service Control Manager) (User: )
Description: The Symantec AntiVirus service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/12/1970 09:27:20 PM) (Source: Service Control Manager) (User: )
Description: The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (04/07/1970 03:27:52 AM) (Source: Service Control Manager) (User: )
Description: The AutoReceive service terminated unexpectedly. It has done this 1 time(s).

Error: (04/07/1970 03:27:52 AM) (Source: Service Control Manager) (User: )
Description: The AutoReceive service hung on starting.

Error: (09/21/2009 08:29:16 AM) (Source: NETLOGON) (User: )
Description: Changing machine account password for account MAEHC0027$ failed with
the following error:
%%8206

Error: (09/15/2009 10:26:47 AM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference error message: The operation completed successfully.
.

Error: (09/15/2009 10:26:47 AM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.


Microsoft Office Sessions:
=========================
Error: (11/11/2009 04:00:38 PM) (Source: Userenv)(User: INTERN)INTERN
Description:

Error: (11/11/2009 04:00:38 PM) (Source: Userenv)(User: INTERN)INTERN
Description: angels.localInvalid Credentials

Error: (11/11/2009 02:01:38 PM) (Source: Userenv)(User: INTERN)INTERN
Description:

Error: (11/11/2009 02:01:38 PM) (Source: Userenv)(User: INTERN)INTERN
Description: angels.localInvalid Credentials

Error: (11/11/2009 00:08:34 PM) (Source: UserInit)(User: )
Description: STANDARD.BATThe system cannot find the file specified.

Error: (11/11/2009 00:08:32 PM) (Source: Userenv)(User: INTERN)INTERN
Description:

Error: (11/11/2009 00:08:32 PM) (Source: Userenv)(User: INTERN)INTERN
Description: angels.localInvalid Credentials

Error: (04/01/1970 01:49:44 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description:

Error: (03/26/1970 00:11:36 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: The clocks on the client and server machines are skewed.

Error: (07/01/1970 02:21:44 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description:


=========================== Installed Programs ============================

Adobe Acrobat 7.0 Standard - English, Français, Deutsch (Version: 7.1.0)
Adobe Acrobat 7.1.0 Standard - English, Français, Deutsch (Version: 7.1.0)
Adobe Flash Player 11 ActiveX (Version: 11.2.202.233)
Adobe Reader 8.3.1 (Version: 8.3.1)
Adobe SVG Viewer 3.0 (Version: 3.0)
AutoReceive (Version: 1.0.0.0)
Centricity Physician Office (Version: 6.0.7620)
Citrix online plug-in - web (Version: 12.0.0.6410)
Citrix online plug-in (DV) (Version: 12.0.0.6410)
Citrix online plug-in (HDX) (Version: 12.0.0.6410)
Citrix online plug-in (USB) (Version: 12.0.0.6410)
Citrix online plug-in (Web) (Version: 12.0.0.6410)
CPOPM04Client (Version: 7.0.394)
CPOPM04GoldClient710 (Version: 7.1.489)
CPOPM04GoldClient711_2 (Version: 7.1.496)
CPOPM04GoldClient712 (Version: 7.1.510)
ESET Online Scanner v3
FAXCOM Suite for Windows Client (Version: 09.04.0100)
HiJackThis (Version: 1.0.0)
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java™ 6 Update 26 (Version: 6.0.260)
Kofax TWAIN Data Source
Kofax VirtualReScan 4.10 (Version: 4.10.039)
Kryptiq DocuTrak Indexing Client (Version: 7.0.1)
LiveUpdate 3.0 (Symantec Corporation) (Version: 3.0.0.160)
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
MAMedicaid04 (Version: 7.1.500)
MAMedicaidHCFA04 (Version: 7.1.500)
MEDITECH Workstation4.x
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office Professional Edition 2003 (Version: 11.0.5614.0)
Realtek High Definition Audio Driver (Version: 5.10.0.5307)
RegInOut System Utilities (Version: 3.0.0.2000)
ScandAll 21
Scanner Utility for Microsoft Windows
Sentinel Protection Installer 7.0.0 (Version: 7.0.0)
Software Operation Panel
SonicWALL Global VPN Client (Version: 4.0.0.835)
SonicWALL Global VPN Client 4.0.0.835 (Version: 4.0.0.835)
Symantec AntiVirus (Version: 10.1.394.0)
TightVNC 1.3.10 (Version: 1.3.10)
Wave Workstation Applications (Version: 1.5.2935)
WebFldrs XP (Version: 9.50.6513)
Windows Support Tools (Version: 5.1.2600.2180)
WinZip (Version: 9.0 (6028))

========================= Memory info: ===================================

Percentage of memory in use: 73%
Total physical RAM: 1015.23 MB
Available physical RAM: 265.26 MB
Total Pagefile: 4014.44 MB
Available Pagefile: 3626.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.09 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:74.53 GB) (Free:60.84 GB) NTFS
3 Drive x: () (Network) (Total:410.18 GB) (Free:345.02 GB) NTFS

========================= Users: ========================================

User accounts for \\MAEHC0027

Administrator ASPNET Guest
HelpAssistant


**** End of log ****

#9 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 03 May 2012 - 10:10 AM

File C:\WINDOWS\$NtUninstallKB12694$\2902660056 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\cfg.ini 163 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\L 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\L\lhnjixjf 75264 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\version 1268 bytes


You're still infected

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#10 Foooznatch

Foooznatch
  • Topic Starter

  • Members
  • 21 posts

Posted 03 May 2012 - 10:52 AM

Thanks.

#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 03 May 2012 - 12:53 PM

You're welcome

#12 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 03 May 2012 - 05:16 PM

Malware topic here: http://www.bleepingcomputer.com/forums/topic452331.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
