
Boot.Tidserv detection


This topic is locked
55 replies to this topic

#1 cmango

  • Members
  • 31 posts

Posted 05 May 2012 - 04:56 PM

A while back my HP Pavilion running XP became infected with viruses (the Happli browser redirect, AV Protection program installed itself). I bought Norton AV 2012, but my computer was too infected for it to work, so I did a System Recovery and then reinstalled Norton. All the other stuff is gone, but Norton is still detecting a Boot.Tidserv threat. I know I should have come here first, before installing Norton or doing the System Recovery. I didn't know rootkits could survive an OS reinstall. Live and learn...

I posted in the "Am I Infected?" forum where I was advised to post some log results and finally directed to this forum. I followed the steps for posting here, and I should note that the first time I tried to create the gmer log my computer froze (white screen with bluish diagonal lines) for a minute or so, then rebooted. Luckily it was at the beginning of the scan, because I ran it again and it took several hours to complete. All other logs were created without incident.

Thank you for all the help.

DDS log:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrator at 13:43:44 on 2012-05-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.964 [GMT -4:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\19.7.0.9\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\Engine\19.7.0.9\ccSvcHst.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\19.7.0.9\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [<NO NAME>]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{513E3D03-091D-485D-BF24-104A4C4A914C} : DhcpNameServer = 192.168.1.1 71.243.0.12
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1307000.009\symds.sys [2012-5-3 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1307000.009\symefa.sys [2012-5-3 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\bashdefs\20120413.001\BHDrvx86.sys [2012-4-13 821880]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\nav\1307000.009\ccsetx86.sys [2012-5-3 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1307000.009\ironx86.sys [2012-5-3 149624]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\19.7.0.9\ccsvchst.exe [2012-5-3 138232]
R3 cmudaxp;C-Media Oxygen HD Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2012-5-2 1428544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-3 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\ipsdefs\20120505.001\IDSXpx86.sys [2012-5-4 356792]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\virusdefs\20120504.033\NAVENG.SYS [2012-5-5 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\virusdefs\20120504.033\NAVEX15.SYS [2012-5-5 1576312]
.
=============== Created Last 30 ================
.
2012-05-05 14:32:56 -------- d-----w- c:\documents and settings\hp_administrator.desktop\application data\Malwarebytes
2012-05-05 14:32:47 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-05 14:32:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-05 14:32:47 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-04 22:28:42 -------- d-----w- c:\documents and settings\hp_administrator.desktop\local settings\application data\NPE
2012-05-04 22:03:03 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2012-05-04 22:02:54 229888 ------w- c:\windows\system32\dllcache\fxscover.exe
2012-05-04 22:02:26 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2012-05-04 22:01:06 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2012-05-04 21:58:19 105472 ------w- c:\windows\system32\dllcache\mup.sys
2012-05-04 21:55:15 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-05-04 21:55:08 3072 ------w- c:\windows\system32\iacenc.dll
2012-05-04 21:55:08 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-05-04 21:54:43 45568 ------w- c:\windows\system32\dllcache\wab.exe
2012-05-04 21:54:43 -------- d-----w- c:\documents and settings\hp_administrator.desktop\application data\HpUpdate
2012-05-04 21:53:57 139784 ------w- c:\windows\system32\dllcache\rdpwd.sys
2012-05-04 00:16:24 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2012-05-04 00:16:01 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-05-03 23:58:46 -------- d-----w- c:\windows\system32\scripting
2012-05-03 23:58:46 -------- d-----w- c:\windows\system32\en
2012-05-03 23:58:46 -------- d-----w- c:\windows\system32\bits
2012-05-03 23:26:51 20992 ------w- c:\windows\system32\spupdwxp.exe
2012-05-03 23:25:59 13776 ------w- c:\windows\system32\drivers\recagent.sys
2012-05-03 23:24:45 33792 ------w- c:\windows\system32\mmcperf.exe
2012-05-03 23:21:44 388216 ----a-w- c:\windows\system32\drivers\nav\1307000.009\symtdi.sys
2012-05-03 23:21:44 345208 ----a-w- c:\windows\system32\drivers\nav\1307000.009\symtdiv.sys
2012-05-03 23:21:43 905336 ----a-w- c:\windows\system32\drivers\nav\1307000.009\symefa.sys
2012-05-03 23:21:43 318584 ----a-w- c:\windows\system32\drivers\nav\1307000.009\symnets.sys
2012-05-03 23:21:42 340088 ----a-r- c:\windows\system32\drivers\nav\1307000.009\symds.sys
2012-05-03 23:21:42 32888 ----a-w- c:\windows\system32\drivers\nav\1307000.009\srtspx.sys
2012-05-03 23:21:41 574072 ----a-w- c:\windows\system32\drivers\nav\1307000.009\srtsp.sys
2012-05-03 23:21:41 149624 ----a-w- c:\windows\system32\drivers\nav\1307000.009\ironx86.sys
2012-05-03 23:21:40 132744 ----a-w- c:\windows\system32\drivers\nav\1307000.009\ccsetx86.sys
2012-05-03 23:20:46 -------- d-----w- c:\windows\system32\drivers\nav\1307000.009
2012-05-03 23:08:01 -------- d-s---w- c:\documents and settings\hp_administrator.desktop\UserData
2012-05-03 23:07:54 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2012-05-03 23:07:46 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2012-05-03 23:05:55 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2012-05-03 23:05:55 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2012-05-03 23:05:55 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-05-03 23:05:55 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2012-05-03 23:05:55 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2012-05-03 23:05:55 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2012-05-03 23:05:55 110592 ------w- c:\windows\system32\dllcache\services.exe
2012-05-03 23:05:54 718336 ------w- c:\windows\system32\dllcache\ntdll.dll
2012-05-03 23:05:54 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2012-05-03 23:05:54 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-05-03 23:05:54 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-05-03 23:05:53 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-05-03 23:03:10 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2012-05-03 23:02:14 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2012-05-03 23:01:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-05-03 23:01:01 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2012-05-03 23:00:49 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-05-03 23:00:49 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2012-05-03 23:00:37 357888 ------w- c:\windows\system32\dllcache\srv.sys
2012-05-03 23:00:11 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2012-05-03 22:59:57 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2012-05-03 22:59:57 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2012-05-03 22:59:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-03 22:59:26 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-03 22:59:26 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-03 22:51:45 -------- d-----w- c:\windows\system32\PreInstall
2012-05-03 06:46:50 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-05-03 06:46:47 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2012-05-03 06:46:44 6144 ----a-w- c:\windows\system32\kbd106.dll
2012-05-03 06:46:43 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-05-03 06:46:42 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-05-03 06:46:39 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-05-03 05:23:26 -------- d-sh--r- c:\windows\system32\dllcache
2012-05-03 04:14:51 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-05-03 04:14:50 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-05-03 04:14:50 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-05-03 04:14:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-05-03 04:14:50 2000384 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-05-03 04:14:49 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-05-03 04:14:49 11082752 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-05-03 04:04:14 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-05-03 04:04:14 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-05-03 04:03:20 -------- d-----w- c:\windows\system32\drivers\NAV
2012-05-03 04:03:17 -------- d-----w- c:\program files\Norton AntiVirus
2012-05-03 03:22:02 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-05-03 03:21:53 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-05-03 03:21:48 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-05-03 03:08:02 -------- d-----w- c:\windows\system32\appmgmt
2012-05-03 02:59:50 712704 ----a-r- c:\windows\system32\Audio3Dp.dll
2012-05-03 02:59:50 151623 ----a-r- c:\windows\system32\cmasiop.dll
2012-05-03 02:59:49 712704 ----a-w- c:\windows\system32\dllcache\a3d.dll
2012-05-03 02:59:49 712704 ----a-r- c:\windows\system32\a3d.dll
2012-05-03 02:59:49 32768 ----a-r- c:\windows\system32\cmudaxp.dll
2012-05-03 02:59:49 32768 ----a-r- c:\windows\system32\CmPropP.dll
2012-05-03 02:59:49 28672 ----a-r- c:\windows\system32\cmrmdrvp.dll
2012-05-03 02:59:49 253952 ----a-r- c:\windows\system32\cmrmdrvp.exe
2012-05-03 02:59:49 1428544 ----a-r- c:\windows\system32\drivers\cmudaxp.sys
2012-05-03 02:58:25 -------- d-sh--w- C:\cmdcons
2012-05-03 02:51:40 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-05-02 22:25:13 -------- d-----w- c:\documents and settings\all users\application data\PCSettings
2012-04-27 03:34:05 88064 ----a-w- c:\documents and settings\all users\application data\388cLdcK.exe
.
==================== Find3M ====================
.
2012-05-04 00:02:21 45056 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2012-05-04 00:02:20 61440 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2012-05-04 00:02:20 44032 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2012-05-04 00:02:20 40960 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2012-05-04 00:02:20 341048 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2012-05-04 00:02:20 32768 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2012-05-04 00:02:20 32768 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2012-05-04 00:02:20 163840 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 13:47:03.84 ===============


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 05 May 2012 - 05:08 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
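The TDSSKiller step above asks for the "Detect TDLFS File System" option because the Tidserv/TDL4 family keeps its own hidden, encrypted file system in disk space that no partition-table entry covers, so a file-level antivirus scan never sees it. The Python script below is an added example for readers of this thread; it is not part of the thread, of TDSSKiller or of any Kaspersky tool. It parses the partition table of a 512-byte MBR, prints the entries in the same style TDSSKiller uses in its log ("PartitionN: MBR, Type ..., StartLBA ..., BlocksNum ..."), and lists the sector ranges the table leaves unallocated. The sample MBR is constructed inside the script; its two partitions (types 0xC and 0x7) and the drive size are copied from the TDSSKiller output cmango posts later in this thread, so the numbers it prints can be compared against that log.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                       # partition table starts at byte 446 of the MBR
ENTRY_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, start LBA, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes per entry, four entries
SIGNATURE = b"\x55\xaa"                  # boot signature at bytes 510-511

# Constructed sample layout: (type, start LBA, sector count), copied from the
# partition lines in the TDSSKiller log posted in this thread.
SAMPLE_PARTITIONS = [
    (0x0C, 0x3F, 0x1105758),        # FAT32 LBA (D:, the HP recovery partition)
    (0x07, 0x1105797, 0x1C0BAF29),  # NTFS (C:, the system partition)
]
# Drive size 0x3A38B2E000 bytes with 0x200-byte sectors, as reported for \Device\Harddisk0\DR0
SAMPLE_DISK_SECTORS = 0x3A38B2E000 // SECTOR_SIZE


def build_mbr(entries, bootable_index=1):
    """Assemble a 512-byte MBR from (type, start, count) tuples. Test data only; CHS fields are left zero."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status = 0x80 if i == bootable_index else 0x00
        mbr[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FMT, status, b"\0" * 3, ptype, b"\0" * 3, start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR as dicts; raise ValueError on malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "type": ptype, "start_lba": start,
                      "sectors": count, "bootable": status == 0x80})
    return parts


def describe(parts):
    """Format entries the way TDSSKiller prints them in its log."""
    return [f"Partition{p['index']}: MBR, Type 0x{p['type']:X}, "
            f"StartLBA 0x{p['start_lba']:X}, BlocksNum 0x{p['sectors']:X}" for p in parts]


def unallocated_ranges(parts, disk_sectors):
    """Sector ranges (start, length) after sector 0 that no partition covers, including the disk tail.

    Overlapping entries or entries running past the end of the disk are reported as errors,
    since a sane partition table never has either."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        end = p["start_lba"] + p["sectors"]
        if end > disk_sectors:
            raise ValueError(f"partition {p['index']} extends past the end of the disk")
        if p["start_lba"] < cursor:
            raise ValueError(f"partition {p['index']} overlaps a previous entry")
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - cursor))
        cursor = end
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


if __name__ == "__main__":
    parts = parse_mbr(build_mbr(SAMPLE_PARTITIONS))
    for line in describe(parts):
        print(line)
    for start, length in unallocated_ranges(parts, SAMPLE_DISK_SECTORS):
        print(f"unallocated: LBA 0x{start:X}, {length} sectors ({length * SECTOR_SIZE / 2**20:.1f} MiB)")
```

For this layout the script reports two unallocated ranges: 62 sectors between the MBR and the first partition, and about 10 MiB at the end of the disk. Both are ordinary on an OEM-imaged drive (alignment and recovery tooling leave such space), so the ranges are where a rootkit scanner has to look, not evidence of infection by themselves; TDSSKiller's TDLFS detection is what decides whether the rootkit's file system actually sits there. One caveat for anyone trying this on a live machine: a boot-sector rootkit of this family filters reads of sector 0 so that the MBR looks clean to ordinary tools, which is why the thread has the scan done with a dedicated tool rather than by reading the sector from Windows, and why a reinstall that never rewrote the MBR, as in cmango's case, does not remove it.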


#3 cmango

  • Topic Starter
  • Members
  • 31 posts

Posted 05 May 2012 - 06:18 PM

Hi,
I've downloaded and run the Kaspersky file you mentioned. Right now there is a threats detected window open with a TDSS file system listed. Should I delete it?
Thanks

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 05 May 2012 - 06:28 PM

Yes, please delete it



#5 cmango

  • Topic Starter
  • Members
  • 31 posts

Posted 05 May 2012 - 06:37 PM

OK, I deleted the file, but clicking Continue did not prompt a reboot; should I try again? I found the log file on my drive:

18:58:12.0648 2780 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
18:58:13.0038 2780 ============================================================
18:58:13.0038 2780 Current date / time: 2012/05/05 18:58:13.0038
18:58:13.0038 2780 SystemInfo:
18:58:13.0038 2780
18:58:13.0038 2780 OS Version: 5.1.2600 ServicePack: 3.0
18:58:13.0038 2780 Product type: Workstation
18:58:13.0038 2780 ComputerName: DESKTOP
18:58:13.0038 2780 UserName: HP_Administrator
18:58:13.0038 2780 Windows directory: C:\WINDOWS
18:58:13.0038 2780 System windows directory: C:\WINDOWS
18:58:13.0038 2780 Processor architecture: Intel x86
18:58:13.0038 2780 Number of processors: 2
18:58:13.0038 2780 Page size: 0x1000
18:58:13.0038 2780 Boot type: Normal boot
18:58:13.0038 2780 ============================================================
18:58:13.0772 2780 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:58:13.0897 2780 ============================================================
18:58:13.0897 2780 \Device\Harddisk0\DR0:
18:58:13.0897 2780 MBR partitions:
18:58:13.0897 2780 \Device\Harddisk0\DR0\Partition0: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x1105758
18:58:13.0897 2780 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1105797, BlocksNum 0x1C0BAF29
18:58:13.0897 2780 ============================================================
18:58:13.0944 2780 C: <-> \Device\Harddisk0\DR0\Partition1
18:58:13.0944 2780 D: <-> \Device\Harddisk0\DR0\Partition0
18:58:13.0944 2780 ============================================================
18:58:13.0944 2780 Initialize success
18:58:13.0944 2780 ============================================================
18:58:58.0829 3488 ============================================================
18:58:58.0829 3488 Scan started
18:58:58.0829 3488 Mode: Manual; TDLFS;
18:58:58.0829 3488 ============================================================
18:59:00.0407 3488 Abiosdsk - ok
18:59:00.0422 3488 abp480n5 - ok
18:59:00.0469 3488 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:59:00.0469 3488 ACPI - ok
18:59:00.0500 3488 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:59:00.0500 3488 ACPIEC - ok
18:59:00.0516 3488 adpu160m - ok
18:59:00.0547 3488 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:59:00.0547 3488 aec - ok
18:59:00.0594 3488 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:59:00.0610 3488 AFD - ok
18:59:00.0719 3488 AgereSoftModem (b7d2103eb2ecb765b2b7106bad089ab1) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
18:59:00.0735 3488 AgereSoftModem - ok
18:59:00.0735 3488 Aha154x - ok
18:59:00.0750 3488 aic78u2 - ok
18:59:00.0750 3488 aic78xx - ok
18:59:00.0782 3488 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:59:00.0782 3488 Alerter - ok
18:59:00.0813 3488 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:59:00.0813 3488 ALG - ok
18:59:00.0813 3488 AliIde - ok
18:59:00.0828 3488 amsint - ok
18:59:00.0875 3488 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
18:59:00.0875 3488 AppMgmt - ok
18:59:00.0907 3488 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
18:59:00.0922 3488 aracpi - ok
18:59:00.0922 3488 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
18:59:00.0922 3488 arhidfltr - ok
18:59:00.0938 3488 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
18:59:00.0938 3488 arkbcfltr - ok
18:59:00.0938 3488 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
18:59:00.0938 3488 armoucfltr - ok
18:59:00.0985 3488 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
18:59:00.0985 3488 Arp1394 - ok
18:59:01.0000 3488 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
18:59:01.0000 3488 ARPolicy - ok
18:59:01.0047 3488 ARSVC (9a0d9b2e263bede80fb79ddbad240ec1) C:\WINDOWS\arservice.exe
18:59:01.0047 3488 ARSVC - ok
18:59:01.0047 3488 asc - ok
18:59:01.0063 3488 asc3350p - ok
18:59:01.0063 3488 asc3550 - ok
18:59:01.0157 3488 aspnet_state (e1a1206a4fb19b675e947b29ccd25fba) C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
18:59:01.0157 3488 aspnet_state - ok
18:59:01.0188 3488 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:59:01.0188 3488 AsyncMac - ok
18:59:01.0219 3488 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:59:01.0219 3488 atapi - ok
18:59:01.0219 3488 Atdisk - ok
18:59:01.0250 3488 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:59:01.0250 3488 Atmarpc - ok
18:59:01.0297 3488 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:59:01.0297 3488 AudioSrv - ok
18:59:01.0313 3488 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:59:01.0313 3488 audstub - ok
18:59:01.0313 3488 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
18:59:01.0328 3488 bb-run - ok
18:59:01.0328 3488 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:59:01.0328 3488 Beep - ok
18:59:01.0563 3488 BHDrvx86 (a503d32ae26f77cb942aed530112edaa) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120413.001\BHDrvx86.sys
18:59:01.0578 3488 BHDrvx86 - ok
18:59:01.0657 3488 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:59:01.0657 3488 BITS - ok
18:59:01.0719 3488 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:59:01.0719 3488 Browser - ok
18:59:01.0797 3488 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:59:01.0828 3488 cbidf2k - ok
18:59:01.0860 3488 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:59:01.0860 3488 CCDECODE - ok
18:59:01.0922 3488 ccSet_NAV (599e7f6259a127c174c49938d2aa6a60) C:\WINDOWS\system32\drivers\NAV\1307000.009\ccSetx86.sys
18:59:01.0938 3488 ccSet_NAV - ok
18:59:01.0938 3488 cd20xrnt - ok
18:59:01.0953 3488 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:59:01.0953 3488 Cdaudio - ok
18:59:01.0969 3488 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:59:01.0969 3488 Cdfs - ok
18:59:01.0985 3488 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:59:02.0000 3488 Cdrom - ok
18:59:02.0000 3488 Changer - ok
18:59:02.0031 3488 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:59:02.0031 3488 CiSvc - ok
18:59:02.0047 3488 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:59:02.0047 3488 ClipSrv - ok
18:59:02.0063 3488 CmdIde - ok
18:59:02.0203 3488 cmudaxp (c02f4b61f0dc98f54d38b2cac67071e5) C:\WINDOWS\system32\drivers\cmudaxp.sys
18:59:02.0235 3488 cmudaxp - ok
18:59:02.0391 3488 COMSysApp - ok
18:59:02.0422 3488 Cpqarray - ok
18:59:02.0469 3488 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:59:02.0469 3488 CryptSvc - ok
18:59:02.0469 3488 dac2w2k - ok
18:59:02.0485 3488 dac960nt - ok
18:59:02.0563 3488 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:59:02.0563 3488 DcomLaunch - ok
18:59:02.0625 3488 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:59:02.0625 3488 Dhcp - ok
18:59:02.0641 3488 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:59:02.0641 3488 Disk - ok
18:59:02.0641 3488 dmadmin - ok
18:59:02.0719 3488 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:59:02.0719 3488 dmboot - ok
18:59:02.0734 3488 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:59:02.0734 3488 dmio - ok
18:59:02.0750 3488 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:59:02.0750 3488 dmload - ok
18:59:02.0781 3488 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:59:02.0781 3488 dmserver - ok
18:59:02.0797 3488 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:59:02.0813 3488 DMusic - ok
18:59:02.0844 3488 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
18:59:02.0844 3488 Dnscache - ok
18:59:02.0891 3488 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:59:02.0891 3488 Dot3svc - ok
18:59:02.0891 3488 dpti2o - ok
18:59:02.0906 3488 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:59:02.0906 3488 drmkaud - ok
18:59:02.0953 3488 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
18:59:02.0969 3488 E100B - ok
18:59:03.0000 3488 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:59:03.0000 3488 EapHost - ok
18:59:03.0109 3488 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
18:59:03.0125 3488 eeCtrl - ok
18:59:03.0234 3488 ehRecvr (8301243bde5b6cd316d79c0191d50d9a) C:\WINDOWS\eHome\ehRecvr.exe
18:59:03.0234 3488 ehRecvr - ok
18:59:03.0250 3488 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
18:59:03.0266 3488 ehSched - ok
18:59:03.0281 3488 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
18:59:03.0281 3488 EraserUtilRebootDrv - ok
18:59:03.0313 3488 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
18:59:03.0313 3488 ERSvc - ok
18:59:03.0375 3488 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:59:03.0375 3488 Eventlog - ok
18:59:03.0422 3488 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
18:59:03.0438 3488 EventSystem - ok
18:59:03.0531 3488 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:59:03.0531 3488 Fastfat - ok
18:59:03.0578 3488 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:59:03.0578 3488 FastUserSwitchingCompatibility - ok
18:59:03.0625 3488 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
18:59:03.0625 3488 Fax - ok
18:59:03.0641 3488 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:59:03.0641 3488 Fdc - ok
18:59:03.0656 3488 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:59:03.0672 3488 Fips - ok
18:59:03.0672 3488 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:59:03.0672 3488 Flpydisk - ok
18:59:03.0703 3488 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
18:59:03.0703 3488 FltMgr - ok
18:59:03.0734 3488 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:59:03.0734 3488 Fs_Rec - ok
18:59:03.0750 3488 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:59:03.0750 3488 Ftdisk - ok
18:59:03.0766 3488 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
18:59:03.0766 3488 ftsata2 - ok
18:59:03.0812 3488 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:59:03.0812 3488 Gpc - ok
18:59:03.0859 3488 hcwPP2 (41bbad646a8c842bc30ef6745a4f6ff3) C:\WINDOWS\system32\DRIVERS\hcwPP2.sys
18:59:03.0859 3488 hcwPP2 - ok
18:59:03.0891 3488 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:59:03.0891 3488 HDAudBus - ok
18:59:03.0984 3488 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
18:59:03.0984 3488 helpsvc - ok
18:59:04.0000 3488 HidIr (bb1a6fb7d35a91e599973fa74a619056) C:\WINDOWS\system32\DRIVERS\hidir.sys
18:59:04.0000 3488 HidIr - ok
18:59:04.0031 3488 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
18:59:04.0031 3488 HidServ - ok
18:59:04.0031 3488 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:59:04.0031 3488 HidUsb - ok
18:59:04.0094 3488 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
18:59:04.0109 3488 hkmsvc - ok
18:59:04.0109 3488 hpn - ok
18:59:04.0141 3488 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
18:59:04.0141 3488 HPZid412 - ok
18:59:04.0156 3488 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
18:59:04.0172 3488 HPZipr12 - ok
18:59:04.0187 3488 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
18:59:04.0187 3488 HPZius12 - ok
18:59:04.0234 3488 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
18:59:04.0250 3488 HTTP - ok
18:59:04.0266 3488 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
18:59:04.0266 3488 HTTPFilter - ok
18:59:04.0266 3488 i2omgmt - ok
18:59:04.0281 3488 i2omp - ok
18:59:04.0328 3488 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:59:04.0328 3488 i8042prt - ok
18:59:04.0422 3488 IAANTMon (0b66a9a2137213075f753579e7d573a5) C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
18:59:04.0422 3488 IAANTMon - ok
18:59:04.0531 3488 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
18:59:04.0547 3488 iaStor - ok
18:59:04.0594 3488 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
18:59:04.0594 3488 IDriverT - ok
18:59:04.0797 3488 IDSxpx86 (c924bf6d42b3d9292268ff1998596bd1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120505.001\IDSxpx86.sys
18:59:04.0797 3488 IDSxpx86 - ok
18:59:05.0015 3488 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:59:05.0015 3488 Imapi - ok
18:59:05.0109 3488 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
18:59:05.0109 3488 ImapiService - ok
18:59:05.0140 3488 ini910u - ok
18:59:05.0562 3488 IntcAzAudAddService (27b220620a480e54bf57e4750ca9b65f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:59:05.0656 3488 IntcAzAudAddService - ok
18:59:05.0828 3488 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
18:59:05.0828 3488 IntelIde - ok
18:59:05.0875 3488 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:59:05.0875 3488 intelppm - ok
18:59:05.0906 3488 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
18:59:05.0906 3488 Ip6Fw - ok
18:59:05.0937 3488 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:59:05.0937 3488 IpFilterDriver - ok
18:59:05.0953 3488 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:59:05.0968 3488 IpInIp - ok
18:59:06.0000 3488 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:59:06.0000 3488 IpNat - ok
18:59:06.0015 3488 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:59:06.0015 3488 IPSec - ok
18:59:06.0047 3488 IrBus (b43b36b382aea10861f7c7a37f9d4ae2) C:\WINDOWS\system32\DRIVERS\IrBus.sys
18:59:06.0047 3488 IrBus - ok
18:59:06.0078 3488 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:59:06.0078 3488 IRENUM - ok
18:59:06.0109 3488 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:59:06.0109 3488 isapnp - ok
18:59:06.0265 3488 JavaQuickStarterService (a38441ed570f190cc041a7be49488fa7) C:\Program Files\Java\jre6\bin\jqs.exe
18:59:06.0281 3488 JavaQuickStarterService - ok
18:59:06.0297 3488 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:59:06.0297 3488 Kbdclass - ok
18:59:06.0328 3488 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:59:06.0343 3488 kbdhid - ok
18:59:06.0359 3488 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:59:06.0359 3488 kmixer - ok
18:59:06.0406 3488 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:59:06.0406 3488 KSecDD - ok
18:59:06.0453 3488 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
18:59:06.0453 3488 lanmanserver - ok
18:59:06.0484 3488 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
18:59:06.0500 3488 lanmanworkstation - ok
18:59:06.0500 3488 lbrtfdc - ok
18:59:06.0593 3488 LightScribeService (6e68e520e6f2f5dce97a9ff947038769) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
18:59:06.0593 3488 LightScribeService - ok
18:59:06.0640 3488 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
18:59:06.0640 3488 LmHosts - ok
18:59:06.0734 3488 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
18:59:06.0734 3488 McrdSvc - ok
18:59:06.0812 3488 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
18:59:06.0812 3488 MDM - ok
18:59:06.0843 3488 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
18:59:06.0843 3488 Messenger - ok
18:59:06.0875 3488 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
18:59:06.0875 3488 MHN - ok
18:59:06.0906 3488 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
18:59:06.0906 3488 MHNDRV - ok
18:59:06.0937 3488 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:59:06.0937 3488 mnmdd - ok
18:59:06.0984 3488 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
18:59:06.0984 3488 mnmsrvc - ok
18:59:07.0015 3488 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:59:07.0031 3488 Modem - ok
18:59:07.0031 3488 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:59:07.0046 3488 Mouclass - ok
18:59:07.0109 3488 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:59:07.0109 3488 mouhid - ok
18:59:07.0125 3488 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:59:07.0125 3488 MountMgr - ok
18:59:07.0140 3488 mraid35x - ok
18:59:07.0156 3488 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:59:07.0156 3488 MRxDAV - ok
18:59:07.0234 3488 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:59:07.0234 3488 MRxSmb - ok
18:59:07.0250 3488 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
18:59:07.0250 3488 MSDTC - ok
18:59:07.0281 3488 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:59:07.0281 3488 Msfs - ok
18:59:07.0281 3488 MSIServer - ok
18:59:07.0312 3488 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:59:07.0312 3488 MSKSSRV - ok
18:59:07.0328 3488 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:59:07.0328 3488 MSPCLOCK - ok
18:59:07.0359 3488 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:59:07.0359 3488 MSPQM - ok
18:59:07.0390 3488 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:59:07.0390 3488 mssmbios - ok
18:59:07.0421 3488 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
18:59:07.0421 3488 MSTEE - ok
18:59:07.0453 3488 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
18:59:07.0468 3488 Mup - ok
18:59:07.0484 3488 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:59:07.0484 3488 NABTSFEC - ok
18:59:07.0531 3488 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
18:59:07.0546 3488 napagent - ok
18:59:07.0687 3488 NAV (c6948f034d7edabcfa2234d399fc78bc) C:\Program Files\Norton AntiVirus\Engine\19.7.0.9\ccSvcHst.exe
18:59:07.0687 3488 NAV - ok
18:59:07.0859 3488 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120504.033\NAVENG.SYS
18:59:07.0859 3488 NAVENG - ok
18:59:07.0984 3488 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120504.033\NAVEX15.SYS
18:59:07.0999 3488 NAVEX15 - ok
18:59:08.0203 3488 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:59:08.0203 3488 NDIS - ok
18:59:08.0234 3488 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:59:08.0234 3488 NdisIP - ok
18:59:08.0265 3488 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:59:08.0265 3488 NdisTapi - ok
18:59:08.0296 3488 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:59:08.0296 3488 Ndisuio - ok
18:59:08.0327 3488 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:59:08.0327 3488 NdisWan - ok
18:59:08.0359 3488 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:59:08.0359 3488 NDProxy - ok
18:59:08.0374 3488 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:59:08.0374 3488 NetBIOS - ok
18:59:08.0406 3488 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:59:08.0421 3488 NetBT - ok
18:59:08.0468 3488 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:59:08.0468 3488 NetDDE - ok
18:59:08.0468 3488 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:59:08.0468 3488 NetDDEdsdm - ok
18:59:08.0515 3488 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:08.0515 3488 Netlogon - ok
18:59:08.0546 3488 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
18:59:08.0546 3488 Netman - ok
18:59:08.0577 3488 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
18:59:08.0593 3488 NIC1394 - ok
18:59:08.0624 3488 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
18:59:08.0624 3488 Nla - ok
18:59:08.0656 3488 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:59:08.0656 3488 Npfs - ok
18:59:08.0702 3488 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:59:08.0718 3488 Ntfs - ok
18:59:08.0718 3488 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:08.0718 3488 NtLmSsp - ok
18:59:08.0781 3488 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
18:59:08.0796 3488 NtmsSvc - ok
18:59:08.0827 3488 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:59:08.0827 3488 Null - ok
18:59:09.0077 3488 nv (55310bbf289cdc07d1a8bdbe3432abbf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:59:09.0124 3488 nv - ok
18:59:09.0312 3488 NVSvc (5705d065b450f03ec0743e601941ddfa) C:\WINDOWS\system32\nvsvc32.exe
18:59:09.0312 3488 NVSvc - ok
18:59:09.0359 3488 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:59:09.0359 3488 NwlnkFlt - ok
18:59:09.0374 3488 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:59:09.0374 3488 NwlnkFwd - ok
18:59:09.0405 3488 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
18:59:09.0405 3488 ohci1394 - ok
18:59:09.0452 3488 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:59:09.0468 3488 Parport - ok
18:59:09.0468 3488 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:59:09.0468 3488 PartMgr - ok
18:59:09.0515 3488 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:59:09.0515 3488 ParVdm - ok
18:59:09.0530 3488 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:59:09.0530 3488 PCI - ok
18:59:09.0530 3488 PCIDump - ok
18:59:09.0530 3488 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:59:09.0546 3488 PCIIde - ok
18:59:09.0577 3488 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:59:09.0577 3488 Pcmcia - ok
18:59:09.0577 3488 PDCOMP - ok
18:59:09.0593 3488 PDFRAME - ok
18:59:09.0593 3488 PDRELI - ok
18:59:09.0593 3488 PDRFRAME - ok
18:59:09.0609 3488 perc2 - ok
18:59:09.0609 3488 perc2hib - ok
18:59:09.0671 3488 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:59:09.0671 3488 PlugPlay - ok
18:59:09.0718 3488 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\system32\HPZipm12.exe
18:59:09.0734 3488 Pml Driver HPZ12 - ok
18:59:09.0765 3488 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:09.0780 3488 PolicyAgent - ok
18:59:09.0812 3488 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:59:09.0827 3488 PptpMiniport - ok
18:59:09.0827 3488 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:09.0827 3488 ProtectedStorage - ok
18:59:09.0874 3488 Ps2 (0e2eb30605ca6ed2509d59af6a7362b4) C:\WINDOWS\system32\DRIVERS\PS2.sys
18:59:09.0874 3488 Ps2 - ok
18:59:09.0890 3488 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:59:09.0890 3488 PSched - ok
18:59:09.0905 3488 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:59:09.0905 3488 Ptilink - ok
18:59:09.0937 3488 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:59:09.0937 3488 PxHelp20 - ok
18:59:09.0937 3488 ql1080 - ok
18:59:09.0937 3488 Ql10wnt - ok
18:59:09.0952 3488 ql12160 - ok
18:59:09.0952 3488 ql1240 - ok
18:59:09.0968 3488 ql1280 - ok
18:59:10.0015 3488 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:59:10.0015 3488 RasAcd - ok
18:59:10.0062 3488 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:59:10.0077 3488 RasAuto - ok
18:59:10.0077 3488 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:59:10.0077 3488 Rasl2tp - ok
18:59:10.0140 3488 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:59:10.0140 3488 RasMan - ok
18:59:10.0155 3488 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:59:10.0155 3488 RasPppoe - ok
18:59:10.0171 3488 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:59:10.0171 3488 Raspti - ok
18:59:10.0218 3488 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:59:10.0218 3488 Rdbss - ok
18:59:10.0249 3488 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:59:10.0249 3488 RDPCDD - ok
18:59:10.0265 3488 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:59:10.0265 3488 rdpdr - ok
18:59:10.0312 3488 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
18:59:10.0312 3488 RDPWD - ok
18:59:10.0358 3488 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:59:10.0358 3488 RDSessMgr - ok
18:59:10.0390 3488 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:59:10.0390 3488 redbook - ok
18:59:10.0421 3488 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:59:10.0421 3488 RemoteAccess - ok
18:59:10.0468 3488 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
18:59:10.0468 3488 RemoteRegistry - ok
18:59:10.0483 3488 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:59:10.0483 3488 RpcLocator - ok
18:59:10.0562 3488 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:59:10.0562 3488 RpcSs - ok
18:59:10.0593 3488 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:59:10.0593 3488 RSVP - ok
18:59:10.0624 3488 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
18:59:10.0624 3488 rtl8139 - ok
18:59:10.0655 3488 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:10.0655 3488 SamSs - ok
18:59:10.0671 3488 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:59:10.0671 3488 SCardSvr - ok
18:59:10.0687 3488 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:59:10.0702 3488 Schedule - ok
18:59:10.0733 3488 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:59:10.0733 3488 Secdrv - ok
18:59:10.0765 3488 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:59:10.0765 3488 seclogon - ok
18:59:10.0780 3488 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
18:59:10.0780 3488 SENS - ok
18:59:10.0812 3488 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
18:59:10.0812 3488 Serial - ok
18:59:10.0812 3488 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:59:10.0812 3488 Sfloppy - ok
18:59:10.0874 3488 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
18:59:10.0890 3488 SharedAccess - ok
18:59:10.0921 3488 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:59:10.0937 3488 ShellHWDetection - ok
18:59:10.0937 3488 Simbad - ok
18:59:10.0952 3488 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:59:10.0952 3488 SLIP - ok
18:59:10.0952 3488 Sparrow - ok
18:59:10.0983 3488 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:59:10.0983 3488 splitter - ok
18:59:11.0030 3488 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
18:59:11.0030 3488 Spooler - ok
18:59:11.0061 3488 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:59:11.0061 3488 sr - ok
18:59:11.0124 3488 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:59:11.0124 3488 srservice - ok
18:59:11.0265 3488 SRTSP (9dd258ee034afd36259cb7357e19d0b1) C:\WINDOWS\System32\Drivers\NAV\1307000.009\SRTSP.SYS
18:59:11.0265 3488 SRTSP - ok
18:59:11.0311 3488 SRTSPX (0cc3a10f363436c7b478419eb73f8d91) C:\WINDOWS\system32\drivers\NAV\1307000.009\SRTSPX.SYS
18:59:11.0311 3488 SRTSPX - ok
18:59:11.0374 3488 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:59:11.0374 3488 Srv - ok
18:59:11.0405 3488 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:59:11.0405 3488 SSDPSRV - ok
18:59:11.0483 3488 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:59:11.0483 3488 stisvc - ok
18:59:11.0530 3488 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:59:11.0530 3488 streamip - ok
18:59:11.0561 3488 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:59:11.0561 3488 swenum - ok
18:59:11.0577 3488 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:59:11.0577 3488 swmidi - ok
18:59:11.0577 3488 SwPrv - ok
18:59:11.0593 3488 symc810 - ok
18:59:11.0593 3488 symc8xx - ok
18:59:11.0655 3488 SymDS (690fa0e61b90084c4d9a721bd4f3d779) C:\WINDOWS\system32\drivers\NAV\1307000.009\SYMDS.SYS
18:59:11.0671 3488 SymDS - ok
18:59:11.0765 3488 SymEFA (4e55148a2e044d02245cbcdbb266b98c) C:\WINDOWS\system32\drivers\NAV\1307000.009\SYMEFA.SYS
18:59:11.0780 3488 SymEFA - ok
18:59:11.0843 3488 SymEvent (74e2521e96176a4449570e50be91954d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
18:59:11.0843 3488 SymEvent - ok
18:59:11.0874 3488 SymIRON (2c356cca706505cf63cbe39d532b9236) C:\WINDOWS\system32\drivers\NAV\1307000.009\Ironx86.SYS
18:59:11.0874 3488 SymIRON - ok
18:59:11.0936 3488 SYMTDI (508bd882040f9cb12319e3a4fc78edb9) C:\WINDOWS\System32\Drivers\NAV\1307000.009\SYMTDI.SYS
18:59:11.0936 3488 SYMTDI - ok
18:59:11.0952 3488 sym_hi - ok
18:59:11.0952 3488 sym_u3 - ok
18:59:11.0999 3488 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:59:12.0014 3488 sysaudio - ok
18:59:12.0061 3488 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:59:12.0061 3488 SysmonLog - ok
18:59:12.0124 3488 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:59:12.0124 3488 TapiSrv - ok
18:59:12.0218 3488 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:59:12.0218 3488 Tcpip - ok
18:59:12.0233 3488 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:59:12.0249 3488 TDPIPE - ok
18:59:12.0264 3488 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:59:12.0264 3488 TDTCP - ok
18:59:12.0280 3488 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:59:12.0296 3488 TermDD - ok
18:59:12.0327 3488 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:59:12.0343 3488 TermService - ok
18:59:12.0389 3488 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:59:12.0389 3488 Themes - ok
18:59:12.0436 3488 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
18:59:12.0436 3488 TlntSvr - ok
18:59:12.0436 3488 TosIde - ok
18:59:12.0468 3488 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:59:12.0483 3488 TrkWks - ok
18:59:12.0514 3488 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:59:12.0530 3488 Udfs - ok
18:59:12.0546 3488 ultra - ok
18:59:12.0577 3488 UMWdf (9651e5d850b6f6bd7c77c70aa06f02bf) C:\WINDOWS\system32\wdfmgr.exe
18:59:12.0577 3488 UMWdf - ok
18:59:12.0639 3488 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:59:12.0639 3488 Update - ok
18:59:12.0671 3488 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:59:12.0686 3488 upnphost - ok
18:59:12.0718 3488 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:59:12.0718 3488 UPS - ok
18:59:12.0733 3488 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:59:12.0733 3488 usbccgp - ok
18:59:12.0764 3488 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:59:12.0780 3488 usbehci - ok
18:59:12.0780 3488 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:59:12.0780 3488 usbhub - ok
18:59:12.0843 3488 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:59:12.0843 3488 usbprint - ok
18:59:12.0843 3488 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:59:12.0858 3488 usbscan - ok
18:59:12.0874 3488 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:59:12.0874 3488 usbstor - ok
18:59:12.0889 3488 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:59:12.0889 3488 usbuhci - ok
18:59:12.0905 3488 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:59:12.0905 3488 VgaSave - ok
18:59:12.0936 3488 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
18:59:12.0936 3488 ViaIde - ok
18:59:12.0967 3488 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:59:12.0967 3488 VolSnap - ok
18:59:13.0030 3488 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:59:13.0030 3488 VSS - ok
18:59:13.0092 3488 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:59:13.0092 3488 W32Time - ok
18:59:13.0155 3488 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:59:13.0155 3488 Wanarp - ok
18:59:13.0171 3488 WDICA - ok
18:59:13.0249 3488 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:59:13.0249 3488 wdmaud - ok
18:59:13.0296 3488 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:59:13.0296 3488 WebClient - ok
18:59:13.0389 3488 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:59:13.0389 3488 winmgmt - ok
18:59:13.0452 3488 WmdmPmSN (b9715b9c18bc6c8f4b66733d208cc9f7) C:\WINDOWS\system32\MsPMSNSv.dll
18:59:13.0452 3488 WmdmPmSN - ok
18:59:13.0546 3488 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
18:59:13.0561 3488 Wmi - ok
18:59:13.0592 3488 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:59:13.0608 3488 WmiApSrv - ok
18:59:13.0655 3488 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
18:59:13.0655 3488 wscsvc - ok
18:59:13.0686 3488 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:59:13.0686 3488 WSTCODEC - ok
18:59:13.0717 3488 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:59:13.0717 3488 wuauserv - ok
18:59:13.0796 3488 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:59:13.0811 3488 WZCSVC - ok
18:59:13.0842 3488 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:59:13.0842 3488 xmlprov - ok
18:59:13.0874 3488 MBR (0x1B8) (0ac6d996bce152aed9600e6d6b797e2e) \Device\Harddisk0\DR0
18:59:13.0983 3488 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:59:13.0983 3488 \Device\Harddisk0\DR0 - detected TDSS File System (1)
18:59:13.0983 3488 Boot (0x1200) (dc04e25f6b086442cbde59d4674d0331) \Device\Harddisk0\DR0\Partition0
18:59:13.0983 3488 \Device\Harddisk0\DR0\Partition0 - ok
18:59:13.0999 3488 Boot (0x1200) (d3e177eba7a2a8a3058d08aaeffac7b5) \Device\Harddisk0\DR0\Partition1
18:59:13.0999 3488 \Device\Harddisk0\DR0\Partition1 - ok
18:59:13.0999 3488 ============================================================
18:59:13.0999 3488 Scan finished
18:59:13.0999 3488 ============================================================
18:59:14.0014 0580 Detected object count: 1
18:59:14.0014 0580 Actual detected object count: 1
19:29:39.0510 0580 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
19:29:39.0525 0580 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
19:29:39.0525 0580 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
19:29:39.0525 0580 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
19:29:39.0525 0580 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
19:29:39.0541 0580 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
19:29:39.0556 0580 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
19:29:39.0572 0580 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
19:29:39.0572 0580 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
19:29:39.0603 0580 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
19:29:39.0603 0580 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
19:29:39.0619 0580 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
19:29:39.0619 0580 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
19:29:39.0619 0580 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
19:29:39.0635 0580 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
19:29:39.0635 0580 \Device\Harddisk0\DR0\TDLFS - deleted
19:29:39.0635 0580 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
19:30:18.0115 3752 Deinitialize success
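
The log above is the interesting part of this thread: every service binary hashed "ok", but the raw disk object \Device\Harddisk0\DR0 came back "warning" and then "detected TDSS File System", and the quarantine lines list the components TDSSKiller pulled out of that hidden file system (mbr, vbr, ldr32/ldr64, drv32/drv64, cmd32/cmd64, and so on). When you are reading many of these logs, the per-service noise hides the few lines that matter. The following is an added example written for this page, not code from Kaspersky's TDSSKiller or from the poster: a small Python triage parser that splits a TDSSKiller log into hashed objects, verdicts, detections, quarantine and user actions. The line patterns are assumptions inferred from the format shown in the post, and the sample log embedded in the code is constructed from a handful of lines modelled on it.

```python
"""Triage helper for TDSSKiller scan logs (added example; not TDSSKiller's own code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a few lines modelled on the TDSSKiller output in this thread.
SAMPLE_LOG = r"""
18:59:09.0718 3488 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\system32\HPZipm12.exe
18:59:09.0734 3488 Pml Driver HPZ12 - ok
18:59:13.0842 3488 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:59:13.0842 3488 xmlprov - ok
18:59:13.0874 3488 MBR (0x1B8) (0ac6d996bce152aed9600e6d6b797e2e) \Device\Harddisk0\DR0
18:59:13.0983 3488 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:59:13.0983 3488 \Device\Harddisk0\DR0 - detected TDSS File System (1)
18:59:13.0983 3488 Boot (0x1200) (dc04e25f6b086442cbde59d4674d0331) \Device\Harddisk0\DR0\Partition0
18:59:13.0983 3488 \Device\Harddisk0\DR0\Partition0 - ok
18:59:13.0999 3488 Scan finished
18:59:14.0014 0580 Detected object count: 1
19:29:39.0510 0580 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
19:29:39.0619 0580 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
19:29:39.0635 0580 \Device\Harddisk0\DR0\TDLFS - deleted
19:29:39.0635 0580 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
"""

# Line shapes assumed from the log format: "<time> <thread> <rest>", where <rest> is either
# "<name> (<md5>) <path>" for a hashed object, "<obj>[ ( <label> )] - <status>" for a
# verdict/action, or a bookkeeping line such as "Detected object count: N".
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<rest>.+)$")
HASHED_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
STATUS_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<label>.+?) \))? - (?P<status>.+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class TdssReport:
    hashed: list = field(default_factory=list)        # (name, md5, path)
    verdicts: dict = field(default_factory=dict)      # object -> last verdict seen
    detections: list = field(default_factory=list)    # (object, detail after "detected ")
    quarantined: list = field(default_factory=list)   # objects copied to quarantine
    deleted: list = field(default_factory=list)
    user_actions: list = field(default_factory=list)  # (object, chosen action)
    reported_count: Optional[int] = None
    other: list = field(default_factory=list)         # bookkeeping / unrecognised lines


def parse_tdsskiller_log(text: str) -> TdssReport:
    rep = TdssReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rep.other.append(line)
            continue
        rest = m["rest"]
        h = HASHED_RE.match(rest)
        if h:  # a file, MBR or boot sector with its MD5
            rep.hashed.append((h["name"], h["md5"], h["path"]))
            continue
        c = COUNT_RE.match(rest)
        if c:
            rep.reported_count = int(c["n"])
            continue
        s = STATUS_RE.match(rest)
        if not s:
            rep.other.append(line)
            continue
        obj, status = s["obj"], s["status"]
        if status in ("ok", "warning"):
            rep.verdicts[obj] = status
        elif status.startswith("detected "):  # "detected" supersedes an earlier "warning"
            rep.verdicts[obj] = status
            rep.detections.append((obj, status[len("detected "):]))
        elif status == "copied to quarantine":
            rep.quarantined.append(obj)
        elif status == "deleted":
            rep.deleted.append(obj)
        elif status.startswith("User select action: "):
            rep.user_actions.append((obj, status.split(": ", 1)[1]))
        else:
            rep.other.append(line)
    return rep


def mbr_md5(rep: TdssReport) -> Optional[str]:
    """MD5 TDSSKiller recorded for the MBR object, or None if no MBR line was seen."""
    for name, md5, _path in rep.hashed:
        if name.startswith("MBR"):
            return md5
    return None


def is_clean(rep: TdssReport) -> bool:
    """True only if nothing was detected and no object was left at 'warning'."""
    return not rep.detections and "warning" not in rep.verdicts.values()


if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    print("clean:", is_clean(report), "| reported detections:", report.reported_count)
    for obj, detail in report.detections:
        print("DETECTED", obj, "->", detail)
    print("quarantined:", len(report.quarantined), "| user actions:", report.user_actions)
    print("MBR md5:", mbr_md5(report))
```

Two caveats when using the MBR line for triage. First, a single verdict of "warning" with no later "detected" line is still a dirty result, which is why `is_clean()` checks both. Second, the MBR hash in a log like this was read from inside the running, infected system; a bootkit that sits below the file system can serve the original sector contents back to a reader, so a hash that matches a known-good MBR is not proof on its own. Compare it with a hash taken from the same disk while booted from clean media before treating the machine as clean.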

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:50 AM

Posted 05 May 2012 - 06:41 PM

First, continue on with ComboFix; that will likely reboot your system for you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 cmango

cmango
  • Topic Starter

  • Members
  • 31 posts
  • Local time:06:50 AM

Posted 05 May 2012 - 07:29 PM

Here is the log from ComboFix. I should point out that when I first disabled Norton, I chose the "enable upon reboot" option instead of "permanent disable". Hope that didn't affect anything.

ComboFix 12-05-05.06 - HP_Administrator 05/05/2012 19:59:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1676 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator.DESKTOP\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\388cLdcK.exe
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Guest.MANGODESKTOP\Application Data\E027A1A4.exe
c:\documents and settings\Guest.MANGODESKTOP\WINDOWS
c:\documents and settings\Guest\WINDOWS
c:\documents and settings\HP_Administrator.DESKTOP\WINDOWS
c:\documents and settings\NetworkService\Application Data\E027A1A4.exe
c:\documents and settings\User.MANGO\WINDOWS
c:\documents and settings\User\WINDOWS
c:\windows\$NtUninstallKB32694$
c:\windows\$NtUninstallKB32694$\3384260097\@
c:\windows\$NtUninstallKB32694$\3384260097\cfg(2).ini
c:\windows\$NtUninstallKB32694$\3384260097\cfg(3).ini
c:\windows\$NtUninstallKB32694$\3384260097\cfg.ini
c:\windows\$NtUninstallKB32694$\3384260097\Desktop.ini
c:\windows\$NtUninstallKB32694$\3384260097\L\aqaeidou
c:\windows\$NtUninstallKB32694$\3384260097\oemid
c:\windows\$NtUninstallKB32694$\3384260097\U\00000001.@
c:\windows\$NtUninstallKB32694$\3384260097\U\00000002.@
c:\windows\$NtUninstallKB32694$\3384260097\U\00000004.@
c:\windows\$NtUninstallKB32694$\3384260097\U\80000000.@
c:\windows\$NtUninstallKB32694$\3384260097\U\80000004.@
c:\windows\$NtUninstallKB32694$\3384260097\U\80000032.@
c:\windows\$NtUninstallKB32694$\3384260097\version
c:\windows\$NtUninstallKB32694$\3928550624
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\Tasks\At1.job
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-04-06 to 2012-05-06 )))))))))))))))))))))))))))))))
.
.
2012-05-05 23:29 . 2012-05-05 23:29 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-05 14:32 . 2012-05-05 14:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-05 14:32 . 2012-05-05 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-05 14:32 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-04 21:55 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-05-03 23:58 . 2012-05-03 23:58 -------- d-----w- c:\windows\system32\scripting
2012-05-03 23:58 . 2012-05-03 23:58 -------- d-----w- c:\windows\system32\en
2012-05-03 23:58 . 2012-05-03 23:58 -------- d-----w- c:\windows\system32\bits
2012-05-03 23:26 . 2008-04-14 00:12 20992 ------w- c:\windows\system32\spupdwxp.exe
2012-05-03 23:25 . 2004-08-04 05:41 13776 ------w- c:\windows\system32\drivers\recagent.sys
2012-05-03 23:24 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2012-05-03 23:01 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-05-03 23:00 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-05-03 22:59 . 2012-05-03 22:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-03 22:59 . 2012-05-03 22:59 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-03 22:59 . 2012-05-03 22:59 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-03 06:46 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-05-03 06:46 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2012-05-03 06:46 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2012-05-03 06:46 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-05-03 06:46 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-05-03 06:46 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-05-03 05:23 . 2012-05-05 12:52 -------- d-sh--r- c:\windows\system32\dllcache
2012-05-03 04:04 . 2012-05-03 04:04 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-05-03 04:04 . 2012-05-03 04:04 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-05-03 04:03 . 2012-05-03 23:47 -------- d-----w- c:\windows\system32\drivers\NAV
2012-05-03 04:03 . 2012-05-03 04:03 -------- d-----w- c:\program files\Norton AntiVirus
2012-05-03 03:22 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-05-03 03:21 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-05-03 03:21 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-05-03 02:59 . 2006-07-27 07:34 151623 ----a-r- c:\windows\system32\cmasiop.dll
2012-05-03 02:59 . 2001-11-23 04:08 712704 ----a-r- c:\windows\system32\Audio3Dp.dll
2012-05-03 02:59 . 2006-12-22 06:10 1428544 ----a-r- c:\windows\system32\drivers\cmudaxp.sys
2012-05-03 02:59 . 2006-10-13 04:03 253952 ----a-r- c:\windows\system32\cmrmdrvp.exe
2012-05-03 02:59 . 2006-10-04 03:47 32768 ----a-r- c:\windows\system32\cmudaxp.dll
2012-05-03 02:59 . 2005-04-13 07:29 32768 ----a-r- c:\windows\system32\CmPropP.dll
2012-05-03 02:59 . 2003-02-18 10:26 28672 ----a-r- c:\windows\system32\cmrmdrvp.dll
2012-05-03 02:59 . 2001-11-23 04:08 712704 ----a-r- c:\windows\system32\a3d.dll
2012-05-03 02:54 . 2012-05-06 00:11 -------- d-----w- c:\documents and settings\HP_Administrator.DESKTOP
2012-05-03 02:52 . 2011-12-15 23:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2012-05-03 02:52 . 2011-12-10 01:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-05-03 02:52 . 2011-12-10 01:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-05-03 02:52 . 2011-12-15 23:51 -------- d-sh--w- c:\documents and settings\Default User\IECompatCache
2012-05-03 02:11 . 2012-05-03 02:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ
2012-05-02 22:25 . 2012-05-02 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2012-04-27 00:34 . 2012-04-27 00:34 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-04-26 01:29 . 2012-04-26 01:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-04-16 07:13 . 2012-04-27 03:22 -------- d-----w- c:\documents and settings\Guest.MANGODESKTOP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 00:02 . 2012-05-04 00:02 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2012-05-04 00:02 . 2012-05-04 00:02 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2012-05-04 00:02 . 2012-05-04 00:02 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2012-05-04 00:02 . 2012-05-04 00:02 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2012-05-04 00:02 . 2012-05-04 00:02 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2012-05-04 00:02 . 2012-05-04 00:02 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2012-05-04 00:02 . 2012-05-04 00:02 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2012-05-04 00:02 . 2012-05-04 00:02 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2012-03-01 11:01 . 2004-08-10 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-10 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-10 19:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2004-08-10 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-10 12:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-13 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"nwiz"="nwiz.exe" [2005-08-02 1519616]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-9-22 813584]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-9 36903]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1307000.009\symds.sys [5/3/2012 7:21 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1307000.009\symefa.sys [5/3/2012 7:21 PM 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120413.001\BHDrvx86.sys [4/13/2012 1:34 AM 821880]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1307000.009\ccsetx86.sys [5/3/2012 7:21 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1307000.009\ironx86.sys [5/3/2012 7:21 PM 149624]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.7.0.9\ccsvchst.exe [5/3/2012 7:21 PM 138232]
R3 cmudaxp;C-Media Oxygen HD Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [5/2/2012 10:59 PM 1428544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/3/2012 7:22 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120505.001\IDSXpx86.sys [5/4/2012 11:34 PM 356792]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-05-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-20 15:37]
.
2012-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc9102e2c8863a.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 03:27]
.
2012-05-06 c:\windows\Tasks\User_Feed_Synchronization-{3C21731E-BA6B-4548-9EFB-E168C13806D7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2012-05-06 c:\windows\Tasks\User_Feed_Synchronization-{50821992-E0FF-439C-9D52-E35BBBFFE036}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2012-05-06 c:\windows\Tasks\User_Feed_Synchronization-{6314B4A9-4E29-4CDD-96ED-0A6FFC82853E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2012-05-06 c:\windows\Tasks\User_Feed_Synchronization-{FD8EB278-90B2-4690-9374-2D19C2242FB8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-Cmaudio8788 - cmicnfgp.cpl
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-05 20:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.7.0.9\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.7.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2356)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1.DES\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\system32\RunDll32.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-05 20:25:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-06 00:25
.
Pre-Run: 170,080,137,216 bytes free
Post-Run: 171,247,177,728 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - AC6AAFB3B9268620B925D84AD8720D53

#8 CatByte


Posted 05 May 2012 - 07:40 PM

Hi,

Please do the following:

  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 cmango


Posted 05 May 2012 - 08:15 PM

Malwarebytes didn't find any threats:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.06.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Administrator :: DESKTOP [administrator]

5/5/2012 8:46:15 PM
mbam-log-2012-05-05 (20-46-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 339554
Time elapsed: 10 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
==================================================================================

After I agreed to terms of use on eset.com, I tried to install the ActiveX and some other add-on but an IE message kept popping up saying I had to resend the information in order to display it, but when I clicked on Retry the page wouldn't reload. I tried it several times.

#10 CatByte


Posted 05 May 2012 - 08:28 PM

Did you disable Norton?

Clear your Internet history and cookies and give it another try.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 cmango


Posted 05 May 2012 - 10:52 PM

OK, I got it to work:

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\388cLdcK.exe.vir a variant of Win32/Kryptik.AEVI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Guest.MANGODESKTOP\Application Data\E027A1A4.exe.vir a variant of Win32/Kryptik.AEVI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\E027A1A4.exe.vir a variant of Win32/Kryptik.AEVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP17\A0011438.exe a variant of Win32/Kryptik.AEYL trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0014199.exe a variant of Win32/Kryptik.XBT trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0015398.exe a variant of Win32/Kryptik.AEVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0015399.exe a variant of Win32/Kryptik.AEVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0015400.exe a variant of Win32/Kryptik.AEVI trojan
C:\TDSSKiller_Quarantine\05.05.2012_18.58.13\tdlfs0000\tsk0005.dta a variant of Win32/Kryptik.XEZ trojan

#12 CatByte


Posted 06 May 2012 - 06:56 AM

Hi,

The items found by ESET were in quarantine already, which we shall be clearing up shortly.

Please go to Start > Control Panel > Add/Remove Programs > when the list of your installed programs populates, scroll down to the following program and remove it:

J2SE Runtime Environment 5.0 Update 5


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Please post a fresh DDS log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
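CatByte's reading of the ESET results, that every hit sits in a quarantine folder or an old System Restore point rather than in a live location, is the kind of triage worth automating when reviewing scanner output. The script below is an added example, not code from this thread, from ESET or from ComboFix; it parses exported lines in the format shown in post #11, assumes the folder naming seen in the logs above (ComboFix's Qoobox quarantine, the TDSSKiller_Quarantine folder, and XP's `System Volume Information\_restore{GUID}\RPnn` layout), and adds one constructed line in a live profile location to show the case that would still need attention.

```python
"""Triage exported scanner results by where each detection lives.

Added example (not from the thread or any vendor). Each result line has the
form "<path> <detection text>", as ESET Online Scanner exports it. Paths are
sorted into three buckets:
  QUARANTINE    - already neutralised copies held by a removal tool
  RESTORE_POINT - inactive copies inside System Restore snapshots
  LIVE          - anything else, i.e. a location that can still execute
"""
import re
from collections import Counter

# Result lines exactly as posted in the thread (post #11).
THREAD_RESULTS = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\388cLdcK.exe.vir a variant of Win32/Kryptik.AEVI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Guest.MANGODESKTOP\Application Data\E027A1A4.exe.vir a variant of Win32/Kryptik.AEVI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\E027A1A4.exe.vir a variant of Win32/Kryptik.AEVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP17\A0011438.exe a variant of Win32/Kryptik.AEYL trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0014199.exe a variant of Win32/Kryptik.XBT trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0015398.exe a variant of Win32/Kryptik.AEVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0015399.exe a variant of Win32/Kryptik.AEVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP19\A0015400.exe a variant of Win32/Kryptik.AEVI trojan
C:\TDSSKiller_Quarantine\05.05.2012_18.58.13\tdlfs0000\tsk0005.dta a variant of Win32/Kryptik.XEZ trojan
"""

# Constructed line (not from the thread): a hit in a live profile folder, with
# a made-up detection name, to exercise the LIVE bucket.
CONSTRUCTED_LIVE = r"""
C:\Documents and Settings\User\Application Data\example.exe a variant of Win32/Example.A trojan
"""

# Path starts with a drive letter; the detection text starts with
# "a variant of" / "probably a variant of" or a Win32/Win64 family name.
# Paths contain spaces, so the path group is non-greedy and the detection
# group anchors the split.
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably )?a variant of \S+.*|Win(?:32|64)/\S+.*)$"
)

# Quarantine folders used by the tools run in this thread (assumed layout).
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\tdsskiller_quarantine\\")

# XP System Restore snapshot layout: System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I
)


def parse_result(line):
    """Split one exported line into (path, detection); None if it is not a result."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection")


def classify_path(path):
    """Bucket a detected file by whether it can still run from where it sits."""
    low = path.lower()
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "QUARANTINE"
    if RESTORE_RE.search(low):
        return "RESTORE_POINT"
    return "LIVE"


def triage(text):
    """Return (Counter of buckets, list of (path, detection) still in LIVE locations)."""
    counts = Counter()
    live = []
    for line in text.splitlines():
        parsed = parse_result(line)
        if parsed is None:
            continue  # blank or unrecognised line
        path, detection = parsed
        bucket = classify_path(path)
        counts[bucket] += 1
        if bucket == "LIVE":
            live.append((path, detection))
    return counts, live


if __name__ == "__main__":
    counts, live = triage(THREAD_RESULTS + CONSTRUCTED_LIVE)
    for bucket in ("QUARANTINE", "RESTORE_POINT", "LIVE"):
        print(f"{bucket:14s} {counts[bucket]}")
    for path, detection in live:
        print("needs attention:", path, "->", detection)
```

Run on the thread's own nine lines the script reports 4 quarantine and 5 restore-point hits and nothing live, which is exactly the conclusion drawn in this post; the constructed tenth line is the only one it would flag. Quarantine copies are removed when the removal tool is uninstalled, and restore-point copies go away when System Restore is flushed, so the LIVE bucket is the one worth reading first.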


#13 cmango


Posted 06 May 2012 - 09:56 AM

I deleted the Java item you listed. I could not install Adobe X. I kept getting various error messages, even after I disabled Norton. One said that Adobe 7 was using files that needed to be updated, but I couldn't figure out how to close it. Should I uninstall Adobe 7 from Add/Remove Programs?

#14 CatByte


Posted 06 May 2012 - 10:22 AM

Try using Revo Uninstaller to remove all traces of Adobe, then give it another try.


Download and install the Revo Uninstaller
  • Double click the new Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish
  • Repeat the above steps for any other programs you wish to remove.


NEXT


Please advise if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 cmango


Posted 06 May 2012 - 12:46 PM

Revo found leftover registry items and is asking me to "please carefully verify the bolded items! Only checked bolded items and their subitems will be deleted!" I'm not sure how to verify the items. Should I just check all of them and let Revo delete? I wish I could post a screen shot of the dialogue box for you here.



