
Recovering from Antimalware Doctor infection


  • This topic is locked
12 replies to this topic

#1 gordon7322

gordon7322

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 06 May 2012 - 04:15 PM

I'm not entirely sure that this is the right section, but if you can help me out that would be great.

I have a Dell Windows XP Professional SP 3 and was infected by Antimalware Doctor.

Here's the current situation so far: I used Malwarebytes Anti-Malware (full scan) to remove the malicious files; however, some symptoms remain from the infection.

1. My drivers (most noticeably the keyboard and the monitor) were corrupted; however, I was only able to fix the keyboard, not the monitor (resolution stuck at the lowest setting, 640 x 480 at 16-bit color).
2. There is a Startup folder located in Start > Programs that says it's empty, which might mean there could be a hidden file in there. I read online that the hidden contents in this folder might be the cause of the video driver failure.
3. When right-clicking any file, a Windows Installer window pops up asking for a path containing the installation package "Symantec AntiVirus.msi", and when I press Cancel it pops up a second time.

Here's a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:06:42 PM, on 5/6/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivX Download Manager] "C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" start
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159662860156
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

Edited by gordon7322, 06 May 2012 - 04:18 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:19 PM

Posted 09 May 2012 - 10:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

This infection changes settings on your computer so that when you launch an executable (a file ending in .exe), it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes.

Download FixNCR.reg to your desktop.

Run the program.

===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

If needed:
The scan will also create an Attach.txt log; I would also like to see its content.
Please post it in another post for my review; do not attach the file.


===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.
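nasdaq's first step restores the executable file association that this family of rogues rewrites, so that double-clicking any .exe no longer runs the rogue first. The script below is an added example, not part of this thread and not the contents of FixNCR.reg: it parses a Windows .reg export (the sample export embedded here is constructed, including the placeholder rogue path), reports every association key whose default value is not the Windows default (`exefile` for HKCR\.exe, `"%1" %*` for the exefile/comfile/batfile open commands), and builds a minimal restore file of its own for those keys. It assumes the keys were exported from HKCR; a per-user override under HKCU\Software\Classes would need to be exported and checked the same way.

```python
r"""Added example: detect (and write a restore file for) hijacked executable
file associations in a Windows .reg export. Not part of the thread or of
FixNCR.reg; the sample export and the rogue path in it are constructed.

On the affected machine the live keys can be exported with, for example:
    reg export HKCR\exefile exefile.reg
Windows writes .reg files as UTF-16, so open them with encoding="utf-16".
"""
import re

# Known-good Windows default values for the keys this kind of rogue rewrites.
# HKCR\.exe names the handler type; the *file\shell\open\command keys say how
# that type is launched.  "%1" %* means "run the file itself with its args".
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": ("@", "exefile"),
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": ("@", '"%1" %*'),
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": ("@", '"%1" %*'),
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": ("@", '"%1" %*'),
}

# One .reg value line: @="..." for the default value or "Name"="...".
# String bodies escape backslash and double quote with a backslash.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg string escaping: backslash-backslash and backslash-quote.
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    # Apply .reg string escaping.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Return {key_path_lowercase: {value_name: string_value}} for REG_SZ values.

    dword:/hex: values and comment lines are skipped; key names are lowercased
    because the registry itself is case-insensitive.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is not None and m:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def find_hijacks(text):
    """Return [(key, value_name, actual, expected)] for every EXPECTED key
    present in the export whose value is not the Windows default."""
    keys = parse_reg(text)
    findings = []
    for key, (name, expected) in EXPECTED.items():
        values = keys.get(key.lower())
        if values is None:
            continue  # key not in this export
        actual = values.get(name)
        if actual != expected:
            findings.append((key, name, actual, expected))
    return findings


def restore_reg():
    """Build a .reg file that puts every EXPECTED key back to its default.
    This is our own minimal restore file, not FixNCR.reg."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, (name, expected) in EXPECTED.items():
        lines.append(f"[{key}]")
        lhs = "@" if name == "@" else f'"{_escape(name)}"'
        lines.append(f'{lhs}="{_escape(expected)}"')
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: .exe still maps to exefile, but exefile's open
# command has been pointed at a (placeholder) rogue binary that then runs the
# real target, which is the behaviour nasdaq describes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\rogue-placeholder.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, name, actual, expected in find_hijacks(SAMPLE_EXPORT):
        print(f"HIJACKED {key}\n  value {name!r} is {actual!r}\n  expected {expected!r}")
    print("\nrestore file:\n" + restore_reg())
```

Run against the sample, the check flags only the exefile open command; the restore file it writes parses back clean through the same checker, which is a cheap way to confirm the repair before importing it. A mismatch reported here is worth keeping alongside the tool logs nasdaq asks for, since it records exactly which launcher key the rogue held.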

#3 gordon7322

gordon7322
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 10 May 2012 - 06:29 PM

(EDIT: The attach log was accidentally posted along with this dds log, however I reposted it.)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Administrator at 15:40:02 on 2012-05-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.122 [GMT -7:00]
.
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159662860156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{F635068C-5177-4BEB-B14E-C09FD9EA516E} : DhcpNameServer = 75.75.75.75 75.75.76.76
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-5 654408]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2004-8-11 547744]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-5 22344]
S1 AW_HOST;AW_HOST;c:\windows\system32\drivers\aw_host5.sys --> c:\windows\system32\drivers\aw_host5.sys [?]
S1 awlegacy;awlegacy;c:\windows\system32\drivers\awlegacy.sys --> c:\windows\system32\drivers\awlegacy.sys [?]
S1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys --> c:\program files\symantec antivirus\savrt.sys [?]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\savrtpel.sys --> c:\program files\symantec antivirus\Savrtpel.sys [?]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\rtvscan.exe" --> c:\program files\symantec antivirus\Rtvscan.exe [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe --> c:\program files\symantec\pcanywhere\awhost32.exe [?]
S3 ed_bus;Encrypted Disk Manager;c:\windows\system32\drivers\xcrdisk.sys [2006-10-7 28032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 im_bus;Paragon Image Mounter;c:\windows\system32\drivers\imounter.sys --> c:\windows\system32\drivers\imounter.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20110320.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20110320.003\naveng.sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20110320.003\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20110320.003\navex15.sys [?]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\savroam.exe" --> c:\program files\symantec antivirus\SavRoam.exe [?]
.
=============== Created Last 30 ================
.
2012-05-06 02:44:44 -------- d-s---w- C:\ComboFix
2012-05-06 02:11:41 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-05-06 02:10:22 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-06 02:10:21 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-06 02:10:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-06 01:37:37 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-05-06 01:37:35 -------- d-----w- c:\program files\Trend Micro
2012-05-06 01:31:25 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2012-05-06 01:31:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-06 01:31:03 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-05-06 01:12:23 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2012-04-28 17:27:10 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-04-28 17:27:10 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-04-28 16:39:59 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-04-28 16:39:59 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2000JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8333D439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x833437d0]; MOV EAX, [0x8334384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83350AB8]
3 CLASSPNP[0xF8838FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83383030]
\Driver\atapi[0x8337BA48] -> IRP_MJ_CREATE -> 0x8333D439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD2000JB-00REA0_____________________20.00K20#5&27d7eb1e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8333D27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:42:24.01 ===============

Edited by gordon7322, 10 May 2012 - 06:39 PM.


#4 gordon7322 (Topic Starter)

Posted 10 May 2012 - 06:33 PM

Now for Combofix, everything was fine up until combofix was scanning. Before the scan was able to finish, the computer suddenly restarted and I didn't get a log saved on my desktop. I even disabled all antivirus and antispyware programs before doing the scan. What do I do now?

Here is that security check up log:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Symantec AntiVirus
McAfee Security Scan Plus
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
CCleaner (remove only)
Java™ 6 Update 2
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
``````````End of Log````````````

#5 gordon7322 (Topic Starter)

Posted 10 May 2012 - 06:36 PM

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/30/2006 1:41:16 PM
System Uptime: 5/10/2012 3:32:25 PM (0 hours ago)
.
Motherboard: Dell Computer Corp. | | 00T606
Processor: Intel® Pentium® 4 CPU 2.40GHz | Microprocessor | 2399/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 186 GiB total, 28.908 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01261028&REV_01\3&172E68DD&0&10
Manufacturer: Intel Corporation
Name: Intel® 82845G/GL/GE/PE/GV Graphics Controller
PNP Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01261028&REV_01\3&172E68DD&0&10
Service: ialm
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
1400
1400_Help
1400Trb
aaa
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.8 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1
AIM 7
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 5.0
Bonjour
CCleaner (remove only)
CmdHere Powertoy For Windows XP
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Defraggler (remove only)
Download Updater (AOL LLC)
Fax
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB939209)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 2050 J510 series Basic Device Software
HP Deskjet 2050 J510 series Help
HP Deskjet 2050 J510 series Product Improvement Study
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Update
Image Resizer Powertoy for Windows XP
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
iTunes
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 2
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.61.0.1400
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero PhotoShow Express
Nero Suite
OGA Notifier 2.0.0048.0
PowerDVD
ProductContext
QuickTime
Readme
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
SUPERAntiSpyware
Symantec AntiVirus
Symantec pcAnywhere
TouchCopy 09
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.5
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
5/5/2012 9:48:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/5/2012 9:42:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/5/2012 9:39:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD awlegacy AW_HOST eeCtrl Fips Gernuwa intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL SAVRT SAVRTPEL SPBBCDrv Tcpip WS2IFSL
5/5/2012 9:39:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/5/2012 9:39:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/5/2012 9:39:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/5/2012 9:39:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/5/2012 9:39:51 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/5/2012 9:39:51 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/5/2012 9:35:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy AW_HOST eeCtrl Fips Gernuwa intelppm OMCI SASDIFSV SASKUTIL SAVRT SAVRTPEL SPBBCDrv
5/5/2012 9:34:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/5/2012 9:34:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/5/2012 5:54:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy AW_HOST eeCtrl Gernuwa i8042prt SAVRT SAVRTPEL SPBBCDrv
5/5/2012 5:54:18 PM, error: Service Control Manager [7000] - The Symantec SPBBCSvc service failed to start due to the following error: The system cannot find the path specified.
5/5/2012 5:54:18 PM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.
5/5/2012 5:35:35 PM, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
5/5/2012 5:35:35 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.
5/5/2012 5:06:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy AW_HOST eeCtrl Gernuwa SAVRT SAVRTPEL SPBBCDrv
.
==== End Of File ===========================

#6 nasdaq (Malware Response Team)

Posted 11 May 2012 - 08:36 AM

Warning: possible TDL3 rootkit infection !


We must take care of this.

Before we do anything else please run these tools.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
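The line nasdaq quotes comes from the GMER MBR/rootkit detector section of the DDS attach log in post #3, and the reason it fires is visible in that output: the disk I/O trace passes through an address that belongs to no loaded driver image, and atapi's DriverStartIo entry is redirected. As an added example that is not part of this thread or of GMER/TDSSKiller, the Python below parses that detector output (the infected excerpt is constructed from the lines posted above; the clean sample is constructed for contrast) and turns it into triage findings, including the caveat that "user & kernel MBR OK" does not clear the machine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt: the GMER "Stealth MBR rootkit" detector section as it
# appears in the DDS attach log posted earlier in this thread (only the lines used here).
GMER_OUTPUT = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2000JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8333D439]<<
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83350AB8]
3 CLASSPNP[0xF8838FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83383030]
\Driver\atapi[0x8337BA48] -> IRP_MJ_CREATE -> 0x8333D439
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8333D27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Constructed clean sample (hypothetical, for contrast): every module in the disk
# I/O path is a named image, nothing is hooked and no warning line is printed.
CLEAN_OUTPUT = r"""
device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83350AB8]
\Driver\atapi[0x8337BA48] -> IRP_MJ_CREATE -> 0xF8590000
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\atapi[0x8337BA48] -> IRP_MJ_CREATE -> 0x8333D439": driver, IRP major, target
DISPATCH_RE = re.compile(
    r"^(\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")
# "\Driver\atapi DriverStartIo -> 0x8333D27F": driver, hooked entry point, target
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")


@dataclass
class GmerReport:
    mbr_user_ok: bool = False
    mbr_kernel_ok: bool = False
    mbr_consistent: bool = False                 # the "user & kernel MBR OK" line
    unknown_modules: List[str] = field(default_factory=list)   # addresses inside >>UNKNOWN [..]<<
    dispatch: List[Tuple[str, str, str]] = field(default_factory=list)
    hooks: List[Tuple[str, str, str]] = field(default_factory=list)
    warning: Optional[str] = None


@dataclass
class Finding:
    kind: str
    detail: str


def parse_gmer(text: str) -> GmerReport:
    """Extract MBR status, unknown code in the disk I/O path, IRP dispatch targets and hooks."""
    rep = GmerReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append(m.groups())
                continue
            in_hooks = False            # first non-hook line closes the section
        if line.startswith("user: MBR read successfully"):
            rep.mbr_user_ok = True
        elif line.startswith("kernel: MBR read successfully"):
            rep.mbr_kernel_ok = True
        elif line.startswith("user & kernel MBR OK"):
            rep.mbr_consistent = True
        elif line.startswith("Warning:"):
            rep.warning = line
        rep.unknown_modules.extend(a.lower() for a in UNKNOWN_RE.findall(line))
        m = DISPATCH_RE.match(line)
        if m:
            rep.dispatch.append(m.groups())
    return rep


def assess(rep: GmerReport) -> List[Finding]:
    """Correlate the parsed fields into findings a responder would act on."""
    findings: List[Finding] = []
    unknown = set(rep.unknown_modules)
    for addr in sorted(unknown):
        findings.append(Finding("unknown_module",
                                f"disk I/O path runs through {addr}, which belongs to no loaded driver image"))
    for driver, major, target in rep.dispatch:
        if target.lower() in unknown:   # the dispatch routine itself points into that unknown code
            findings.append(Finding("hijacked_dispatch", f"{driver} {major} handler redirected to {target}"))
    for driver, entry, target in rep.hooks:
        findings.append(Finding("hook", f"{driver} {entry} hooked -> {target}"))
    if rep.warning:
        findings.append(Finding("warning", rep.warning))
    return findings


def is_suspicious(rep: GmerReport) -> bool:
    # A consistent MBR is not exoneration: TDL3 lives in a patched driver's code path,
    # not in the boot sector, so hooks and unknown code count regardless of mbr_consistent.
    return bool(rep.unknown_modules or rep.hooks or rep.warning)


if __name__ == "__main__":
    for label, text in (("posted log", GMER_OUTPUT), ("clean sample", CLEAN_OUTPUT)):
        report = parse_gmer(text)
        print(f"{label}: suspicious={is_suspicious(report)} mbr_consistent={report.mbr_consistent}")
        for f in assess(report):
            print(f"  [{f.kind}] {f.detail}")
```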

#7 gordon7322 (Topic Starter)

Posted 11 May 2012 - 08:50 PM

TDSS rootkit log

18:12:48.0421 0680 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
18:12:49.0015 0680 ============================================================
18:12:49.0015 0680 Current date / time: 2012/05/11 18:12:49.0015
18:12:49.0015 0680 SystemInfo:
18:12:49.0015 0680
18:12:49.0015 0680 OS Version: 5.1.2600 ServicePack: 3.0
18:12:49.0015 0680 Product type: Workstation
18:12:49.0015 0680 ComputerName: SRV000
18:12:49.0015 0680 UserName: Administrator
18:12:49.0015 0680 Windows directory: C:\WINDOWS
18:12:49.0015 0680 System windows directory: C:\WINDOWS
18:12:49.0015 0680 Processor architecture: Intel x86
18:12:49.0015 0680 Number of processors: 1
18:12:49.0015 0680 Page size: 0x1000
18:12:49.0015 0680 Boot type: Normal boot
18:12:49.0015 0680 ============================================================
18:12:51.0343 0680 Drive \Device\Harddisk0\DR0 - Size: 0x2E93E36000 (186.31 Gb), SectorSize: 0x200, Cylinders: 0x5F01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:12:51.0343 0680 Drive \Device\Harddisk1\DR2 - Size: 0x1E1600000 (7.52 Gb), SectorSize: 0x200, Cylinders: 0x3D5, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:12:51.0343 0680 ============================================================
18:12:51.0343 0680 \Device\Harddisk0\DR0:
18:12:51.0343 0680 MBR partitions:
18:12:51.0343 0680 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1749DD82
18:12:51.0343 0680 \Device\Harddisk1\DR2:
18:12:51.0343 0680 MBR partitions:
18:12:51.0343 0680 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0xF0AFC1
18:12:51.0343 0680 ============================================================
18:12:51.0375 0680 C: <-> \Device\Harddisk0\DR0\Partition0
18:12:51.0375 0680 ============================================================
18:12:51.0375 0680 Initialize success
18:12:51.0375 0680 ============================================================
18:12:56.0390 2936 ============================================================
18:12:56.0390 2936 Scan started
18:12:56.0390 2936 Mode: Manual;
18:12:56.0390 2936 ============================================================
18:12:56.0562 2936 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
18:12:56.0578 2936 !SASCORE - ok
18:12:56.0796 2936 A3AB (21af8e9c727c6d7643ad497268f55bf1) C:\WINDOWS\system32\DRIVERS\A3AB.sys
18:12:56.0828 2936 A3AB - ok
18:12:56.0859 2936 Abiosdsk - ok
18:12:56.0906 2936 abp480n5 - ok
18:12:56.0968 2936 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:12:56.0968 2936 ACPI - ok
18:12:57.0015 2936 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:12:57.0015 2936 ACPIEC - ok
18:12:57.0046 2936 adpu160m - ok
18:12:57.0093 2936 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
18:12:57.0109 2936 aeaudio - ok
18:12:57.0156 2936 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:12:57.0171 2936 aec - ok
18:12:57.0218 2936 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
18:12:57.0218 2936 AFD - ok
18:12:57.0250 2936 Aha154x - ok
18:12:57.0281 2936 aic78u2 - ok
18:12:57.0312 2936 aic78xx - ok
18:12:57.0375 2936 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:12:57.0390 2936 Alerter - ok
18:12:57.0437 2936 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:12:57.0437 2936 ALG - ok
18:12:57.0468 2936 AliIde - ok
18:12:57.0500 2936 amsint - ok
18:12:57.0593 2936 Apple Mobile Device (d503df3aba595f551b98b9bae017a271) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:12:57.0593 2936 Apple Mobile Device - ok
18:12:57.0671 2936 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
18:12:57.0687 2936 AppMgmt - ok
18:12:57.0718 2936 asc - ok
18:12:57.0750 2936 asc3350p - ok
18:12:57.0781 2936 asc3550 - ok
18:12:57.0953 2936 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
18:12:58.0000 2936 aspnet_state - ok
18:12:58.0046 2936 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:12:58.0046 2936 AsyncMac - ok
18:12:58.0078 2936 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:12:58.0093 2936 atapi - ok
18:12:58.0125 2936 Atdisk - ok
18:12:58.0187 2936 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:12:58.0187 2936 Atmarpc - ok
18:12:58.0234 2936 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:12:58.0234 2936 AudioSrv - ok
18:12:58.0312 2936 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:12:58.0312 2936 audstub - ok
18:12:58.0343 2936 awhost32 - ok
18:12:58.0375 2936 awlegacy - ok
18:12:58.0421 2936 AW_HOST - ok
18:12:58.0500 2936 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:12:58.0500 2936 Beep - ok
18:12:58.0593 2936 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:12:58.0656 2936 BITS - ok
18:12:58.0718 2936 Bonjour Service (ebad0f51d8d4dade7660b1851addbd07) C:\Program Files\Bonjour\mDNSResponder.exe
18:12:58.0734 2936 Bonjour Service - ok
18:12:58.0781 2936 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:12:58.0781 2936 Browser - ok
18:12:58.0859 2936 catchme - ok
18:12:58.0921 2936 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:12:58.0921 2936 cbidf2k - ok
18:12:58.0968 2936 ccEvtMgr - ok
18:12:59.0000 2936 ccSetMgr - ok
18:12:59.0031 2936 cd20xrnt - ok
18:12:59.0078 2936 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:12:59.0078 2936 Cdaudio - ok
18:12:59.0125 2936 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:12:59.0125 2936 Cdfs - ok
18:12:59.0187 2936 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:12:59.0187 2936 Cdrom - ok
18:12:59.0218 2936 Changer - ok
18:12:59.0265 2936 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:12:59.0265 2936 CiSvc - ok
18:12:59.0312 2936 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:12:59.0312 2936 ClipSrv - ok
18:12:59.0484 2936 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:12:59.0750 2936 clr_optimization_v2.0.50727_32 - ok
18:12:59.0781 2936 CmdIde - ok
18:12:59.0812 2936 COMSysApp - ok
18:12:59.0875 2936 Cpqarray - ok
18:13:00.0015 2936 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:13:00.0015 2936 CryptSvc - ok
18:13:00.0046 2936 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
18:13:00.0062 2936 CVirtA - ok
18:13:00.0078 2936 dac2w2k - ok
18:13:00.0109 2936 dac960nt - ok
18:13:00.0203 2936 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:13:00.0218 2936 DcomLaunch - ok
18:13:00.0250 2936 DefWatch - ok
18:13:00.0343 2936 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:13:00.0343 2936 Dhcp - ok
18:13:00.0390 2936 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:13:00.0390 2936 Disk - ok
18:13:00.0406 2936 dmadmin - ok
18:13:00.0531 2936 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:13:00.0562 2936 dmboot - ok
18:13:00.0609 2936 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:13:00.0609 2936 dmio - ok
18:13:00.0671 2936 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:13:00.0671 2936 dmload - ok
18:13:00.0734 2936 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:13:00.0734 2936 dmserver - ok
18:13:00.0843 2936 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:13:00.0843 2936 DMusic - ok
18:13:00.0906 2936 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
18:13:00.0906 2936 Dnscache - ok
18:13:01.0031 2936 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:13:01.0031 2936 Dot3svc - ok
18:13:01.0078 2936 dpti2o - ok
18:13:01.0109 2936 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:13:01.0125 2936 drmkaud - ok
18:13:01.0203 2936 E1000 (854293999e91bf2eb9e786166de4a35f) C:\WINDOWS\system32\DRIVERS\e1000325.sys
18:13:01.0218 2936 E1000 - ok
18:13:01.0250 2936 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:13:01.0250 2936 EapHost - ok
18:13:01.0343 2936 ed_bus (975304936a3d14faece2e8f162554ded) C:\WINDOWS\system32\DRIVERS\xcrdisk.sys
18:13:17.0203 2936 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
18:13:17.0234 2936 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
18:13:17.0234 2936 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
18:13:17.0265 2936 MBR (0x1B8) (08b26729634452d0c2889c002b1bb97c) \Device\Harddisk1\DR2
18:13:21.0718 2936 \Device\Harddisk1\DR2 - ok
18:13:21.0750 2936 Boot (0x1200) (38f9f59cb2dcb0d9484405518e062b3a) \Device\Harddisk0\DR0\Partition0
18:13:21.0750 2936 \Device\Harddisk0\DR0\Partition0 - ok
18:13:21.0765 2936 Boot (0x1200) (2b3d949886040684604d4b0800a5bcce) \Device\Harddisk1\DR2\Partition0
18:13:21.0765 2936 \Device\Harddisk1\DR2\Partition0 - ok
18:13:21.0781 2936 ============================================================
18:13:21.0781 2936 Scan finished
18:13:21.0781 2936 ============================================================
18:13:21.0828 2896 Detected object count: 1
18:13:21.0828 2896 Actual detected object count: 1
18:14:34.0875 2896 \Device\Harddisk0\DR0\# - copied to quarantine
18:14:34.0875 2896 \Device\Harddisk0\DR0 - copied to quarantine
18:14:34.0890 2896 \Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
18:14:34.0890 2896 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
18:14:34.0921 2896 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
18:14:34.0921 2896 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
18:14:34.0921 2896 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
18:14:34.0921 2896 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
18:14:34.0953 2896 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
18:14:34.0953 2896 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
18:14:34.0953 2896 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
18:14:35.0000 2896 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
18:14:35.0015 2896 \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
18:14:35.0031 2896 \Device\Harddisk0\DR0\TDLFS\dkmks.tmp - copied to quarantine
18:14:35.0046 2896 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
18:14:35.0046 2896 \Device\Harddisk0\DR0 - ok
18:14:36.0078 2896 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
18:14:43.0015 2704 Deinitialize success

#8 gordon7322
  • Topic Starter

Posted 11 May 2012 - 08:55 PM

aswMBR log is below and attached to this post is the zipped MBR dat file. I did not click fix after the scan.

Attached File: MBR.zip (499 bytes)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-11 18:18:57
-----------------------------
18:18:57.765 OS Version: Windows 5.1.2600 Service Pack 3
18:18:57.765 Number of processors: 1 586 0x204
18:18:57.765 ComputerName: SRV000 UserName:
18:18:59.640 Initialize success
18:30:15.437 AVAST engine defs: 12051101
18:30:47.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:30:47.765 Disk 0 Vendor: WDC_WD2000JB-00REA0 20.00K20 Size: 190782MB BusType: 3
18:30:47.796 Disk 0 MBR read successfully
18:30:47.796 Disk 0 MBR scan
18:30:47.859 Disk 0 Windows XP default MBR code
18:30:47.875 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 190779 MB offset 63
18:30:47.890 Disk 0 scanning sectors +390716865
18:30:47.953 Disk 0 scanning C:\WINDOWS\system32\drivers
18:31:02.468 Service scanning
18:31:18.828 Modules scanning
18:31:25.921 Disk 0 trace - called modules:
18:31:25.953 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
18:31:25.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x833a5ab8]
18:31:26.984 3 CLASSPNP.SYS[f8838fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8337ed98]
18:31:27.781 AVAST engine scan C:\WINDOWS
18:31:44.546 AVAST engine scan C:\WINDOWS\system32
18:34:58.312 AVAST engine scan C:\WINDOWS\system32\drivers
18:35:28.609 AVAST engine scan C:\Documents and Settings\Administrator
18:39:57.218 AVAST engine scan C:\Documents and Settings\All Users
18:40:53.937 Scan finished successfully
18:41:26.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:41:26.078 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

#9 gordon7322
  • Topic Starter

Posted 12 May 2012 - 12:51 AM

Hi nasdaq,

Everything is looking fine and running superb. As impatient as I was, I managed to fix all issues manually with the help of your cleaning tools and another useful program.
For those with issues similar to mine, I could help them out by telling them my thinking process and what I did.

After doing what nasdaq required of me (thanks to TDSSKiller.exe, the rootkit was quarantined and deleted), I began to investigate the issue of the video resolution problem. Before I asked for help, I mentioned that my keyboard wasn't working and in my Device Manager, it said the "driver may be corrupted or missing (code 39)". This led me to my solution, given on this forum post by Bas13. In my situation, the upperfilters' data were named "aw_host kbdclass". I modified ALL upperfilters containing kbdclass in the data to just "kbdclass". This then enabled my keyboard to work properly during the Windows log-in screen. Now then I wondered, what if the issue is occurring with the display driver as well? It turns out that "aw_host" was in the data part of the upperfilters in the registry display drivers. I believe aw_host was corrupting my drivers when the infection hit my computer. Aw_host is part of the pcAnywhere program from Symantec. This site informed me about upper and lower filter drivers. Just to make sure I didn't mess up my registry, I double checked on my other computers to see if they had the upperfilters name in the registry display driver. None of my non-infected computers contained the upperfilters name in the registry, so I commenced with the deletion of all the upperfilters that contained data with "aw_host". This fixed my resolution issue and my display driver is now fully functional with different resolution options.

Then my second issue, the SymantecAntivirus.msi Windows Installer popup after every right click, was still bothersome. I searched online for answers and one program actually helped me out. I installed CCleaner, ran the registry cleaner and removed the errors. BAM, the installation windows stopped popping up. However, I can't properly uninstall Symantec because it technically doesn't exist anymore, so it's stuck in the "Add or Remove Programs" list.

I wanted to delete AVG2011, but I couldn't find the program on the add or remove programs list, nor an uninstall executable. I searched online and found the solution, this website here. The AVG2011 removal worked flawlessly.

I then decided to try to see why ComboFix mysteriously rebooted in the middle of scanning, but first I had to uninstall it. In Run I entered "combofix /u"; however, this made the program run instead of uninstalling, since the uninstall switch is supposed to be "combofix /uninstall". I thought what the heck, why not give it another try, and to my surprise the scan completed and gave me a log, which I will post after this post for nasdaq to take a look at to see if there is anything left from the infection.

Thank you nasdaq for your time and assistance, I appreciate it. By the way, does everything look clean?

ComboFix 12-05-10.04 - Administrator 05/11/2012 20:57:36.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.217 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: /u
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS36.tmp
c:\documents and settings\Administrator\Application Data\Adobe\plugs
c:\documents and settings\Administrator\Application Data\Adobe\shed
c:\documents and settings\Administrator\Application Data\Local
c:\documents and settings\Administrator\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\Administrator\Application Data\Local\Temp\DDM\Settings\Inception_Trailer_592.divx.ddr
c:\documents and settings\Administrator\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\Administrator\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Inception_Trailer_592.divx
c:\documents and settings\Administrator\Local Settings\Application Data\{B885A623-64A6-4945-AE8A-CF0E9A8F1E5F}
c:\documents and settings\Administrator\Local Settings\Application Data\{B885A623-64A6-4945-AE8A-CF0E9A8F1E5F}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{B885A623-64A6-4945-AE8A-CF0E9A8F1E5F}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{B885A623-64A6-4945-AE8A-CF0E9A8F1E5F}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{B885A623-64A6-4945-AE8A-CF0E9A8F1E5F}\install.rdf
c:\documents and settings\Administrator\Local Settings\Temp\SAS36.tmp
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Judy_Admin\Desktop\Internet Explorer.lnk
c:\windows\system32\null0.9593086320388285.exe
c:\windows\system32\PowerToyReadme.htm
.
.
((((((((((((((((((((((((( Files Created from 2012-04-12 to 2012-05-12 )))))))))))))))))))))))))))))))
.
.
2012-05-12 03:08 . 2012-05-12 03:08 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-05-12 02:56 . 2012-05-12 02:56 -------- d-----w- c:\program files\CCleaner
2012-05-12 02:39 . 2012-05-12 02:39 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-05-12 02:39 . 2012-05-12 02:39 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-05-12 02:39 . 2012-05-12 02:39 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-05-12 02:39 . 2012-05-12 02:39 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-05-12 02:39 . 2012-05-12 02:39 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-05-12 02:39 . 2012-05-12 02:39 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-05-12 02:39 . 2012-05-12 02:39 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-05-12 02:39 . 2012-05-12 02:39 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-05-12 02:39 . 2012-05-12 02:39 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-05-12 02:39 . 2012-05-12 02:39 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-05-12 02:39 . 2012-05-12 02:39 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-05-12 02:38 . 2012-05-12 02:38 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-05-12 02:38 . 2012-05-12 02:38 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-05-12 02:38 . 2012-05-12 02:38 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-05-12 02:38 . 2012-05-12 02:38 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-05-12 02:38 . 2012-05-12 02:38 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-05-12 02:38 . 2012-05-12 02:38 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-05-12 01:14 . 2012-05-12 01:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-06 02:11 . 2012-05-06 02:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-05-06 02:10 . 2012-05-06 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-06 02:10 . 2012-05-06 02:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-06 02:10 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-06 01:37 . 2012-05-06 01:37 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-06 01:37 . 2012-05-06 01:37 -------- d-----w- c:\program files\Trend Micro
2012-05-06 01:12 . 2012-05-06 01:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-04-28 17:27 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-04-28 17:27 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-04-28 16:39 . 2001-08-17 20:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-04-28 16:39 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-31 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]
"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\xtras\mssysmgr.exe" [2005-02-26 212992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-03-19 273544]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\documents and settings\Jessica\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Judy_Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Shanice\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 22:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/5/2012 7:10 PM 654408]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [8/11/2004 2:27 PM 547744]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/5/2012 7:10 PM 22344]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 5:53 PM 135664]
S3 ed_bus;Encrypted Disk Manager;c:\windows\system32\drivers\xcrdisk.sys [10/7/2006 3:05 PM 28032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 5:53 PM 135664]
S3 im_bus;Paragon Image Mounter;c:\windows\system32\DRIVERS\imounter.sys --> c:\windows\system32\DRIVERS\imounter.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 59528530
*Deregistered* - 59528530
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-04-16 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-02-02 18:15]
.
2012-05-12 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-02-02 18:15]
.
2012-05-06 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-02-02 18:15]
.
2012-05-06 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-02-02 18:15]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd2b3454d08156.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 00:53]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 00:53]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1708537768-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-05-12 03:00]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1708537768-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-05-12 03:00]
.
2012-05-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
.
2012-05-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
2012-05-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-1708537768-839522115-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2012-05-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-1708537768-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2012-05-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-1708537768-839522115-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2012-05-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-1708537768-839522115-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2012-05-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-1708537768-839522115-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2011-04-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-1708537768-839522115-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2011-04-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-1708537768-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2011-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-1708537768-839522115-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2011-04-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-1708537768-839522115-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
2012-05-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-1708537768-839522115-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Notify-PCANotify - PCANotify.dll
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-11 21:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-1708537768-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,bb,5b,d8,e6,c9,d0,48,96,8c,b9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,bb,5b,d8,e6,c9,d0,48,96,8c,b9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2012-05-11 21:14:18
ComboFix-quarantined-files.txt 2012-05-12 04:14
.
Pre-Run: 32,139,067,392 bytes free
Post-Run: 32,863,637,504 bytes free
.
- - End Of File - - 8CA6097419D15C175E393E11532771A2
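The registry procedure gordon7322 describes above (find the class keys whose UpperFilters value contains a leftover filter driver name, keep the legitimate entries such as kbdclass, and drop the value entirely when nothing legitimate remains) can be done in a repeatable, auditable way. The following PowerShell script is an added example written for this thread; it is not code from either poster or from any of the tools they used. It assumes it is run from an Administrator prompt, that the filter name to look for is "aw_host" (the thread's case) unless another is passed in, and that the standard HKLM device class key path applies. By default it only reports; it changes nothing unless you pass -Remove, and it exports the whole Class key to a .reg file first so the change can be undone with reg import, as nasdaq advises.

```powershell
# Added example (not from the thread): audit and optionally clean a filter-driver
# name out of UpperFilters / LowerFilters values under the device class registry key.
# Assumptions: run as Administrator; $FilterName defaults to the thread's "aw_host";
# the class key path is the standard Windows one. Without -Remove, report only.
param(
    [string]$FilterName = 'aw_host',   # filter driver name to look for (assumption: the thread's case)
    [switch]$Remove                     # only rewrite/delete values when this switch is given
)

$classRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'

# 1. Back up the whole Class key first so a mistake can be undone with: reg import <file>
$backup = Join-Path $env:USERPROFILE ('Class-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Class' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# 2. Walk every device class GUID and inspect both filter value names.
foreach ($classKey in Get-ChildItem $classRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $classKey.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $className = $props.Class          # e.g. Keyboard, Display, Mouse

    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        $filters = $props.$valueName
        if (-not $filters) { continue }
        $filters = @($filters)         # REG_MULTI_SZ arrives as string[]; normalise a lone string

        # PowerShell -eq on strings is case-insensitive, which matches registry semantics.
        if (-not ($filters | Where-Object { $_ -eq $FilterName })) { continue }

        Write-Host ('{0,-12} {1}\{2} = [{3}]' -f $className, $classKey.PSChildName,
                    $valueName, ($filters -join ' '))

        if (-not $Remove) { continue }

        # 3. Keep the legitimate entries (for the keyboard class that is kbdclass) and
        #    drop only the named one.
        $remaining = @($filters | Where-Object { $_ -ne $FilterName })
        if ($remaining.Count -eq 0) {
            # Nothing legitimate left: delete the value, as was done for the display class.
            Remove-ItemProperty -Path $classKey.PSPath -Name $valueName
            Write-Host "  removed now-empty $valueName"
        } else {
            Set-ItemProperty -Path $classKey.PSPath -Name $valueName -Value $remaining -Type MultiString
            Write-Host ('  rewrote {0} = [{1}]' -f $valueName, ($remaining -join ' '))
        }
    }
}
```

Run it once without -Remove and compare the report against a known-clean machine, as gordon7322 did, before running it with -Remove; a class whose filter list differs from the clean machine is the one to look at. A reboot is needed afterwards because the filter drivers are bound when the device stack is built. The same audit catches the general case of any stale filter driver (an uninstalled remote-control, encryption or CD-burning product) that leaves a device reporting Code 39, not only the aw_host entry from this thread.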

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:19 PM

Posted 12 May 2012 - 08:37 AM

You did good.

For those reading the information posted by gordon7322 on how the matter was solved I have the following comments to add.

Unless you are familiar with editing the registry, I suggest you do not proceed with any of the changes suggested.
If you do, make sure you have saved the registry to a safe location in the event that you make an error.

The /u switch used in running ComboFix is not a known switch. It worked fine, but I believe that ComboFix would have worked without that switch.

===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 2


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
===

However, I can't properly uninstall Symantec because it technically doesn't exist anymore, so it's stuck in the "Add or Remove Programs" list.


This tool will remove all traces of Norton.

Download and run the Norton Removal Tool FOR YOUR PROGRAM.
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080710133834EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb

Please let me know of any pending issues.

#11 gordon7322

gordon7322
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 12 May 2012 - 12:48 PM

Great thanks nasdaq, everything is fine now.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:19 PM

Posted 12 May 2012 - 01:24 PM

Glad we could help.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:19 PM

Posted 18 May 2012 - 09:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
