[Solved] According to Norton 360 infected with ZeroAccess Rootkit 4


rlm59

Hi,

Infected computer:
Samsung N310 GO, dual boot with Windows XP SP3 and Ubuntu (most current version)

Norton 360 informed me I was infected with ZeroAccess Rootkit 4, but would not run the removal toolkit that it prompted me to use. In normal Windows I can no longer access the Task Manager, and everything runs at a glacial speed. The most recent boot allows me to log in (including the log-in music), but then just gives me my desktop image and nothing more.

Safe mode is available and works just fine. The requested logs are below; each was produced in safe mode.

Thank you in advance for the help.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.13.03

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Rachael :: LITTLEONE [administrator]

Protection: Disabled

2/13/2012 14:24:53 PM
mbam-log-2012-02-13 (14-29-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 267763
Time elapsed: 4 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\WINDOWS\system32\point32.dll (RootKit.0Access.H) -> No action taken.
C:\WINDOWS\system32\usbatapi2000.dll (RootKit.0Access.H) -> No action taken.
C:\WINDOWS\Installer\MSI78.tmp (HackTool.Hiderun) -> No action taken.
C:\WINDOWS\Installer\MSIC5.tmp (HackTool.Hiderun) -> No action taken.

(end)


GMER: No Logs

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Rachael at 14:52:10 on 2012-02-13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1674 [GMT 0:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2704262
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.0.13\ips\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [NetMeter] c:\program files\hootech net meter\HooNetMeter.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\rachael\startm~1\programs\startup\easydi~1.lnk - c:\program files\samsung\easy display manager\DMLauncher_XP.exe
StartupFolder: c:\docume~1\rachael\startm~1\programs\startup\magick~1.lnk - c:\program files\samsung\magickbd\PreMKBD.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{1ce60928-8325-49a8-8b06-633e48dd2b67}\Icon3E5562ED7.ico
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rachael\application data\mozilla\firefox\profiles\90841v1g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2704262&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: c:\documents and settings\rachael\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\rachael\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\rachael\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-15 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-1-31 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-1-31 744568]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120207.003\BHDrvx86.sys [2012-2-8 820344]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-1-31 136312]
S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2010-1-16 4300]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011-6-23 99896]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-7-21 2152152]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-13 652360]
S2 N360;Norton 360;c:\program files\norton 360\engine\5.2.0.13\ccsvchst.exe [2012-1-31 130008]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\startmansvc.exe --> c:\program files\common files\pc tools\smonitor\StartManSvc.exe [?]
S2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\srs labs\srs wow xt and tsxt\SRS_PostInstaller.exe [2009-5-19 66792]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-9-4 98304]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2004-8-12 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-16 1684736]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120210.002\IDSXpx86.sys [2012-2-11 356280]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-7-21 15232]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-13 20464]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2011-6-23 17408]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120212.017\NAVENG.SYS [2012-2-13 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120212.017\NAVEX15.SYS [2012-2-13 1576312]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-9-7 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-9-7 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-9-7 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-9-7 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-9-7 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-9-7 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-9-7 109864]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2011-5-28 155344]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2010-3-14 233512]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2011-8-9 238464]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-15 394952]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-5-20 11520]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
.
=============== Created Last 30 ================
.
2012-02-13 14:21:58 -------- d-----w- c:\documents and settings\rachael\application data\Malwarebytes
2012-02-13 14:21:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-13 14:21:49 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-13 14:21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-13 13:10:42 -------- d-sha-r- C:\cmdcons
2012-02-13 11:42:18 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-13 11:35:16 98816 ----a-w- c:\windows\sed.exe
2012-02-13 11:35:16 518144 ----a-w- c:\windows\SWREG.exe
2012-02-13 11:35:16 256000 ----a-w- c:\windows\PEV.exe
2012-02-13 11:35:16 208896 ----a-w- c:\windows\MBR.exe
2012-02-13 11:00:45 32808 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-02-13 10:03:24 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-13 10:01:08 -------- d-----w- c:\program files\Catan
2012-02-13 08:50:58 -------- d-----w- c:\documents and settings\all users\application data\Protexis
2012-02-13 08:49:43 -------- d-----w- c:\program files\Oberon
2012-02-11 18:27:38 -------- d-----w- c:\program files\common files\PC Tools
2012-02-03 20:47:13 -------- d-----w- c:\documents and settings\rachael\application data\NCH Software
2012-02-03 20:46:43 -------- d-----w- c:\program files\NCH Software
2012-02-03 20:41:22 -------- d-----w- c:\documents and settings\rachael\application data\MtStudio
2012-01-31 11:58:10 -------- d-----w- c:\documents and settings\rachael\application data\DDMSettings
2012-01-31 05:00:33 331384 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys
2012-01-31 05:00:32 744568 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
2012-01-31 05:00:32 516216 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\srtsp.sys
2012-01-31 05:00:32 50168 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\srtspx.sys
2012-01-31 05:00:32 369784 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdi.sys
2012-01-31 05:00:32 340088 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\symds.sys
2012-01-31 05:00:32 299640 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symnets.sys
2012-01-31 05:00:32 136312 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys
2012-01-31 04:59:49 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
2012-01-23 00:02:42 -------- d-----w- c:\windows\_swf_imagine digital freedom_work
2012-01-22 21:02:43 -------- d-----w- c:\program files\Lame For Audacity
2012-01-22 20:29:40 -------- d-----w- c:\program files\Audacity
.
==================== Find3M ====================
.
2012-01-05 10:16:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 14:52:37.70 ===============

Attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/16/2010 7:34:44 PM
System Uptime: 2/13/2012 2:42:12 PM (0 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | N310
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U2E1 | 1595/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 135 GiB total, 63.309 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: BCM2046 Bluetooth Device
Device ID: USB\VID_0A5C&PID_2151\002556E92D41
Manufacturer:
Name: BCM2046 Bluetooth Device
PNP Device ID: USB\VID_0A5C&PID_2151\002556E92D41
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP382: 11/12/2011 8:06:46 AM - System Checkpoint
RP383: 11/13/2011 3:09:40 PM - System Checkpoint
RP384: 11/14/2011 9:57:36 PM - System Checkpoint
RP385: 11/15/2011 11:18:31 PM - System Checkpoint
RP386: 11/18/2011 2:54:56 AM - System Checkpoint
RP387: 11/19/2011 3:49:29 AM - System Checkpoint
RP388: 11/23/2011 8:44:03 AM - System Checkpoint
RP389: 11/25/2011 8:01:40 PM - System Checkpoint
RP390: 12/1/2011 5:40:58 PM - Installed QuickTime
RP391: 12/3/2011 11:24:04 AM - System Checkpoint
RP392: 12/4/2011 1:55:28 PM - System Checkpoint
RP393: 12/6/2011 11:31:38 AM - System Checkpoint
RP394: 12/12/2011 7:29:11 PM - System Checkpoint
RP395: 12/15/2011 12:01:22 AM - System Checkpoint
RP396: 12/16/2011 1:03:04 AM - System Checkpoint
RP397: 12/16/2011 3:00:49 AM - Software Distribution Service 3.0
RP398: 12/19/2011 9:46:55 PM - System Checkpoint
RP399: 12/23/2011 8:17:02 PM - System Checkpoint
RP400: 12/26/2011 2:00:52 AM - System Checkpoint
RP401: 12/27/2011 3:51:40 AM - System Checkpoint
RP402: 12/28/2011 10:25:34 AM - System Checkpoint
RP403: 12/29/2011 4:40:13 PM - System Checkpoint
RP404: 12/31/2011 8:20:02 PM - System Checkpoint
RP405: 1/3/2012 5:20:40 AM - System Checkpoint
RP406: 1/3/2012 9:02:52 PM - Installed Boingo Wi-Finder
RP407: 1/4/2012 10:26:18 AM - Software Distribution Service 3.0
RP408: 1/5/2012 10:18:57 AM - Removed Boingo Wi-Finder
RP409: 1/7/2012 4:12:46 AM - System Checkpoint
RP410: 1/12/2012 4:52:50 AM - Software Distribution Service 3.0
RP411: 1/14/2012 5:44:13 AM - System Checkpoint
RP412: 1/15/2012 6:45:51 PM - System Checkpoint
RP413: 1/17/2012 1:04:57 AM - System Checkpoint
RP414: 1/18/2012 3:00:18 AM - Software Distribution Service 3.0
RP415: 1/19/2012 3:09:49 AM - System Checkpoint
RP416: 1/20/2012 11:50:12 AM - System Checkpoint
RP417: 1/21/2012 1:02:03 PM - System Checkpoint
RP418: 1/23/2012 9:01:46 PM - System Checkpoint
RP419: 1/25/2012 3:08:00 PM - System Checkpoint
RP420: 1/27/2012 8:38:58 PM - System Checkpoint
RP421: 1/31/2012 7:35:33 PM - System Checkpoint
RP422: 2/1/2012 7:50:43 PM - System Checkpoint
RP423: 2/4/2012 8:06:47 AM - System Checkpoint
RP424: 2/6/2012 4:20:00 PM - System Checkpoint
RP425: 2/7/2012 7:08:55 PM - System Checkpoint
RP426: 2/8/2012 9:38:47 PM - System Checkpoint
RP427: 2/10/2012 1:38:59 AM - System Checkpoint
RP428: 2/13/2012 8:49:41 AM - Installed Catan
RP429: 2/13/2012 10:26:28 AM - Norton 360 Registry Clean
.
==== Installed Programs ======================
.
.
Ad-Aware
Adobe Acrobat 8 Standard - English, Français, Deutsch
Adobe Acrobat 8.3.1 - CPSID_83708
Adobe Acrobat 8.3.1 Standard
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0
Adobe Shockwave Player 11.6
Amazon Kindle
Apple Application Support
Apple Software Update
Aspell 0.6 Dictionary (Language: de)
Aspell 0.6 Dictionary (Language: en)
Aspell Data
Avadon
BatteryLifeExtender
calibre
Catan
Catan - Cities and Knights
Cisco Systems VPN Client 5.0.07.0410
Diablo II
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Dropbox
Easy Display Manager
Easy Network Manager
Easy Resolution Manager
Google Chrome
Google Gears
Google Talk Plugin
Google Update Helper
Hero Editor V0.96
Hero Editor V1.04
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
HP LaserJet Professional P1100-P1560-P1600 Series
imagine digital freedom - Samsung
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 29
LADSPA_plugins-win-0.4.15
LAME v3.98.3 for Audacity
Magic Keyboard
Malwarebytes Anti-Malware version 1.60.1.1000
Marvell Miniport Driver
Media Go
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WinUsb 1.0
MiKTeX 2.9
Mozilla Firefox 9.0.1 (x86 en-US)
Mozilla Thunderbird (7.0.1)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MusicBrainz Picard
Namuga 1.3M Webcam
Net Meter v3.6 build 437
Norton 360
NVIDIA PhysX
QuickTime
Realtek High Definition Audio Driver
REALTEK Wireless LAN Software
Samsung Battery Manager
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype™ 5.5
Sony Ericsson PC Companion 2.02.002
SRS WOW XT and TSXT
swMSM
Torchlight
Ultra Defragmenter
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.3
WavePad Sound Editor
WD SmartWare
WebFldrs XP
Winamp
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile Device Updater Component
Windows XP Service Pack 3
Xvid 1.2.1 final uninstall
Yahoo! Detect
Zune
Zune Language Pack (DEU)
Zune Language Pack (ESP)
Zune Language Pack (FRA)
Zune Language Pack (ITA)
Zune Language Pack (NLD)
Zune Language Pack (PTB)
Zune Language Pack (PTG)
.
==== Event Viewer Messages From Past Week ========
.
2/9/2012 6:05:48 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
2/8/2012 5:41:35 PM, error: i8042prt [40] - An error occurred while trying to acquire the device ID of the mouse
2/7/2012 2:53:06 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2/13/2012 12:23:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SymIRON SYMTDI Tcpip WS2IFSL
2/13/2012 12:06:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
2/13/2012 12:03:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/13/2012 11:59:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sptd SRTSP SRTSPX SymIRON SYMTDI Tcpip WS2IFSL
2/13/2012 11:58:35 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
2/13/2012 11:20:49 AM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/13/2012 11:20:47 AM, error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/13/2012 11:19:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/13/2012 11:18:44 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/13/2012 11:18:33 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SymIRON SYMTDI Tcpip
2/13/2012 11:18:33 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/13/2012 11:18:33 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/13/2012 11:18:33 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/13/2012 11:18:33 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/13/2012 10:55:01 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
2/13/2012 10:54:34 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP
2/13/2012 10:53:26 AM, error: SRTSP [5] - Error loading Symantec real time Anti-Virus driver.
2/13/2012 10:53:26 AM, error: SRTSP [4] - Error loading virus definitions.
2/13/2012 1:31:22 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
2/13/2012 1:07:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 eeCtrl Fips intelppm sptd SRTSP SRTSPX SymIRON SYMTDI
2/10/2012 5:46:55 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.6. The machine with the IP address 192.168.0.3 did not allow the name to be claimed by this machine.
.
==== End Of File ===========================
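The Event Viewer section of the DDS log above can be triaged mechanically rather than read line by line. The Python below is an added example, not part of this thread or of DDS: it parses DDS's one-line event records and groups the Service Control Manager 7026 (boot-start driver failed to load) and 7001 (dependency failed) events by component, using event lines copied from the log above as sample input. The network-stack and security-product driver groupings are my assumption, based on the driver names and the Norton/Symantec paths and messages shown in this thread's logs.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Sample input: event lines copied from the DDS "Event Viewer Messages" section above.
EVENT_LOG = """\
2/13/2012 12:23:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SymIRON SYMTDI Tcpip WS2IFSL
2/13/2012 11:20:49 AM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/13/2012 11:18:33 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SymIRON SYMTDI Tcpip
2/13/2012 11:18:33 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/13/2012 11:18:33 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/13/2012 10:54:34 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP
2/13/2012 1:31:22 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
"""

# DDS writes one event per line: <date> <time>, <level>: <source> [<event id>] - <message>
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# SCM event 7026 ends with a space-separated list of driver service names.
FAILED_DRIVERS_RE = re.compile(r"failed to load: (?P<drivers>.+)$")
# SCM event 7001 names the service that could not start and the dependency it blamed.
DEPENDENCY_RE = re.compile(
    r"^The (?P<service>.+?) service depends on the (?P<dependency>.+?) service which failed to start"
)

# Assumed grouping: core Windows networking components (Winsock, TCP/IP, NetBIOS, SMB, IPsec) ...
NETWORK_STACK = {"AFD", "Tcpip", "NetBT", "NetBIOS", "IPSec", "MRxSmb", "Rdbss", "RasAcd", "WS2IFSL"}
# ... and the Norton 360 / Symantec drivers identified by path or message elsewhere in the thread's logs.
SECURITY_PRODUCT = {"BHDrvx86", "eeCtrl", "SRTSP", "SRTSPX", "SymIRON", "SYMTDI"}


@dataclass(frozen=True)
class Event:
    when: datetime
    level: str
    source: str
    event_id: int
    message: str

def parse_events(text: str) -> List[Event]:
    """Parse DDS event lines; anything not matching the record shape is skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(datetime.strptime(m["when"], "%m/%d/%Y %I:%M:%S %p"),
                                m["level"], m["source"], int(m["event_id"]), m["message"]))
    return events

def scm_events(events: List[Event], event_id: int) -> List[Event]:
    """Service Control Manager events with the given id, oldest first."""
    return sorted((e for e in events if e.source == "Service Control Manager" and e.event_id == event_id),
                  key=lambda e: e.when)

def failed_driver_sets(events: List[Event]) -> List[set]:
    """One set of failed driver names per 7026 event, i.e. per boot that logged load failures."""
    sets = []
    for ev in scm_events(events, 7026):
        m = FAILED_DRIVERS_RE.search(ev.message)
        if m:
            sets.append(set(m["drivers"].split()))
    return sets

def failed_boot_drivers(events: List[Event]) -> Counter:
    """How many boots reported each driver failing to load."""
    return Counter(d for s in failed_driver_sets(events) for d in s)

def dependency_failures(events: List[Event]) -> List[Tuple[str, str]]:
    """(service, dependency) pairs from 7001 events, oldest first."""
    pairs = []
    for ev in scm_events(events, 7001):
        m = DEPENDENCY_RE.match(ev.message)
        if m:
            pairs.append((m["service"], m["dependency"]))
    return pairs

def triage(events: List[Event]) -> Dict[str, object]:
    """Group the failures by category so the pattern behind the symptoms is visible at a glance."""
    sets = failed_driver_sets(events)
    counts = failed_boot_drivers(events)
    return {
        "boots_with_driver_failures": len(sets),
        # Boots on which Winsock, TCP/IP and NetBT all failed: no network-dependent service can start.
        "boots_network_stack_down": sum(1 for s in sets if {"AFD", "Tcpip", "NetBT"} <= s),
        "network_stack_failed": sorted(d for d in counts if d in NETWORK_STACK),
        "security_product_failed": sorted(d for d in counts if d in SECURITY_PRODUCT),
        "other_failed": sorted(d for d in counts if d not in NETWORK_STACK | SECURITY_PRODUCT),
        "dependency_chain": dependency_failures(events),
    }

if __name__ == "__main__":
    for key, value in triage(parse_events(EVENT_LOG)).items():
        print(f"{key}: {value}")
```

On the sample above it reports three boots with driver failures, two of them with the whole networking stack down, which matches the 7001 dependency chain (NetBIOS Helper and DNS Client unable to start) and the unusable desktop described in the first post.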
 
If you can run any of the following in Normal Mode, please do so.

If you cannot run in Normal Mode, do the following:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

Please go back and rerun Malwarebytes. Take care to check the section to remove the entries it finds. The entries show "No action taken."

Please disable the Norton 360 Registry Clean. I don't want a registry cleaner removing files while I'm helping you. (FYI: We don't recommend a registry cleaner to anyone. The potential risk outweighs any benefit.)
========================================
If there are files, icons, programs, etc. that seem to be missing, run the following. Be sure to read the note that this does not remove the malware.
Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note 1: This does not remove the malware, only the attribute causing the 'missing' problem. So it is important for you to continue.
===========================================
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double-click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies the selected actions and outputs the result. Save the log to post.
  • A reboot is required after disinfection.
===========================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START > then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Expect these; they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double-click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti-virus and anti-malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes to continue scanning for malware.
  • If Combofix asks you to update the program, allow.
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
==========================================
Please leave the new log for Malwarebytes, the TDSSKiller log and the Combofix log in your next reply.

I will help with remaining problems of desktop and start menu after we remove some of the malware entries.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.
 
How can I go about disabling Norton 360? In safe mode it will only boot up running a scan, and normal mode still isn't working, giving me just my desktop image.
 
Was able to boot into normal mode eventually. Task manager and My Computer are still not runnable, nor was Malwarebytes.

Reran the Malwarebytes utility (had to be run in safe mode; it would not open in normal). It came up with no errors. See the log below.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.13.03

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Rachael :: LITTLEONE [administrator]

Protection: Disabled

2/13/2012 15:52:54 PM
mbam-log-2012-02-13 (15-52-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 267770
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Ran TDSSKiller in safe mode and received no errors. Tried to boot into normal mode, was successful, ran it in normal mode and received one error. Only had the option to copy to quarantine. See the log below.

16:08:07.0296 1060 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
16:08:07.0328 1060 ============================================================
16:08:07.0328 1060 Current date / time: 2012/02/13 16:08:07.0328
16:08:07.0328 1060 SystemInfo:
16:08:07.0328 1060
16:08:07.0328 1060 OS Version: 5.1.2600 ServicePack: 3.0
16:08:07.0328 1060 Product type: Workstation
16:08:07.0328 1060 ComputerName: LITTLEONE
16:08:07.0328 1060 UserName: Rachael
16:08:07.0328 1060 Windows directory: C:\WINDOWS
16:08:07.0328 1060 System windows directory: C:\WINDOWS
16:08:07.0328 1060 Processor architecture: Intel x86
16:08:07.0328 1060 Number of processors: 2
16:08:07.0328 1060 Page size: 0x1000
16:08:07.0328 1060 Boot type: Normal boot
16:08:07.0328 1060 ============================================================
16:08:09.0812 1060 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
16:08:09.0859 1060 \Device\Harddisk0\DR0:
16:08:09.0859 1060 MBR used
16:08:09.0859 1060 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xC02F10, BlocksNum 0x10DFF817
16:08:09.0984 1060 Initialize success
16:08:09.0984 1060 ============================================================
16:08:11.0578 2044 ============================================================
16:08:11.0578 2044 Scan started
16:08:11.0578 2044 Mode: Manual;
16:08:11.0578 2044 ============================================================
16:08:12.0562 2044 Abiosdsk - ok
16:08:12.0578 2044 abp480n5 - ok
16:08:12.0671 2044 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:08:12.0687 2044 ACPI - ok
16:08:12.0718 2044 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
16:08:12.0718 2044 ACPIEC - ok
16:08:12.0734 2044 adpu160m - ok
16:08:12.0828 2044 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:08:12.0828 2044 aec - ok
16:08:12.0937 2044 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
16:08:12.0937 2044 AFD - ok
16:08:12.0953 2044 Aha154x - ok
16:08:12.0968 2044 aic78u2 - ok
16:08:12.0984 2044 aic78xx - ok
16:08:13.0015 2044 AliIde - ok
16:08:13.0125 2044 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
16:08:13.0203 2044 Ambfilt - ok
16:08:13.0218 2044 amsint - ok
16:08:13.0359 2044 AR5416 (c413e2e549488a5f1969decb5b03187a) C:\WINDOWS\system32\DRIVERS\athw.sys
16:08:13.0468 2044 AR5416 - ok
16:08:13.0484 2044 asc - ok
16:08:13.0500 2044 asc3350p - ok
16:08:13.0515 2044 asc3550 - ok
16:08:13.0593 2044 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:08:13.0609 2044 AsyncMac - ok
16:08:13.0656 2044 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:08:13.0656 2044 atapi - ok
16:08:13.0687 2044 Atdisk - ok
16:08:13.0718 2044 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:08:13.0718 2044 Atmarpc - ok
16:08:13.0781 2044 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:08:13.0781 2044 audstub - ok
16:08:13.0828 2044 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:08:13.0828 2044 Beep - ok
16:08:14.0093 2044 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120207.003\BHDrvx86.sys
16:08:14.0109 2044 BHDrvx86 - ok
16:08:14.0296 2044 BVRPMPR5 (51b327292408b5f3a42e295bce055859) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
16:08:14.0312 2044 BVRPMPR5 - ok
16:08:14.0500 2044 catchme - ok
16:08:14.0593 2044 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:08:14.0593 2044 cbidf2k - ok
16:08:14.0671 2044 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
16:08:14.0671 2044 CCDECODE - ok
16:08:14.0687 2044 cd20xrnt - ok
16:08:14.0734 2044 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:08:14.0734 2044 Cdaudio - ok
16:08:14.0781 2044 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:08:14.0781 2044 Cdfs - ok
16:08:14.0859 2044 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:08:14.0875 2044 Cdrom - ok
16:08:14.0890 2044 Changer - ok
16:08:14.0984 2044 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:08:14.0984 2044 CmBatt - ok
16:08:15.0000 2044 CmdIde - ok
16:08:15.0015 2044 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:08:15.0031 2044 Compbatt - ok
16:08:15.0062 2044 Cpqarray - ok
16:08:15.0109 2044 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
16:08:15.0125 2044 CVirtA - ok
16:08:15.0171 2044 CVPNDRVA (cb90b2762b1a1d0b40496400c55b6ade) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
16:08:15.0218 2044 CVPNDRVA - ok
16:08:15.0234 2044 dac2w2k - ok
16:08:15.0250 2044 dac960nt - ok
16:08:15.0312 2044 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:08:15.0312 2044 Disk - ok
16:08:15.0375 2044 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:08:15.0421 2044 dmboot - ok
16:08:15.0484 2044 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:08:15.0500 2044 dmio - ok
16:08:15.0546 2044 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:08:15.0562 2044 dmload - ok
16:08:15.0593 2044 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:08:15.0593 2044 DMusic - ok
16:08:15.0656 2044 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
16:08:15.0671 2044 DNE - ok
16:08:15.0703 2044 DOSMEMIO (8a4cb9438571814b128b6dc30d698064) C:\WINDOWS\system32\MEMIO.SYS
16:08:15.0750 2044 DOSMEMIO - ok
16:08:15.0781 2044 dpti2o - ok
16:08:15.0796 2044 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:08:15.0796 2044 drmkaud - ok
16:08:15.0921 2044 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
16:08:15.0937 2044 eeCtrl - ok
16:08:15.0968 2044 EraserUtilRebootDrv - ok
16:08:16.0062 2044 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:08:16.0078 2044 Fastfat - ok
16:08:16.0140 2044 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
16:08:16.0156 2044 Fdc - ok
16:08:16.0171 2044 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:08:16.0171 2044 Fips - ok
16:08:16.0234 2044 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
16:08:16.0234 2044 Flpydisk - ok
16:08:16.0343 2044 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:08:16.0343 2044 FltMgr - ok
16:08:16.0421 2044 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:08:16.0437 2044 Fs_Rec - ok
16:08:16.0453 2044 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:08:16.0453 2044 Ftdisk - ok
16:08:16.0500 2044 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
16:08:16.0531 2044 GEARAspiWDM - ok
16:08:16.0562 2044 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:08:16.0609 2044 Gpc - ok
16:08:16.0656 2044 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:08:16.0671 2044 HDAudBus - ok
16:08:16.0703 2044 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:08:16.0718 2044 HidUsb - ok
16:08:16.0734 2044 hpn - ok
16:08:16.0781 2044 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
16:08:16.0781 2044 HPZius12 - ok
16:08:16.0843 2044 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:08:16.0875 2044 HTTP - ok
16:08:16.0906 2044 i2omgmt - ok
16:08:16.0921 2044 i2omp - ok
16:08:16.0968 2044 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:08:16.0968 2044 i8042prt - ok
16:08:17.0203 2044 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:08:17.0359 2044 ialm - ok
16:08:17.0625 2044 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120210.002\IDSxpx86.sys
16:08:17.0640 2044 IDSxpx86 - ok
16:08:17.0828 2044 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:08:17.0828 2044 Imapi - ok
16:08:17.0859 2044 ini910u - ok
16:08:18.0156 2044 IntcAzAudAddService (0cacdcbbc8e6f11e2865c47bfc509848) C:\WINDOWS\system32\drivers\RtkHDAud.sys
16:08:18.0250 2044 IntcAzAudAddService - ok
16:08:18.0390 2044 IntelIde - ok
16:08:18.0421 2044 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:08:18.0421 2044 intelppm - ok
16:08:18.0453 2044 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:08:18.0453 2044 Ip6Fw - ok
16:08:18.0515 2044 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:08:18.0531 2044 IpFilterDriver - ok
16:08:18.0593 2044 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:08:18.0593 2044 IpInIp - ok
16:08:18.0656 2044 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:08:18.0656 2044 IpNat - ok
16:08:18.0703 2044 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:08:18.0718 2044 IPSec - ok
16:08:18.0765 2044 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:08:18.0765 2044 IRENUM - ok
16:08:18.0828 2044 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:08:18.0828 2044 isapnp - ok
16:08:18.0906 2044 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:08:18.0906 2044 Kbdclass - ok
16:08:18.0953 2044 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:08:18.0953 2044 kmixer - ok
16:08:19.0000 2044 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:08:19.0015 2044 KSecDD - ok
16:08:19.0156 2044 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
16:08:19.0171 2044 Lavasoft Kernexplorer - ok
16:08:19.0234 2044 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
16:08:19.0250 2044 Lbd - ok
16:08:19.0250 2044 lbrtfdc - ok
16:08:19.0328 2044 LHidFilt (f5e165b4e3df145f6e8bf3c0573f94d8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
16:08:19.0343 2044 LHidFilt - ok
16:08:19.0421 2044 LMouFilt (b46e39b8ae439d7ce75a923e7f950040) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
16:08:19.0437 2044 LMouFilt - ok
16:08:19.0500 2044 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
16:08:19.0500 2044 MBAMProtector - ok
16:08:19.0578 2044 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:08:19.0578 2044 mnmdd - ok
16:08:19.0671 2044 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:08:19.0671 2044 Modem - ok
16:08:19.0781 2044 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
16:08:19.0859 2044 Monfilt - ok
16:08:19.0937 2044 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
16:08:19.0953 2044 motccgp - ok
16:08:20.0015 2044 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
16:08:20.0015 2044 motccgpfl - ok
16:08:20.0093 2044 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:08:20.0093 2044 Mouclass - ok
16:08:20.0171 2044 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:08:20.0171 2044 mouhid - ok
16:08:20.0203 2044 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:08:20.0203 2044 MountMgr - ok
16:08:20.0218 2044 mraid35x - ok
16:08:20.0296 2044 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:08:20.0296 2044 MRxDAV - ok
16:08:20.0421 2044 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:08:20.0421 2044 MRxSmb - ok
16:08:20.0453 2044 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:08:20.0453 2044 Msfs - ok
16:08:20.0546 2044 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:08:20.0546 2044 MSKSSRV - ok
16:08:20.0625 2044 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:08:20.0625 2044 MSPCLOCK - ok
16:08:20.0640 2044 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:08:20.0656 2044 MSPQM - ok
16:08:20.0703 2044 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:08:20.0703 2044 mssmbios - ok
16:08:20.0734 2044 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
16:08:20.0734 2044 MSTEE - ok
16:08:20.0765 2044 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
16:08:20.0796 2044 Mup - ok
16:08:20.0859 2044 mvusbews (1889385f1825c0782c5c179a0518d490) C:\WINDOWS\system32\Drivers\mvusbews.sys
16:08:20.0875 2044 mvusbews - ok
16:08:20.0937 2044 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
16:08:20.0953 2044 NABTSFEC - ok
16:08:21.0203 2044 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120212.017\NAVENG.SYS
16:08:21.0234 2044 NAVENG - ok
16:08:21.0328 2044 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120212.017\NAVEX15.SYS
16:08:21.0421 2044 NAVEX15 - ok
16:08:21.0625 2044 NDIS (8716356e49a665bdc7b114725b60a456) C:\WINDOWS\system32\drivers\NDIS.sys
16:08:21.0656 2044 NDIS - ok
16:08:21.0703 2044 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
16:08:21.0703 2044 NdisIP - ok
16:08:21.0750 2044 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:08:21.0765 2044 NdisTapi - ok
16:08:21.0796 2044 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:08:21.0796 2044 Ndisuio - ok
16:08:21.0812 2044 NdisWan (5526cfebb619f7f763bd6a2e1b618078) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:08:21.0843 2044 NdisWan - ok
16:08:21.0906 2044 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
16:08:21.0921 2044 NDProxy - ok
16:08:21.0953 2044 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:08:21.0953 2044 NetBIOS - ok
16:08:22.0031 2044 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:08:22.0046 2044 NetBT - ok
16:08:22.0109 2044 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:08:22.0109 2044 Npfs - ok
16:08:22.0171 2044 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:08:22.0203 2044 Ntfs - ok
16:08:22.0265 2044 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:08:22.0265 2044 Null - ok
16:08:22.0343 2044 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:08:22.0343 2044 NwlnkFlt - ok
16:08:22.0406 2044 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:08:22.0406 2044 NwlnkFwd - ok
16:08:22.0468 2044 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
16:08:22.0484 2044 Parport - ok
16:08:22.0500 2044 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:08:22.0500 2044 PartMgr - ok
16:08:22.0546 2044 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:08:22.0546 2044 ParVdm - ok
16:08:22.0593 2044 PCASp50 - ok
16:08:22.0609 2044 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:08:22.0609 2044 PCI - ok
16:08:22.0625 2044 PCIDump - ok
16:08:22.0671 2044 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:08:22.0671 2044 PCIIde - ok
16:08:22.0703 2044 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:08:22.0703 2044 Pcmcia - ok
16:08:22.0750 2044 PDCOMP - ok
16:08:22.0765 2044 PDFRAME - ok
16:08:22.0781 2044 PDRELI - ok
16:08:22.0796 2044 PDRFRAME - ok
16:08:22.0843 2044 perc2 - ok
16:08:22.0859 2044 perc2hib - ok
16:08:22.0921 2044 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:08:22.0937 2044 PptpMiniport - ok
16:08:22.0984 2044 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:08:22.0984 2044 PSched - ok
16:08:23.0015 2044 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:08:23.0015 2044 Ptilink - ok
16:08:23.0046 2044 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:08:23.0062 2044 PxHelp20 - ok
16:08:23.0078 2044 ql1080 - ok
16:08:23.0093 2044 Ql10wnt - ok
16:08:23.0109 2044 ql12160 - ok
16:08:23.0125 2044 ql1240 - ok
16:08:23.0140 2044 ql1280 - ok
16:08:23.0187 2044 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:08:23.0187 2044 RasAcd - ok
16:08:23.0218 2044 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:08:23.0218 2044 Rasl2tp - ok
16:08:23.0281 2044 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:08:23.0296 2044 RasPppoe - ok
16:08:23.0359 2044 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:08:23.0375 2044 Raspti - ok
16:08:23.0406 2044 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:08:23.0421 2044 Rdbss - ok
16:08:23.0484 2044 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:08:23.0500 2044 RDPCDD - ok
16:08:23.0578 2044 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
16:08:23.0593 2044 RDPWD - ok
16:08:23.0656 2044 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:08:23.0656 2044 redbook - ok
16:08:23.0750 2044 s1018bus (1c5c2cb892553d2cf3f45a4bb323fcd6) C:\WINDOWS\system32\DRIVERS\s1018bus.sys
16:08:23.0750 2044 s1018bus - ok
16:08:23.0812 2044 s1018mdfl (38f5ea219593f19b6b3a1b9c169e3b61) C:\WINDOWS\system32\DRIVERS\s1018mdfl.sys
16:08:23.0812 2044 s1018mdfl - ok
16:08:23.0890 2044 s1018mdm (666af6b64fc7df92d3ca4819ea91631d) C:\WINDOWS\system32\DRIVERS\s1018mdm.sys
16:08:23.0906 2044 s1018mdm - ok
16:08:23.0968 2044 s1018mgmt (f4ceda6e2ddff2af8bd745615a7ca9c0) C:\WINDOWS\system32\DRIVERS\s1018mgmt.sys
16:08:23.0968 2044 s1018mgmt - ok
16:08:24.0031 2044 s1018nd5 (3622d9ff2253dcbe885b10736609a4ca) C:\WINDOWS\system32\DRIVERS\s1018nd5.sys
16:08:24.0046 2044 s1018nd5 - ok
16:08:24.0109 2044 s1018obex (49431efda842b474531c29ffae9f5d09) C:\WINDOWS\system32\DRIVERS\s1018obex.sys
16:08:24.0109 2044 s1018obex - ok
16:08:24.0187 2044 s1018unic (ac6b514cb4474f4c867d7cdc9cd54f05) C:\WINDOWS\system32\DRIVERS\s1018unic.sys
16:08:24.0203 2044 s1018unic - ok
16:08:24.0281 2044 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:08:24.0281 2044 Secdrv - ok
16:08:24.0343 2044 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
16:08:24.0343 2044 Serial - ok
16:08:24.0421 2044 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:08:24.0421 2044 Sfloppy - ok
16:08:24.0453 2044 Simbad - ok
16:08:24.0484 2044 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
16:08:24.0484 2044 SLIP - ok
16:08:24.0515 2044 Sparrow - ok
16:08:24.0562 2044 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:08:24.0562 2044 splitter - ok
16:08:24.0656 2044 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
16:08:24.0671 2044 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
16:08:24.0671 2044 sptd ( LockedFile.Multi.Generic ) - warning
16:08:24.0671 2044 sptd - detected LockedFile.Multi.Generic (1)
16:08:24.0687 2044 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:08:24.0687 2044 sr - ok
16:08:24.0781 2044 SRS_PremiumSound_Service (7d7ad4aba007e20acc35cab03b28a935) C:\WINDOWS\system32\drivers\srs_PremiumSound_i386.sys
16:08:24.0812 2044 SRS_PremiumSound_Service - ok
16:08:24.0906 2044 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\N360\0502000.00D\SRTSP.SYS
16:08:24.0953 2044 SRTSP - ok
16:08:25.0000 2044 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\N360\0502000.00D\SRTSPX.SYS
16:08:25.0031 2044 SRTSPX - ok
16:08:25.0109 2044 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
16:08:25.0140 2044 Srv - ok
16:08:25.0203 2044 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
16:08:25.0203 2044 streamip - ok
16:08:25.0234 2044 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:08:25.0234 2044 swenum - ok
16:08:25.0281 2044 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:08:25.0281 2044 swmidi - ok
16:08:25.0328 2044 symc810 - ok
16:08:25.0343 2044 symc8xx - ok
16:08:25.0406 2044 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\N360\0502000.00D\SYMDS.SYS
16:08:25.0437 2044 SymDS - ok
16:08:25.0500 2044 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\N360\0502000.00D\SYMEFA.SYS
16:08:25.0562 2044 SymEFA - ok
16:08:25.0671 2044 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
16:08:25.0703 2044 SymEvent - ok
16:08:25.0781 2044 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\N360\0502000.00D\Ironx86.SYS
16:08:25.0781 2044 SymIRON - ok
16:08:25.0859 2044 SYMTDI (336cace58f0359d5cbb1ae6b8a2fb205) C:\WINDOWS\System32\Drivers\N360\0502000.00D\SYMTDI.SYS
16:08:25.0859 2044 SYMTDI - ok
16:08:25.0890 2044 sym_hi - ok
16:08:25.0906 2044 sym_u3 - ok
16:08:25.0968 2044 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:08:25.0968 2044 sysaudio - ok
16:08:26.0015 2044 tbhsd (4d46f63f7ddc2442941d63327c360b90) C:\WINDOWS\system32\drivers\tbhsd.sys
16:08:26.0031 2044 tbhsd - ok
16:08:26.0109 2044 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:08:26.0109 2044 Tcpip - ok
16:08:26.0156 2044 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:08:26.0156 2044 TDPIPE - ok
16:08:26.0171 2044 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:08:26.0187 2044 TDTCP - ok
16:08:26.0203 2044 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:08:26.0218 2044 TermDD - ok
16:08:26.0234 2044 TosIde - ok
16:08:26.0281 2044 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:08:26.0281 2044 Udfs - ok
16:08:26.0296 2044 ultra - ok
16:08:26.0375 2044 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:08:26.0390 2044 Update - ok
16:08:26.0453 2044 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:08:26.0453 2044 usbccgp - ok
16:08:26.0531 2044 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:08:26.0531 2044 usbehci - ok
16:08:26.0593 2044 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:08:26.0593 2044 usbhub - ok
16:08:26.0671 2044 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:08:26.0671 2044 usbprint - ok
16:08:26.0734 2044 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:08:26.0750 2044 usbscan - ok
16:08:26.0812 2044 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:08:26.0812 2044 usbstor - ok
16:08:26.0859 2044 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:08:26.0875 2044 usbuhci - ok
16:08:26.0921 2044 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
16:08:26.0921 2044 usbvideo - ok
16:08:26.0984 2044 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:08:26.0984 2044 VgaSave - ok
16:08:27.0000 2044 ViaIde - ok
16:08:27.0109 2044 VMC326 (20a559a25c4ae3f9b35f8229636ee5a7) C:\WINDOWS\system32\Drivers\VMC326.sys
16:08:27.0140 2044 VMC326 - ok
16:08:27.0187 2044 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:08:27.0203 2044 VolSnap - ok
16:08:27.0250 2044 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
16:08:27.0343 2044 vsdatant - ok
16:08:27.0421 2044 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:08:27.0421 2044 Wanarp - ok
16:08:27.0484 2044 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
16:08:27.0484 2044 WDC_SAM - ok
16:08:27.0578 2044 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
16:08:27.0593 2044 Wdf01000 - ok
16:08:27.0609 2044 WDICA - ok
16:08:27.0656 2044 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:08:27.0656 2044 wdmaud - ok
16:08:27.0765 2044 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
16:08:27.0765 2044 WinUSB - ok
16:08:27.0875 2044 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
16:08:27.0875 2044 WpdUsb - ok
16:08:27.0953 2044 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:08:27.0953 2044 WS2IFSL - ok
16:08:28.0000 2044 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
16:08:28.0000 2044 WSTCODEC - ok
16:08:28.0062 2044 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:08:28.0062 2044 WudfPf - ok
16:08:28.0140 2044 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:08:28.0140 2044 WudfRd - ok
16:08:28.0234 2044 yukonwxp (7578410b1512fad9c485b134561e8b78) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
16:08:28.0281 2044 yukonwxp - ok
16:08:28.0343 2044 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
16:08:28.0359 2044 zumbus - ok
16:08:28.0437 2044 MBR (0x1B8) (6aefa2bac284226f1a5aed86e53d7bb9) \Device\Harddisk0\DR0
16:08:28.0484 2044 \Device\Harddisk0\DR0 - ok
16:08:28.0515 2044 Boot (0x1200) (27a5293f3e174c1d1864e778a2122dfd) \Device\Harddisk0\DR0\Partition0
16:08:28.0515 2044 \Device\Harddisk0\DR0\Partition0 - ok
16:08:28.0531 2044 ============================================================
16:08:28.0531 2044 Scan finished
16:08:28.0531 2044 ============================================================
16:08:28.0546 1128 Detected object count: 1
16:08:28.0546 1128 Actual detected object count: 1
16:09:45.0828 1128 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
16:09:45.0828 1128 sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine


Ran ComboFix in Normal mode; it would go through the initial rundown, but then would quit. Went to safe mode, uninstalled Norton 360, still got the error message saying that it was there. Went ahead and ran it because it told me the uninstall was successful, and received the following log.

ComboFix 12-02-12.01 - Rachael 02/13/2012 17:30:02.4.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1735 [GMT 0:00]
Running from: c:\documents and settings\Rachael\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
.
.
2012-02-13 17:15 . 2012-02-13 17:15 -------- d-----w- c:\windows\LastGood
2012-02-13 16:09 . 2012-02-13 16:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-13 16:07 . 2012-02-13 16:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\Rachael\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-13 14:21 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-13 11:42 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-13 11:00 . 2012-02-13 14:02 32808 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-02-13 10:03 . 2012-02-13 11:07 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-13 10:01 . 2012-02-13 10:01 -------- d-----w- c:\program files\Catan
2012-02-13 08:50 . 2012-02-13 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2012-02-13 08:49 . 2012-02-13 08:49 -------- d-----w- c:\program files\Oberon
2012-02-11 18:27 . 2012-02-13 08:51 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\Rachael\Application Data\NCH Software
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-02-03 20:46 . 2012-02-03 20:46 -------- d-----w- c:\program files\NCH Software
2012-02-03 20:41 . 2012-02-03 20:41 -------- d-----w- c:\documents and settings\Rachael\Application Data\MtStudio
2012-01-31 11:58 . 2012-01-31 11:58 -------- d-----w- c:\documents and settings\Rachael\Application Data\DDMSettings
2012-01-23 00:02 . 2012-01-23 00:02 -------- d-----w- c:\windows\_swf_imagine digital freedom_work
2012-01-22 21:02 . 2012-01-22 21:02 -------- d-----w- c:\program files\Lame For Audacity
2012-01-22 20:58 . 2012-02-03 21:10 -------- d-----w- c:\documents and settings\Rachael\Application Data\Audacity
2012-01-22 20:29 . 2012-02-08 19:00 -------- d-----w- c:\program files\Audacity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 10:16 . 2011-05-27 07:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2011-11-25 21:57 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-12 14:09 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-12 14:03 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-12 14:09 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-12 14:04 152064 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 07:42 . 2012-01-11 07:42 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-13_12.50.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-16 19:36 . 2012-02-13 13:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-16 19:36 . 2012-02-13 12:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-02-13 17:15 . 2011-07-06 12:44 27888 c:\windows\LastGood\system32\DRIVERS\GEARAspiWDM.sys
+ 2010-05-17 07:40 . 2008-04-17 21:12 107368 c:\windows\system32\GEARAspi.dll
+ 2012-02-13 17:15 . 2010-08-21 03:59 106928 c:\windows\LastGood\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetMeter"="c:\program files\HooTech Net Meter\HooNetMeter.exe" [2008-12-06 577536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
.
c:\documents and settings\Rachael\Start Menu\Programs\Startup\
Easy Display Manager for XP.lnk - c:\program files\Samsung\Easy Display Manager\DMLauncher_XP.exe [2010-5-14 466944]
Magic Keyboard.lnk - c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe [2010-1-16 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2010-11-23 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Rachael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Rachael\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/15/2011 3:23 PM 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 6:59 PM 2152152]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/19/2010 1:31 AM 691696]
S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [1/16/2010 7:50 PM 4300]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [6/23/2011 2:21 PM 99896]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/13/2012 2:21 PM 652360]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe [5/19/2009 9:39 AM 66792]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 1:22 PM 98304]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [8/12/2004 2:06 PM 14336]
S3 70979179;70979179; [x]
S3 78673605;78673605; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/16/2010 7:44 PM 1684736]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 6:59 PM 15232]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/13/2012 2:21 PM 20464]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 4:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 4:49 AM 8320]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [6/23/2011 2:20 PM 17408]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [9/7/2010 2:03 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [9/7/2010 2:03 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [9/7/2010 2:03 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [9/7/2010 2:03 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [9/7/2010 2:03 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [9/7/2010 2:03 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [9/7/2010 2:03 PM 109864]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [5/28/2011 9:02 AM 155344]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [3/14/2010 8:56 AM 233512]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [8/9/2011 5:14 PM 238464]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/20/2010 10:31 AM 11520]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 12:19 PM 268528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ yksvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vserial
aswrdr
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 07:40]
.
2012-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004Core.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004UA.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-03 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
2012-02-06 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2704262
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rachael\Application Data\Mozilla\Firefox\Profiles\90841v1g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2704262&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-13 17:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0c,dc,26,dc,bf,be,97,e2,c4,5a,8a,cc,49,21,a4,9c,76,80,2b,41,03,ca,75,
fd,42,68,c8,9b,c0,70,76,aa,cb,c5,94,6a,52,4b,0c,a3,9f,97,cf,5d,ac,aa,cd,cf,\
"??"=hex:5a,2d,06,f2,75,07,34,72,16,00,f2,7c,6f,d4,1e,45
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1700)
c:\windows\system32\WININET.dll
c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-02-13 17:47:59
ComboFix-quarantined-files.txt 2012-02-13 17:47
ComboFix2.txt 2012-02-13 17:04
ComboFix3.txt 2012-02-13 13:44
ComboFix4.txt 2012-02-13 12:55
.
Pre-Run: 68,605,718,528 bytes free
Post-Run: 68,611,379,200 bytes free
.
- - End Of File - - E510D94ADA451F4DF3E16A8BE2522E7B
 
I'm not really sure what has been done here:
2012-02-13 17:15 -------- d-----w- c:\windows\LastGood

Did you roll the system back to the Last Known Good Configuration?
---------------------------------------------------
About Norton: I just wanted you to disable the Norton 360 Registry Cleaner
A Restore Point was set here: RP429: 2/13/2012 10:26:28 AM - Norton 360 Registry Clean
So that may be when the registry cleaner was scheduled to run

You just need to open the 360 Settings> choose Task Scheduler option> In the settings panel> Uncheck Registry Cleaner> Save the settings.
This will stop it from running automatically.

But the Norton AV and FW should be disabled when ComboFix is run. You do not have to uninstall the program, just disable it:
  • Right-click the Norton 360 Premier Edition icon in the system tray and select Disable Antivirus Automatic-Protect.
  • You will get a new dialog box with five options: 15 minutes, 1 hour, 5 hours, Until system restart, Permanently.
  • Choose 5 hours.
======================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\FixZeroAccess.sys
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\vsdatant.sys
DDS::
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2704262
Extra::
Firefox::
Firefox-:- Profile - c:\documents and settings\rachael\application data\mozilla\firefox\profiles\90841v1g.default\
Firefox-:  prefs.js - Search.DefaultURL
RegNull::
[HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
Clearjavacache::
Driver::
70979179
vsdatant
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Did you know you still had a process running from ZoneAlarm? (2007) I removed it.

Tell me please what problems you are still having.
 
Thanks a bunch for all your help. I did not intentionally roll back the system to the last good configuration, but at one point ComboFix did mention that it was looking for the last good configuration.

I only uninstalled Norton because in safe mode it is not possible to open the program beyond scanning, and I was being prevented from opening it in normal Windows. It will be reinstalled once my computer is cleaned. (I hope that it was ok that I did this, but it was the only way to prevent it from running at the time.)

Below is the log for the CFScript.

ComboFix 12-02-12.01 - Rachael 02/13/2012 22:29:19.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1654 [GMT 0:00]
Running from: c:\documents and settings\Rachael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rachael\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\windows\system32\dds_trash_log.cmd"
"c:\windows\system32\drivers\FixZeroAccess.sys"
"c:\windows\system32\vsdatant.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_70979179
-------\Legacy_VSDATANT
-------\Service_70979179
-------\Service_vsdatant
.
.
((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
.
.
2012-02-13 16:09 . 2012-02-13 16:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-13 16:07 . 2012-02-13 16:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\Rachael\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-13 14:21 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-13 11:42 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-13 11:00 . 2012-02-13 14:02 32808 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-02-13 10:03 . 2012-02-13 11:07 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-13 10:01 . 2012-02-13 10:01 -------- d-----w- c:\program files\Catan
2012-02-13 08:50 . 2012-02-13 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2012-02-13 08:49 . 2012-02-13 08:49 -------- d-----w- c:\program files\Oberon
2012-02-11 18:27 . 2012-02-13 08:51 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\Rachael\Application Data\NCH Software
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-02-03 20:46 . 2012-02-03 20:46 -------- d-----w- c:\program files\NCH Software
2012-02-03 20:41 . 2012-02-03 20:41 -------- d-----w- c:\documents and settings\Rachael\Application Data\MtStudio
2012-01-31 11:58 . 2012-01-31 11:58 -------- d-----w- c:\documents and settings\Rachael\Application Data\DDMSettings
2012-01-23 00:02 . 2012-01-23 00:02 -------- d-----w- c:\windows\_swf_imagine digital freedom_work
2012-01-22 21:02 . 2012-01-22 21:02 -------- d-----w- c:\program files\Lame For Audacity
2012-01-22 20:58 . 2012-02-03 21:10 -------- d-----w- c:\documents and settings\Rachael\Application Data\Audacity
2012-01-22 20:29 . 2012-02-08 19:00 -------- d-----w- c:\program files\Audacity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 10:16 . 2011-05-27 07:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2011-11-25 21:57 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-12 14:09 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-12 14:03 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-12 14:09 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-12 14:04 152064 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 07:42 . 2012-01-11 07:42 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-13_12.50.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-13 22:46 . 2012-02-13 22:46 16384 c:\windows\temp\Perflib_Perfdata_20c.dat
+ 2012-02-13 22:49 . 2012-02-13 22:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-16 19:36 . 2012-02-13 22:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-16 19:36 . 2012-02-13 12:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-02-13 22:15 . 2012-02-13 22:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-01-16 19:36 . 2012-02-13 12:26 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-17 07:40 . 2008-04-17 21:12 107368 c:\windows\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetMeter"="c:\program files\HooTech Net Meter\HooNetMeter.exe" [2008-12-06 577536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
.
c:\documents and settings\Rachael\Start Menu\Programs\Startup\
Easy Display Manager for XP.lnk - c:\program files\Samsung\Easy Display Manager\DMLauncher_XP.exe [2010-5-14 466944]
Magic Keyboard.lnk - c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe [2010-1-16 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2010-11-23 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Rachael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Rachael\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/15/2011 3:23 PM 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/19/2010 1:31 AM 691696]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [1/16/2010 7:50 PM 4300]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [6/23/2011 2:21 PM 99896]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 6:59 PM 2152152]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/13/2012 2:21 PM 652360]
R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe [5/19/2009 9:39 AM 66792]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 1:22 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [8/12/2004 2:06 PM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/13/2012 2:21 PM 20464]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [3/14/2010 8:56 AM 233512]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [8/9/2011 5:14 PM 238464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S3 78673605;78673605; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/16/2010 7:44 PM 1684736]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 4:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 4:49 AM 8320]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [6/23/2011 2:20 PM 17408]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [9/7/2010 2:03 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [9/7/2010 2:03 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [9/7/2010 2:03 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [9/7/2010 2:03 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [9/7/2010 2:03 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [9/7/2010 2:03 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [9/7/2010 2:03 PM 109864]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [5/28/2011 9:02 AM 155344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/20/2010 10:31 AM 11520]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 12:19 PM 268528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ yksvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vserial
aswrdr
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 07:40]
.
2012-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004Core.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004UA.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-03 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
2012-02-06 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rachael\Application Data\Mozilla\Firefox\Profiles\90841v1g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2704262&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-13 22:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(712)
c:\windows\system32\WININET.dll
c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.3.21.99\GoogleCrashHandler.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe
.
**************************************************************************
.
Completion time: 2012-02-13 22:53:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-13 22:53
ComboFix2.txt 2012-02-13 20:56
ComboFix3.txt 2012-02-13 17:48
ComboFix4.txt 2012-02-13 17:04
ComboFix5.txt 2012-02-13 22:19
.
Pre-Run: 68,581,384,192 bytes free
Post-Run: 68,590,616,576 bytes free
.
- - End Of File - - F4ED1C0B15F5921E372B87943A8FB88F

==================================
Problems resolved-
Task manager once again reappears
It no longer takes ages to boot up
I can once again access My Computer, and the command line
Internet is once again accessible in normal mode

Problems still seen-
It still takes about twice as long to boot up as it did pre-infection.
Plug and Play is still not happening (not a huge deal).
 
I have kept the computer disconnected from the internet, and booted it up yesterday. It is still running much slower than usual in normal mode, and a scan with TDSSKiller still shows one infected area that it can only copy to quarantine, not actually get rid of. What would your advice be on proceeding further?
 
Please be sure to copy everything in the code box when you run the script.

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
Code:
File::
"c:\windows\system32\dds_trash_log.cmd"
"c:\windows\system32\drivers\FixZeroAccess.sys"
"c:\windows\system32\vsdatant.sys"
FileLook::
C:\WINDOWS\system32\Drivers\sptd.sys
Extra::
Firefox::
Firefox-:- Profile - c:\documents and settings\rachael\application data\mozilla\firefox\profiles\90841v1g.default\
Firefox-:  prefs.js - Search.DefaultURL
DDS::
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2704262
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
RegNull::
[HKEY_USERS\S-1-5-21-1960408961-484061587-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
Clearjavacache::
Driver::
70979179
78673605
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Comments:
1. It looks like you're using a Netbook with Dual Boot with Windows XP SP3 and Ubuntu (most current version)
Install Date: 1/16/2010 7:34:44 PM. Was this reinstall? Or is the original only 2 years old?

2. Did you run TDSSKiller again after this scan> Current date / time: 2012/02/13 16:08:07.0328. If yes, log please.

3. The system is already slow yet you are adding programs:The first log is dated 2012-02-13:
2012-02-13 10:01:08 -------- d-----w- c:\program files\Catan
2012-02-13 08:50:58 -------- d-----w- c:\documents and settings\all users\application data\Protexis
2012-02-13 08:49:43 -------- d-----w- c:\program files\Oberon
2012-02-11 18:27:38 -------- d-----w- c:\program files\common files\PC Tools

4. How much RAM is installed?
The computer was running 'slower than normal' before the infection, was it not? The only way this cleaning will affect that is if there were so many processes from the malware running to 'choke' the system and slow it down and they were found and removed.
=======================================
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Current is vX (10.xx) > Adobe Reader Update
Java(TM) > Current is v6u30 > Java Updates.
Uninstall any earlier versions of both, as they are vulnerabilities for the system.
=====================================
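The two CFScript posts above do the same triage by hand: pick out the service names ComboFix lists without a binary (the "S3 78673605;78673605; [x]" line), pair them with TDSSKiller entries that only ever receive a "- ok" verdict and no file line, and reverse the "AntiVirusOverride" and "EnableFirewall" loading points. The script below is an added example, not code from this thread, from ComboFix or from TDSSKiller. It runs those checks over constructed sample lines modelled on the log formats quoted here and prints the matching Driver:: and Registry:: sections in the syntax the helper uses. The regexes, the finding labels and the assumption that an all-digit service name with no file on disk belongs under Driver:: are mine, not the tools'.

```python
"""Triage a ComboFix / TDSSKiller excerpt for the patterns acted on in this thread.

Added example, not code from the thread, ComboFix or TDSSKiller. It flags
all-digit service names, services with no binary on disk, and Security Center /
firewall loading points that silence protection, then emits CFScript sections.
"""
import re

# Constructed sample lines modelled on the ComboFix log format in this thread.
SAMPLE_COMBOFIX = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/19/2010 1:31 AM 691696]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S3 78673605;78673605; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/16/2010 7:44 PM 1684736]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed sample lines modelled on the TDSSKiller log format in this thread.
SAMPLE_TDSSKILLER = r"""
19:18:28.0515 3868 78673605 - ok
19:18:28.0609 3868 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:18:28.0609 3868 ACPI - ok
19:18:30.0828 3868 EraserUtilRebootDrv - ok
"""

# ComboFix: "<R|S><n> <name>;<display name>;<binary path> [<date> <size>]"
CF_SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
CF_KEY = re.compile(r"^\[(.+)\]$")
CF_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# TDSSKiller: a file line carries "(md5) path"; a verdict line carries "- ok" etc.
TK_FILE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(\S+)\s+\(([0-9a-f]{32})\)\s+(\S.*)$")
TK_VERDICT = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(\S+)\s+-\s+(\S.*)$")


def _reg_int(raw):
    """Parse the two value spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw.split()[0], 0)


def scan_combofix(text):
    """Return (name, reason) findings from service lines and Reg Loading Points."""
    findings, key = [], ""
    for line in text.splitlines():
        m = CF_SERVICE.match(line)
        if m:
            name, rest = m.group(2).strip(), m.group(4).strip()
            if name.isdigit():  # random numeric names, as listed under Driver:: above
                findings.append((name, "all-digit service name"))
            if rest.endswith("[x]") or rest.endswith("[?]"):  # file not found by ComboFix
                findings.append((name, "service binary missing on disk"))
            continue
        m = CF_KEY.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = CF_VALUE.match(line)
        if not m:
            continue
        vname, raw = m.group(1), m.group(2)
        if "security center" in key and vname == "AntiVirusOverride" and _reg_int(raw) == 1:
            findings.append((vname, "Security Center AV monitoring overridden"))
        if "firewallpolicy" in key and vname == "EnableFirewall" and _reg_int(raw) == 0:
            findings.append((vname, "Windows Firewall disabled for this profile"))
    return findings


def scan_tdsskiller(text):
    """Return all-digit entries that got a verdict but never a file line."""
    with_file, verdicts = set(), {}
    for line in text.splitlines():
        m = TK_FILE.match(line)
        if m:
            with_file.add(m.group(1))
            continue
        m = TK_VERDICT.match(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return [(n, "all-digit entry with no file, verdict '%s'" % v)
            for n, v in verdicts.items() if n.isdigit() and n not in with_file]


def build_cfscript(findings):
    """Emit the sections the thread's CFScripts use: Driver:: names and the Registry:: reset."""
    drivers = sorted({n for n, why in findings if "all-digit" in why})
    lines = []
    if drivers:
        lines += ["Driver::"] + drivers
    if any(why.startswith("Security Center") for _, why in findings):
        lines += ["Registry::",
                  r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
                  '"AntiVirusOverride"=-']
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_combofix(SAMPLE_COMBOFIX) + scan_tdsskiller(SAMPLE_TDSSKILLER)
    for name, why in found:
        print("%-24s %s" % (name, why))
    print(build_cfscript(found))
```

Treat the output as a draft to review, not a script to drop onto ComboFix unread: Driver:: deletes the named service, and a "[?]" entry can be a leftover from an uninstalled product (the PC Tools line in the sample) rather than malware. Note also that a "- ok" verdict from TDSSKiller only says it found nothing malicious in what it could inspect; the helper in this thread still removed 78673605 after that verdict because the service had no file behind it.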
 
Thank you very much, I will post the logs when I get home from work tomorrow. I have gotten swamped and been unable to get back to fixing my computer these past few days. Please do not shut down the thread.
 
1. It looks like you're using a Netbook with Dual Boot with Windows XP SP3 and Ubuntu (most current version)
Install Date: 1/16/2010 7:34:44 PM. Was this reinstall? Or is the original only 2 years old?

Original install for windows, I partitioned the drive to add Ubuntu

2. Did you run TDSSKiller again after this scan> Current date / time: 2012/02/13 16:08:07.0328. If yes, log please.

See below, rerun upon turning the computer on today (it has remained off since the last run of the CFScript).

3. The system is already slow yet you are adding programs:The first log is dated 2012-02-13:
2012-02-13 10:01:08 -------- d-----w- c:\program files\Catan
2012-02-13 08:50:58 -------- d-----w- c:\documents and settings\all users\application data\Protexis
2012-02-13 08:49:43 -------- d-----w- c:\program files\Oberon
2012-02-11 18:27:38 -------- d-----w- c:\program files\common files\PC Tools

I have not added any programs since the rootkit infected the computer. Prior to the rootkit the netbook was running at its normal speed, and I deemed it allowable to install programs.

4. How much RAM is installed?
The computer was running 'slower than normal' before the infection, was it not?
No, it was not running "slower than normal" prior to the infection. It is a netbook, so it does tend to run a bit slower than most computers, but it was running at the same speed it always had. It has 2 GB of RAM; I installed the upgrade about a year ago. Since cleaning started it has sped back up in all but the logging into Windows stage.

Log for TDSSKiller:
19:18:20.0484 3848 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
19:18:20.0515 3848 ============================================================
19:18:20.0515 3848 Current date / time: 2012/02/20 19:18:20.0515
19:18:20.0515 3848 SystemInfo:
19:18:20.0515 3848
19:18:20.0515 3848 OS Version: 5.1.2600 ServicePack: 3.0
19:18:20.0515 3848 Product type: Workstation
19:18:20.0515 3848 ComputerName: LITTLEONE
19:18:20.0515 3848 UserName: Rachael
19:18:20.0515 3848 Windows directory: C:\WINDOWS
19:18:20.0515 3848 System windows directory: C:\WINDOWS
19:18:20.0515 3848 Processor architecture: Intel x86
19:18:20.0515 3848 Number of processors: 2
19:18:20.0515 3848 Page size: 0x1000
19:18:20.0515 3848 Boot type: Normal boot
19:18:20.0515 3848 ============================================================
19:18:22.0203 3848 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:18:22.0203 3848 \Device\Harddisk0\DR0:
19:18:22.0203 3848 MBR used
19:18:22.0203 3848 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xC02F10, BlocksNum 0x10DFF817
19:18:22.0234 3848 Initialize success
19:18:22.0234 3848 ============================================================
19:18:28.0312 3868 ============================================================
19:18:28.0312 3868 Scan started
19:18:28.0312 3868 Mode: Manual;
19:18:28.0312 3868 ============================================================
19:18:28.0515 3868 78673605 - ok
19:18:28.0531 3868 Abiosdsk - ok
19:18:28.0546 3868 abp480n5 - ok
19:18:28.0609 3868 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:18:28.0609 3868 ACPI - ok
19:18:28.0656 3868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:18:28.0656 3868 ACPIEC - ok
19:18:28.0671 3868 adpu160m - ok
19:18:28.0718 3868 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:18:28.0734 3868 aec - ok
19:18:28.0812 3868 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:18:28.0812 3868 AFD - ok
19:18:28.0828 3868 Aha154x - ok
19:18:28.0843 3868 aic78u2 - ok
19:18:28.0859 3868 aic78xx - ok
19:18:28.0890 3868 AliIde - ok
19:18:29.0000 3868 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
19:18:29.0015 3868 Ambfilt - ok
19:18:29.0109 3868 amsint - ok
19:18:29.0234 3868 AR5416 (c413e2e549488a5f1969decb5b03187a) C:\WINDOWS\system32\DRIVERS\athw.sys
19:18:29.0250 3868 AR5416 - ok
19:18:29.0265 3868 asc - ok
19:18:29.0281 3868 asc3350p - ok
19:18:29.0296 3868 asc3550 - ok
19:18:29.0375 3868 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:18:29.0375 3868 AsyncMac - ok
19:18:29.0421 3868 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:18:29.0421 3868 atapi - ok
19:18:29.0421 3868 Atdisk - ok
19:18:29.0484 3868 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:18:29.0484 3868 Atmarpc - ok
19:18:29.0531 3868 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:18:29.0546 3868 audstub - ok
19:18:29.0578 3868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:18:29.0578 3868 Beep - ok
19:18:29.0640 3868 BVRPMPR5 (51b327292408b5f3a42e295bce055859) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
19:18:29.0640 3868 BVRPMPR5 - ok
19:18:29.0812 3868 catchme - ok
19:18:29.0859 3868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:18:29.0859 3868 cbidf2k - ok
19:18:29.0921 3868 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:18:29.0921 3868 CCDECODE - ok
19:18:29.0937 3868 cd20xrnt - ok
19:18:29.0953 3868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:18:29.0953 3868 Cdaudio - ok
19:18:29.0968 3868 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:18:29.0968 3868 Cdfs - ok
19:18:30.0046 3868 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:18:30.0046 3868 Cdrom - ok
19:18:30.0062 3868 Changer - ok
19:18:30.0125 3868 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:18:30.0125 3868 CmBatt - ok
19:18:30.0140 3868 CmdIde - ok
19:18:30.0156 3868 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:18:30.0171 3868 Compbatt - ok
19:18:30.0187 3868 Cpqarray - ok
19:18:30.0265 3868 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
19:18:30.0265 3868 CVirtA - ok
19:18:30.0312 3868 CVPNDRVA (cb90b2762b1a1d0b40496400c55b6ade) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
19:18:30.0328 3868 CVPNDRVA - ok
19:18:30.0328 3868 dac2w2k - ok
19:18:30.0359 3868 dac960nt - ok
19:18:30.0375 3868 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:18:30.0375 3868 Disk - ok
19:18:30.0453 3868 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:18:30.0453 3868 dmboot - ok
19:18:30.0500 3868 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:18:30.0500 3868 dmio - ok
19:18:30.0546 3868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:18:30.0546 3868 dmload - ok
19:18:30.0593 3868 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:18:30.0593 3868 DMusic - ok
19:18:30.0625 3868 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
19:18:30.0625 3868 DNE - ok
19:18:30.0703 3868 DOSMEMIO (8a4cb9438571814b128b6dc30d698064) C:\WINDOWS\system32\MEMIO.SYS
19:18:30.0703 3868 DOSMEMIO - ok
19:18:30.0718 3868 dpti2o - ok
19:18:30.0734 3868 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:18:30.0734 3868 drmkaud - ok
19:18:30.0828 3868 EraserUtilRebootDrv - ok
19:18:30.0890 3868 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:18:30.0890 3868 Fastfat - ok
19:18:30.0937 3868 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:18:30.0937 3868 Fdc - ok
19:18:30.0968 3868 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:18:30.0968 3868 Fips - ok
19:18:30.0984 3868 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:18:30.0984 3868 Flpydisk - ok
19:18:31.0046 3868 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:18:31.0062 3868 FltMgr - ok
19:18:31.0078 3868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:18:31.0078 3868 Fs_Rec - ok
19:18:31.0093 3868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:18:31.0093 3868 Ftdisk - ok
19:18:31.0109 3868 GEARAspiWDM - ok
19:18:31.0156 3868 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:18:31.0156 3868 Gpc - ok
19:18:36.0687 3868 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
19:18:36.0687 3868 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
19:18:36.0687 3868 sptd ( LockedFile.Multi.Generic ) - warning
19:18:36.0687 3868 sptd - detected LockedFile.Multi.Generic (1)
19:18:39.0359 3868 ============================================================
19:18:39.0359 3868 Scan finished
19:18:39.0359 3868 ============================================================
19:18:39.0375 3860 Detected object count: 1
19:18:39.0375 3860 Actual detected object count: 1
19:18:49.0890 3860 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
19:18:49.0890 3860 sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine


Log for CFScript run on ComboFix:

ComboFix 12-02-19.02 - Rachael 02/20/2012 19:47:19.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1694 [GMT 0:00]
Running from: c:\documents and settings\Rachael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rachael\Desktop\CFScript.txt
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\windows\system32\dds_trash_log.cmd"
"c:\windows\system32\drivers\FixZeroAccess.sys"
"c:\windows\system32\vsdatant.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_78673605
-------\Service_78673605
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-13 16:09 . 2012-02-20 19:18 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\Rachael\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-13 14:21 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-13 11:42 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-13 11:00 . 2012-02-13 14:02 32808 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-02-13 10:03 . 2012-02-13 11:07 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-13 10:01 . 2012-02-20 19:34 -------- d-----w- c:\program files\Catan
2012-02-13 08:50 . 2012-02-13 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2012-02-11 18:27 . 2012-02-13 08:51 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\Rachael\Application Data\NCH Software
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-02-03 20:46 . 2012-02-03 20:46 -------- d-----w- c:\program files\NCH Software
2012-02-03 20:41 . 2012-02-03 20:41 -------- d-----w- c:\documents and settings\Rachael\Application Data\MtStudio
2012-01-31 11:58 . 2012-01-31 11:58 -------- d-----w- c:\documents and settings\Rachael\Application Data\DDMSettings
2012-01-23 00:02 . 2012-01-23 00:02 -------- d-----w- c:\windows\_swf_imagine digital freedom_work
2012-01-22 21:02 . 2012-01-22 21:02 -------- d-----w- c:\program files\Lame For Audacity
2012-01-22 20:58 . 2012-02-03 21:10 -------- d-----w- c:\documents and settings\Rachael\Application Data\Audacity
2012-01-22 20:29 . 2012-02-08 19:00 -------- d-----w- c:\program files\Audacity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 10:16 . 2011-05-27 07:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2011-11-25 21:57 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-12 14:09 1859584 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 07:42 . 2012-01-11 07:42 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\Drivers\sptd.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 691696
Created time: 2010-09-19 01:31
Modified time: 2010-09-19 01:31
MD5: !HASH: COULD NOT OPEN FILE !!!!!
SHA1: !HASH: COULD NOT OPEN FILE !!!!!
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-13_12.50.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-20 20:04 . 2012-02-20 20:04 16384 c:\windows\temp\Perflib_Perfdata_138.dat
+ 2010-01-16 19:36 . 2012-02-14 19:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-16 19:36 . 2012-02-13 12:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-17 07:40 . 2008-04-17 21:12 107368 c:\windows\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetMeter"="c:\program files\HooTech Net Meter\HooNetMeter.exe" [2008-12-06 577536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
.
c:\documents and settings\Rachael\Start Menu\Programs\Startup\
Easy Display Manager for XP.lnk - c:\program files\Samsung\Easy Display Manager\DMLauncher_XP.exe [2010-5-14 466944]
Magic Keyboard.lnk - c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe [2010-1-16 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2010-11-23 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Rachael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Rachael\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/19/2010 1:31 AM 691696]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [1/16/2010 7:50 PM 4300]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [6/23/2011 2:21 PM 99896]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/13/2012 2:21 PM 652360]
R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe [5/19/2009 9:39 AM 66792]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 1:22 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [8/12/2004 2:06 PM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/13/2012 2:21 PM 20464]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [3/14/2010 8:56 AM 233512]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [8/9/2011 5:14 PM 238464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/16/2010 7:44 PM 1684736]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 4:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 4:49 AM 8320]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [6/23/2011 2:20 PM 17408]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [9/7/2010 2:03 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [9/7/2010 2:03 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [9/7/2010 2:03 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [9/7/2010 2:03 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [9/7/2010 2:03 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [9/7/2010 2:03 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [9/7/2010 2:03 PM 109864]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [5/28/2011 9:02 AM 155344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/20/2010 10:31 AM 11520]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 12:19 PM 268528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ yksvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vserial
aswrdr
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004Core.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004UA.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-03 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
2012-02-06 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Rachael\Application Data\Mozilla\Firefox\Profiles\90841v1g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2704262&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 20:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\WININET.dll
c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.3.21.99\GoogleCrashHandler.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe
.
**************************************************************************
.
Completion time: 2012-02-20 20:12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 20:12
ComboFix2.txt 2012-02-14 20:36
ComboFix3.txt 2012-02-13 23:34
ComboFix4.txt 2012-02-13 22:53
ComboFix5.txt 2012-02-20 19:37
.
Pre-Run: 71,530,520,576 bytes free
Post-Run: 71,546,286,080 bytes free
.
- - End Of File - - 070B8DED591843B33C385DC4A3541AD3
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    sptd.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=============================================
Please run this Custom CFScript:

  [1]. Close any open browsers.
  [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\FixZeroAccess.sys
Extra::
File::
Firefox::
Firefox-: - Profile- c:\documents and settings\Rachael\Application Data\Mozilla\Firefox\Profiles\90841v1g.default\
Firefox-: prefs.js Search.Default
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
I was trying to offer suggestions for you to check for possible contributors to the slowness.
=====================
Last scans.
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
===================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

  If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save it to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
My apologies, I have been very sick. I will run the above instructions on my computer tomorrow morning first thing and post the logs.
 
Systemlook

SystemLook 30.07.11 by jpshortstuff
Log created at 07:53 on 27/02/2012 by Rachael
Administrator - Elevation successful

========== filefind ==========

Searching for "sptd.*"
C:\WINDOWS\system32\drivers\sptd.sys --a---- 691696 bytes [01:31 19/09/2010] [01:31 19/09/2010] (Unable to calculate MD5)

-= EOF =-


Combofix with CFScript
ComboFix 12-02-25.02 - Rachael 02/27/2012 8:13.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1687 [GMT 0:00]
Running from: c:\documents and settings\Rachael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rachael\Desktop\CFScript.txt
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\windows\system32\drivers\FixZeroAccess.sys"
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-27 07:49 . 2012-02-27 07:49 -------- d-----w- C:\HijackThis
2012-02-20 19:34 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-20 19:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-13 16:09 . 2012-02-20 19:18 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\Rachael\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-13 14:21 . 2012-02-13 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-13 14:21 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-13 11:42 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-13 10:03 . 2012-02-13 11:07 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-13 10:01 . 2012-02-20 19:34 -------- d-----w- c:\program files\Catan
2012-02-13 08:50 . 2012-02-13 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2012-02-11 18:27 . 2012-02-13 08:51 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\Rachael\Application Data\NCH Software
2012-02-03 20:47 . 2012-02-03 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-02-03 20:46 . 2012-02-03 20:46 -------- d-----w- c:\program files\NCH Software
2012-02-03 20:41 . 2012-02-03 20:41 -------- d-----w- c:\documents and settings\Rachael\Application Data\MtStudio
2012-01-31 11:58 . 2012-01-31 11:58 -------- d-----w- c:\documents and settings\Rachael\Application Data\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 10:16 . 2011-05-27 07:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-01-11 07:42 . 2012-01-11 07:42 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-13_12.50.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-27 08:11 . 2012-02-27 08:11 16384 c:\windows\temp\Perflib_Perfdata_14c.dat
- 2010-01-16 19:36 . 2012-02-13 12:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-16 19:36 . 2012-02-14 19:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-23 16:01 . 2012-01-12 04:56 35088 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-01-23 16:01 . 2012-02-27 07:52 35088 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 18704 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-01-23 16:01 . 2012-02-27 07:52 18704 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 20240 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-01-23 16:01 . 2012-02-27 07:52 20240 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-10-01 18:07 . 2012-02-27 07:54 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-10-01 18:07 . 2011-10-13 07:34 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-05-17 07:40 . 2008-04-17 21:12 107368 c:\windows\system32\GEARAspi.dll
+ 2010-01-23 16:01 . 2012-02-27 07:52 888080 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 888080 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 272648 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-01-23 16:01 . 2012-02-27 07:52 272648 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 922384 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-01-23 16:01 . 2012-02-27 07:52 922384 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-01-23 16:01 . 2012-02-27 07:52 845584 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 845584 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 217864 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
+ 2010-01-23 16:01 . 2012-02-27 07:52 217864 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
+ 2012-02-03 15:13 . 2012-02-03 15:13 4988928 c:\windows\Installer\80c6d.msp
+ 2010-01-23 16:01 . 2012-02-27 07:52 1172240 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
- 2010-01-23 16:01 . 2012-01-12 04:56 1172240 c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
+ 2012-02-27 07:52 . 2012-02-27 07:52 20333056 c:\windows\Installer\80c78.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Rachael\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetMeter"="c:\program files\HooTech Net Meter\HooNetMeter.exe" [2008-12-06 577536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
.
c:\documents and settings\Rachael\Start Menu\Programs\Startup\
Easy Display Manager for XP.lnk - c:\program files\Samsung\Easy Display Manager\DMLauncher_XP.exe [2010-5-14 466944]
Magic Keyboard.lnk - c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe [2010-1-16 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2010-11-23 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Rachael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Rachael\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/19/2010 1:31 AM 691696]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [1/16/2010 7:50 PM 4300]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [6/23/2011 2:21 PM 99896]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/13/2012 2:21 PM 652360]
R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe [5/19/2009 9:39 AM 66792]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 1:22 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [8/12/2004 2:06 PM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/13/2012 2:21 PM 20464]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [3/14/2010 8:56 AM 233512]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [8/9/2011 5:14 PM 238464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/16/2010 7:44 PM 1684736]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 3:39 PM 135664]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 4:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 4:49 AM 8320]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [6/23/2011 2:20 PM 17408]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [9/7/2010 2:03 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [9/7/2010 2:03 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [9/7/2010 2:03 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [9/7/2010 2:03 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [9/7/2010 2:03 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [9/7/2010 2:03 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [9/7/2010 2:03 PM 109864]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [5/28/2011 9:02 AM 155344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/20/2010 10:31 AM 11520]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 12:19 PM 268528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ yksvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vserial
aswrdr
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]
.
2012-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 15:38]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004Core.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-484061587-725345543-1004UA.job
- c:\documents and settings\Rachael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 00:08]
.
2012-02-03 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
2012-02-06 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2012-02-03 20:46]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rachael\Application Data\Mozilla\Firefox\Profiles\90841v1g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2704262&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-27 08:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-02-27 08:30:12
ComboFix-quarantined-files.txt 2012-02-27 08:29
ComboFix2.txt 2012-02-20 20:12
ComboFix3.txt 2012-02-14 20:36
ComboFix4.txt 2012-02-13 23:34
ComboFix5.txt 2012-02-27 08:04
.
Pre-Run: 71,321,272,320 bytes free
Post-Run: 71,331,414,016 bytes free
.
- - End Of File - - 8EBB2259097269CE3B88C200D6C9E393


HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:33:48 AM, on 2/27/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Google\Update\1.3.21.99\GoogleCrashHandler.exe
C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rachael\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SUPBackGround] C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NetMeter] C:\Program Files\HooTech Net Meter\HooNetMeter.exe
O4 - Startup: Easy Display Manager for XP.lnk = ?
O4 - Startup: Magic Keyboard.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (file missing)
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ehrecvr (aswrdr) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP SI Service (HPSIService) - HP - C:\WINDOWS\system32\HPSIsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe (file missing)
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: SRS WOWXT/TSXT Service (SRS_WOWXT_Service) - SRS Labs, Inc. - C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 8964 bytes


ESET Log to come in a bit
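As an added illustration, not part of this thread's logs or of any tool used here, the following Python triages HijackThis O23 service lines for the traits the suspicious entry above shows: an "Unknown owner", an ImagePath ending in "(file missing)", and a `\\.\globalroot` device-namespace path instead of a drive path. The sample lines are constructed from the log above (one suspicious, two benign).

```python
import re

# Constructed sample of HijackThis O23 lines, modelled on the log posted above.
# The first line reproduces the suspicious entry; the other two are benign.
SAMPLE_O23 = r"""
O23 - Service: Ehrecvr (aswrdr) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# "O23 - Service: <display> - <owner> - <path>"; owner and path rarely contain " - ".
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_RE = re.compile(r"\(([^()\s]+)\)\s*$")  # trailing "(shortname)" if present


def parse_o23(line):
    """Split one O23 line into (short_name, display, owner, path), or None if not O23."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display, owner, path = m.group("display", "owner", "path")
    short = SHORT_RE.search(display)
    return (short.group(1) if short else display, display, owner, path)


def flag_services(log_text):
    """Return {short_name: [reasons]} for O23 entries showing rootkit-style anomalies."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_o23(line)
        if parsed is None:
            continue
        short, display, owner, path = parsed
        reasons = []
        if owner.lower() == "unknown owner":
            reasons.append("no publisher name on the service binary")
        if path.endswith("(file missing)"):
            reasons.append("ImagePath points at a file HijackThis cannot find")
        if r"\\.\globalroot" in path.lower():
            reasons.append(r"ImagePath uses the \\.\globalroot device prefix instead of a drive path")
        if reasons:
            findings[short] = reasons
    return findings


if __name__ == "__main__":
    for name, why in flag_services(SAMPLE_O23).items():
        print(name)
        for reason in why:
            print("  -", reason)
```

Only the aswrdr entry is flagged, on all three counts; a display name that does not match its service key name (Ehrecvr vs aswrdr) is a further sign worth checking by hand.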
 
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir a variant of Win32/Rootkit.Kryptik.JK trojan
C:\System Volume Information\_restore{E1F33385-A01D-4131-BFE1-739C8A0617D2}\RP429\A0272891.sys a variant of Win32/Rootkit.Kryptik.JK trojan
C:\System Volume Information\_restore{E1F33385-A01D-4131-BFE1-739C8A0617D2}\RP429\A0273892.sys a variant of Win32/Rootkit.Kryptik.JK trojan
C:\System Volume Information\_restore{E1F33385-A01D-4131-BFE1-739C8A0617D2}\RP429\A0275064.sys a variant of Win32/Rootkit.Kryptik.JK trojan
C:\System Volume Information\_restore{E1F33385-A01D-4131-BFE1-739C8A0617D2}\RP429\A0279527.dll probably a variant of Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{E1F33385-A01D-4131-BFE1-739C8A0617D2}\RP429\A0279528.dll probably a variant of Win32/Sirefef.ER trojan
 
I hope you're feeling better.

Please tell me how the system is doing now. Are there any problems you are aware of?

There is a file of concern. Did you have Daemon Tools installed? There is a non-standard driver from that program.

I'd like you to run the following and leave the log in your next reply, along with a current description of problems.

Oops!
Forgot to leave the scan:
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
 
The system seems to be running fine; it no longer seems slow. My plug and play function is not working for things like USB sticks, and My Computer still seems a bit glitchy, with basic settings like window size being reset every time I open it. Once I get home I will run the CKScanner and post it here; I will also check on Daemon Tools.
 
You haven't told me what happens or how Plug N Play doesn't work, just mentioned a couple of times that there was a problem:
1. Are you wanting it to autorun and it isn't?
2. Did you check the Device Manager for errors? Control Panel> System> Hardware tab> Device Manager> click on + sign to expand System Devices> Plug and Play Device Enumerator> Do you see an error icon?

Right click on check for hardware changes
Right click> Properties> Troubleshoot> follow the Help Center.
3. Did you check to make sure Plug N Play Service is set to Automatic?
Click on Start> run> type in services.msc> Enter> Double click on Plug N Play> Startup type should be Automatic. If it isn't, set it in the dialog box.

That's the best I can do on PNP without knowing the problem.
=================================
My Computer still seems a bit glitchy, with basic settings like window size being reset every time I open it.
I can't do much for "glitchy"- that's an 'unknown.' But I can help with the Window size. Please tell me if you are referring to the default Window size or the 'Open new Window' feature.

If a Window opens too small and you use the Maximize box to resize, it will revert back to the smaller size when it opens again>>unless you reset by hand without using the Maximize button:

Open the Window> Do not use the Maximize box to change it> Instead, to enlarge, hold left mouse button down on top frame of Window and drag the Window up to top left corner> If you want it larger-or maximized-hold left mouse button down on the /// diagonal lines on the lower right corner of the Window> while holding left mouse button down, drag corner to larger or smaller, the size you want it to reopen next time> when finished, click the X on top right to close the Window.

Next time you call up that Windows, it should be the size you set. The trick to keeping the setting is not to use the Maximize button.

You can also set a Window to open smaller using the same principle.

If the particular Window you're working with does not have the /// at lower right corner: Run the cursor over the right side and the bottom of the Window (one at a time) until you see the double arrow> then hold left mouse button down and either move to the right or go down and drag the Windows edges to the size you want. Same as the other-don't use the Maximize box-Close on X when through.
====================
The rootkit frequently leaves the system with the following 'glitches.' If you notice them, reset as instructed:
Correct Display Changes if needed:
If the desktop background is black or if the theme has been removed:
  • Click on Start> Control Panel> Appearance & Personalization
  • Select Change Theme or Change Desktop Background
=====================================
Some items may not show on the Start menu. To add them back:
  • Right click on Start> Properties
  • Taskbar and Start Menu Properties screen appears
  • choose Start Menu tab> Click on Customize
  • For Windows XP> Choose Advanced tab
  • Check the items you want back on the Start Menu
  • When finished> click on OK> Apply and close.
=====================================
 
Ok, below is the CKScanner log. The plug n play problem appears to be fixed, as has the window size problem, and as of now I am not seeing any problems.

I did at one time have Daemon Tools installed, but I no longer do, so I'm not sure what the driver that you are talking about is. Please let me know if anything else needs to be done to declare the system clean.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\rachael\application data\macromedia\flash player\#sharedobjects\fnj4cs4e\crackle.com\cracklesettings.sol
c:\documents and settings\rachael\application data\macromedia\flash player\#sharedobjects\fnj4cs4e\www.crackle.com\cracklesettings.sol
c:\documents and settings\rachael\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys\#crackle.com\settings.sol
c:\documents and settings\rachael\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys\#www.crackle.com\settings.sol
c:\program files\hootech net meter\crack\hoonetmeter.exe
scanner sequence 3.DF.11.IQAPTA
----- EOF -----
 
This is a pirated program: c:\program files\hootech net meter\crack\hoonetmeter.exe

To continue support, any pirated software will have to be removed.
 
My apologies, I had forgotten to delete the crack after I realized I liked the program and subsequently bought it. I have uninstalled it for now, and will reactivate it with my purchased key after cleaning.
 
Okay- there are no 'missing' icons, program files etc.? Desktop isn't black? Start menu is set correctly? If the first two are 'no' and the last 'yes', then the possible after-effects of the rootkit have been resolved and you can remove the cleaning tools:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any questions.
 