Backdoor.tidserv blocking access to task manager and Internet connection

By Aspinxtreem
Oct 5, 2010
  1. Hi there,

    Yesterday I clicked on a link from a Google search result page and my computer was infected with a virus. After turning off system restore and running Symantec, several trojans and backdoor tidserv were located. I was able to temporarily access the Internet in safe mode and downloaded the Symantec FixTDSS. I ran it and my computer restarted successfully but I am not able to view/access any report. I've tried running it in both safe and normal modes to no avail.

    I am unable to access the Internet (I'm using a smart phone to post), task manager or regedit. I was able to open Msconfig and chose diagnostic startup and unchecked all of the suspicious files in the startup menu, most ending in "tssd". While that helped on reboot (my screen wasn't filled with phony symantec messages) I am still unable to get online to download the suggested programs listed in other similar posts.

    Does anyone have suggestions for next steps?

    Thank you in advance for your help.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Start with this:
    • Click on Start> type devmgmt.msc click OK
    • Choose > View> click on Show hidden devices
    • Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
    • Highlight that driver and right click on it and select DISABLE - NOT uninstall.
    • Reboot your computer.

    See if you can get online to download Malwarebytes. If you can't, download the program to a flash drive and install it on the problem computer:

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please paste this log with your reply
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    It's very important that you do the check in red above. Hopefully it will remove enough so that you can run the preliminary malware scans.

    Let me know- we'll go from there.
  3. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Thanks for the reply.

    I tried running Device Manager in both safe and normal modes and while the manager opens, none of the devices are listed. I selected show hidden devices but nothing came up.

    Also, I can't access the Internet anymore so I will have to download that program from a friend's computer. Are there any additional programs I should download at the same time?

    Thanks again!
  4. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Malwarebytes Report:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    10/5/2010 9:45:33 PM
    mbam-log-2010-10-05 (21-45-33).txt

    Scan type: Quick scan
    Objects scanned: 125743
    Time elapsed: 7 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ihsjfxrt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlevmydi (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5fe717eb-6cd2-4b60-809a-fe7fb3375e36}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5fe717eb-6cd2-4b60-809a-fe7fb3375e36}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{67732a68-10d7-4955-aea9-9fbd11478d23}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


    Please let me know what I should do next. Thank you so much!!
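The log above is worth reading closely: besides the rogue antivirus entries it records a DNS changer that rewrote the TCP/IP NameServer values to two foreign resolvers, which is why the machine could not get online. As an added example (not part of this thread, and not code from Malwarebytes), here is a small Python parser for logs in this format that extracts every detection, pulls the resolver addresses written by the DNS-changer entries, and compares a set of configured name servers against an allow-list. The sample log is constructed from the entries posted above; the allow-list address 192.168.1.1 is an assumed router address.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: detection lines copied from the Malwarebytes log in the
# post above, trimmed to the entries relevant to DNS-hijack triage.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4052

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ihsjfxrt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5fe717eb-6cd2-4b60-809a-fe7fb3375e36}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<object> (<family>) [-> Data: <value>] -> <action>"
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[A-Za-z0-9.]+)\)"
    r"(?: -> Data: (?P<data>\S+))? -> (?P<action>.+)$"
)
# Section headers such as "Registry Data Items Infected:" (the summary lines
# near the top of a real log end in a count, so they do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per detection line, tagged with the section it appeared in."""
    records: List[Dict[str, Optional[str]]] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            rec: Dict[str, Optional[str]] = m.groupdict()
            rec["section"] = section
            records.append(rec)
    return records


def rogue_dns_servers(records: Iterable[Dict[str, Optional[str]]]) -> List[str]:
    """Collect the resolver addresses a DNS-changer detection wrote into the TCP/IP settings."""
    servers = set()
    for rec in records:
        family = rec.get("family") or ""
        data = rec.get("data") or ""
        if family.endswith("DNSChanger") and data:
            servers.update(ip for ip in data.split(",") if ip)
    return sorted(servers)


def unexpected_nameservers(configured: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Flag configured resolvers that are not on the allow-list (router, ISP, or corporate resolvers).

    An empty value means the address is DHCP-assigned and is not flagged here.
    """
    allow = set(allowed)
    return sorted(ip for ip in configured if ip and ip not in allow)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    for rec in found:
        print(f"{rec['section']}: {rec['family']} -> {rec['obj']}")
    print("rogue resolvers:", rogue_dns_servers(found))
    # Assumed allow-list: the router's LAN address on a home network.
    print("unexpected:", unexpected_nameservers(["192.168.1.1", "93.188.164.130"], ["192.168.1.1"]))
```

The allow-list check is the part a practitioner would keep after cleanup: once Malwarebytes has removed the values, re-reading the NameServer keys (or the output of `ipconfig /all`) and confirming only expected resolvers remain is the quickest way to tell that the DNS hijack is actually gone rather than rewritten on the next reboot.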
  5. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Sorry for the duplicate replies, but I just wanted to give you an update. I was able to turn my device manager back on by running services.msc in safe mode and changing device mgr to automatic (it was disabled, as was plug and play). I don't see TDSSserv.sys anywhere in the list. I am attaching a screenshot of the non plug and play list.

    Thanks!

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I see an entry in the Device Manager Fix TDSS. What is this? You have a DNS Changer malware infection- please do the following. You might want to print this out for reference:
    DNS Changer
    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    Let me know if you can get back online after and we'll go from there.
  7. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Thanks Bobbye!

    Before I posted to this site, I went through the steps Symantec suggested, including downloading this Backdoor.Tidserv Removal Tool (found here http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99). The tool is supposed to run, restart your system, and give you a status of the removal upon reboot. Because the phony Windows security alert pops up and blocks everything else as soon as my system reboots, I was never able to view the status report from the FixTDSS tool. Should I remove this tool?

    I will take the steps you suggest and post my results shortly.

    Thanks again for your help!
  8. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Bobbye,

    I tried to do the DNS flush but received an error message. Once I entered "ipconfig /flushdns" and hit enter, I received an error message that said "Windows IP Configuration - Could not flush the DNS resolver cache: function failed during execution"

    Any suggestions?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The solution to fix this error message is to enable the DNS Client service again in the Services configuration menu:
    Start> Run> type in services.msc> double click on DNS Client> set Startup Type to Automatic> Start the Service> then Exit Services.

    Try the flush again. If you get same message, reboot, then try.
  10. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    I had a lot of trouble getting online, but was able to access the internet after:

    - following your flush/reset instructions
    - using Microsoft help's page to change most of the settings in my service manager because the virus had disabled everything
    - creating a new user account because every time I tried to access IE from my user account, the virus phony Windows security window opened (even though my second MBAM scan came back clean)
    - downloading and reinstalling my network and chipset drivers

    After all that, I'm back online. Thank you.

    Please let me know what steps I should take next.
  11. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    One note - I am able to access webpages if I type in the exact web address. I am unable to use search engines to locate a webpage. I tried searching using Google, Yahoo, and Bing and each time I clicked on a result, I was redirected to a bogus page.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Yes, please.

    You did a good job! The system is likely in better shape now due to your hard work.
    Since we jump started, I'd like to back up and have you run the following:
    • Download DDS by sUBs and save it to your desktop.

      After downloading the tool, disconnect from the internet and disable all antivirus protection.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • When done, DDS will open two (2) logs: Please paste both in your next reply.
      [o]DDS.txt
      [o]Attach.txt
    • Close the program window, and delete the program from your desktop.
    • Enable your Antivirus protection and reconnect to the internet.
    Please note: You may have to disable any script protection running if the scan fails to run.
    ========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==========================================
    When you have finished, paste the logs for review in your next reply . OK to use multiple posts if needed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.Pleas
  13. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Thank you again for your help.

    Here is the DDS.txt log


    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Admin at 22:06:08.64 on Sat 10/09/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.641 [GMT -4:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\wuauclt.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    svchost.exe
    C:\Documents and Settings\Admin\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    mWinlogon: Userinit=c:\windows\system32\Userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {971127BB-259F-48C2-BD75-5F97A3331551} - hxxp://connect.ontrackinview.com/msrdp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    Hosts: 212.117.178.25 www.google.com
    Hosts: 212.117.163.43 search.yahoo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\d1gk3n47.default\
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-17 64160]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-1 102448]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101001.002\naveng.sys [2010-10-1 86064]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101001.002\navex15.sys [2010-10-1 1371184]
    R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-3-18 73368]
    S0 FixTDSS;FixTDSS; [x]
    S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
    S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
    S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
    S4 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2009-3-18 139264]
    S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
    S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-11 24652]

    =============== Created Last 30 ================

    2010-10-10 01:23:03 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
    2010-10-10 01:20:35 -------- d-sh--w- c:\documents and settings\admin\IECompatCache
    2010-10-10 00:36:27 -------- d-----w- c:\program files\ESET
    2010-10-10 00:23:29 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\Symantec
    2010-10-09 17:57:30 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\Mozilla
    2010-10-09 17:38:42 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
    2010-10-09 17:35:13 457 ----a-w- c:\windows\system32\vcredist_x86.bat
    2010-10-09 17:35:12 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
    2010-10-09 17:35:09 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
    2010-10-06 01:29:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 01:29:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-06 01:29:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-06 01:29:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-05 02:20:22 0 ----a-w- c:\windows\Mxaqup.bin
    2010-10-05 02:17:36 843264 ----a-w- c:\windows\system32\drivers\irrvpg.sys
    2010-10-05 02:17:27 194560 ----a-w- c:\windows\Jzigia.exe
    2010-10-05 02:17:20 67072 --sha-r- c:\windows\system32\nlsfuncg.dll
    2010-10-05 02:16:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
    2010-10-05 02:16:34 41984 ----a-w- c:\windows\system32\wupdate.exe

    ==================== Find3M ====================


    ============= FINISH: 22:07:02.98 ===============
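Two parts of the DDS log above explain the earlier symptoms. The `Hosts:` lines show the hosts file mapping www.google.com and search.yahoo.com to outside addresses, which is exactly the "click a search result, land on a bogus page" behaviour reported in post 11; and the "Created Last 30" section shows a burst of unfamiliar files written under c:\windows within a few minutes on 2010-10-05, the day of the infection. As an added example (not part of the thread, and not code from the DDS tool), the Python below parses both sections: it flags any hosts-file override that does not point at loopback, and it clusters file creation timestamps into bursts so the infection's drop window stands out from routine activity. The sample log is constructed from lines posted above; the five-minute window and three-file threshold are assumed heuristics.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: the Hosts lines and a subset of the "Created Last 30"
# section from the DDS log in the post above.
SAMPLE_DDS_LOG = r"""Hosts: 212.117.178.25 www.google.com
Hosts: 212.117.163.43 search.yahoo.com

=============== Created Last 30 ================

2010-10-10 01:23:03 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-10-06 01:29:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-05 02:20:22 0 ----a-w- c:\windows\Mxaqup.bin
2010-10-05 02:17:36 843264 ----a-w- c:\windows\system32\drivers\irrvpg.sys
2010-10-05 02:17:27 194560 ----a-w- c:\windows\Jzigia.exe
2010-10-05 02:17:20 67072 --sha-r- c:\windows\system32\nlsfuncg.dll
2010-10-05 02:16:34 41984 ----a-w- c:\windows\system32\wupdate.exe
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")
# "<timestamp> <size or dashes> <attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# Hosts entries pointing here block a name rather than redirect it.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

Entry = Tuple[datetime, str, str]  # (created, attribute flags, path)


def hosts_hijacks(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs where the hosts file sends a name somewhere other than loopback."""
    hijacks = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m and m.group("ip") not in LOOPBACK:
            hijacks.append((m.group("host"), m.group("ip")))
    return hijacks


def parse_created(text: str) -> List[Entry]:
    """Parse the 'Created Last 30' entries into (timestamp, attrs, path) tuples."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group("attrs"), m.group("path")))
    return entries


def creation_bursts(entries: List[Entry],
                    window: timedelta = timedelta(minutes=5),
                    min_files: int = 3) -> List[List[Entry]]:
    """Group entries whose creation times are within `window` of the previous one.

    Only groups of at least `min_files` are returned: a dropper writing several
    binaries and a driver in a couple of minutes looks very different from a
    single program directory created during a normal install.
    """
    ordered = sorted(entries)
    bursts: List[List[Entry]] = []
    current: List[Entry] = []
    for entry in ordered:
        if current and entry[0] - current[-1][0] > window:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    for host, ip in hosts_hijacks(SAMPLE_DDS_LOG):
        print(f"hosts-file redirect: {host} -> {ip}")
    for burst in creation_bursts(parse_created(SAMPLE_DDS_LOG)):
        print(f"burst of {len(burst)} files starting {burst[0][0]}:")
        for ts, attrs, path in burst:
            print(f"  {ts} {attrs} {path}")
```

The burst heuristic is deliberately simple: it will also group a legitimate installer's output, so it points an analyst at a time window to examine rather than labelling files malicious. In the full log, the same window also contains the `c:\docume~1\alluse~1\applic~1\Update` directory, which is worth noting alongside the files the sample keeps.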
     
  14. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Here is the attach.txt log:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/17/2009 1:50:05 AM
    System Uptime: 10/9/2010 9:32:24 PM (1 hours ago)

    Motherboard: Dell Inc. | |
    Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | Microprocessor | 1664/166mhz
    Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | Microprocessor | 1664/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 75 GiB total, 24.545 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Modem Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&10575340&0&0102
    Manufacturer:
    Name: Modem Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&10575340&0&0102
    Service:

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 2.0
    Adobe Photoshop Elements 4.0
    Adobe Reader 9.1
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Boingo Wi-Fi
    Bonjour
    Broadcom Gigabit Integrated Controller
    Citrix Access Gateway Plugin
    Citrix Web Client
    Dell ResourceCD
    DJ_SF_03_D2500_Software_Min
    DW WLAN Card Utility
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB921411)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Deskjet D2500 Printer Driver Software 10.0 Rel .3
    HP Deskjet D2500 Printer Driver Software 11.0 Rel .3
    iPhone Configuration Utility
    iTunes
    Java(TM) 6 Update 13
    LiveUpdate 3.1 (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard 2007
    Microsoft Office Standard 2007 Trial
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 Redistributable
    Mobile Broadband Generic Drivers
    Modem Helper
    Mozilla Firefox (3.6.3)
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    NVIDIA Drivers
    OZ776 SCR CardBus Windows Driver
    Photosmart 140,240,7200,7600,7700,7900 Series
    Picasa 3
    PowerDVD 5.7
    PS140
    QuickTime
    Remote Desktop Web Connection
    Roxio DLA
    Roxio Express Labeler
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    SigmaTel Audio
    Skyhook Wireless Wi-Fi Service
    Sonic Update Manager
    Symantec AntiVirus
    SyncBack
    Toolbox
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Verizon Wireless USB760 Firmware Updates
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VZAccess Manager
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB839210
    WM Converter 2.0
    XLS Viewer Components v3.2
    Zinio Reader

    ==== Event Viewer Messages From Past Week ========

    10/9/2010 1:37:38 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
    10/9/2010 1:36:51 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    10/5/2010 11:54:57 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/5/2010 11:31:02 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\rasacd.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
    10/5/2010 11:30:30 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\rasacd.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
    10/5/2010 11:21:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/5/2010 11:17:28 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm OMCI SAVRT SAVRTPEL SPBBCDrv SYMTDI
    10/5/2010 11:17:03 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    10/5/2010 11:17:03 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    10/5/2010 11:12:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    10/5/2010 11:11:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    10/5/2010 10:43:41 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
    10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/5/2010 10:19:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: RasAcd
    10/4/2010 10:18:29 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
    10/3/2010 11:01:24 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

    ==== End Of File ===========================
  15. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    and finally, here is the Eset log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=db17033a6b76944ca3c3c50d79b3cf8f
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-10-10 01:16:18
    # local_time=2010-10-09 09:16:18 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=42153
    # found=4
    # cleaned=0
    # scan_time=1996
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EB trojan 00000000000000000000000000000000 I
    C:\WINDOWS\Jzigia.exe a variant of Win32/Kryptik.HEG trojan 00000000000000000000000000000000 I
    C:\WINDOWS\WMSvasri.dll a variant of Win32/Kryptik.HDE trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll Win32/Olmarik.ACK trojan 00000000000000000000000000000000 I
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The following 2 IPs for Hosts files are listed as:
    Hosts: 212.117.178.25 www.google.com
    Hosts: 212.117.163.43 search.yahoo.com

    But the 2 IPs are for:
    netname: SERVER-NETWORK
    descr: root SA
    country: LU > Luxembourg.
    I notice you have the Corporate and Enterprise versions of some programs and also run Remote Desktop Web Connection.
    Is this network related to your work? If not, that's why you're having the redirect: the searches are being routed through Luxembourg for Yahoo and Google.

    There are also several infections in the Eset log, so you are still getting active infections:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      :Files 
      C:\Documents and Settings\All Users\Documents\Server\hlp.dat 
      C:\WINDOWS\Jzigia.exe 
      C:\WINDOWS\WMSvasri.dll 
      C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===================================
    After removing the above entries:
    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    [​IMG]
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.

    Leave both the OTMoveIt log and TDSSKiller log in next reply.
    See if you can now run Combofix:


    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
    • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Close any open browsers.
    • [4]. Double-click combofix.exe and follow the prompts to run.
      NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    • [5]. If Combofix asks you to install Recovery Console, please allow it.
    • [6]. If Combofix asks you to update the program, always allow.
      Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
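    A defender-side check for the kind of hosts-file hijack described in this post, added here as an example; it is not part of the thread or of DDS, TDSSKiller or any other tool named in it. The watched-domain lists and the sample lines are constructed for the example (the two Google/Yahoo entries are the ones quoted above).

```python
"""Flag hosts-file entries that pin well-known sites to arbitrary addresses.

Added example for this thread; not part of DDS, TDSSKiller or any tool named
here. It reads raw hosts-file lines and the "Hosts: <ip> <name>" lines that
DDS-style logs print. The sample lines at the bottom are constructed.
"""
import ipaddress
import re

# Names that should never be pinned in a workstation's hosts file. Search
# engines get pinned to redirect searches; AV/update vendors get pinned to
# block updates. Both lists are assumptions for this example.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com")
VENDOR_SUFFIXES = ("symantec.com", "microsoft.com", "windowsupdate.com")

# Mappings every hosts file legitimately carries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

_LOG_PREFIX = re.compile(r"^\s*Hosts:\s*")


def parse_hosts_line(line):
    """Return (ip_address, [hostnames]) for one line, or None if not a mapping."""
    text = _LOG_PREFIX.sub("", line)
    text = text.split("#", 1)[0].strip()      # drop comments and blank lines
    parts = text.split()
    if len(parts) < 2:
        return None
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None                            # a stray non-hosts line
    return ip, [h.lower().rstrip(".") for h in parts[1:]]


def _matches(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(ip, name):
    """Return a short reason if the mapping looks malicious, else None.

    "redirect": a watched site sent to a routable address, which is how the
    two Google/Yahoo entries in the thread route searches elsewhere.
    "blocked": a vendor site pointed at loopback/unspecified so it cannot update.
    """
    if name in LOCAL_NAMES:
        return None
    sinkholed = ip.is_loopback or ip.is_unspecified
    if _matches(name, WATCHED_SUFFIXES + VENDOR_SUFFIXES) and not sinkholed:
        return "redirect"
    if _matches(name, VENDOR_SUFFIXES) and sinkholed:
        return "blocked"
    return None


def find_hijacks(lines):
    """Scan an iterable of lines; return [(line_no, ip, name, reason), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_hosts_line(line)
        if parsed is None:
            continue
        ip, names = parsed
        for name in names:
            reason = classify(ip, name)
            if reason:
                findings.append((n, str(ip), name, reason))
    return findings


# Constructed sample: the two entries quoted in the thread plus normal lines.
SAMPLE_LINES = [
    "# comment line, ignored",
    "127.0.0.1       localhost",
    "::1             localhost",
    "0.0.0.0   ads.example.net   # ad-blocking entry, benign",
    "Hosts: 212.117.178.25 www.google.com",
    "Hosts: 212.117.163.43 search.yahoo.com",
    "127.0.0.1 liveupdate.symantec.com",
    "not a hosts line",
]

if __name__ == "__main__":
    for n, ip, name, reason in find_hijacks(SAMPLE_LINES):
        print(f"line {n}: {name} -> {ip} ({reason})")
```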
  17. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    The remote desktop web connection (I believe this is related to Citrix?) is how I access my work server from my personal computer.

    As far as the corp/enterprise editions, I'm not sure exactly which programs they are but I can think of two things:
    - Symantec: A few years ago, when I was in school, I was able to download Symantec for free from the school's IT site. Maybe that was a corporate/enterprise version.
    - MS Office: I received a discount on MS Office by purchasing the disc through my husband's work. I don't have the disc handy, but maybe that is also a corp/ent edition?


    Also, I was able to successfully run OTMoveIt. I was required to reboot to complete the process, and the log is below:

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat moved successfully.
    C:\WINDOWS\Jzigia.exe moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\WMSvasri.dll
    C:\WINDOWS\WMSvasri.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll
    C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Admin
    ->Temp folder emptied: 52899898 bytes
    ->Temporary Internet Files folder emptied: 661506 bytes
    ->FireFox cache emptied: 29412580 bytes
    ->Flash cache emptied: 742 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Emily

    User: Guest
    ->Temp folder emptied: 222 bytes
    ->Temporary Internet Files folder emptied: 145634 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 134 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 831488 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 519843 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 81.00 mb

    OTM by OldTimer - Version 3.1.16.1 log created on 10102010_114759

    Files moved on Reboot...
    File C:\WINDOWS\bcm52.tmp not found!

    Registry entries deleted on Reboot...


    When I extracted TDSSKiller.exe to the desktop and typed
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    in the Run box, I received an error (image of the error message attached).

    When I opened the .exe file, there is a button labeled "log" on the bottom. I didn't run anything, I just wanted to let you know everything I saw.

    Thank you!!

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, for TDSSServ, omit the Command and pick it up here after the extraction:
    • Double click on the file TDSSKiller.exe.
    • Wait for the scan and disinfection process to be over.
    • When the scan is over, the utility outputs a list of detected objects with description.
      [o]The utility automatically selects an action (Cure or Delete) for malicious objects.
      [o]The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
    • After clicking Next, the utility applies selected actions and outputs the result.
    • It is necessary to reboot the PC after the disinfection is over.
    The default quarantine folder is in the system disk root folder, e.g. C:\TDSSKiller_Quarantine\
    A log file named report.txt should have been created and saved to the root directory.

    See if that works better for you.
  19. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    I was able to run both programs. I hope this isn't a huge problem but I think I accidentally selected delete instead of quarantine on the TDSS Killer option menu. Sorry!!

    TDSS Killer and ComboFix logs are below (in multiple replies):

    TDSS Killer (Part I)

    2010/10/10 12:06:32.0812 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
    2010/10/10 12:06:32.0812 ================================================================================
    2010/10/10 12:06:32.0812 SystemInfo:
    2010/10/10 12:06:32.0812
    2010/10/10 12:06:32.0812 OS Version: 5.1.2600 ServicePack: 2.0
    2010/10/10 12:06:32.0812 Product type: Workstation
    2010/10/10 12:06:32.0812 ComputerName: E-BB33648EF8934
    2010/10/10 12:06:32.0812 UserName: Admin
    2010/10/10 12:06:32.0812 Windows directory: C:\WINDOWS
    2010/10/10 12:06:32.0812 System windows directory: C:\WINDOWS
    2010/10/10 12:06:32.0812 Processor architecture: Intel x86
    2010/10/10 12:06:32.0812 Number of processors: 2
    2010/10/10 12:06:32.0812 Page size: 0x1000
    2010/10/10 12:06:32.0812 Boot type: Normal boot
    2010/10/10 12:06:32.0812 ================================================================================
    2010/10/10 12:06:32.0984 Initialize success
    2010/10/10 12:06:37.0187 ================================================================================
    2010/10/10 12:06:37.0187 Scan started
    2010/10/10 12:06:37.0187 Mode: Manual;
    2010/10/10 12:06:37.0187 ================================================================================
    2010/10/10 12:06:44.0562 Suspicious service (NoAccess): irrvpg
    2010/10/10 12:06:44.0625 irrvpg (f7cabb38fd9350f065e974ac1fea2ae9) C:\WINDOWS\system32\drivers\irrvpg.sys
    2010/10/10 12:06:44.0625 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\irrvpg.sys. md5: f7cabb38fd9350f065e974ac1fea2ae9
    2010/10/10 12:06:44.0640 irrvpg - detected Locked service (1)
  20. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    TDSS Killer (Part II)

    2010/10/10 12:06:54.0984 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2010/10/10 12:06:55.0031 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/10/10 12:06:55.0078 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/10/10 12:06:55.0265 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/10/10 12:06:55.0406 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2010/10/10 12:06:55.0500 Wpsnuio (904571ee28f8f7d98b3ef1635a77c6d4) C:\WINDOWS\system32\DRIVERS\wpsnuio.sys
    2010/10/10 12:06:55.0812 ================================================================================
    2010/10/10 12:06:55.0812 Scan finished
    2010/10/10 12:06:55.0812 ================================================================================
    2010/10/10 12:06:55.0828 Detected object count: 1
    2010/10/11 19:31:51.0546 HKLM\SYSTEM\ControlSet001\services\irrvpg - will be deleted after reboot
    2010/10/11 19:31:51.0546 HKLM\SYSTEM\ControlSet002\services\irrvpg - will be deleted after reboot
    2010/10/11 19:31:51.0546 C:\WINDOWS\system32\drivers\irrvpg.sys - will be deleted after reboot
    2010/10/11 19:31:51.0546 Locked service(irrvpg) - User select action: Delete
    2010/10/11 19:32:29.0625 Deinitialize success


    ComboFix

    ComboFix 10-10-09.06 - Admin 10/11/2010 22:10:34.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.408 [GMT -4:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Documents\Server\admin.txt
    c:\documents and settings\All Users\Documents\Server\server.dat
    c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}
    c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\chrome.manifest
    c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\chrome\content\_cfg.js
    c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\chrome\content\overlay.xul
    c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\install.rdf
    c:\windows\system32\bidisp.dll
    c:\windows\system32\wupdate.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
    .

    2010-10-10 16:00 . 2010-10-10 16:00 -------- dc----w- C:\TDSSKiller_Quarantine
    2010-10-10 15:57 . 2010-10-10 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-10-10 15:47 . 2010-10-10 15:47 -------- dc----w- C:\_OTM
    2010-10-10 02:28 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2010-10-10 02:01 . 2010-10-10 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-10-10 00:36 . 2010-10-10 00:36 -------- d-----w- c:\program files\ESET
    2010-10-09 17:38 . 2010-10-09 17:38 -------- d-----w- c:\program files\Intel
    2010-10-09 17:35 . 2009-10-07 19:01 457 ----a-w- c:\windows\system32\vcredist_x86.bat
    2010-10-09 17:35 . 2009-10-07 19:01 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
    2010-10-09 17:35 . 2009-10-07 19:01 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
    2010-10-09 16:35 . 2010-10-10 02:33 -------- d-----w- c:\documents and settings\Admin
    2010-10-06 01:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 01:29 . 2010-10-10 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-06 01:29 . 2010-10-06 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-06 01:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-05 17:48 . 2010-10-05 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
    2010-10-05 15:17 . 2010-10-05 15:17 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-10-05 02:20 . 2010-10-05 13:17 0 ----a-w- c:\windows\Mxaqup.bin
    2010-10-05 02:17 . 2010-10-05 02:17 67072 --sha-r- c:\windows\system32\nlsfuncg.dll
    2010-10-05 02:16 . 2010-10-05 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    2010-04-11 03:38 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
    2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]
    2010-10-06 04:57 2179 -c--a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2009-10-07 19:01 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-01-19 14:14 7401472 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
    2006-01-19 14:14 73728 ----a-w- c:\windows\system32\nvhotkey.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-01-19 14:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-04-01 04:05 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
    2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "PlugPlay"=2 (0x2)
    "Netman"=3 (0x3)
    "CryptSvc"=2 (0x2)
    "AudioSrv"=2 (0x2)
    "aspnet_state"=3 (0x3)
    "AppMgmt"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "ALG"=3 (0x3)
    "ADVService"=2 (0x2)
    "AdobeActiveFileMonitor4.0"=2 (0x2)
    "ACDaemon"=3 (0x3)
    "xmlprov"=3 (0x3)
    "WZCSVC"=2 (0x2)
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "WmiApSrv"=3 (0x3)
    "Wmi"=2 (0x2)
    "WmdmPmSN"=2 (0x2)
    "wltrysvc"=2 (0x2)
    "winmgmt"=2 (0x2)
    "WebClient"=2 (0x2)
    "W32Time"=2 (0x2)
    "VSS"=3 (0x3)
    "UPS"=3 (0x3)
    "upnphost"=3 (0x3)
    "TlntSvr"=3 (0x3)
    "Themes"=2 (0x2)
    "TermService"=3 (0x3)
    "TapiSrv"=3 (0x3)
    "SysmonLog"=3 (0x3)
    "Symantec AntiVirus"=2 (0x2)
    "SwPrv"=3 (0x3)
    "stisvc"=3 (0x3)
    "SSDPSRV"=3 (0x3)
    "srservice"=2 (0x2)
    "Spooler"=2 (0x2)
    "SNDSrvc"=2 (0x2)
    "ShellHWDetection"=2 (0x2)
    "SharedAccess"=2 (0x2)
    "SENS"=2 (0x2)
    "seclogon"=2 (0x2)
    "Schedule"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "SamSs"=2 (0x2)
    "RSVP"=3 (0x3)
    "RemoteRegistry"=2 (0x2)
    "RemoteAccess"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "ProtectedStorage"=2 (0x2)
    "PolicyAgent"=2 (0x2)
    "odserv"=2 (0x2)
    "NtmsSvc"=3 (0x3)
    "NtLmSsp"=3 (0x3)
    "Nla"=3 (0x3)
    "Netlogon"=2 (0x2)
    "NetDDEdsdm"=3 (0x3)
    "NetDDE"=3 (0x3)
    "MSIServer"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "Messenger"=2 (0x2)
    "LmHosts"=2 (0x2)
    "lanmanworkstation"=2 (0x2)
    "lanmanserver"=2 (0x2)
    "helpsvc"=2 (0x2)
    "EventSystem"=3 (0x3)
    "Eventlog"=2 (0x2)
    "ERSvc"=2 (0x2)
    "Dnscache"=2 (0x2)
    "dmserver"=2 (0x2)
    "dmadmin"=3 (0x3)
    "Dhcp"=2 (0x2)
    "DefWatch"=2 (0x2)
    "COMSysApp"=3 (0x3)
    "ClipSrv"=3 (0x3)
    "ccSetMgr"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "Browser"=2 (0x2)
    "BITS"=3 (0x3)
    "Alerter"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/17/2009 3:13 AM 64160]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2010 8:06 PM 102448]
    R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/18/2009 12:19 PM 73368]
    S0 FixTDSS;FixTDSS; [x]
    S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
    S4 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/18/2009 12:19 PM 139264]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 3:33 PM 24652]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMDB
    *Deregistered* - klmd25
    *Deregistered* - klmdb

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:38]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-klmdb.sys
    MSConfigStartUp-Csaperiwedok - c:\windows\WMSvasri.dll
    MSConfigStartUp-KOO9RV9K4Z - c:\docume~1\Emily\LOCALS~1\Temp\Jhp.exe
    MSConfigStartUp-Nzafucegaqabih - c:\windows\amekuhup.dll
    MSConfigStartUp-SMH2B46TDP - c:\docume~1\Emily\LOCALS~1\Temp\Jhm.exe
    MSConfigStartUp-wupdate - c:\windows\system32\wupdate.exe
    AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
    AddRemove-Skyhook Wireless Wi-Fi Service - c:\program files\Skyhook Wireless\Wi-Fi Service\svcsetup.exe
    AddRemove-{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E} - c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzscr01.exe
    AddRemove-{89998BCF-F415-468a-8282-CB042765A26F} - c:\program files\Hewlett-Packard\Digital Imaging\{89998BCF-F415-468a-8282-CB042765A26F}\setup\hpzscr01.exe
    AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe


    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1260)
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-10-11 22:17:06
    ComboFix-quarantined-files.txt 2010-10-12 02:17

    Pre-Run: 26,041,073,664 bytes free
    Post-Run: 26,016,153,600 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 6E1F2C477CDE27958F561BB051600433
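    The ComboFix "Other Deletions" list above is worth reading as a whole rather than file by file: the run of c:\windows\Tasks\At1.job through At24.job is the footprint of at.exe, which numbers its jobs sequentially, so a long unbroken sequence of AtN.job files is scheduled-task persistence rather than something a user set up, and executables sitting in a profile Temp folder or directly in c:\windows are the usual staging spots. The script below is an added example, not part of the thread or of ComboFix; it triages a constructed list of deleted paths (modelled on the lines quoted above) into those indicator groups. The regular expressions, the three-job threshold and the sample list are assumptions made for the example.

```python
import re

# Constructed sample, modelled on the ComboFix "Other Deletions" and
# "ORPHANS REMOVED" sections quoted in the thread; not the tool's own output.
SAMPLE_DELETIONS = [
    r"c:\windows\system32\bidisp.dll",
    r"c:\windows\system32\wupdate.exe",
    r"c:\windows\WMSvasri.dll",
    r"c:\docume~1\Emily\LOCALS~1\Temp\Jhp.exe",
    r"c:\documents and settings\All Users\Documents\Server\server.dat",
] + [rf"c:\windows\Tasks\At{n}.job" for n in range(1, 25)]

# at.exe writes %windir%\Tasks\At<N>.job with sequential N
AT_JOB_RE = re.compile(r"\\Tasks\\At(\d+)\.job$", re.IGNORECASE)
# 8.3 and long forms of a profile's Temp directory
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# a file directly under c:\windows (no further subdirectory)
WINDIR_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def triage_deletions(paths, min_run=3):
    """Group deleted paths by the persistence/staging indicator they match."""
    at_jobs, temp_exec, windir_root_exec, other = [], [], [], []
    for p in paths:
        m = AT_JOB_RE.search(p)
        if m:
            at_jobs.append(int(m.group(1)))
        elif TEMP_RE.search(p) and is_executable(p):
            temp_exec.append(p)
        elif WINDIR_ROOT_RE.match(p) and is_executable(p):
            windir_root_exec.append(p)
        else:
            other.append(p)
    at_jobs.sort()
    # An unbroken run of job numbers is what a scripted loop of
    # "at HH:MM <payload>" calls leaves behind (threshold is an assumption).
    contiguous = bool(at_jobs) and at_jobs == list(range(at_jobs[0], at_jobs[-1] + 1))
    return {
        "at_jobs": at_jobs,
        "at_job_run": contiguous and len(at_jobs) >= min_run,
        "temp_executables": temp_exec,
        "windir_root_executables": windir_root_exec,
        "other": other,
    }


def summarize(paths):
    """Human-readable triage lines for a deletion list."""
    t = triage_deletions(paths)
    lines = []
    if t["at_job_run"]:
        lines.append(
            f"{len(t['at_jobs'])} sequential AT jobs "
            f"(At{t['at_jobs'][0]}..At{t['at_jobs'][-1]}.job): scheduled-task persistence"
        )
    for p in t["temp_executables"]:
        lines.append(f"executable dropped in a Temp folder: {p}")
    for p in t["windir_root_executables"]:
        lines.append(f"executable directly under c:\\windows: {p}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_DELETIONS):
        print(line)
```

    Feed it the deletion paths from any ComboFix-style report and the AT-job and Temp/Windows-root findings come out first; everything in "other" still needs a look, but it is the part that needs a human rather than a pattern.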
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Questions:
    1.
    I'm not sure what you did for this, but the Services shouldn't be listed under msconfig in the Registry. There is a way to set Services directly from within the MMC Services module. There are 89 Services being started from the registry.
    2. Did you put everything in the system on Startup in msconfig? You are going to have to get the system pared back down to only starting up what is needed and you don't have everything running in the background.
    3. Is there any change in the system at this point? What?
    4. How is startup and shutdown speed? Slow?

    I'd like you to update and run a new scan with Malwarebytes: You do check for removal in this, but I will see what is found:

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Additional comments:
    1. Look here for the list: C:\TDSSKiller_Quarantine
    2. Do you need to have Boingo Wi-Fi start on boot and run in the background?
    3. Why do you have the ZinioReader starting on boot and running in the background? It's used to read magazines in digital rather than paper format
    4. The Hosts I asked you about in Luxembourg: are they involved in your work connections?
      Hosts: 212.117.178.25 www.google.com
      Hosts: 212.117.163.43 search.yahoo.com
      But the 2 IPs are for:
      netname: SERVER-NETWORK
      descr: root SA
      country: LU > Luxembourg.
    5. Please submit these files to VirScan for identification. If you get a message that they have already been identified, request a repeat:
    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    • [1]. Copy and paste the following file paths into the Suspicious files to scan box on the top of the page. Do one at a time and wait for each scan:


      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.
    ===================================
    Java(TM) 6 Update 13 is very old. Please update to the current version, v6u21:
    Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    I think a big problem for you may be lack of maintenance, not uninstalling programs you no longer use, Services set incorrectly and excess processes starting on boot and running in the background.
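    The two Hosts lines Bobbye quotes (www.google.com and search.yahoo.com mapped to 212.117.x.x) are a hosts-file hijack: on XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts, and an entry there wins over DNS, so whoever controls those two addresses sees every search the user makes. The checker below is an added example, not part of the thread; it parses a constructed hosts file (the google and yahoo lines reproduce the ones quoted above) and separates blocking entries (127.0.0.1, ::1, 0.0.0.0, which sink a name) from redirecting ones. The WATCHED set of domains that should never be overridden locally, the severity labels and the sample file are assumptions made for the example.

```python
import ipaddress

# Constructed sample hosts file; lines 5 and 6 mirror the entries quoted in
# the thread, the rest are typical benign content plus one dev override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver fileserver.corp.local   # internal box
212.117.178.25  www.google.com
212.117.163.43  search.yahoo.com
0.0.0.0         ads.example.net   # blocklist-style sinkhole
1.2.3.4         dev.example.com   # developer override, public IP
10.0.0.5        www.google.com    # override on a private IP
"""

# Assumed list of names that a workstation should never map locally.
WATCHED = {
    "www.google.com", "search.yahoo.com", "www.bing.com",
    "www.microsoft.com", "update.microsoft.com", "windowsupdate.microsoft.com",
}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping; comments and junk are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a fuller triage would report it
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def is_sinkhole(ip):
    """127.0.0.1, ::1 and 0.0.0.0 entries block a name rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text, watched=WATCHED):
    """Return redirecting entries: 'hijack' for watched names, 'review' for
    any other name sent to a public address."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        if name in watched:
            sev, why = "hijack", "well-known domain overridden locally"
        elif ip.is_global:
            sev, why = "review", "name redirected to a public IP"
        else:
            continue  # private-address mapping of an internal name is normal
        findings.append({"line": lineno, "host": name, "ip": str(ip),
                         "severity": sev, "reason": why})
    return findings


def check_hosts_file(path):
    """Run the check against a hosts file on disk (XP default path shown)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['severity']:6} {f['host']} -> {f['ip']} ({f['reason']})")
    # check_hosts_file(r"C:\WINDOWS\system32\drivers\etc\hosts")
```

    The split between sinkhole and redirect matters: ad-blocking hosts lists legitimately contain thousands of 0.0.0.0 lines, so flagging every non-localhost entry would bury the two lines that actually steal traffic.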
  23. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    When I went to services.msc, all of the services were disabled. I went to the Windows help site, which lists the default setting for Microsoft services and I changed them accordingly. When I would restart the computer, all of the services would default to disabled again. That isn't happening anymore.

    I am still running the selective startup on msconfig. I am only running what is necessary for startup.

    The system is running much better and more quickly. I am still receiving some errors, but things are looking much better!

    Startup and shut down are much quicker.
  24. Aspinxtreem

    Aspinxtreem Newcomer, in training Topic Starter Posts: 31

    Hi Bobbye,

    Here is my latest MBAM log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4826

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    10/15/2010 9:00:21 AM
    mbam-log-2010-10-15 (09-00-21).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 210001
    Time elapsed: 1 hour(s), 31 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Emily\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wupdate.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{D93BFF2F-54EE-4543-8B33-39D9E81A57B4}\RP1\A0000021.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\10.10.2010_11.58.47\susp0000\svc0000\tsk0000.dta (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\_OTM\MovedFiles\10102010_114759\C_WINDOWS\Jzigia.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\_OTM\MovedFiles\10102010_114759\C_WINDOWS\WMSvasri.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
    C:\_OTM\MovedFiles\10102010_114759\C_WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


    Thank you!!
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    There is one new infection plus the TDSS Quarantine: the 'new' entry is actually another file from the Trojan.FakeAlert which was removed in the first MBAM scan. So we still haven't found the source. Unfortunately there is no date to go by.

    The entries for System Volume are for restore points and not active in the system. I will have you drop the old restore points and set a new, clean one when we're through. The Qoobox files are where the quarantined files found in ComboFix are sent. They also aren't active and will be removed.

    Please reboot the computer, then run the Eset scan again: You also need to submit the files I left to VirScan.

    The file above, hotfix.exe, is from Trojan.FakeAlert.

    When we're finished, I'm going to refer you to a site for the Services. There are too many on Automatic. Microsoft tends to throw everything on startup at boot and it isn't necessary. Only a few need to be on Automatic startup- the rest can be set to Manual and some can even be set to Disabled.