TechSpot

Help with Google redirect virus

By svleck
Aug 25, 2011
  1. Dear sirs,

    Have followed your 6-step program. However, the DDS program just produces gibberish. Here are the logs from the other two programs. Hope you can help.

    Thank you

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7569

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    8/25/2011 4:59:22 PM
    mbam-log-2011-08-25 (16-59-22).txt

    Scan type: Quick scan
    Objects scanned: 171924
    Time elapsed: 6 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\programdata\appinfo32.dll (Trojan.Tracur.S) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{00B1DCEA-3798-48E9-8E65-B53C29CC3FB6} (IPH.GenericBHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00B1DCEA-3798-48E9-8E65-B53C29CC3FB6} (IPH.GenericBHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00B1DCEA-3798-48E9-8E65-B53C29CC3FB6} (IPH.GenericBHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00B1DCEA-3798-48E9-8E65-B53C29CC3FB6} (IPH.GenericBHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\ProgramData\appinfo32.dll) Good: () -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\appinfo32.dll (Trojan.Tracur.S) -> Delete on reboot.
    c:\Windows\System32\appinfo32.dll (IPH.GenericBHO) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000b0fdd7e31406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000b0fdd7e31406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000b0fdd7e31406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000b0fdd7e31406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-25 17:16:04
    Windows 6.0.6002 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3320620AS rev.3.AAK
    Running: isq5mk2m.exe; Driver: C:\Users\Sheldon\AppData\Local\Temp\pxdirfod.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdePort0 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdePort1 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdePort2 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdePort3 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-4 84D2C1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-7 84D2C1F8
    Device \Driver\a7dezdif \Device\Scsi\a7dezdif1Port6Path0Target0Lun0 870BB500
    Device \Driver\JRAID \Device\Scsi\JRAID1 856E61F8
    Device \Driver\a7dezdif \Device\Scsi\a7dezdif1 870BB500
    Device \FileSystem\Ntfs \Ntfs 856E71F8
    Device \FileSystem\fastfat \Fat 85ABF1F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
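The Malwarebytes log above is the useful part of this post: the "Registry Data Items Infected" entry shows the redirect was kept alive by an AppInit_DLLs value pointing at appinfo32.dll, and the "Delete on reboot" actions mean some items were still present when the scan finished. The following parser is an added example, not code from this thread or from Malwarebytes; it assumes only the MBAM 1.x log layout visible above (section headers ending in ":", detection lines of the form "item (threat) -> action", and the "Bad: (...) Good: (...)" form for data items), and it runs over a constructed sample taken from those lines so that the persistence points and the reboot-pending items can be picked out automatically.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example (not from the forum thread or from Malwarebytes). Assumes the
log layout shown in the thread:
    <Section name>:
    <item> (<threat name>) -> <action>.
    (No malicious items detected)
Registry data items carry 'Bad: (<value>) Good: (<value>) -> <action>'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the MBAM log pasted in the post above.
SAMPLE_LOG = r"""
Memory Modules Infected:
c:\programdata\appinfo32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00B1DCEA-3798-48E9-8E65-B53C29CC3FB6} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00B1DCEA-3798-48E9-8E65-B53C29CC3FB6} (IPH.GenericBHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\ProgramData\appinfo32.dll) Good: () -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\appinfo32.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\Windows\System32\appinfo32.dll (IPH.GenericBHO) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Finding:
    section: str        # e.g. "Registry Keys Infected"
    item: str           # file path, registry key or value name
    threat: str         # MBAM detection name, e.g. "Trojan.Tracur.S"
    action: str         # what MBAM did, e.g. "Delete on reboot"
    bad_data: str = ""  # registry data items only: the hijacked value


# "<item> (<threat>) -> <rest>." ; <rest> is either the action or a Bad/Good pair.
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+?)\.?$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")

# Registry locations that load a DLL into many processes or into the browser;
# a hit here explains search-redirect symptoms and should be re-checked after reboot.
PERSISTENCE_MARKERS = ("\\AppInit_DLLs", "\\Browser Helper Objects\\")


def parse_mbam_log(text: str) -> list[Finding]:
    """Walk the log once, tracking the current section header."""
    findings: list[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                     # not a detection line
        action, bad = m["rest"], ""
        dm = DATA_RE.match(action)
        if dm:                           # registry data item: split out the bad value
            bad, action = dm["bad"], dm["action"]
        findings.append(Finding(section, m["item"], m["threat"], action, bad))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count detections per section (mirrors the totals MBAM prints up top)."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


def persistence_points(findings: list[Finding]) -> list[Finding]:
    """Findings that sit in a code-loading registry location."""
    return [f for f in findings
            if any(mk.lower() in f.item.lower() for mk in PERSISTENCE_MARKERS)]


def pending_reboot(findings: list[Finding]) -> list[str]:
    """Items MBAM could not remove while running; they exist until the reboot."""
    return sorted({f.item.lower() for f in findings
                   if f.action.lower().startswith("delete on reboot")})


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("per section:", summarize(found))
    for f in persistence_points(found):
        print("persistence:", f.item, "->", f.bad_data or f.threat)
    print("still on disk until reboot:", pending_reboot(found))
```

Running it on the sample prints the per-section counts, the AppInit_DLLs value with the DLL it pointed at, the Browser Helper Object key, and appinfo32.dll as the file still present until the reboot completes, which is exactly the set a helper would want confirmed gone in the next scan.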
     
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. svleck

    svleck TS Rookie Topic Starter

    2011/08/26 10:13:36.0498 6436 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
    2011/08/26 10:13:38.0500 6436 ================================================================================
    2011/08/26 10:13:38.0500 6436 SystemInfo:
    2011/08/26 10:13:38.0500 6436
    2011/08/26 10:13:38.0500 6436 OS Version: 6.0.6002 ServicePack: 2.0
    2011/08/26 10:13:38.0500 6436 Product type: Workstation
    2011/08/26 10:13:38.0500 6436 ComputerName: SHELDON-PC
    2011/08/26 10:13:38.0500 6436 UserName: Sheldon
    2011/08/26 10:13:38.0500 6436 Windows directory: C:\Windows
    2011/08/26 10:13:38.0500 6436 System windows directory: C:\Windows
    2011/08/26 10:13:38.0500 6436 Processor architecture: Intel x86
    2011/08/26 10:13:38.0500 6436 Number of processors: 2
    2011/08/26 10:13:38.0500 6436 Page size: 0x1000
    2011/08/26 10:13:38.0500 6436 Boot type: Normal boot
    2011/08/26 10:13:38.0500 6436 ================================================================================
    2011/08/26 10:13:39.0129 6436 Initialize success
    2011/08/26 10:13:41.0229 2524 ================================================================================
    2011/08/26 10:13:41.0229 2524 Scan started
    2011/08/26 10:13:41.0229 2524 Mode: Manual;
    2011/08/26 10:13:41.0229 2524 ================================================================================
    2011/08/26 10:13:42.0642 2524 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    2011/08/26 10:13:42.0743 2524 ADIHdAudAddService (206232ef0d7508b5bfe297051a07adc8) C:\Windows\system32\drivers\ADIHdAud.sys
    2011/08/26 10:13:42.0848 2524 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
    2011/08/26 10:13:42.0917 2524 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
    2011/08/26 10:13:43.0027 2524 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
    2011/08/26 10:13:43.0083 2524 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
    2011/08/26 10:13:43.0160 2524 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
    2011/08/26 10:13:43.0211 2524 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
    2011/08/26 10:13:43.0271 2524 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    2011/08/26 10:13:43.0356 2524 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
    2011/08/26 10:13:43.0416 2524 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
    2011/08/26 10:13:43.0473 2524 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
    2011/08/26 10:13:43.0532 2524 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
    2011/08/26 10:13:43.0600 2524 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
    2011/08/26 10:13:43.0695 2524 AnyDVD (7684252281cfb197ac4c38b33ac5b2a6) C:\Windows\system32\Drivers\AnyDVD.sys
    2011/08/26 10:13:43.0827 2524 AR5416 (c413e2e549488a5f1969decb5b03187a) C:\Windows\system32\DRIVERS\athw.sys
    2011/08/26 10:13:43.0917 2524 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
    2011/08/26 10:13:43.0982 2524 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
    2011/08/26 10:13:44.0058 2524 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    2011/08/26 10:13:44.0126 2524 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    2011/08/26 10:13:44.0213 2524 athr (4d9d710254410a7caef269819ea7b53c) C:\Windows\system32\DRIVERS\athr.sys
    2011/08/26 10:13:44.0368 2524 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    2011/08/26 10:13:44.0443 2524 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    2011/08/26 10:13:44.0479 2524 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    2011/08/26 10:13:44.0519 2524 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    2011/08/26 10:13:44.0559 2524 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    2011/08/26 10:13:44.0591 2524 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    2011/08/26 10:13:44.0624 2524 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    2011/08/26 10:13:44.0652 2524 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    2011/08/26 10:13:44.0693 2524 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    2011/08/26 10:13:44.0757 2524 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    2011/08/26 10:13:44.0832 2524 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    2011/08/26 10:13:44.0865 2524 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
    2011/08/26 10:13:44.0910 2524 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    2011/08/26 10:13:44.0965 2524 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
    2011/08/26 10:13:45.0021 2524 COH_Mon (6186b6b953bdc884f0f379b84b3e3a98) C:\Windows\system32\Drivers\COH_Mon.sys
    2011/08/26 10:13:45.0061 2524 COMMONFX.DLL (8b7544fc15a4108ad981b0d46245a495) C:\Windows\system32\COMMONFX.DLL
    2011/08/26 10:13:45.0096 2524 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
    2011/08/26 10:13:45.0146 2524 CO_Mon (73f5d6835bfa66019c03e316d99649da) C:\Windows\system32\drivers\CO_Mon.sys
    2011/08/26 10:13:45.0184 2524 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
    2011/08/26 10:13:45.0229 2524 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
    2011/08/26 10:13:45.0293 2524 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
    2011/08/26 10:13:45.0349 2524 CT20XUT.DLL (cd60eee60061f6923ad52ad98164756a) C:\Windows\system32\CT20XUT.DLL
    2011/08/26 10:13:45.0398 2524 ctac32k (fc539ebd3f527c1a95056582be001333) C:\Windows\system32\drivers\ctac32k.sys
    2011/08/26 10:13:45.0466 2524 ctaud2k (c960b134abfefe628c73cb5910431784) C:\Windows\system32\drivers\ctaud2k.sys
    2011/08/26 10:13:45.0530 2524 CTAUDFX.DLL (0a83eee9ac3dc6cf5b3c4106d4534cad) C:\Windows\system32\CTAUDFX.DLL
    2011/08/26 10:13:45.0595 2524 ctdvda2k (7dc675bdeddd4585eaab4f3c96b8ee95) C:\Windows\system32\drivers\ctdvda2k.sys
    2011/08/26 10:13:47.0315 2524 CTEAPSFX.DLL (307c9b97fff47fa5b1b50fb782b8cebb) C:\Windows\system32\CTEAPSFX.DLL
    2011/08/26 10:13:47.0358 2524 CTEDSPFX.DLL (24a14b66977468a78722d74009b3ef66) C:\Windows\system32\CTEDSPFX.DLL
    2011/08/26 10:13:47.0401 2524 CTEDSPIO.DLL (07f5bfe4039f52767237c52968ac00fb) C:\Windows\system32\CTEDSPIO.DLL
    2011/08/26 10:13:47.0440 2524 CTEDSPSY.DLL (38fd006db54e12b10d57f357b125d832) C:\Windows\system32\CTEDSPSY.DLL
    2011/08/26 10:13:47.0483 2524 CTERFXFX.DLL (7c36c06faf603e45f5fdda8a159480a5) C:\Windows\system32\CTERFXFX.DLL
    2011/08/26 10:13:47.0563 2524 CTEXFIFX.DLL (1ad187452b93331e02db8e2b001caab2) C:\Windows\system32\CTEXFIFX.DLL
    2011/08/26 10:13:47.0784 2524 CTHWIUT.DLL (5993a4cff9d83708c5de6a5fd31f2e07) C:\Windows\system32\CTHWIUT.DLL
    2011/08/26 10:13:47.0837 2524 ctprxy2k (72d9f491120de6ff1b12145c4b7a228c) C:\Windows\system32\drivers\ctprxy2k.sys
    2011/08/26 10:13:47.0891 2524 CTSBLFX.DLL (568b182244309360edb3c445cb319395) C:\Windows\system32\CTSBLFX.DLL
    2011/08/26 10:13:48.0027 2524 ctsfm2k (e76c6a81b65ae230d0ddcffe3b06a806) C:\Windows\system32\drivers\ctsfm2k.sys
    2011/08/26 10:13:48.0117 2524 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
    2011/08/26 10:13:48.0174 2524 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    2011/08/26 10:13:48.0235 2524 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    2011/08/26 10:13:48.0287 2524 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    2011/08/26 10:13:48.0338 2524 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
    2011/08/26 10:13:48.0393 2524 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    2011/08/26 10:13:48.0469 2524 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2011/08/26 10:13:48.0579 2524 ElbyCDIO (d71233d7ccc2e64f8715a20428d5a33b) C:\Windows\system32\Drivers\ElbyCDIO.sys
    2011/08/26 10:13:48.0626 2524 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
    2011/08/26 10:13:48.0705 2524 emupia (ebbfe1141a6c8d93898280501bb03cea) C:\Windows\system32\drivers\emupia2k.sys
    2011/08/26 10:13:48.0790 2524 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    2011/08/26 10:13:48.0887 2524 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    2011/08/26 10:13:48.0962 2524 f5ipfw (4a018575c59bb924bcbfe7389a841540) C:\Windows\system32\drivers\urfltwlh.sys
    2011/08/26 10:13:49.0037 2524 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    2011/08/26 10:13:49.0086 2524 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
    2011/08/26 10:13:49.0146 2524 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    2011/08/26 10:13:49.0201 2524 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    2011/08/26 10:13:49.0243 2524 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
    2011/08/26 10:13:49.0282 2524 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    2011/08/26 10:13:49.0330 2524 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    2011/08/26 10:13:49.0357 2524 fvevol (fecf4c2e42440a8d132bf94eee3c3fc9) C:\Windows\system32\DRIVERS\fvevol.sys
    2011/08/26 10:13:49.0420 2524 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
    2011/08/26 10:13:49.0501 2524 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
    2011/08/26 10:13:49.0611 2524 ha20x2k (963174d60fbd90722051383a7b207ab6) C:\Windows\system32\drivers\ha20x2k.sys
    2011/08/26 10:13:49.0712 2524 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
    2011/08/26 10:13:49.0771 2524 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    2011/08/26 10:13:49.0826 2524 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    2011/08/26 10:13:49.0862 2524 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    2011/08/26 10:13:49.0922 2524 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    2011/08/26 10:13:49.0961 2524 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
    2011/08/26 10:13:50.0039 2524 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    2011/08/26 10:13:50.0080 2524 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
    2011/08/26 10:13:50.0135 2524 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    2011/08/26 10:13:50.0176 2524 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
    2011/08/26 10:13:50.0294 2524 IDSvix86 (b147ccf3b7a42b64af8ec0520b4b15e3) C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110819.002\IDSvix86.sys
    2011/08/26 10:13:50.0332 2524 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    2011/08/26 10:13:50.0390 2524 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    2011/08/26 10:13:50.0412 2524 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    2011/08/26 10:13:50.0468 2524 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    2011/08/26 10:13:50.0527 2524 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
    2011/08/26 10:13:50.0586 2524 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    2011/08/26 10:13:50.0642 2524 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    2011/08/26 10:13:50.0676 2524 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
    2011/08/26 10:13:50.0738 2524 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    2011/08/26 10:13:50.0776 2524 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    2011/08/26 10:13:50.0799 2524 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    2011/08/26 10:13:50.0847 2524 JGOGO (c995c0e8b4503fac38793bb0236ad246) C:\Windows\system32\drivers\jgogo.sys
    2011/08/26 10:13:50.0896 2524 JRAID (f4a31e66a61c0783f51157519b03280b) C:\Windows\system32\drivers\jraid.sys
    2011/08/26 10:13:50.0940 2524 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    2011/08/26 10:13:51.0012 2524 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    2011/08/26 10:13:51.0090 2524 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
    2011/08/26 10:13:51.0161 2524 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    2011/08/26 10:13:51.0215 2524 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
    2011/08/26 10:13:51.0257 2524 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
    2011/08/26 10:13:51.0288 2524 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
    2011/08/26 10:13:51.0342 2524 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    2011/08/26 10:13:51.0395 2524 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\Windows\system32\drivers\mbam.sys
    2011/08/26 10:13:51.0480 2524 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\Windows\system32\drivers\mbamswissarmy.sys
    2011/08/26 10:13:51.0523 2524 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
    2011/08/26 10:13:51.0573 2524 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    2011/08/26 10:13:51.0607 2524 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    2011/08/26 10:13:51.0628 2524 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    2011/08/26 10:13:51.0663 2524 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    2011/08/26 10:13:51.0702 2524 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    2011/08/26 10:13:51.0763 2524 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
    2011/08/26 10:13:51.0817 2524 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    2011/08/26 10:13:51.0858 2524 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    2011/08/26 10:13:51.0910 2524 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    2011/08/26 10:13:51.0960 2524 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    2011/08/26 10:13:52.0024 2524 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    2011/08/26 10:13:52.0069 2524 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    2011/08/26 10:13:52.0123 2524 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
    2011/08/26 10:13:52.0190 2524 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
    2011/08/26 10:13:52.0260 2524 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    2011/08/26 10:13:52.0293 2524 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    2011/08/26 10:13:52.0360 2524 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    2011/08/26 10:13:52.0405 2524 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    2011/08/26 10:13:52.0463 2524 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    2011/08/26 10:13:52.0533 2524 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    2011/08/26 10:13:52.0586 2524 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    2011/08/26 10:13:52.0632 2524 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    2011/08/26 10:13:52.0697 2524 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\Windows\system32\DRIVERS\ASACPI.sys
    2011/08/26 10:13:52.0727 2524 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    2011/08/26 10:13:52.0776 2524 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    2011/08/26 10:13:52.0916 2524 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110825.018\NAVENG.SYS
    2011/08/26 10:13:53.0014 2524 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110825.018\NAVEX15.SYS
    2011/08/26 10:13:53.0126 2524 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    2011/08/26 10:13:53.0191 2524 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    2011/08/26 10:13:53.0218 2524 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    2011/08/26 10:13:53.0257 2524 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    2011/08/26 10:13:53.0284 2524 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    2011/08/26 10:13:53.0345 2524 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    2011/08/26 10:13:53.0383 2524 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    2011/08/26 10:13:53.0450 2524 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    2011/08/26 10:13:53.0501 2524 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    2011/08/26 10:13:53.0542 2524 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    2011/08/26 10:13:53.0605 2524 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    2011/08/26 10:13:53.0683 2524 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    2011/08/26 10:13:53.0730 2524 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    2011/08/26 10:13:53.0916 2524 nvlddmkm (484844c0d892b42ecc5e6b063d072a38) C:\Windows\system32\DRIVERS\nvlddmkm.sys
    2011/08/26 10:13:54.0157 2524 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
    2011/08/26 10:13:54.0197 2524 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
    2011/08/26 10:13:54.0241 2524 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
    2011/08/26 10:13:54.0369 2524 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
    2011/08/26 10:13:54.0426 2524 ossrv (58ed675e69dbe2f58213ec5577d9606a) C:\Windows\system32\drivers\ctoss2k.sys
    2011/08/26 10:13:54.0494 2524 PalmUSBD (dc450992eba6f914080c1f7fbeeed72c) C:\Windows\system32\drivers\PalmUSBD.sys
    2011/08/26 10:13:54.0555 2524 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
    2011/08/26 10:13:54.0606 2524 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    2011/08/26 10:13:54.0644 2524 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
    2011/08/26 10:13:54.0709 2524 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    2011/08/26 10:13:54.0752 2524 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
    2011/08/26 10:13:54.0791 2524 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    2011/08/26 10:13:54.0855 2524 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    2011/08/26 10:13:55.0007 2524 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    2011/08/26 10:13:55.0059 2524 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
    2011/08/26 10:13:55.0110 2524 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    2011/08/26 10:13:55.0162 2524 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
    2011/08/26 10:13:55.0223 2524 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    2011/08/26 10:13:55.0287 2524 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    2011/08/26 10:13:55.0334 2524 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    2011/08/26 10:13:55.0374 2524 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    2011/08/26 10:13:55.0408 2524 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    2011/08/26 10:13:55.0438 2524 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    2011/08/26 10:13:55.0488 2524 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    2011/08/26 10:13:55.0513 2524 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    2011/08/26 10:13:55.0577 2524 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
    2011/08/26 10:13:55.0599 2524 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    2011/08/26 10:13:55.0652 2524 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    2011/08/26 10:13:55.0746 2524 RemoteControl-USBLAN (7553d60b85ac53bd4486c418a0fbfcdf) C:\Windows\system32\DRIVERS\rcblan.sys
    2011/08/26 10:13:55.0819 2524 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    2011/08/26 10:13:55.0856 2524 rt61x86 (6de7a483204ca5a57b672dcb25716361) C:\Windows\system32\DRIVERS\WMP54Gv41x86.sys
    2011/08/26 10:13:55.0922 2524 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    2011/08/26 10:13:55.0978 2524 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    2011/08/26 10:13:56.0030 2524 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
    2011/08/26 10:13:56.0060 2524 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
    2011/08/26 10:13:56.0104 2524 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    2011/08/26 10:13:56.0172 2524 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
    2011/08/26 10:13:56.0225 2524 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
    2011/08/26 10:13:56.0253 2524 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
    2011/08/26 10:13:56.0279 2524 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    2011/08/26 10:13:56.0331 2524 SilverLink (392834adb35deb199b03ae6a6caab23a) C:\Windows\system32\Drivers\SilvrLnk.sys
    2011/08/26 10:13:56.0379 2524 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
    2011/08/26 10:13:56.0424 2524 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
    2011/08/26 10:13:56.0459 2524 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
    2011/08/26 10:13:56.0564 2524 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    2011/08/26 10:13:56.0644 2524 SPBBCDrv (dc4dc886d3779c446f9b0e9d6b006e72) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    2011/08/26 10:13:56.0704 2524 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    2011/08/26 10:13:56.0754 2524 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\Windows\system32\Drivers\sptd.sys
    2011/08/26 10:13:56.0755 2524 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 7f1b7c4d446cd3f926af45b8c48bd593
    2011/08/26 10:13:56.0760 2524 sptd - detected LockedFile.Multi.Generic (1)
    2011/08/26 10:13:56.0805 2524 SRTSP (e0e54a571d4323567e95e11fe76a5ff3) C:\Windows\system32\Drivers\SRTSP.SYS
    2011/08/26 10:13:56.0858 2524 SRTSPL (4e44f0e22df824d318988caa6f321c30) C:\Windows\system32\Drivers\SRTSPL.SYS
    2011/08/26 10:13:56.0914 2524 SRTSPX (d3bb40427cf3d02e56bba97feda0a3aa) C:\Windows\system32\Drivers\SRTSPX.SYS
    2011/08/26 10:13:56.0952 2524 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    2011/08/26 10:13:57.0050 2524 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
    2011/08/26 10:13:57.0098 2524 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
    2011/08/26 10:13:57.0168 2524 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    2011/08/26 10:13:57.0225 2524 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    2011/08/26 10:13:57.0279 2524 SYMDNS (fe9f8b3a8bc22d85332b42e92308ddf9) C:\Windows\System32\Drivers\SYMDNS.SYS
    2011/08/26 10:13:57.0325 2524 SymEvent (06b95820df51502099a8a15c93e87986) C:\Windows\system32\Drivers\SYMEVENT.SYS
    2011/08/26 10:13:57.0370 2524 SYMFW (a0ea9d273889e53cfaabf2444692ccbf) C:\Windows\System32\Drivers\SYMFW.SYS
    2011/08/26 10:13:57.0423 2524 SymIM (8eab28dd6cd25355b951ae460fa86b48) C:\Windows\system32\DRIVERS\SymIMv.sys
    2011/08/26 10:13:57.0471 2524 SYMNDISV (c94eaca4b522012ee0691f1e79c42a7d) C:\Windows\System32\Drivers\SYMNDISV.SYS
    2011/08/26 10:13:57.0505 2524 SYMREDRV (7c6505ea598e58099d3b7e1f70426864) C:\Windows\System32\Drivers\SYMREDRV.SYS
    2011/08/26 10:13:57.0545 2524 SYMTDI (e6ff7ace71d07ca90119f2c6ab592ba4) C:\Windows\System32\Drivers\SYMTDI.SYS
    2011/08/26 10:13:57.0587 2524 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    2011/08/26 10:13:57.0624 2524 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    2011/08/26 10:13:57.0706 2524 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
    2011/08/26 10:13:57.0780 2524 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
    2011/08/26 10:13:57.0836 2524 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    2011/08/26 10:13:57.0901 2524 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    2011/08/26 10:13:57.0935 2524 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    2011/08/26 10:13:57.0997 2524 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    2011/08/26 10:13:58.0096 2524 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    2011/08/26 10:13:58.0151 2524 TIEHDUSB (a1124ebc672aa3ae1b327096c1dcc346) C:\Windows\system32\drivers\tiehdusb.sys
    2011/08/26 10:13:58.0218 2524 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    2011/08/26 10:13:58.0258 2524 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    2011/08/26 10:13:58.0292 2524 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    2011/08/26 10:13:58.0340 2524 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
    2011/08/26 10:13:58.0392 2524 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    2011/08/26 10:13:58.0458 2524 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
    2011/08/26 10:13:58.0497 2524 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
    2011/08/26 10:13:58.0544 2524 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    2011/08/26 10:13:58.0586 2524 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    2011/08/26 10:13:58.0643 2524 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    2011/08/26 10:13:58.0701 2524 urvpndrv (463f1dcfbcd4daea4c19791c88c13e98) C:\Windows\system32\DRIVERS\covpnwlh.sys
    2011/08/26 10:13:58.0740 2524 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
    2011/08/26 10:13:58.0787 2524 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    2011/08/26 10:13:58.0819 2524 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    2011/08/26 10:13:58.0869 2524 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    2011/08/26 10:13:58.0952 2524 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    2011/08/26 10:13:58.0990 2524 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
    2011/08/26 10:13:59.0048 2524 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    2011/08/26 10:13:59.0120 2524 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
    2011/08/26 10:13:59.0172 2524 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    2011/08/26 10:13:59.0222 2524 USBTINSP (6112ecb865b57ebada4e06c167943ee6) C:\Windows\system32\DRIVERS\tinspusb.sys
    2011/08/26 10:13:59.0276 2524 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    2011/08/26 10:13:59.0323 2524 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
    2011/08/26 10:13:59.0371 2524 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    2011/08/26 10:13:59.0407 2524 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
    2011/08/26 10:13:59.0441 2524 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
    2011/08/26 10:13:59.0478 2524 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
    2011/08/26 10:13:59.0516 2524 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    2011/08/26 10:13:59.0552 2524 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    2011/08/26 10:13:59.0597 2524 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    2011/08/26 10:13:59.0640 2524 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
    2011/08/26 10:13:59.0697 2524 VSTHWBS2 (c466021d31ff6c0a6069d12299d80c0b) C:\Windows\system32\DRIVERS\VSTBS23.SYS
    2011/08/26 10:13:59.0747 2524 VST_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
    2011/08/26 10:13:59.0854 2524 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    2011/08/26 10:13:59.0906 2524 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/08/26 10:13:59.0917 2524 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/08/26 10:13:59.0965 2524 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
    2011/08/26 10:14:00.0038 2524 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
    2011/08/26 10:14:00.0122 2524 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
    2011/08/26 10:14:00.0183 2524 WinDriver6 (097a8291df541f9b9af2c500797cdcaa) C:\Windows\system32\drivers\windrvr6.sys
    2011/08/26 10:14:00.0261 2524 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
    2011/08/26 10:14:00.0343 2524 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
    2011/08/26 10:14:00.0401 2524 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    2011/08/26 10:14:00.0469 2524 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    2011/08/26 10:14:00.0546 2524 yukonwlh (e0e5150b5081a30afeea97cec5f181ad) C:\Windows\system32\DRIVERS\yk60x86.sys
    2011/08/26 10:14:00.0580 2524 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1
    2011/08/26 10:14:00.0602 2524 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
    2011/08/26 10:14:00.0617 2524 Boot (0x1200) (8c6ab8b3a4c5475774148cd9c78b039d) \Device\Harddisk1\DR1\Partition0
    2011/08/26 10:14:00.0628 2524 Boot (0x1200) (c3080a39d8cb6fe34b92722c5ff1d7aa) \Device\Harddisk0\DR0\Partition0
    2011/08/26 10:14:00.0632 2524 ================================================================================
    2011/08/26 10:14:00.0632 2524 Scan finished
    2011/08/26 10:14:00.0632 2524 ================================================================================
    2011/08/26 10:14:00.0641 7352 Detected object count: 1
    2011/08/26 10:14:00.0641 7352 Actual detected object count: 1
    2011/08/26 10:14:05.0498 7352 LockedFile.Multi.Generic(sptd) - User select action: Skip
     
  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file and download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. svleck

    svleck TS Rookie Topic Starter

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-08-27 11:05:44
    -----------------------------
    11:05:44.842 OS Version: Windows 6.0.6002 Service Pack 2
    11:05:44.842 Number of processors: 2 586 0xF06
    11:05:44.842 ComputerName: SHELDON-PC UserName: Sheldon
    11:05:48.805 Initialize success
    11:08:49.179 AVAST engine defs: 11082700
    11:09:20.067 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-7
    11:09:20.067 Disk 0 Vendor: ST3320620AS 3.AAK Size: 305245MB BusType: 3
    11:09:20.082 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0
    11:09:20.082 Disk 1 Vendor: ST3320620AS 3.AAK Size: 305245MB BusType: 3
    11:09:22.095 Disk 1 MBR read successfully
    11:09:22.095 Disk 1 MBR scan
    11:09:22.110 Disk 1 Windows VISTA default MBR code
    11:09:22.110 Disk 1 scanning sectors +625139712
    11:09:22.204 Disk 1 scanning C:\Windows\system32\drivers
    11:09:41.657 Service scanning
    11:09:42.874 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    11:09:43.701 Modules scanning
    11:09:49.847 Disk 1 trace - called modules:
    11:09:49.863 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84d2c1f8]<<
    11:09:49.863 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x861ac260]
    11:09:49.863 3 CLASSPNP.SYS[8a9ca8b3] -> nt!IofCallDriver -> [0x857abf08]
    11:09:49.878 5 acpi.sys[807c16bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85759528]
    11:09:49.878 \Driver\atapi[0x85797030] -> IRP_MJ_CREATE -> 0x84d2c1f8
    11:09:51.423 AVAST engine scan C:\Windows
    11:09:56.727 AVAST engine scan C:\Windows\system32
    11:12:08.578 File: C:\Windows\system32\offfilt32.exe **INFECTED** Win32:Tracur-DG [Trj]
    11:13:17.124 AVAST engine scan C:\Windows\system32\drivers
    11:13:33.972 AVAST engine scan C:\Users\Sheldon
    11:26:14.871 Disk 1 MBR has been saved successfully to "C:\Users\Sheldon\Desktop\MBR.dat"
    11:26:14.879 The log file has been saved successfully to "C:\Users\Sheldon\Desktop\aswMBR.txt"


    ComboFix 11-08-27.01 - Sheldon 08/27/2011 11:30:29.1.2 - x86
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3006.1401 [GMT -4:00]
    Running from: c:\users\Sheldon\Desktop\ComboFix.exe
    AV: Norton 360 *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Norton 360 *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\appinfo32.dll
    c:\programdata\cngaudit32.exe
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{2b9d4a59-ce75-4148-9429-3be048dc35e9}
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{2b9d4a59-ce75-4148-9429-3be048dc35e9}\chrome.manifest
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{2b9d4a59-ce75-4148-9429-3be048dc35e9}\chrome\xulcache.jar
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{2b9d4a59-ce75-4148-9429-3be048dc35e9}\defaults\preferences\xulcache.js
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{2b9d4a59-ce75-4148-9429-3be048dc35e9}\install.rdf
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{601f956a-d34a-4235-b6bd-ce27d41eb4d1}
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{601f956a-d34a-4235-b6bd-ce27d41eb4d1}\chrome.manifest
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{601f956a-d34a-4235-b6bd-ce27d41eb4d1}\chrome\xulcache.jar
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{601f956a-d34a-4235-b6bd-ce27d41eb4d1}\defaults\preferences\xulcache.js
    c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\extensions\{601f956a-d34a-4235-b6bd-ce27d41eb4d1}\install.rdf
    c:\users\Sheldon\g2mdlhlpx.exe
    c:\users\Sheldon\GoToAssistDownloadHelper.exe
    c:\users\Sheldon\WINDOWS
    c:\windows\MailSwitch.ocx
    c:\windows\system32\comct332.ocx
    c:\windows\system32\offfilt32.exe
    F:\install.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_ehSched32
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-27 15:43 . 2011-08-27 15:43 270336 ----a-w- c:\programdata\CNQI480432.dll
    2011-08-27 15:40 . 2011-08-27 15:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-27 15:39 . 2011-08-16 22:02 1208832 ----a-w- c:\programdata\appinfo32.exe
    2011-08-25 20:51 . 2011-08-25 20:51 -------- d-----w- c:\users\Sheldon\AppData\Roaming\Malwarebytes
    2011-08-25 20:51 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-25 20:51 . 2011-08-25 20:51 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-25 20:51 . 2011-08-25 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-25 20:51 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-25 12:18 . 2011-08-25 12:18 -------- d-----w- c:\users\Sheldon\AppData\Roaming\Sammsoft
    2011-08-25 12:18 . 2011-08-25 12:18 -------- d-----w- c:\program files\ARO 2011
    2011-08-24 04:48 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-17 17:14 . 2011-08-17 17:14 0 ---ha-w- c:\windows\keslmyjgtf.tmp
    2011-08-11 07:11 . 2011-07-22 02:44 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-08-11 07:10 . 2011-07-22 03:00 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
    2011-08-11 07:10 . 2011-07-22 02:46 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
    2011-08-11 07:10 . 2011-07-22 02:54 1797632 ----a-w- c:\windows\system32\jscript9.dll
    2011-08-11 07:10 . 2011-07-22 02:48 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-08-10 13:25 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-08-10 13:25 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-08-10 13:25 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-08-10 13:25 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-08-10 13:25 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-28 10:27 . 2011-07-28 10:27 121464 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
    2011-07-21 18:53 . 2011-06-11 14:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-29 12:06 . 2011-06-29 12:06 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-06-29 12:06 . 2011-06-29 12:06 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-06-29 12:06 . 2011-06-29 12:06 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-06-29 12:06 . 2011-06-29 12:06 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-06-29 12:06 . 2011-06-29 12:06 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-29 12:06 . 2011-06-29 12:06 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-06-29 12:06 . 2011-06-29 12:06 367104 ----a-w- c:\windows\system32\html.iec
    2011-06-29 12:06 . 2011-06-29 12:06 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-06-29 12:06 . 2011-06-29 12:06 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-29 12:06 . 2011-06-29 12:06 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-29 12:06 . 2011-06-29 12:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-06-29 12:06 . 2011-06-29 12:06 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-06-29 12:06 . 2011-06-29 12:06 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-06-29 12:06 . 2011-06-29 12:06 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-06-29 12:06 . 2011-06-29 12:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-06-29 12:06 . 2011-06-29 12:06 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-06-29 12:06 . 2011-06-29 12:06 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-06-29 12:06 . 2011-06-29 12:06 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-06-17 16:03 . 2011-08-10 13:25 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-06 19:55 . 2011-06-06 19:55 47512 ----a-w- c:\windows\system32\AdobePDF.dll
    2011-06-06 19:55 . 2011-06-06 19:55 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
    2011-06-02 13:34 . 2011-07-13 07:38 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-08-19 12:25 . 2011-03-28 21:59 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2009-04-01 02:47 . 2008-04-28 20:43 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2741616]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-07-28 5242488]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
    "PowerSuite"="c:\progra~1\Uniblue\POWERS~1\launcher.exe" [2011-07-18 67448]
    "AROReminder"="c:\program files\ARO 2011\ARO.exe" [2011-01-25 2312048]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
    "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
    "JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
    "JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-31 1953792]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "CTXFIREG"="CTxfiReg.exe" [2007-03-05 43520]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
    "CTHelper"="CTHELPER.EXE" [2007-03-05 19456]
    "CTxfiHlp"="CTXFIHLP.EXE" [2007-03-05 19968]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-06-06 36760]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-06-06 2903448]
    "Simpo PDF Creator Lite Server"="c:\program files\Simpo PDF Creator Lite\SpcLiteSrv.exe" [2010-08-18 101376]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DevconDefaultDB"="c:\windows\system32\READREG" [X]
    "CtxfiReg"="CTXFIREG.exe" [2007-03-05 43520]
    .
    c:\users\Sheldon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2007-6-7 1392640]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Snagit 10.lnk - c:\program files\TechSmith\Snagit 10\Snagit32.exe [2011-3-21 7067464]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
    R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2010-10-20 13944]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\DRIVERS\rcblan.sys [2007-01-24 39704]
    R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-06-26 286208]
    R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
    R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
    R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
    R3 USBTINSP;TI-Nspire(TM) Handheld Device Driver;c:\windows\system32\DRIVERS\tinspusb.sys [2008-12-05 123392]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-10 716272]
    S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110826.001\IDSvix86.sys [2010-09-15 287792]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
    S2 hidserv32;Human Interface Device Access ;c:\programdata\appinfo32.exe [2011-08-16 1208832]
    S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-08-05 105592]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
    S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpnwlh.sys [2010-10-20 36472]
    S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - COMHOST
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    Akamai REG_MULTI_SZ Akamai
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2011-03-04 16:29 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
    uStart Page = https://mail.nycboe.net/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.nycboe.net/owa/
    mStart Page = hxxp://www.dellnet.com/
    uInternet Settings,ProxyServer = 80.179.251.233:80
    uInternet Settings,ProxyOverride = hxxp://localhost;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: citadelgroup.com\login
    TCP: DhcpNameServer = 167.206.251.129 167.206.251.130 192.168.1.1
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    FF - ProfilePath - c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADLTScriptFile
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{00ACAA42-6967-407A-878C-6AB1EA5B4ABa} - c:\windows\system32\appinfo32.dll
    HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{00ACAA42-6967-407A-878C-6AB1EA5B4ABA}"=hex:51,66,7a,6c,4c,1d,38,12,2c,a9,bf,
    04,55,27,14,05,f8,9a,29,f1,ef,05,0e,ae
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\EarthLink\6.0\Components]
    @DACL=(02 0000)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000001
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccProxy.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\AstSrv.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\programdata\cngaudit32.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\windows\System32\CtHelper.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    c:\windows\system32\WerFault.exe
    c:\progra~1\Uniblue\POWERS~1\powersuite.exe
    c:\program files\Adobe\Acrobat 10.0\Acrobat\AcroDist.exe
    c:\program files\Common Files\Java\Java Update\jucheck.exe
    c:\program files\TechSmith\Snagit 10\TSCHelp.exe
    c:\program files\TechSmith\Snagit 10\SnagPriv.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 11:52:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 15:51
    .
    Pre-Run: 179,304,275,968 bytes free
    Post-Run: 178,877,583,360 bytes free
    .
    - - End Of File - - A602CB86221B69743A48D164EF934731
     
  6. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    How is redirection?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\programdata\CNQI480432.dll
    c:\programdata\appinfo32.exe
    c:\windows\keslmyjgtf.tmp
    
    
    DDS::
    uInternet Settings,ProxyServer = 80.179.251.233:80
    uInternet Settings,ProxyOverride = hxxp://localhost;*.local
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
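    The CFScript above targets three things that recur in this kind of infection: an Internet Explorer proxy pointed at an outside address, loaders dropped straight into c:\programdata, and Security Center monitoring switched off. The script below is an added example for readers, not part of this thread and not a component of ComboFix or OTL; it runs the same checks over ComboFix-style log text so the lines that matter can be picked out of a long log. The sample lines are constructed from the entries quoted in this thread, and the `triage_log` / `is_private_or_local` function names are this example's own.

```python
"""Pick security-relevant lines out of a ComboFix-style log (added example)."""
import ipaddress
import re

# Constructed sample log lines, modelled on the ComboFix output quoted in this
# thread; this is not the poster's actual log file.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = 80.179.251.233:80
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130 192.168.1.1
"ccApp"="c:\\program files\\Common Files\\Symantec Shared\\ccApp.exe" [2008-10-17 51048]
"DevconDefaultDB"="c:\\windows\\system32\\READREG" [X]
"EnableLUA"= 0 (0x0)
c:\\program files\\Bonjour\\mDNSResponder.exe
c:\\programdata\\cngaudit32.exe
"""

# An IE proxy line: "uInternet Settings,ProxyServer = host:port"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<host>[^:\s]+)(?::(?P<port>\d+))?", re.I)
# An .exe or .dll sitting directly under c:\programdata (no subfolder),
# the location both appinfo32.dll and cngaudit32.exe used in this thread.
PROGRAMDATA_BIN_RE = re.compile(r"c:\\programdata\\[^\\\s]+\.(exe|dll)\b", re.I)
# A Run-key value whose target file ComboFix could not find ("[X]").
RUN_MISSING_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[X\]', re.I)
# UAC turned off in the system policies key.
LUA_OFF_RE = re.compile(r'"EnableLUA"\s*=\s*0\b')


def is_private_or_local(host):
    """True for loopback, RFC 1918 / link-local addresses or the name 'localhost'.

    A proxy inside the LAN is normal; one on a public address is what we flag.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback


def triage_log(text):
    """Return (severity, reason, line) tuples for every suspicious line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m and not is_private_or_local(m.group("host")):
            findings.append(("high", "IE proxy points at an external host", line))
        if PROGRAMDATA_BIN_RE.search(line):
            findings.append(("high", "executable/DLL directly under c:\\programdata", line))
        if LUA_OFF_RE.search(line):
            findings.append(("medium", "UAC disabled (EnableLUA=0)", line))
        if RUN_MISSING_RE.match(line):
            findings.append(("low", "autorun entry whose file is missing", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {line}")
```

    Point `triage_log` at the contents of ComboFix.txt and it reports the proxy line, the c:\programdata binary, the disabled-UAC policy and the stale Run entry, while leaving the DNS and ProxyOverride lines alone; a proxy on a private address such as 192.168.1.1 is not reported, since that is a normal LAN setup.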
     
  7. svleck

    svleck TS Rookie Topic Starter

    ComboFix 11-08-27.01 - Sheldon 08/27/2011 12:28:49.2.2 - x86
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3006.1654 [GMT -4:00]
    Running from: c:\users\Sheldon\Desktop\ComboFix.exe
    Command switches used :: c:\users\Sheldon\Desktop\CFScript.txt
    AV: Norton 360 *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Norton 360 *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    .
    FILE ::
    "c:\programdata\appinfo32.exe"
    "c:\programdata\CNQI480432.dll"
    "c:\windows\keslmyjgtf.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\appinfo32.exe
    c:\programdata\CNQI480432.dll
    c:\windows\keslmyjgtf.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_hidserv32
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-25 20:51 . 2011-08-25 20:51 -------- d-----w- c:\users\Sheldon\AppData\Roaming\Malwarebytes
    2011-08-25 20:51 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-25 20:51 . 2011-08-25 20:51 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-25 20:51 . 2011-08-25 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-25 20:51 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-25 12:18 . 2011-08-27 16:12 -------- d-----w- c:\users\Sheldon\AppData\Roaming\Sammsoft
    2011-08-24 04:48 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-11 07:11 . 2011-07-22 02:44 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-08-11 07:10 . 2011-07-22 03:00 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
    2011-08-11 07:10 . 2011-07-22 02:46 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
    2011-08-11 07:10 . 2011-07-22 02:54 1797632 ----a-w- c:\windows\system32\jscript9.dll
    2011-08-11 07:10 . 2011-07-22 02:48 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-08-10 13:25 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-08-10 13:25 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-08-10 13:25 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-08-10 13:25 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-08-10 13:25 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-08-10 13:25 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-28 10:27 . 2011-07-28 10:27 121464 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
    2011-07-21 18:53 . 2011-06-11 14:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-29 12:06 . 2011-06-29 12:06 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-06-29 12:06 . 2011-06-29 12:06 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-06-29 12:06 . 2011-06-29 12:06 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-06-29 12:06 . 2011-06-29 12:06 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-06-29 12:06 . 2011-06-29 12:06 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-29 12:06 . 2011-06-29 12:06 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-06-29 12:06 . 2011-06-29 12:06 367104 ----a-w- c:\windows\system32\html.iec
    2011-06-29 12:06 . 2011-06-29 12:06 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-06-29 12:06 . 2011-06-29 12:06 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-29 12:06 . 2011-06-29 12:06 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-29 12:06 . 2011-06-29 12:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-06-29 12:06 . 2011-06-29 12:06 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-06-29 12:06 . 2011-06-29 12:06 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-06-29 12:06 . 2011-06-29 12:06 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-06-29 12:06 . 2011-06-29 12:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-06-29 12:06 . 2011-06-29 12:06 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-06-29 12:06 . 2011-06-29 12:06 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-06-29 12:06 . 2011-06-29 12:06 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-06-06 19:55 . 2011-06-06 19:55 47512 ----a-w- c:\windows\system32\AdobePDF.dll
    2011-06-06 19:55 . 2011-06-06 19:55 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
    2011-06-02 13:34 . 2011-07-13 07:38 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-08-19 12:25 . 2011-03-28 21:59 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2009-04-01 02:47 . 2008-04-28 20:43 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2741616]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-07-28 5242488]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
    "PowerSuite"="c:\progra~1\Uniblue\POWERS~1\launcher.exe" [2011-07-18 67448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
    "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
    "JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
    "JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-31 1953792]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "CTXFIREG"="CTxfiReg.exe" [2007-03-05 43520]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
    "CTHelper"="CTHELPER.EXE" [2007-03-05 19456]
    "CTxfiHlp"="CTXFIHLP.EXE" [2007-03-05 19968]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-06-06 36760]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-06-06 2903448]
    "Simpo PDF Creator Lite Server"="c:\program files\Simpo PDF Creator Lite\SpcLiteSrv.exe" [2010-08-18 101376]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DevconDefaultDB"="c:\windows\system32\READREG" [X]
    "CtxfiReg"="CTXFIREG.exe" [2007-03-05 43520]
    .
    c:\users\Sheldon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2007-6-7 1392640]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Snagit 10.lnk - c:\program files\TechSmith\Snagit 10\Snagit32.exe [2011-3-21 7067464]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
    R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2010-10-20 13944]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\DRIVERS\rcblan.sys [2007-01-24 39704]
    R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-06-26 286208]
    R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
    R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
    R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
    R3 USBTINSP;TI-Nspire(TM) Handheld Device Driver;c:\windows\system32\DRIVERS\tinspusb.sys [2008-12-05 123392]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-10 716272]
    S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110826.001\IDSvix86.sys [2010-09-15 287792]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
    S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-08-05 105592]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
    S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpnwlh.sys [2010-10-20 36472]
    S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - COMHOST
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    Akamai REG_MULTI_SZ Akamai
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2011-03-04 16:29 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
    uStart Page = https://mail.nycboe.net/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.nycboe.net/owa/
    mStart Page = hxxp://www.dellnet.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: citadelgroup.com\login
    TCP: DhcpNameServer = 167.206.251.129 167.206.251.130 192.168.1.1
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    FF - ProfilePath - c:\users\Sheldon\AppData\Roaming\Mozilla\Firefox\Profiles\c1woehdc.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 12:43
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{00ACAA42-6967-407A-878C-6AB1EA5B4ABA}"=hex:51,66,7a,6c,4c,1d,38,12,2c,a9,bf,
    04,55,27,14,05,f8,9a,29,f1,ef,05,0e,ae
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\EarthLink\6.0\Components]
    @DACL=(02 0000)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000001
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5104)
    c:\program files\SlySoft\AnyDVD\ADvdDiscHlp1.dll
    c:\windows\System32\NLSData0009.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccProxy.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\AstSrv.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\System32\rundll32.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\progra~1\Uniblue\POWERS~1\powersuite.exe
    c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    c:\program files\TechSmith\Snagit 10\TSCHelp.exe
    c:\program files\TechSmith\Snagit 10\SnagPriv.exe
    c:\program files\TechSmith\Snagit 10\snagiteditor.exe
    c:\progra~1\Uniblue\SPEEDU~1\sump.exe
    c:\windows\system32\DllHost.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 12:48:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 16:48
    ComboFix2.txt 2011-08-27 15:52
    .
    Pre-Run: 178,890,440,704 bytes free
    Post-Run: 178,866,778,112 bytes free
    .
     
  8. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You didn't say:
     
  9. svleck

    svleck TS Rookie Topic Starter

    I believe it has been zapped. Thank you very much
     
  10. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.
