TechSpot

\System Check\ virus

Inactive
By davidstl
Jan 25, 2012
Topic Status:
Not open for further replies.
  1. Dang Diddlely-ittlely!!
    I was surfing Yahoo the other day and my window suddenly closed. I thought: Oh no... but nothing happened. So, I just reopened my Internet Explorer and BOOM. My window closed again, my desktop disappeared, and my screen went black. I received dozens of pop up windows:
    Windows -Delayed Write Failed.
    Failed to save all the components for the file \system32\. The file is corrupted.
    I tried in vain to reboot my desktop, but all of my programs seemed to have been erased. My only option available was to click and run an obviously rogue scanner called System Check. -I did NOT run the scanner- I never personally downloaded this program. I knew I had a serious virus on my hands. So, here I am. Could someone please check my log files and help clean my PC?
    Thank You

    P.S. One important question. Using XP, 'click by click', how do I paste those log files into my forum post? I am a computer novice.
     
  2. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Further Information about my System Check experience.

    I booted into my BIOS hitting F8 on start up. From there I chose the option: Reboot in Safe Mode With Networking. I discovered the only program besides System Check on my computer was OpenOffice.org. -It seemed my hard drive had been wiped clean- I somehow used OpenOffice.org to open an explorer window to the internet. I then did some research on the System Check virus and while in Safe Mode I ran MBAM. Malwarebytes found 14 instances of Hijackers and Trojans. Per my research, I also used the programs called UnHide & TDSSKiller. I think these three knocked out the virus, but I am seeking the help of you professionals on this one.
    Thanks again,
    David
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    David, did you want help on this issue? Sounds like you may have followed instructions given to someone else. That is not recommended.

    Please describe the malware-related problems you still have. Then, if you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Edit: Short but good lesson in copy and paste: http://www.webmasternow.com/copyandpaste.html

    Apply the same principle to the logs. Be sure when you open Notepad to go up and click on Format > uncheck 'Word Wrap'.
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
     
  4. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Dear Techspot, I have been away. I was summoned to Jury Duty. I was not allowed time and access to "electronic devices". But now I am back and I am following your prescribed instructions and starting the fresh malware scans. Scans can take my PC a couple of hours. I will repost as soon as I have completed them. Thank you for the instructions on Copy & Paste. I'm so dumb.
     
  5. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is the MBAM log showing the infection log from last week.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.24.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Administrator :: GX620 [administrator]

    1/24/2012 8:15:48 PM
    mbam-log-2012-01-24 (20-15-48).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 191955
    Time elapsed: 11 minute(s), 34 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nMdQvhGrqSMKfoq.exe (Trojan.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\nMdQvhGrqSMKfoq.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 8
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Documents and Settings\All Users\Application Data\nMdQvhGrqSMKfoq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\9\14a81f89-381bbac0 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)
     
  6. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is the fresh MBAM log from today.

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.01.04

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: GX620 [administrator]

    Protection: Enabled

    2/1/2012 12:15:31 PM
    mbam-log-2012-02-01 (12-15-31).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 194360
    Time elapsed: 31 minute(s), 24 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\Administrator\My Documents\Downloads\update.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    (end)
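The two MBAM logs posted above (the January scan and the fresh one) are where the actual findings sit: a Run-key value pointing at the FakeAlert executable, the Start Menu and Task Manager policy values the rogue scanner flipped, and, in the second log, a Security Center notification setting left at "No action taken". The following is an added example, not code from this thread, TechSpot or Malwarebytes, that parses this log format and pulls those items out for triage. The line patterns are an assumption derived only from the lines visible in the thread, and the sample log is a constructed, shortened merge of the two posted logs so that both a repaired item and an unresolved item appear.

```python
"""Summarise a Malwarebytes Anti-Malware (MBAM 1.x) text log for triage.

Added example; not code from TechSpot, the poster, or Malwarebytes. It walks
the "... Detected: N" sections of the posted log format and extracts autostart
persistence (values under a Run key), settings recorded as "Bad: (x) Good: (y)",
and anything the scanner left with "No action taken". The regexes are an
assumption about the layout, based only on the lines visible in the thread.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a shortened merge of the two logs posted in the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.0.1800
Scan type: Full scan
Objects scanned: 191955

Memory Processes Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nMdQvhGrqSMKfoq.exe (Trojan.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\nMdQvhGrqSMKfoq.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Detected: 2
C:\Documents and Settings\All Users\Application Data\nMdQvhGrqSMKfoq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\Downloads\update.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9._-]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)$")


@dataclass
class Detection:
    kind: str      # section name, e.g. "Registry Values"
    item: str      # registry key|value or file path
    family: str    # MBAM detection name, e.g. Trojan.FakeAlert
    details: str   # middle field(s): "Data: ..." or "Bad: (x) Good: (y)"
    action: str    # final field without the trailing period

    @property
    def is_autostart(self) -> bool:
        # A value under ...\CurrentVersion\Run runs at every logon: persistence.
        return "\\currentversion\\run|" in self.item.lower()

    @property
    def unresolved(self) -> bool:
        return self.action.lower().startswith("no action taken")

    def setting_change(self) -> tuple[str, str, str] | None:
        """For Bad/Good data items: (value name, bad value, good value)."""
        m = BAD_GOOD_RE.match(self.details)
        if not m:
            return None
        return (self.item.rsplit("|", 1)[-1], m.group("bad"), m.group("good"))


def parse_mbam_log(text: str) -> tuple[list[Detection], list[str]]:
    """Return (detections, warnings). A warning is emitted when a section
    header's count disagrees with the entries actually listed under it."""
    detections: list[Detection] = []
    warnings: list[str] = []
    kind, expected, seen = None, 0, 0

    def close_section() -> None:
        if kind is not None and seen != expected:
            warnings.append(f"{kind}: header says {expected}, parsed {seen}")

    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the section
            close_section()
            kind = None
            continue
        m = SECTION_RE.match(line)
        if m:
            close_section()
            kind, expected, seen = m.group("kind"), int(m.group("count")), 0
            continue
        if kind is None or line.startswith("("):
            continue                      # preamble, "(No malicious ...)", "(end)"
        m = ENTRY_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        detections.append(Detection(kind, m.group("item"), m.group("family"),
                                    " -> ".join(parts[:-1]), parts[-1].rstrip(".")))
        seen += 1
    close_section()
    return detections, warnings


def summarize(detections: list[Detection]) -> dict:
    """Compact triage view: what was found, what persists, what was left."""
    changes = [d.setting_change() for d in detections]
    return {
        "families": dict(Counter(d.family for d in detections)),
        "autostart": [d.item for d in detections if d.is_autostart],
        "settings_changed": [c for c in changes if c is not None],
        "unresolved": [d.item for d in detections if d.unresolved],
    }


if __name__ == "__main__":
    found, warns = parse_mbam_log(SAMPLE_LOG)
    for key, value in summarize(found).items():
        print(f"{key}: {value}")
    for w in warns:
        print("warning:", w)
```

Run against the sample, the summary lists the Run-key value as the persistence item, the three Bad/Good settings with their before and after values, and the FirewallDisableNotify item as unresolved; the header-count check catches a log that was truncated while being pasted, which is a common problem in threads like this one.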
     
  7. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is my fresh GMER Log. Thanks.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-01 16:34:07
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST380013AS rev.8.12
    Running: 6uzgvw4u.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxtdqpob.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A5200C0 ZwAlertResumeThread
    SSDT 8A516278 ZwAlertThread
    SSDT 8A98C208 ZwAllocateVirtualMemory
    SSDT 8A5350F0 ZwAssignProcessToJobObject
    SSDT 8A929490 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xABF49710]
    SSDT 8A61EC90 ZwCreateMutant
    SSDT 8A515580 ZwCreateSymbolicLinkObject
    SSDT 8A525308 ZwCreateThread
    SSDT 8A5340D8 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xABF49990]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xABF49EF0]
    SSDT 8A972E50 ZwDuplicateObject
    SSDT 8A963758 ZwFreeVirtualMemory
    SSDT 8A527748 ZwImpersonateAnonymousToken
    SSDT 8A5230D0 ZwImpersonateThread
    SSDT 8A927DF0 ZwLoadDriver
    SSDT 8A52D3B8 ZwMapViewOfSection
    SSDT 8A52B798 ZwOpenEvent
    SSDT 8A9AD378 ZwOpenProcess
    SSDT 8AC77A70 ZwOpenProcessToken
    SSDT 8A532A48 ZwOpenSection
    SSDT 8A98E990 ZwOpenThread
    SSDT 8A50CCE8 ZwProtectVirtualMemory
    SSDT 8A516240 ZwResumeThread
    SSDT 8A92A0C0 ZwSetContextThread
    SSDT 8A93D3E0 ZwSetInformationProcess
    SSDT 8A532C60 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xABF4A140]
    SSDT 8A52FDF0 ZwSuspendProcess
    SSDT 8A50F100 ZwSuspendThread
    SSDT 8A43A1A8 ZwTerminateProcess
    SSDT 8A50D108 ZwTerminateThread
    SSDT 8A931120 ZwUnmapViewOfSection
    SSDT 8AC28E10 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 276 804E4AD0 4 Bytes JMP C720D56D
    .text ntoskrnl.exe!ZwYieldExecution + 29A 804E4AF4 4 Bytes CALL 84D89BC5
    ? nwdfb.sys The system cannot find the file specified. !
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9181000, 0x2A7064, 0xE8000020]
    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9049F80]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  8. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is my DDS Attach.txt Log.
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/7/2010 5:15:43 PM
    System Uptime: 2/1/2012 12:48:48 PM (4 hours ago)
    .
    Motherboard: Dell Inc. | | 0HH807
    Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Microprocessor | 3391/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 59.914 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP131: 11/3/2011 7:12:32 PM - System Checkpoint
    RP132: 11/4/2011 7:37:20 PM - System Checkpoint
    RP133: 11/5/2011 7:47:26 PM - System Checkpoint
    RP134: 11/7/2011 9:07:05 PM - Software Distribution Service 3.0
    RP135: 11/9/2011 4:57:38 PM - System Checkpoint
    RP136: 11/10/2011 5:36:50 PM - System Checkpoint
    RP137: 11/11/2011 6:31:42 PM - System Checkpoint
    RP138: 11/13/2011 8:47:47 PM - System Checkpoint
    RP139: 11/15/2011 6:02:26 PM - System Checkpoint
    RP140: 11/17/2011 5:11:48 PM - System Checkpoint
    RP141: 11/18/2011 6:00:20 PM - System Checkpoint
    RP142: 11/19/2011 7:37:05 PM - System Checkpoint
    RP143: 11/23/2011 6:20:21 PM - System Checkpoint
    RP144: 11/25/2011 9:13:27 AM - System Checkpoint
    RP145: 11/26/2011 3:19:18 PM - System Checkpoint
    RP146: 11/28/2011 8:37:17 PM - System Checkpoint
    RP147: 11/29/2011 9:31:00 PM - System Checkpoint
    RP148: 11/30/2011 9:49:36 PM - System Checkpoint
    RP149: 12/2/2011 5:07:59 PM - System Checkpoint
    RP150: 12/3/2011 5:49:35 PM - System Checkpoint
    RP151: 12/5/2011 8:08:15 PM - System Checkpoint
    RP152: 12/6/2011 11:16:16 AM - Software Distribution Service 3.0
    RP153: 12/8/2011 4:27:12 PM - System Checkpoint
    RP154: 12/11/2011 11:03:00 PM - System Checkpoint
    RP155: 12/13/2011 4:57:09 PM - System Checkpoint
    RP156: 12/14/2011 5:34:28 PM - System Checkpoint
    RP157: 12/15/2011 6:33:16 PM - System Checkpoint
    RP158: 12/16/2011 8:01:54 PM - System Checkpoint
    RP159: 12/19/2011 6:17:19 PM - System Checkpoint
    RP160: 12/20/2011 7:13:39 PM - System Checkpoint
    RP161: 12/22/2011 5:19:29 PM - System Checkpoint
    RP162: 12/22/2011 9:11:53 PM - Removed Steam
    RP163: 12/23/2011 11:41:55 PM - System Checkpoint
    RP164: 12/25/2011 12:40:10 AM - System Checkpoint
    RP165: 12/28/2011 9:15:07 PM - System Checkpoint
    RP166: 12/30/2011 4:59:37 PM - System Checkpoint
    RP167: 12/31/2011 8:45:55 PM - System Checkpoint
    RP168: 1/2/2012 3:17:53 PM - Norton 360 Registry Clean
    RP169: 1/3/2012 11:00:13 PM - System Checkpoint
    RP170: 1/5/2012 6:11:09 PM - System Checkpoint
    RP171: 1/6/2012 8:02:35 PM - System Checkpoint
    RP172: 1/8/2012 9:42:13 AM - Software Distribution Service 3.0
    RP173: 1/9/2012 4:47:00 PM - System Checkpoint
    RP174: 1/10/2012 5:13:22 PM - System Checkpoint
    RP175: 1/10/2012 9:18:34 PM - Norton 360 Registry Clean
    RP176: 1/12/2012 9:45:39 AM - System Checkpoint
    RP177: 1/13/2012 1:58:34 PM - System Checkpoint
    RP178: 1/19/2012 2:03:27 PM - System Checkpoint
    RP179: 1/20/2012 3:54:26 PM - System Checkpoint
    RP180: 1/21/2012 4:27:21 PM - System Checkpoint
    RP181: 1/24/2012 9:45:31 PM - Installed HiJackThis
    RP182: 1/24/2012 11:26:20 PM - Norton 360 Registry Clean
    RP183: 1/26/2012 7:24:49 PM - System Checkpoint
    RP184: 2/1/2012 1:05:33 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.2)
    AMD APP SDK Runtime
    ATI AVIVO Codecs
    ATI Catalyst Install Manager
    Broadcom Gigabit Integrated Controller
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    ccc-utility
    CCC Help English
    CCleaner
    CDisplay 1.8
    Dell Driver Download Manager
    DVD Shrink 3.2
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    HP Deskjet 2050 J510 series Basic Device Software
    HP Deskjet 2050 J510 series Help
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 26
    Logitech Gaming Software 5.10
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox 9.0.1 (x86 en-US)
    Nero 6 Ultra Edition
    Norton 360
    OpenOffice.org 3.1
    Pando Media Booster
    PunkBuster Services
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB2530548)
    Security Update for Windows Internet Explorer 7 (KB2544521)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    SoundMAX
    SUPERAntiSpyware
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/1/2012 3:07:01 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    2/1/2012 12:49:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    1/30/2012 7:27:56 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf9dafb0, parameter3 a887abe0, parameter4 00000000.
    1/30/2012 7:27:28 PM, error: Dhcp [1002] - The IP address lease 192.168.100.2 for the Network Card with network address 0013727340F4 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
  9. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is my DDS.txt Log. Thanks.
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Administrator at 16:36:35 on 2012-02-01
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2870 [GMT -6:00]
    .
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.0.13\ips\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1308372847343
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    TCP: Interfaces\{2225B3BB-99B4-43AD-B80C-7B7402075F2B} : DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ga180uks.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-1-31 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-1-31 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\bashdefs\20120121.002\BHDrvx86.sys [2012-1-21 820344]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-1-31 136312]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-19 652360]
    R2 N360;Norton 360;c:\program files\norton 360\engine\5.2.0.13\ccsvchst.exe [2012-1-31 130008]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-6-19 101904]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-24 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\ipsdefs\20120131.002\IDSXpx86.sys [2012-2-1 356280]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-19 20464]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\virusdefs\20120201.003\NAVENG.SYS [2012-2-1 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\virusdefs\20120201.003\NAVEX15.SYS [2012-2-1 1576312]
    .
    =============== Created Last 30 ================
    .
    2012-01-31 23:47:16 744568 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
    2012-01-31 23:47:16 516216 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtsp.sys
    2012-01-31 23:47:16 50168 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtspx.sys
    2012-01-31 23:47:16 369784 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdi.sys
    2012-01-31 23:47:16 340088 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symds.sys
    2012-01-31 23:47:16 331384 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys
    2012-01-31 23:47:16 299640 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symnets.sys
    2012-01-31 23:47:16 136312 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys
    2012-01-31 23:46:52 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
    2012-01-25 04:38:05 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2012-01-25 04:38:05 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2012-01-25 04:38:05 -------- d-----w- c:\program files\Symantec
    2012-01-25 04:38:05 -------- d-----w- c:\program files\common files\Symantec Shared
    2012-01-25 04:37:52 106928 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-01-25 04:37:30 -------- d-----w- c:\windows\system32\drivers\N360
    2012-01-25 04:37:27 -------- d-----w- c:\program files\Norton 360
    2012-01-25 04:37:07 -------- d-----w- c:\program files\NortonInstaller
    2012-01-25 03:45:33 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2012-01-25 03:45:32 -------- d-----w- c:\program files\Trend Micro
    2012-01-23 21:20:12 353016 ----a-w- c:\documents and settings\all users\application data\t4B2Xjfe72LLip.exe
    2012-01-08 16:33:58 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-01-08 16:33:58 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-08 16:33:58 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-08 16:33:58 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2012-01-03 02:22:22 -------- d-----w- c:\program files\common files\Blizzard Entertainment
    2012-01-03 02:21:36 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
    .
    ==================== Find3M ====================
    .
    2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-16 23:48:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
    .
    ============= FINISH: 16:36:56.57 ===============
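As an added illustration that is not part of the thread, the following Python script parses DDS "Created Last 30" lines like those in the log above and flags the kind of entry a helper looks at first: an executable dropped straight into a user-writable Application Data directory under a generated-looking name, as with the t4B2Xjfe72LLip.exe entry. The sample input and the two heuristics are the example's own assumptions, not a feature of DDS.

```python
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    date: str
    time: str
    size: str      # byte count, or "--------" for directories
    attrs: str     # DDS attribute string, e.g. "----a-w-" or "d-----w-"
    path: str


# One DDS "Created Last 30" line: date, time, size, attribute flags, path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-{8}) (\S{8}) (.+)$"
)

EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl")

# Directories a rogue like System Check can write to without admin rights;
# a legitimate installer almost never drops a bare executable directly here.
# (Heuristic chosen for this example, not a DDS rule.)
DATA_DIR_SUFFIXES = (
    "\\application data",
    "\\local settings\\application data",
    "\\local settings\\temp",
)

# Constructed sample in the page's DDS format (paths copied from the log above).
SAMPLE_LOG = r"""
2012-01-31 23:47:16 744568 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
2012-01-31 23:46:52 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
2012-01-25 03:45:33 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-23 21:20:12 353016 ----a-w- c:\documents and settings\all users\application data\t4B2Xjfe72LLip.exe
2012-01-08 16:33:58 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
"""


def parse_created_last_30(text: str) -> List[Entry]:
    """Parse a 'Created Last 30' block; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def looks_random(stem: str) -> bool:
    """Heuristic for generated names such as t4B2Xjfe72LLip: long, mixed case, digits."""
    return (
        len(stem) >= 8
        and any(c.isdigit() for c in stem)
        and any(c.isupper() for c in stem)
        and any(c.islower() for c in stem)
    )


def flag_entry(entry: Entry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    if entry.attrs.startswith("d"):
        return []                      # directories carry no payload themselves
    low = entry.path.lower()
    parent, _, name = low.rpartition("\\")
    if not name.endswith(EXEC_EXTENSIONS):
        return []
    reasons = []
    if parent.endswith(DATA_DIR_SUFFIXES):
        reasons.append("executable dropped directly into a user-writable data directory")
    stem = entry.path.rpartition("\\")[2].rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append("random-looking file name")
    return reasons


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse a 'Created Last 30' block and return only the entries worth reviewing."""
    flagged = []
    for entry in parse_created_last_30(text):
        reasons = flag_entry(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.date} {entry.time} {entry.path}")
        for r in reasons:
            print(f"    - {r}")
```

On the sample above only the t4B2Xjfe72LLip.exe entry is flagged, on both counts; the MSI-cached HiJackThis.exe sits under a vendor subfolder and has a readable name, so it passes.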
     
  10. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Hopefully, I have gotten you the correct information in the correct fashion. I will wait patiently for your assistance. Thank you.
    davidstl
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome back David- good thing for you I was late closing the thread!

    Obviously someone used this computer and did something in the week between these logs: There were 2,405 more objects scanned the 2nd time.
    Full Scan: 1/24/2012 8:15:48 PM
    mbam-log-2012-01-24 (20-15-48).txt
    Objects scanned: 191955
    Time elapsed: 11 minute(s), 34 second(s)
    Registry Values Detected: 1> (Trojan.FakeAlert)
    Registry Data Items Detected: 8> 'missing' data-TaskMan, Startup.
    (No malicious items detected)
    Files Detected: 2> Both (Trojan.FakeAlert)
    ---------------------------
    Full Scan: 2/1/2012 12:15:31 PM
    mbam-log-2012-02-01 (12-15-31).txt
    Objects scanned: 194360
    Time elapsed: 31 minute(s), 24 second(s)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 1. (Disabled Security Center)
    Files Detected: 1> (Trojan.Dropper)
    -------------------------
    So- please give me the status now:
    1. You ran Unhide -Are you still 'missing' programs, files, desktop, etc.?
    2. You ran the TDSSKiller> do you have the log from the TDSSKiller? If so, please paste it in next reply.
    3. Do you have internet access now?
    4. Can you get into Normal Mode?
    5. I notice this Restore Point: RP182: 1/24/2012 11:26:20 PM - Norton 360 Registry Clean- Please disable the registry clean part of Norton while I'm helping you.
    6. What problems are you still experiencing?
    ---------------------------------------
    Another lesson for you> you do not need to boot into the Bios for Safe Mode or Safe Mode with Networking:
    Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    =========================================
    Please run in Normal Mode.
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti-virus and anti-malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =============================
    Answers and logs (Eset and Combofix) in next reply please.
    TDSSKiller log if you have it.

    (Nice job on the copy and paste!)
     
     
  12. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Thank you for not closing my thread. I think I might still have pieces of malicious programs left behind. So I have come for your help.
    To answer your questions:
    Yes, once my PC began to reboot, I went back to using the computer. I just had not the time required then to connect with Techspot and address this forum thread. I purchased Norton 360 5.0 and ran it a few times. Also I use SuperAntispyware Professional.
    1. I ran UnHide. And no, I am not missing programs or my desktop.
    2. I ran TDSSKiller, and I will paste last week's log here for you.
    3. Yes, I have internet access.
    4. Yes, I can boot into normal mode.
    5. I will try to discover how to turn off Norton Registry Clean. I thought I already had disabled Norton for you?
    6. I am experiencing no problems that are overt. I was hoping you could check my scans. I could easily miss something malicious.

    Okay, I am running ComboFix next. And then ESET. I will return with those log files. Thanks again.
     
  13. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay,
    21:24:40.0640 0308 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
    21:24:40.0937 0308 ============================================================
    21:24:40.0937 0308 Current date / time: 2012/01/24 21:24:40.0937
    21:24:40.0937 0308 SystemInfo:
    21:24:40.0937 0308
    21:24:40.0937 0308 OS Version: 5.1.2600 ServicePack: 3.0
    21:24:40.0937 0308 Product type: Workstation
    21:24:40.0937 0308 ComputerName: GX620
    21:24:40.0937 0308 UserName: Administrator
    21:24:40.0937 0308 Windows directory: C:\WINDOWS
    21:24:40.0937 0308 System windows directory: C:\WINDOWS
    21:24:40.0937 0308 Processor architecture: Intel x86
    21:24:40.0937 0308 Number of processors: 2
    21:24:40.0937 0308 Page size: 0x1000
    21:24:40.0937 0308 Boot type: Normal boot
    21:24:40.0937 0308 ============================================================
    21:24:42.0453 0308 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    21:24:42.0484 0308 Initialize success
    21:25:18.0250 3940 ============================================================
    21:25:18.0250 3940 Scan started
    21:25:18.0250 3940 Mode: Manual;
    21:25:18.0250 3940 ============================================================
    21:25:23.0875 3940 WmXlCore - ok
    21:25:23.0906 3940 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    21:25:23.0906 3940 WudfPf - ok
    21:25:23.0921 3940 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    21:25:23.0921 3940 WudfRd - ok
    21:25:23.0937 3940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    21:25:23.0968 3940 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
    21:25:23.0968 3940 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
    21:25:23.0968 3940 Boot (0x1200) (ae4cf141f1ae3a31135ae7b689ae3ff8) \Device\Harddisk0\DR0\Partition0
    21:25:23.0968 3940 \Device\Harddisk0\DR0\Partition0 - ok
    21:25:23.0968 3940 ============================================================
    21:25:23.0968 3940 Scan finished
    21:25:23.0968 3940 ============================================================
    21:25:23.0984 3888 Detected object count: 1
    21:25:23.0984 3888 Actual detected object count: 1
    21:25:41.0625 3888 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
    21:25:41.0625 3888 \Device\Harddisk0\DR0 - ok
    21:25:41.0625 3888 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
    21:25:52.0296 0480 Deinitialize success
    Here is my TDSSKiller log from last week.
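The TDSSKiller log above mixes hundreds of "- ok" driver lines with the few that matter: the MBR object flagged as Rootkit.Boot.SST.b, the "Detected object count", and the action chosen for the detection. As an added example (not part of this thread and not TDSSKiller's own code), the Python below parses lines in that layout, separates verified objects from detections, keeps the sequence of verdicts per detected object, and checks that the reported count agrees with what was actually flagged. The sample lines are a constructed subset copied from the log's format; names such as `parse_tdsskiller` and `Summary` are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller log layout quoted above:
# "<timestamp> <thread id> <object> ... - <verdict>". Only the lines that
# illustrate each case are kept; hashes and paths follow the thread's log.
SAMPLE_LOG = r"""
21:25:23.0437 3940 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:25:23.0437 3940 Tcpip - ok
21:25:23.0937 3940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:25:23.0968 3940 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
21:25:23.0968 3940 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
21:25:23.0968 3940 \Device\Harddisk0\DR0\Partition0 - ok
21:25:23.0984 3888 Detected object count: 1
21:25:41.0625 3888 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
21:25:41.0625 3888 \Device\Harddisk0\DR0 - ok
21:25:41.0625 3888 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
"""

# Every record starts with a timestamp and a thread id; the rest is the body.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<body>.*)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
# "<object> ( <threat> ) - <verdict>" carries the detection and later the action.
THREAT_RE = re.compile(r"^(?P<obj>\S+) \( (?P<threat>\S+) \) - (?P<verdict>.+)$")
DETECTED_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<threat>\S+)")
OK_RE = re.compile(r"^(?P<obj>.+?) - ok$")


@dataclass
class Detection:
    threat: str
    events: List[str] = field(default_factory=list)  # verdicts in log order


@dataclass
class Summary:
    verified_ok: int = 0                       # objects that were only checked
    reported_count: Optional[int] = None       # TDSSKiller's own total
    detections: Dict[str, Detection] = field(default_factory=dict)


def parse_tdsskiller(text: str) -> Summary:
    summary = Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and separator banners
        body = m.group("body")
        count = COUNT_RE.match(body)
        if count:
            summary.reported_count = int(count.group("n"))
            continue
        hit = THREAT_RE.match(body) or DETECTED_RE.match(body)
        if hit:
            det = summary.detections.setdefault(
                hit.group("obj"), Detection(hit.group("threat")))
            det.events.append(hit.groupdict().get("verdict") or "detected")
            continue
        ok = OK_RE.match(body)
        if ok:
            # An object flagged earlier and then marked "ok" is the cure being
            # recorded, not a clean verification, so keep it with its detection.
            if ok.group("obj") in summary.detections:
                summary.detections[ok.group("obj")].events.append("ok")
            else:
                summary.verified_ok += 1
    return summary


def pending_reboot_cures(summary: Summary) -> List[str]:
    """Objects whose cure is deferred until the machine restarts."""
    return [obj for obj, d in summary.detections.items()
            if "will be cured on reboot" in d.events]


def count_is_consistent(summary: Summary) -> bool:
    """True when TDSSKiller's reported total matches the objects we parsed."""
    return (summary.reported_count is not None
            and summary.reported_count == len(summary.detections))


if __name__ == "__main__":
    s = parse_tdsskiller(SAMPLE_LOG)
    print(f"verified ok: {s.verified_ok}, reported detections: {s.reported_count}")
    for obj, d in s.detections.items():
        print(f"{obj}: {d.threat} -> {' / '.join(d.events)}")
    print("cured on reboot:", pending_reboot_cures(s))
```

Running it over a full log gives the helper the same three facts in one glance: how many objects were merely verified, which objects were flagged and with what, and whether a cure is still waiting on a reboot, which is why a rescan after restarting is the natural next check.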
     
  14. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is the ComboFix Log.
    ComboFix 12-02-01.01 - Administrator 02/01/2012 19:41:49.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2962 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\~t4B2Xjfe72LLip
    c:\documents and settings\All Users\Application Data\~t4B2Xjfe72LLipr
    c:\documents and settings\All Users\Application Data\t4B2Xjfe72LLip
    c:\windows\system32\SET6B.tmp
    c:\windows\system32\SET70.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-25 05:28 . 2012-01-25 05:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2012-01-25 04:38 . 2012-01-25 05:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-01-25 04:38 . 2012-01-25 04:59 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2012-01-25 04:38 . 2012-01-25 04:59 -------- d-----w- c:\program files\Symantec
    2012-01-25 04:38 . 2012-01-25 04:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2012-01-25 04:37 . 2010-08-21 03:59 106928 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-01-25 04:37 . 2012-02-01 16:50 -------- d-----w- c:\windows\system32\drivers\N360
    2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\Norton 360
    2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\NortonInstaller
    2012-01-25 03:45 . 2012-01-25 03:45 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-01-25 03:45 . 2012-01-25 03:45 -------- d-----w- c:\program files\Trend Micro
    2012-01-08 16:33 . 2012-01-08 16:33 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-08 16:33 . 2012-01-08 16:33 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-08 16:33 . 2012-01-08 16:33 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-08 16:33 . 2012-01-08 16:33 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2012-01-03 02:22 . 2012-01-09 20:30 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2012-01-03 02:21 . 2012-01-03 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 21:24 . 2011-06-19 21:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-16 23:48 . 2011-06-17 22:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
    2012-01-08 16:33 . 2011-06-18 04:26 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
    backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-24 01:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-24 01:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-24 01:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-01-13 20:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-25 03:00 32768 ----a-w- c:\windows\system32\rmctrl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
    2010-06-14 23:10 153672 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2011-07-08 04:05 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56351:TCP"= 56351:TCP:pando Media Booster
    "56351:UDP"= 56351:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [1/31/2012 5:47 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [1/31/2012 5:47 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\BASHDefs\20120121.002\BHDrvx86.sys [1/21/2012 2:27 AM 820344]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [1/31/2012 5:47 PM 136312]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/19/2011 3:20 PM 652360]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccsvchst.exe [1/31/2012 5:47 PM 130008]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/19/2011 11:41 AM 101904]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/24/2012 10:58 PM 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\IPSDefs\20120131.002\IDSXpx86.sys [2/1/2012 1:21 PM 356280]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/19/2011 3:20 PM 20464]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-02 c:\windows\Tasks\User_Feed_Synchronization-{7F981BCB-ABC9-4C36-9EBA-E7880CC42B20}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ga180uks.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-01 19:50
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    Completion time: 2012-02-01 20:03:10
    ComboFix-quarantined-files.txt 2012-02-02 02:02
    .
    Pre-Run: 64,122,736,640 bytes free
    Post-Run: 64,075,862,016 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 85D6CE7EDA74374126BD8B8C0C51B824
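One setting in the ComboFix log above deserves a second look from a defender's side: under the firewall-policy keys, `"EnableFirewall"= 0 (0x0)` says the Windows Firewall's standard profile is off, and the GloballyOpenPorts list shows 56351/TCP and 56351/UDP open to all addresses. As an added example (not part of this thread and not ComboFix's own code), the Python below groups the value lines of that registry dump under their keys and turns the firewall section into a small review. The sample block is constructed from the layout above; names such as `review_firewall_policy` are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout ComboFix uses for the firewall-policy keys;
# values follow the log above. The "." lines are ComboFix's own spacers.
SAMPLE_BLOCK = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56351:TCP"= 56351:TCP:pando Media Booster
"56351:UDP"= 56351:UDP:pando Media Booster
.
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
APP_RE = re.compile(r'^"(?P<path>.+)"=\s*$')


def split_registry_dump(text: str) -> Dict[str, List[str]]:
    """Group each quoted value line under the [key] line that precedes it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            sections.setdefault(current, [])
        elif current is not None and line.startswith('"'):
            sections[current].append(line)
    return sections


def review_firewall_policy(text: str) -> dict:
    """Extract the firewall state, globally open ports and authorised programs."""
    findings = {
        "firewall_enabled": None,  # None means the key was not in the dump
        "open_ports": [],          # (port, protocol, label) tuples
        "authorized_apps": [],     # paths with ComboFix's doubled backslashes undone
    }
    for key, values in split_registry_dump(text).items():
        k = key.lower()
        if k.endswith(r"firewallpolicy\standardprofile"):
            for v in values:
                m = ENABLE_RE.match(v)
                if m:
                    findings["firewall_enabled"] = m.group("val") != "0"
        elif k.endswith(r"globallyopenports\list"):
            for v in values:
                m = PORT_RE.match(v)
                if m:
                    findings["open_ports"].append(
                        (m.group("port"), m.group("proto"), m.group("name")))
        elif k.endswith(r"authorizedapplications\list"):
            for v in values:
                m = APP_RE.match(v)
                if m:
                    findings["authorized_apps"].append(
                        m.group("path").replace("\\\\", "\\"))
    return findings


def weak_settings(findings: dict) -> List[str]:
    """Human-readable points to confirm with the machine's owner."""
    notes = []
    if findings["firewall_enabled"] is False:
        notes.append("Windows Firewall is disabled in the standard profile")
    for port, proto, name in findings["open_ports"]:
        notes.append(f"port {port}/{proto} is open to all addresses ({name})")
    return notes


if __name__ == "__main__":
    f = review_firewall_policy(SAMPLE_BLOCK)
    for note in weak_settings(f):
        print("-", note)
    print("authorised programs:", f["authorized_apps"])
```

The same log header reports "FW: Norton 360 *Disabled*", and on a machine where a third-party suite normally manages filtering the Windows Firewall is expected to be off, so the output is a list of things to confirm (which firewall is actually active, whether the open port and the listed programs are still wanted), not a verdict on its own.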
     
  15. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, I completed the ESET online scan. There were 0 -zero- infections.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When scan has finished, you will see this image:
    [IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ===============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    DDS::
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    Registry::
    [HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    Clearjavacache::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the boot cleaner.exe file to run the program.
      (Vista/7 users, right-click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    Logs in next reply please.
     
  17. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is the fresh Malwarebytes log.
    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.06.06

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: GX620 [administrator]

    Protection: Disabled

    2/6/2012 5:03:06 PM
    mbam-log-2012-02-06 (17-03-06).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 190871
    Time elapsed: 12 minute(s), 51 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    I will follow this with a fresh Combofix scan. Thanks.
     
  18. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is the fresh ComboFix.txt scan log.

    ComboFix 12-02-06.02 - Administrator 02/06/2012 17:36:01.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2857 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\messenger\msmsgs.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-06 to 2012-02-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-25 05:28 . 2012-01-25 05:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2012-01-25 04:38 . 2012-01-25 05:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-01-25 04:38 . 2012-01-25 04:59 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2012-01-25 04:38 . 2012-01-25 04:59 -------- d-----w- c:\program files\Symantec
    2012-01-25 04:38 . 2012-01-25 04:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2012-01-25 04:37 . 2010-08-21 03:59 106928 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-01-25 04:37 . 2012-02-01 16:50 -------- d-----w- c:\windows\system32\drivers\N360
    2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\Norton 360
    2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\NortonInstaller
    2012-01-25 03:45 . 2012-01-25 03:45 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-01-25 03:45 . 2012-01-25 03:45 -------- d-----w- c:\program files\Trend Micro
    2012-01-08 16:33 . 2012-01-08 16:33 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-08 16:33 . 2012-01-08 16:33 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-08 16:33 . 2012-01-08 16:33 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-08 16:33 . 2012-01-08 16:33 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 21:24 . 2011-06-19 21:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 23:48 . 2011-06-17 22:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-16 14:21 . 2004-08-04 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2004-08-04 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
    2012-01-08 16:33 . 2011-06-18 04:26 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
    backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-24 01:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-24 01:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-24 01:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-01-13 20:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-25 03:00 32768 ----a-w- c:\windows\system32\rmctrl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
    2010-06-14 23:10 153672 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2011-07-08 04:05 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56351:TCP"= 56351:TCP:pando Media Booster
    "56351:UDP"= 56351:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [1/31/2012 5:47 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [1/31/2012 5:47 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\BASHDefs\20120121.002\BHDrvx86.sys [1/21/2012 2:27 AM 820344]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [1/31/2012 5:47 PM 136312]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/19/2011 3:20 PM 652360]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccsvchst.exe [1/31/2012 5:47 PM 130008]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/19/2011 11:41 AM 101904]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 1:31 PM 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\IPSDefs\20120203.002\IDSXpx86.sys [2/4/2012 1:31 PM 356280]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/19/2011 3:20 PM 20464]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    *Deregistered* - MBAMSwissArmy
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-06 c:\windows\Tasks\User_Feed_Synchronization-{7F981BCB-ABC9-4C36-9EBA-E7880CC42B20}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ga180uks.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-06 17:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    Completion time: 2012-02-06 17:56:47
    ComboFix-quarantined-files.txt 2012-02-06 23:56
    ComboFix2.txt 2012-02-02 02:03
    .
    Pre-Run: 66,071,441,408 bytes free
    Post-Run: 66,058,428,416 bytes free
    .
    - - End Of File - - 5B179A54A148F1ED507158BEBA36F742


    I will return and post the new Bootkit Remover scan log.
     
  19. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay, here is the new BootkitRemover log.

    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ga180uks.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-06 17:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    Completion time: 2012-02-06 17:56:47
    ComboFix-quarantined-files.txt 2012-02-06 23:56
    ComboFix2.txt 2012-02-02 02:03
    .
    Pre-Run: 66,071,441,408 bytes free
    Post-Run: 66,058,428,416 bytes free
    .
    - - End Of File - - 5B179A54A148F1ED507158BEBA36F742


    I hope I have completed your requests to your satisfaction. Thanks for the help with this.
     
  20. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Due to all of the virus scans and such, I still have my 'show all hidden files & programs' box unchecked. Is this safe? Or should I re-check the box to hide the 'hidden' & 'windows system program files'?
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    ======================================
    Please note: I will be Offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.
     
  22. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    Okay. No rush. Thanks for the help. I learn a lot from you.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    David, you said this- "Okay, here is the new BootkitRemover log." but what you left was 2 FF entries and a piece of the Combofix report.

    Please run this and paste the log in your next reply; it's a very short log:
    Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the boot cleaner.exe file to run the program.
      (Vista/7 users, right-click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    Are you noticing any remaining malware related problems?
     