Inactive \\System Check\\ virus

D

davidstl

Posts: 94   +0
Dang Diddlely-ittlely!!
I was surfing Yahoo the other day and my window suddenly closed. I thought: Oh no... but nothing happened. So, I just reopened my internet explorer and BOOM. My window closed again, my desktop disappeared, and my screen went black. I received dozens of pop up windows:
Windows -Delayed Write Failed.
Failed to save all the components for the file \\system32\\. The file is corrupted.
I tried in vain to reboot my desktop, but all of my programs seemed to have been erased. My only option available was to click and run an obviously rouge scanner called System Check. -I did NOT run the scanner- I never personally downloaded this program. I knew I had a serious virus on my hands. So, here I am. Could someone please check my log files and help clean my PC?
Thank You

P.S. One important question. Using XP 'click by click' How do I Paste those Log files to my forum post? I am a computer novice.
 
Further Information about my System Check experience.

I booted into my Bios hitting F8 on start up. From there I chose the option: Reboot in Safe Mode With Networking. I discovered the only program besides System Check on my computer was OpenOffice.org. -It seemed my hard drive had been wiped clean- I somehow used OpenOffice.org to open an explorer window to the internet. I then did some research on System Check virus and while in Safe Mode I ran MBAM. Malwarebytes found 14 instances of Hijackers and Trojans. Per my research, I also used the programs called UnHide & TDSSKiller. I think these three knocked out the virus, but I am seeking the help of you professionals on this one.
Thanks again,
David
 
David, did you want help on this issue? Sound like you may have followed instructions given to someone else. That is not recommended.

Please describe the malware-related problems you still have. Then, If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Edit: Short but good lesson in copy and paste:http://www.webmasternow.com/copyandpaste.html

Apply same principal to the logs. Be sure when you open Notepad to go up and click on Format> Uncheck 'Word Wrap.
===================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
If I haven't replied back to you within 48 hours, you can send a PMwith your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.
 
Dear Techspot, I have been away. I was summoned to Jury Duty. I was not allowed time and access to "electronic devices". But now I am back and I am following your prescribed instructions and starting the fresh malware scans. Scans can take my PC a couple of hours. I will repost as soon as I have completed them. Thank you for the instructions on Copy & Paste. I'm so dumb.
 
okay here is the MBAM log showing the infection log from last week.Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.24.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: GX620 [administrator]

1/24/2012 8:15:48 PM
mbam-log-2012-01-24 (20-15-48).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191955
Time elapsed: 11 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nMdQvhGrqSMKfoq.exe (Trojan.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\nMdQvhGrqSMKfoq.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\All Users\Application Data\nMdQvhGrqSMKfoq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\9\14a81f89-381bbac0 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)
 
Okay, here is the fresh MBAM log from today.Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.01.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: GX620 [administrator]

Protection: Enabled

2/1/2012 12:15:31 PM
mbam-log-2012-02-01 (12-15-31).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194360
Time elapsed: 31 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Administrator\My Documents\Downloads\update.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

(end)
 
Okay, here is my fresh GMER Log. Thanks.GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-01 16:34:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST380013AS rev.8.12
Running: 6uzgvw4u.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT 8A5200C0 ZwAlertResumeThread
SSDT 8A516278 ZwAlertThread
SSDT 8A98C208 ZwAllocateVirtualMemory
SSDT 8A5350F0 ZwAssignProcessToJobObject
SSDT 8A929490 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xABF49710]
SSDT 8A61EC90 ZwCreateMutant
SSDT 8A515580 ZwCreateSymbolicLinkObject
SSDT 8A525308 ZwCreateThread
SSDT 8A5340D8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xABF49990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xABF49EF0]
SSDT 8A972E50 ZwDuplicateObject
SSDT 8A963758 ZwFreeVirtualMemory
SSDT 8A527748 ZwImpersonateAnonymousToken
SSDT 8A5230D0 ZwImpersonateThread
SSDT 8A927DF0 ZwLoadDriver
SSDT 8A52D3B8 ZwMapViewOfSection
SSDT 8A52B798 ZwOpenEvent
SSDT 8A9AD378 ZwOpenProcess
SSDT 8AC77A70 ZwOpenProcessToken
SSDT 8A532A48 ZwOpenSection
SSDT 8A98E990 ZwOpenThread
SSDT 8A50CCE8 ZwProtectVirtualMemory
SSDT 8A516240 ZwResumeThread
SSDT 8A92A0C0 ZwSetContextThread
SSDT 8A93D3E0 ZwSetInformationProcess
SSDT 8A532C60 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xABF4A140]
SSDT 8A52FDF0 ZwSuspendProcess
SSDT 8A50F100 ZwSuspendThread
SSDT 8A43A1A8 ZwTerminateProcess
SSDT 8A50D108 ZwTerminateThread
SSDT 8A931120 ZwUnmapViewOfSection
SSDT 8AC28E10 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 276 804E4AD0 4 Bytes JMP C720D56D
.text ntoskrnl.exe!ZwYieldExecution + 29A 804E4AF4 4 Bytes CALL 84D89BC5
? nwdfb.sys The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9181000, 0x2A7064, 0xE8000020]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9049F80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
 
Okay, here is my DDS Attach.txt Log.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/7/2010 5:15:43 PM
System Uptime: 2/1/2012 12:48:48 PM (4 hours ago)
.
Motherboard: Dell Inc. | | 0HH807
Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Microprocessor | 3391/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 59.914 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP131: 11/3/2011 7:12:32 PM - System Checkpoint
RP132: 11/4/2011 7:37:20 PM - System Checkpoint
RP133: 11/5/2011 7:47:26 PM - System Checkpoint
RP134: 11/7/2011 9:07:05 PM - Software Distribution Service 3.0
RP135: 11/9/2011 4:57:38 PM - System Checkpoint
RP136: 11/10/2011 5:36:50 PM - System Checkpoint
RP137: 11/11/2011 6:31:42 PM - System Checkpoint
RP138: 11/13/2011 8:47:47 PM - System Checkpoint
RP139: 11/15/2011 6:02:26 PM - System Checkpoint
RP140: 11/17/2011 5:11:48 PM - System Checkpoint
RP141: 11/18/2011 6:00:20 PM - System Checkpoint
RP142: 11/19/2011 7:37:05 PM - System Checkpoint
RP143: 11/23/2011 6:20:21 PM - System Checkpoint
RP144: 11/25/2011 9:13:27 AM - System Checkpoint
RP145: 11/26/2011 3:19:18 PM - System Checkpoint
RP146: 11/28/2011 8:37:17 PM - System Checkpoint
RP147: 11/29/2011 9:31:00 PM - System Checkpoint
RP148: 11/30/2011 9:49:36 PM - System Checkpoint
RP149: 12/2/2011 5:07:59 PM - System Checkpoint
RP150: 12/3/2011 5:49:35 PM - System Checkpoint
RP151: 12/5/2011 8:08:15 PM - System Checkpoint
RP152: 12/6/2011 11:16:16 AM - Software Distribution Service 3.0
RP153: 12/8/2011 4:27:12 PM - System Checkpoint
RP154: 12/11/2011 11:03:00 PM - System Checkpoint
RP155: 12/13/2011 4:57:09 PM - System Checkpoint
RP156: 12/14/2011 5:34:28 PM - System Checkpoint
RP157: 12/15/2011 6:33:16 PM - System Checkpoint
RP158: 12/16/2011 8:01:54 PM - System Checkpoint
RP159: 12/19/2011 6:17:19 PM - System Checkpoint
RP160: 12/20/2011 7:13:39 PM - System Checkpoint
RP161: 12/22/2011 5:19:29 PM - System Checkpoint
RP162: 12/22/2011 9:11:53 PM - Removed Steam
RP163: 12/23/2011 11:41:55 PM - System Checkpoint
RP164: 12/25/2011 12:40:10 AM - System Checkpoint
RP165: 12/28/2011 9:15:07 PM - System Checkpoint
RP166: 12/30/2011 4:59:37 PM - System Checkpoint
RP167: 12/31/2011 8:45:55 PM - System Checkpoint
RP168: 1/2/2012 3:17:53 PM - Norton 360 Registry Clean
RP169: 1/3/2012 11:00:13 PM - System Checkpoint
RP170: 1/5/2012 6:11:09 PM - System Checkpoint
RP171: 1/6/2012 8:02:35 PM - System Checkpoint
RP172: 1/8/2012 9:42:13 AM - Software Distribution Service 3.0
RP173: 1/9/2012 4:47:00 PM - System Checkpoint
RP174: 1/10/2012 5:13:22 PM - System Checkpoint
RP175: 1/10/2012 9:18:34 PM - Norton 360 Registry Clean
RP176: 1/12/2012 9:45:39 AM - System Checkpoint
RP177: 1/13/2012 1:58:34 PM - System Checkpoint
RP178: 1/19/2012 2:03:27 PM - System Checkpoint
RP179: 1/20/2012 3:54:26 PM - System Checkpoint
RP180: 1/21/2012 4:27:21 PM - System Checkpoint
RP181: 1/24/2012 9:45:31 PM - Installed HiJackThis
RP182: 1/24/2012 11:26:20 PM - Norton 360 Registry Clean
RP183: 1/26/2012 7:24:49 PM - System Checkpoint
RP184: 2/1/2012 1:05:33 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
AMD APP SDK Runtime
ATI AVIVO Codecs
ATI Catalyst Install Manager
Broadcom Gigabit Integrated Controller
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-utility
CCC Help English
CCleaner
CDisplay 1.8
Dell Driver Download Manager
DVD Shrink 3.2
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Deskjet 2050 J510 series Basic Device Software
HP Deskjet 2050 J510 series Help
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 26
Logitech Gaming Software 5.10
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 9.0.1 (x86 en-US)
Nero 6 Ultra Edition
Norton 360
OpenOffice.org 3.1
Pando Media Booster
PunkBuster Services
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SoundMAX
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
2/1/2012 3:07:01 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
2/1/2012 12:49:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
1/30/2012 7:27:56 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf9dafb0, parameter3 a887abe0, parameter4 00000000.
1/30/2012 7:27:28 PM, error: Dhcp [1002] - The IP address lease 192.168.100.2 for the Network Card with network address 0013727340F4 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
Okay, here is my DDS.txt Log. Thanks..
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 16:36:35 on 2012-02-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2870 [GMT -6:00]
.
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.0.13\ips\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1308372847343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
TCP: Interfaces\{2225B3BB-99B4-43AD-B80C-7B7402075F2B} : DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ga180uks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-1-31 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-1-31 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\bashdefs\20120121.002\BHDrvx86.sys [2012-1-21 820344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-1-31 136312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-19 652360]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.2.0.13\ccsvchst.exe [2012-1-31 130008]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-6-19 101904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-24 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\ipsdefs\20120131.002\IDSXpx86.sys [2012-2-1 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-19 20464]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\virusdefs\20120201.003\NAVENG.SYS [2012-2-1 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.2.1\definitions\virusdefs\20120201.003\NAVEX15.SYS [2012-2-1 1576312]
.
=============== Created Last 30 ================
.
2012-01-31 23:47:16 744568 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
2012-01-31 23:47:16 516216 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtsp.sys
2012-01-31 23:47:16 50168 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtspx.sys
2012-01-31 23:47:16 369784 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdi.sys
2012-01-31 23:47:16 340088 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symds.sys
2012-01-31 23:47:16 331384 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys
2012-01-31 23:47:16 299640 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symnets.sys
2012-01-31 23:47:16 136312 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys
2012-01-31 23:46:52 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
2012-01-25 04:38:05 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-25 04:38:05 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-25 04:38:05 -------- d-----w- c:\program files\Symantec
2012-01-25 04:38:05 -------- d-----w- c:\program files\common files\Symantec Shared
2012-01-25 04:37:52 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-01-25 04:37:30 -------- d-----w- c:\windows\system32\drivers\N360
2012-01-25 04:37:27 -------- d-----w- c:\program files\Norton 360
2012-01-25 04:37:07 -------- d-----w- c:\program files\NortonInstaller
2012-01-25 03:45:33 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-25 03:45:32 -------- d-----w- c:\program files\Trend Micro
2012-01-23 21:20:12 353016 ----a-w- c:\documents and settings\all users\application data\t4B2Xjfe72LLip.exe
2012-01-08 16:33:58 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-08 16:33:58 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-08 16:33:58 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-08 16:33:58 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-01-03 02:22:22 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2012-01-03 02:21:36 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-16 23:48:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 16:36:56.57 ===============
 
Hopefully, I have gotten you the correct information in the correct fashion. I will wait patiently for your assistance. Thank you.
davidstl
 
Welcome back David- good thing for you I was late closing the thread!

Obviously someone used this computer and did something in the week between these logs: There were 2,405 more objects scanned the 2nd time.
Full Scan: 1/24/2012 8:15:48 PM
mbam-log-2012-01-24 (20-15-48).txt
Objects scanned: 191955
Time elapsed: 11 minute(s), 34 second(s)
Registry Values Detected: 1> (Trojan.FakeAlert)
Registry Data Items Detected: 8> 'missing' data-TaskMan, Strtup.
(No malicious items detected)
Files Detected: 2> Both (Trojan.FakeAlert)
---------------------------
Full Scan: 2/1/2012 12:15:31 PM
mbam-log-2012-02-01 (12-15-31).txt
Objects scanned: 194360
Time elapsed: 31 minute(s), 24 second(s)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1. (Disabled Security Center)
Files Detected: 1> (Trojan.Dropper)
-------------------------
So- please give me the status now:
1. You ran Unhide -Are you still 'missing' programs, files, desktop, etc.?
2. You ran the TDSSKiller> do you have the log from the TDSSKiller? If so, please paste it in next reply.
3. Do you have internet access now?
4. Can you get into Normal Mode?
5. I notice this Restore Point: RP182: 1/24/2012 11:26:20 PM - Norton 360 Registry Clean- Please disable the registry clean part of Norton while I'm helping you.
6. What problems are you still experiencing?
---------------------------------------
Another lesson for you> you do not need to boot into the Bios for Safe Mode or Safe Mode with Networking:
Boot into Safe Mode with Networking
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
=========================================
Please run in Normal Mode.
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job this is normal.

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe
    cf-icon.jpg
    & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.[/b]
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
    • Note: No query will be made if the Recovery Console is already on the system.
  • .Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • .Close any open browsers.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives/
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=============================
Answers and logs (Eset and Combofix) in next reply please.
TDSSKiller log if you have it.

(Nice job on the copy and paste!)
 
Thank you for not closing my thread. I think I might still have pieces of malicious programs left behind. So I have come for your help.
To answer your questions:
Yes, once my PC begin to reboot, I went back to using the computer. I just had not the time required then to connect with Techspot and address this forum thread. I purchased Norton 360 5.0 and ran it a few times. Also I use SuperAntispyware Professional.
1. I ran UnHide. And no I am not missing programs or my desktop.
2. I ran TDSSKiller. and I will Paste last weeks log here for you.
3. Yes, I have internet access.
4. Yes, I can boot into normal mode.
5. I will try to discover how to turn off Norton Registry Clean. I thought I already had disabled Norton for you...???.
6. I am experiencing no problems that are overt. I was hoping you could check my scans. I could easily miss something malicious.

Okay, I am running ComboFix next. And then ESET. I will return with those log files. Thanks again.
 
Okay,21:24:40.0640 0308 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
21:24:40.0937 0308 ============================================================
21:24:40.0937 0308 Current date / time: 2012/01/24 21:24:40.0937
21:24:40.0937 0308 SystemInfo:
21:24:40.0937 0308
21:24:40.0937 0308 OS Version: 5.1.2600 ServicePack: 3.0
21:24:40.0937 0308 Product type: Workstation
21:24:40.0937 0308 ComputerName: GX620
21:24:40.0937 0308 UserName: Administrator
21:24:40.0937 0308 Windows directory: C:\WINDOWS
21:24:40.0937 0308 System windows directory: C:\WINDOWS
21:24:40.0937 0308 Processor architecture: Intel x86
21:24:40.0937 0308 Number of processors: 2
21:24:40.0937 0308 Page size: 0x1000
21:24:40.0937 0308 Boot type: Normal boot
21:24:40.0937 0308 ============================================================
21:24:42.0453 0308 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:24:42.0484 0308 Initialize success
21:25:18.0250 3940 ============================================================
21:25:18.0250 3940 Scan started
21:25:18.0250 3940 Mode: Manual;
21:25:18.0250 3940 ============================================================
21:25:18.0515 3940 Abiosdsk - ok
21:25:18.0531 3940 abp480n5 - ok
21:25:18.0562 3940 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:25:18.0578 3940 ACPI - ok
21:25:18.0609 3940 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:25:18.0609 3940 ACPIEC - ok
21:25:18.0625 3940 adpu160m - ok
21:25:18.0656 3940 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:25:18.0656 3940 aec - ok
21:25:18.0718 3940 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:25:18.0718 3940 AFD - ok
21:25:18.0734 3940 Aha154x - ok
21:25:18.0750 3940 aic78u2 - ok
21:25:18.0750 3940 aic78xx - ok
21:25:18.0765 3940 AliIde - ok
21:25:18.0781 3940 amsint - ok
21:25:18.0796 3940 asc - ok
21:25:18.0796 3940 asc3350p - ok
21:25:18.0812 3940 asc3550 - ok
21:25:18.0859 3940 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:25:18.0859 3940 AsyncMac - ok
21:25:18.0859 3940 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:25:18.0859 3940 atapi - ok
21:25:18.0875 3940 Atdisk - ok
21:25:19.0093 3940 ati2mtag (011388ddc5b83ef4a0b2b829735c646f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:25:19.0125 3940 ati2mtag - ok
21:25:19.0156 3940 AtiHDAudioService (af7ee20d8ecc163d30bd2ab594a74baf) C:\WINDOWS\system32\drivers\AtihdXP3.sys
21:25:19.0156 3940 AtiHDAudioService - ok
21:25:19.0187 3940 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:25:19.0187 3940 Atmarpc - ok
21:25:19.0218 3940 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:25:19.0218 3940 audstub - ok
21:25:19.0250 3940 b57w2k (241474d01380e9ed41d4c07f4f5fd401) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
21:25:19.0250 3940 b57w2k - ok
21:25:19.0265 3940 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:25:19.0265 3940 Beep - ok
21:25:19.0421 3940 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys
21:25:19.0437 3940 BHDrvx86 - ok
21:25:19.0484 3940 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:25:19.0484 3940 cbidf2k - ok
21:25:19.0484 3940 cd20xrnt - ok
21:25:19.0500 3940 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:25:19.0500 3940 Cdaudio - ok
21:25:19.0531 3940 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:25:19.0531 3940 Cdfs - ok
21:25:19.0546 3940 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:25:19.0546 3940 Cdrom - ok
21:25:19.0578 3940 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
21:25:19.0578 3940 cercsr6 - ok
21:25:19.0593 3940 Changer - ok
21:25:19.0609 3940 CmdIde - ok
21:25:19.0625 3940 Cpqarray - ok
21:25:19.0625 3940 dac2w2k - ok
21:25:19.0640 3940 dac960nt - ok
21:25:19.0671 3940 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:25:19.0671 3940 Disk - ok
21:25:19.0718 3940 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:25:19.0718 3940 dmboot - ok
21:25:19.0750 3940 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:25:19.0750 3940 dmio - ok
21:25:19.0781 3940 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:25:19.0781 3940 dmload - ok
21:25:19.0812 3940 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:25:19.0812 3940 DMusic - ok
21:25:19.0828 3940 dpti2o - ok
21:25:19.0859 3940 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:25:19.0859 3940 drmkaud - ok
21:25:19.0953 3940 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
21:25:19.0953 3940 eeCtrl - ok
21:25:19.0968 3940 EraserUtilRebootDrv (720b18d76de9e603b626dfcd6f1fca7c) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
21:25:19.0984 3940 EraserUtilRebootDrv - ok
21:25:20.0015 3940 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:25:20.0015 3940 Fastfat - ok
21:25:20.0031 3940 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:25:20.0031 3940 Fdc - ok
21:25:20.0046 3940 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:25:20.0046 3940 Fips - ok
21:25:20.0062 3940 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:25:20.0062 3940 Flpydisk - ok
21:25:20.0078 3940 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:25:20.0078 3940 FltMgr - ok
21:25:20.0109 3940 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:25:20.0109 3940 Fs_Rec - ok
21:25:20.0125 3940 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:25:20.0125 3940 Ftdisk - ok
21:25:20.0171 3940 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:25:20.0171 3940 GEARAspiWDM - ok
21:25:20.0203 3940 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:25:20.0203 3940 Gpc - ok
21:25:20.0250 3940 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:25:20.0250 3940 HDAudBus - ok
21:25:20.0265 3940 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:25:20.0265 3940 HidUsb - ok
21:25:20.0281 3940 hpn - ok
21:25:20.0328 3940 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:25:20.0328 3940 HTTP - ok
21:25:20.0343 3940 i2omgmt - ok
21:25:20.0343 3940 i2omp - ok
21:25:20.0375 3940 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:25:20.0375 3940 i8042prt - ok
21:25:20.0437 3940 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
21:25:20.0437 3940 ialm - ok
21:25:20.0656 3940 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120112.002\IDSxpx86.sys
21:25:20.0656 3940 IDSxpx86 - ok
21:25:20.0687 3940 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:25:20.0687 3940 Imapi - ok
21:25:20.0703 3940 ini910u - ok
21:25:20.0718 3940 IntelIde - ok
21:25:20.0765 3940 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:25:20.0765 3940 intelppm - ok
21:25:20.0781 3940 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:25:20.0781 3940 Ip6Fw - ok
21:25:20.0796 3940 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:25:20.0796 3940 IpFilterDriver - ok
21:25:20.0828 3940 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:25:20.0828 3940 IpInIp - ok
21:25:20.0843 3940 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:25:20.0859 3940 IpNat - ok
21:25:20.0890 3940 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:25:20.0890 3940 IPSec - ok
21:25:20.0906 3940 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:25:20.0906 3940 IRENUM - ok
21:25:20.0921 3940 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:25:20.0921 3940 isapnp - ok
21:25:20.0937 3940 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:25:20.0937 3940 Kbdclass - ok
21:25:20.0968 3940 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:25:20.0968 3940 kbdhid - ok
21:25:21.0000 3940 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:25:21.0000 3940 kmixer - ok
21:25:21.0031 3940 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:25:21.0031 3940 KSecDD - ok
21:25:21.0031 3940 lbrtfdc - ok
21:25:21.0078 3940 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
21:25:21.0078 3940 MBAMProtector - ok
21:25:21.0093 3940 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:25:21.0093 3940 mnmdd - ok
21:25:21.0140 3940 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:25:21.0140 3940 Modem - ok
21:25:21.0156 3940 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:25:21.0156 3940 Mouclass - ok
21:25:21.0203 3940 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:25:21.0203 3940 mouhid - ok
21:25:21.0218 3940 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:25:21.0218 3940 MountMgr - ok
21:25:21.0218 3940 mraid35x - ok
21:25:21.0250 3940 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:25:21.0250 3940 MRxDAV - ok
21:25:21.0296 3940 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:25:21.0296 3940 MRxSmb - ok
21:25:21.0312 3940 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:25:21.0312 3940 Msfs - ok
21:25:21.0328 3940 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:25:21.0328 3940 MSKSSRV - ok
21:25:21.0343 3940 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:25:21.0343 3940 MSPCLOCK - ok
21:25:21.0343 3940 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:25:21.0343 3940 MSPQM - ok
21:25:21.0375 3940 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:25:21.0375 3940 mssmbios - ok
21:25:21.0390 3940 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:25:21.0390 3940 Mup - ok
21:25:21.0546 3940 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120113.003\NAVENG.SYS
21:25:21.0546 3940 NAVENG - ok
21:25:21.0609 3940 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120113.003\NAVEX15.SYS
21:25:21.0625 3940 NAVEX15 - ok
21:25:21.0718 3940 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:25:21.0718 3940 NDIS - ok
21:25:21.0750 3940 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:25:21.0750 3940 NdisTapi - ok
21:25:21.0765 3940 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:25:21.0765 3940 Ndisuio - ok
21:25:21.0781 3940 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:25:21.0781 3940 NdisWan - ok
21:25:21.0828 3940 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:25:21.0828 3940 NDProxy - ok
21:25:21.0843 3940 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:25:21.0843 3940 NetBIOS - ok
21:25:21.0859 3940 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:25:21.0875 3940 NetBT - ok
21:25:21.0890 3940 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:25:21.0890 3940 Npfs - ok
21:25:21.0921 3940 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:25:21.0921 3940 Ntfs - ok
21:25:21.0953 3940 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:25:21.0953 3940 Null - ok
21:25:21.0984 3940 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:25:21.0984 3940 NwlnkFlt - ok
21:25:22.0000 3940 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:25:22.0000 3940 NwlnkFwd - ok
21:25:22.0015 3940 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
21:25:22.0015 3940 Parport - ok
21:25:22.0031 3940 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:25:22.0031 3940 PartMgr - ok
21:25:22.0046 3940 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:25:22.0046 3940 ParVdm - ok
21:25:22.0046 3940 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:25:22.0062 3940 PCI - ok
21:25:22.0062 3940 PCIDump - ok
21:25:22.0093 3940 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:25:22.0093 3940 PCIIde - ok
21:25:22.0125 3940 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:25:22.0125 3940 Pcmcia - ok
21:25:22.0125 3940 PDCOMP - ok
21:25:22.0140 3940 PDFRAME - ok
21:25:22.0156 3940 PDRELI - ok
21:25:22.0156 3940 PDRFRAME - ok
21:25:22.0171 3940 perc2 - ok
21:25:22.0187 3940 perc2hib - ok
21:25:22.0203 3940 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:25:22.0203 3940 PptpMiniport - ok
21:25:22.0234 3940 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:25:22.0234 3940 PSched - ok
21:25:22.0265 3940 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:25:22.0265 3940 Ptilink - ok
21:25:22.0281 3940 ql1080 - ok
21:25:22.0281 3940 Ql10wnt - ok
21:25:22.0296 3940 ql12160 - ok
21:25:22.0312 3940 ql1240 - ok
21:25:22.0312 3940 ql1280 - ok
21:25:22.0343 3940 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:25:22.0343 3940 RasAcd - ok
21:25:22.0359 3940 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:25:22.0359 3940 Rasl2tp - ok
21:25:22.0375 3940 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:25:22.0375 3940 RasPppoe - ok
21:25:22.0375 3940 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:25:22.0375 3940 Raspti - ok
21:25:22.0406 3940 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:25:22.0406 3940 Rdbss - ok
21:25:22.0421 3940 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:25:22.0421 3940 RDPCDD - ok
21:25:22.0437 3940 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:25:22.0437 3940 rdpdr - ok
21:25:22.0484 3940 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:25:22.0484 3940 RDPWD - ok
21:25:22.0500 3940 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:25:22.0500 3940 redbook - ok
21:25:22.0609 3940 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
21:25:22.0609 3940 SASDIFSV - ok
21:25:22.0625 3940 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
21:25:22.0625 3940 SASKUTIL - ok
21:25:22.0656 3940 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:25:22.0656 3940 Secdrv - ok
21:25:22.0718 3940 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
21:25:22.0718 3940 senfilt - ok
21:25:22.0734 3940 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:25:22.0734 3940 Serenum - ok
21:25:22.0750 3940 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
21:25:22.0750 3940 Serial - ok
21:25:22.0765 3940 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:25:22.0765 3940 Sfloppy - ok
21:25:22.0781 3940 Simbad - ok
21:25:22.0812 3940 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
21:25:22.0812 3940 smwdm - ok
21:25:22.0828 3940 Sparrow - ok
21:25:22.0843 3940 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:25:22.0843 3940 splitter - ok
21:25:22.0859 3940 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:25:22.0859 3940 sr - ok
21:25:22.0921 3940 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSP.SYS
21:25:22.0937 3940 SRTSP - ok
21:25:23.0015 3940 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS
21:25:23.0015 3940 SRTSPX - ok
21:25:23.0046 3940 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:25:23.0046 3940 Srv - ok
21:25:23.0078 3940 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:25:23.0078 3940 swenum - ok
21:25:23.0109 3940 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:25:23.0109 3940 swmidi - ok
21:25:23.0125 3940 symc810 - ok
21:25:23.0125 3940 symc8xx - ok
21:25:23.0203 3940 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS
21:25:23.0203 3940 SymDS - ok
21:25:23.0250 3940 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS
21:25:23.0250 3940 SymEFA - ok
21:25:23.0281 3940 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
21:25:23.0281 3940 SymEvent - ok
21:25:23.0296 3940 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS
21:25:23.0296 3940 SymIRON - ok
21:25:23.0328 3940 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMTDI.SYS
21:25:23.0328 3940 SYMTDI - ok
21:25:23.0328 3940 sym_hi - ok
21:25:23.0343 3940 sym_u3 - ok
21:25:23.0390 3940 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:25:23.0390 3940 sysaudio - ok
21:25:23.0437 3940 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:25:23.0437 3940 Tcpip - ok
21:25:23.0453 3940 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:25:23.0453 3940 TDPIPE - ok
21:25:23.0468 3940 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:25:23.0468 3940 TDTCP - ok
21:25:23.0484 3940 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:25:23.0484 3940 TermDD - ok
21:25:23.0500 3940 TosIde - ok
21:25:23.0515 3940 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:25:23.0531 3940 Udfs - ok
21:25:23.0531 3940 ultra - ok
21:25:23.0562 3940 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:25:23.0562 3940 Update - ok
21:25:23.0578 3940 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:25:23.0578 3940 usbccgp - ok
21:25:23.0609 3940 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:25:23.0609 3940 usbehci - ok
21:25:23.0625 3940 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:25:23.0625 3940 usbhub - ok
21:25:23.0640 3940 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:25:23.0640 3940 usbprint - ok
21:25:23.0640 3940 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:25:23.0640 3940 usbscan - ok
21:25:23.0656 3940 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:25:23.0656 3940 USBSTOR - ok
21:25:23.0671 3940 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:25:23.0671 3940 usbuhci - ok
21:25:23.0687 3940 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:25:23.0687 3940 VgaSave - ok
21:25:23.0703 3940 ViaIde - ok
21:25:23.0718 3940 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:25:23.0718 3940 VolSnap - ok
21:25:23.0750 3940 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:25:23.0750 3940 Wanarp - ok
21:25:23.0765 3940 WDICA - ok
21:25:23.0781 3940 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:25:23.0781 3940 wdmaud - ok
21:25:23.0828 3940 WmBEnum (5d410936831f7fb58eff941eac3f6d3d) C:\WINDOWS\system32\drivers\WmBEnum.sys
21:25:23.0828 3940 WmBEnum - ok
21:25:23.0843 3940 WmFilter (7a13cfde92956ca61a0927d766c5ad4f) C:\WINDOWS\system32\drivers\WmFilter.sys
21:25:23.0843 3940 WmFilter - ok
21:25:23.0859 3940 WmVirHid (6f04646bc690f8bbfc344be32a60796d) C:\WINDOWS\system32\drivers\WmVirHid.sys
21:25:23.0859 3940 WmVirHid - ok
21:25:23.0875 3940 WmXlCore (1d6ca43d562333f4dfb40bcef2453f3a) C:\WINDOWS\system32\drivers\WmXlCore.sys
21:25:23.0875 3940 WmXlCore - ok
21:25:23.0906 3940 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:25:23.0906 3940 WudfPf - ok
21:25:23.0921 3940 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:25:23.0921 3940 WudfRd - ok
21:25:23.0937 3940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:25:23.0968 3940 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
21:25:23.0968 3940 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
21:25:23.0968 3940 Boot (0x1200) (ae4cf141f1ae3a31135ae7b689ae3ff8) \Device\Harddisk0\DR0\Partition0
21:25:23.0968 3940 \Device\Harddisk0\DR0\Partition0 - ok
21:25:23.0968 3940 ============================================================
21:25:23.0968 3940 Scan finished
21:25:23.0968 3940 ============================================================
21:25:23.0984 3888 Detected object count: 1
21:25:23.0984 3888 Actual detected object count: 1
21:25:41.0625 3888 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
21:25:41.0625 3888 \Device\Harddisk0\DR0 - ok
21:25:41.0625 3888 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
21:25:52.0296 0480 Deinitialize success
here is my TDSSKiller Log from last week.
 
Okay, here is the ComboFix Log.
ComboFix 12-02-01.01 - Administrator 02/01/2012 19:41:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2962 [GMT -6:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~t4B2Xjfe72LLip
c:\documents and settings\All Users\Application Data\~t4B2Xjfe72LLipr
c:\documents and settings\All Users\Application Data\t4B2Xjfe72LLip
c:\windows\system32\SET6B.tmp
c:\windows\system32\SET70.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-01-25 05:28 . 2012-01-25 05:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-25 04:38 . 2012-01-25 05:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-01-25 04:38 . 2012-01-25 04:59 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-25 04:38 . 2012-01-25 04:59 -------- d-----w- c:\program files\Symantec
2012-01-25 04:38 . 2012-01-25 04:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-25 04:37 . 2010-08-21 03:59 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-01-25 04:37 . 2012-02-01 16:50 -------- d-----w- c:\windows\system32\drivers\N360
2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\Norton 360
2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\NortonInstaller
2012-01-25 03:45 . 2012-01-25 03:45 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-25 03:45 . 2012-01-25 03:45 -------- d-----w- c:\program files\Trend Micro
2012-01-08 16:33 . 2012-01-08 16:33 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-08 16:33 . 2012-01-08 16:33 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-08 16:33 . 2012-01-08 16:33 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-08 16:33 . 2012-01-08 16:33 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-03 02:22 . 2012-01-09 20:30 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2012-01-03 02:21 . 2012-01-03 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2011-06-19 21:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-16 23:48 . 2011-06-17 22:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-01-08 16:33 . 2011-06-18 04:26 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 01:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 01:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 01:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 20:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-25 03:00 32768 ----a-w- c:\windows\system32\rmctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2010-06-14 23:10 153672 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-07-08 04:05 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56351:TCP"= 56351:TCP:pando Media Booster
"56351:UDP"= 56351:UDP:pando Media Booster
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [1/31/2012 5:47 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [1/31/2012 5:47 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\BASHDefs\20120121.002\BHDrvx86.sys [1/21/2012 2:27 AM 820344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [1/31/2012 5:47 PM 136312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/19/2011 3:20 PM 652360]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccsvchst.exe [1/31/2012 5:47 PM 130008]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/19/2011 11:41 AM 101904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/24/2012 10:58 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\IPSDefs\20120131.002\IDSXpx86.sys [2/1/2012 1:21 PM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/19/2011 3:20 PM 20464]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-02 c:\windows\Tasks\User_Feed_Synchronization-{7F981BCB-ABC9-4C36-9EBA-E7880CC42B20}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ga180uks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-01 19:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2012-02-01 20:03:10
ComboFix-quarantined-files.txt 2012-02-02 02:02
.
Pre-Run: 64,122,736,640 bytes free
Post-Run: 64,075,862,016 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 85D6CE7EDA74374126BD8B8C0C51B824
 
Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.
When scan has finished, you will see this image:
scan-finished.jpg

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
===============================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code: 
File::
DDS::
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
Registry::
[HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01 ,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62, \
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01 ,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62, \
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Bootkit Remover:

Download Bootkit Remover.zip and save to your desktop.
  1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program, )
  2. Double-click on the boot cleaner.exe file to run the program.
    (Vista/7 users,right click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
=====================================
Logs in next reply please.
 
Okay here is the fresh Malwarebytes log.
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.06.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: GX620 [administrator]

Protection: Disabled

2/6/2012 5:03:06 PM
mbam-log-2012-02-06 (17-03-06).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190871
Time elapsed: 12 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


I will follow this with a fresh Combofix scan. Thanks.
 
Okay, here is the fresh ComboFix.txt scan log.

ComboFix 12-02-06.02 - Administrator 02/06/2012 17:36:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2857 [GMT -6:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\messenger\msmsgs.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-06 to 2012-02-06 )))))))))))))))))))))))))))))))
.
.
2012-01-25 05:28 . 2012-01-25 05:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-25 04:38 . 2012-01-25 05:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-01-25 04:38 . 2012-01-25 04:59 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-25 04:38 . 2012-01-25 04:59 -------- d-----w- c:\program files\Symantec
2012-01-25 04:38 . 2012-01-25 04:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-25 04:37 . 2010-08-21 03:59 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-01-25 04:37 . 2012-02-01 16:50 -------- d-----w- c:\windows\system32\drivers\N360
2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\Norton 360
2012-01-25 04:37 . 2012-01-25 04:37 -------- d-----w- c:\program files\NortonInstaller
2012-01-25 03:45 . 2012-01-25 03:45 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-25 03:45 . 2012-01-25 03:45 -------- d-----w- c:\program files\Trend Micro
2012-01-08 16:33 . 2012-01-08 16:33 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-08 16:33 . 2012-01-08 16:33 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-08 16:33 . 2012-01-08 16:33 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-08 16:33 . 2012-01-08 16:33 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2011-06-19 21:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 23:48 . 2011-06-17 22:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 14:21 . 2004-08-04 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2012-01-08 16:33 . 2011-06-18 04:26 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 01:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 01:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 01:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 20:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-25 03:00 32768 ----a-w- c:\windows\system32\rmctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2010-06-14 23:10 153672 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-07-08 04:05 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56351:TCP"= 56351:TCP:pando Media Booster
"56351:UDP"= 56351:UDP:pando Media Booster
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [1/31/2012 5:47 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [1/31/2012 5:47 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\BASHDefs\20120121.002\BHDrvx86.sys [1/21/2012 2:27 AM 820344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [1/31/2012 5:47 PM 136312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/19/2011 3:20 PM 652360]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccsvchst.exe [1/31/2012 5:47 PM 130008]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/19/2011 11:41 AM 101904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 1:31 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\IPSDefs\20120203.002\IDSXpx86.sys [2/4/2012 1:31 PM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/19/2011 3:20 PM 20464]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - MBAMSwissArmy
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-06 c:\windows\Tasks\User_Feed_Synchronization-{7F981BCB-ABC9-4C36-9EBA-E7880CC42B20}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ga180uks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-06 17:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2012-02-06 17:56:47
ComboFix-quarantined-files.txt 2012-02-06 23:56
ComboFix2.txt 2012-02-02 02:03
.
Pre-Run: 66,071,441,408 bytes free
Post-Run: 66,058,428,416 bytes free
.
- - End Of File - - 5B179A54A148F1ED507158BEBA36F742


I will return and post the new Bootkit Remover scan log.
 
Okay, here is the new BootkitRemover log.

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ga180uks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-06 17:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-796845957-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,fa,d3,ba,3d,bf,3c,4e,a6,be,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2012-02-06 17:56:47
ComboFix-quarantined-files.txt 2012-02-06 23:56
ComboFix2.txt 2012-02-02 02:03
.
Pre-Run: 66,071,441,408 bytes free
Post-Run: 66,058,428,416 bytes free
.
- - End Of File - - 5B179A54A148F1ED507158BEBA36F742


I hope I have completed your requests to your satisfaction. Thanks for the help with this.
 
Due to all of the virus scans and such; I have all my 'show all hidden files & programs' box unchecked still. Is this safe? Or should I re-check the box to hide the 'hidden' & 'windows system program files'...?
 
I have all my 'show all hidden files & programs' box unchecked still. Is this safe? Or should I re-check the box to hide the 'hidden' & 'windows system program files'...?
Click to expand...
======================================
Please note: I will be Offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.
 
David, you said this- "Okay, here is the new BootkitRemover log." but what you left was 2 FF entries and a piece of the Combofix report.

Please run this and paste the log in next reply- it's a a very short log:
Bootkit Remover:

Download Bootkit Remover.zip and save to your desktop.
  1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program, )
  2. Double-click on the boot cleaner.exe file to run the program.
    (Vista/7 users,right click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
=====================================
Are you noticing any remaining malware related problems?
 

Similar threads

T
Trying to Get Image Tags
Replies
1
Views
683
TheBorgInva
T
S
Nike faces $5M lawsuit after CloneX NFTs go dark due to hosting error
Replies
6
Views
80
BuckarooBonzaii
B
L
Solved Unknown spyware/ Monitoring/ Hijacking of my devices
Replies
15
Views
5K
Broni
Broni

Latest posts

Back