
Malware -opens new window - help



Hi

I have what must be some form of malware. After browsing with IE8 for a variable length of time (a few minutes through to hours), a new browser window opens unexpectedly, which goes to a seemingly random site, quickly transfers to another, and if I wait a few seconds it attempts to download malware (including Antimalware Doctor, but other things too).

The site that the new window goes to is different each time, and always seems to have some sort of search string as the address. I notice the Java icon appears in the tray when the malware download is attempted. I have stopped Java Update in case this was the trigger event, but that did not help. Nothing shows up on my AV software (Panda 2011) nor on Malwarebytes. I use IE8, but when I tried Firefox I got a similar problem with a new window opening.

Dell Dimension E520, Windows XP Home Service Pack 3, IE8. All up to date with patches etc.

Alan

Logs follow / attached.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4512

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

05/09/2010 12:19:38

mbam-log-2010-09-05 (12-19-38).txt

Scan type: Quick scan

Objects scanned: 144111

Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Alan at 12:36:25.43 on 05/09/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.501 [GMT 1:00]

AV: Panda Internet Security 2011 *On-access scanning enabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}

FW: Panda Personal Firewall 2011 *enabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Panda Security\Panda Internet Security 2011\TPSrv.exe

svchost.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2011\WebProxy.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

c:\program files\panda security\panda internet security 2011\firewall\PSHOST.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\PsImSvc.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PskSvc.exe

C:\Program Files\PurgeIE\PurgeIE_Service.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\AVENGINE.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PsCtrls.exe

C:\Documents and Settings\Alan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk

uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk

uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005

uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [EPSON Stylus DX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"

mRun: [<NO NAME>]

mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [APVXDWIN] "c:\program files\panda security\panda internet security 2011\APVXDWIN.EXE" /s

mRun: [sCANINICIO] "c:\program files\panda security\panda internet security 2011\Inicio.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

Trusted Zone: glass-forums.com\www

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246130761812

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {5A400435-CCDD-4C79-8784-2F8E02EB5CA6} = 208.67.222.222,208.67.220.220

Notify: avldr - avldr.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alan\applic~1\mozilla\firefox\profiles\0pben4j3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-7-6 26696]

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2010-8-28 76296]

R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2010-8-28 53256]

R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2010-8-28 22024]

R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2010-8-28 193800]

R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2010-8-28 159112]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2010-8-28 37896]

R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2010-8-28 46856]

R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [2010-8-28 59080]

R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda internet security 2011\PsCtrlS.exe [2010-8-28 173312]

R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda internet security 2011\PavFnSvr.exe [2010-8-28 169216]

R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2010-8-28 163336]

R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda security\pavshld\PavPrSrv.exe [2010-8-28 62768]

R2 PAVSRV;Panda On-Access Anti-Malware Service;c:\program files\panda security\panda internet security 2011\pavsrvx86.exe [2010-8-28 314176]

R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda internet security 2011\psksvc.exe [2010-8-28 28928]

R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [2010-9-4 13880]

R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [2010-8-28 199688]

R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]

R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1a.tmp --> c:\windows\system32\1A.tmp [?]

S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\RpcAgentSrv.exe [2009-6-29 98488]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 477696]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~1\pandai~1\PavScrip.exe "%1" %*

VBEFile=c:\progra~1\pandas~1\pandai~1\PavScrip.exe "%1" %*

VBSFile=c:\progra~1\pandas~1\pandai~1\PavScrip.exe "%1" %*

=============== Created Last 30 ================

2010-09-05 11:31:27 0 ----a-w- c:\documents and settings\alan\defogger_reenable

2010-09-04 08:07:24 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys

2010-09-02 08:57:58 520 ----a-w- C:\ZB20100902095752001.xml

2010-08-30 16:35:09 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-08-30 16:35:09 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-30 16:20:05 0 d-----w- c:\program files\syst32

2010-08-30 16:19:58 0 d-----w- c:\program files\Microsoft

2010-08-30 09:24:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 09:24:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 09:24:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-30 08:36:41 0 d-----w- c:\program files\Sophos

2010-08-28 15:00:38 8627 ----a-w- c:\windows\system32\PAV_FOG.OPC

2010-08-28 14:52:18 8627 ----a-w- c:\documents and settings\alan\PAV_FOG.OPC

2010-08-28 14:34:02 262 ----a-w- c:\windows\system32\PavCPL.dat

2010-08-28 14:33:54 241428 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck

2010-08-28 14:33:54 241428 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT

2010-08-28 14:33:54 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck

2010-08-28 14:33:54 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG

2010-08-28 14:33:46 53256 ----a-w- c:\windows\system32\drivers\dsaflt.sys

2010-08-28 14:33:46 46856 ----a-w- c:\windows\system32\drivers\wnmflt.sys

2010-08-28 14:33:46 193800 ----a-w- c:\windows\system32\drivers\idsflt.sys

2010-08-28 14:33:21 76296 ----a-w- c:\windows\system32\drivers\APPFLT.SYS

2010-08-28 14:33:21 22024 ----a-w- c:\windows\system32\drivers\fnetmon.sys

2010-08-28 14:33:21 159112 ----a-w- c:\windows\system32\drivers\NETFLTDI.SYS

2010-08-28 14:33:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Backup

2010-08-28 14:32:48 54832 ----a-w- c:\windows\system32\pavcpl.cpl

2010-08-28 14:32:31 446464 ----a-w- c:\windows\system32\HHActiveX.dll

2010-08-28 14:32:19 87296 ----a-w- c:\windows\system32\PavLspHook.dll

2010-08-28 14:32:19 55552 ----a-w- c:\windows\system32\pavipc.dll

2010-08-28 14:32:19 193792 ----a-w- c:\windows\system32\TpUtil.dll

2010-08-28 14:32:19 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL

2010-08-28 14:32:17 518400 ----a-w- c:\windows\system32\PavSHook.dll

2010-08-28 14:32:14 199688 ----a-w- c:\windows\system32\drivers\neti1642.sys

2010-08-28 14:32:12 55552 ----a-w- c:\windows\system32\avldr.dll

2010-08-28 14:32:11 59080 ----a-w- c:\windows\system32\drivers\amm8651.sys

2010-08-28 14:32:11 0 d-----w- c:\windows\system32\PAV

2010-08-28 14:32:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security

2010-08-28 14:32:10 0 d-----w- c:\docume~1\alan\applic~1\Panda Security

2010-08-28 14:29:43 37896 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys

2010-08-28 14:29:43 163336 ----a-w- c:\windows\system32\drivers\PavProc.sys

2010-08-28 14:27:20 0 d-----w- c:\program files\common files\Panda Security

2010-08-28 06:38:35 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-27 13:36:52 0 d-----w- c:\docume~1\alan\applic~1\6B9B435B513582956D7B1C03B9A1DE2E

2010-08-21 14:22:50 0 d-sh--w- c:\documents and settings\alan\IECompatCache

2010-08-20 12:23:52 0 d-sh--w- c:\documents and settings\alan\PrivacIE

2010-08-20 12:19:30 0 d-sh--w- c:\documents and settings\alan\IETldCache

2010-08-20 12:12:51 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-08-20 12:12:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-08-20 12:12:49 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-08-20 12:12:34 0 d-----w- c:\windows\ie8updates

2010-08-20 12:12:14 16896 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-08-20 12:10:44 0 dc-h--w- c:\windows\ie8

2010-08-20 12:05:45 293376 ------w- c:\windows\system32\browserchoice.exe

2010-08-11 12:22:11 0 d-----w- c:\docume~1\alan\applic~1\Tywue

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-24 16:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll

2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll

2010-06-24 12:22:01 611840 ------w- c:\windows\system32\dllcache\mstime.dll

2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll

2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll

2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll

2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll

2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll

2010-06-24 12:15:26 133120 ------w- c:\windows\system32\dllcache\extmgr.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2010-06-01 10:11:25 5003908 ----a-w- c:\program files\m4a-to-mp3-converter.exe

============= FINISH: 12:38:24.57 ===============

Attach.zip


:)

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run; once it is finished, move on to the next step.

Next:

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of the TDSSKiller and GooredFix logs.

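The TDSSKiller log requested above lists one line per loaded driver in the form `timestamp name (md5) path`, as in the log Alan posts further down. The parser below is an added example, not part of this thread and not Kaspersky's own code: it reads lines in that format into records and flags driver images that a defender would want to look at first, namely images loaded from somewhere other than `system32\drivers` or with an extension other than `.sys`. The sample input is constructed; the first two driver lines copy entries from the log in this thread and the `exampledrv` line is a made-up entry added so that the check has something to flag.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One TDSSKiller driver line: "2010/09/06 17:12:47.0562 name (32 hex md5) path"
TDSS_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)

# Directory where Windows XP normally keeps kernel driver images.
EXPECTED_DRIVER_DIRS = {"c:\\windows\\system32\\drivers"}


@dataclass
class DriverRecord:
    timestamp: str
    name: str
    md5: str
    path: str


def parse_tdsskiller_log(text):
    """Return DriverRecord objects for every driver line; status and banner
    lines (e.g. "Scan started") do not match the pattern and are skipped."""
    records = []
    for line in text.splitlines():
        m = TDSS_LINE.match(line.strip())
        if m:
            records.append(DriverRecord(m["ts"], m["name"], m["md5"], m["path"]))
    return records


def flag_suspicious(records):
    """Return (name, path, reasons) for drivers whose image location or
    extension is unusual. This is a triage heuristic, not a verdict:
    a flagged entry still needs the hash checked against a known-good source."""
    findings = []
    for r in records:
        p = PureWindowsPath(r.path)
        reasons = []
        if p.suffix.lower() != ".sys":
            reasons.append("non-.sys driver image")
        if str(p.parent).lower() not in EXPECTED_DRIVER_DIRS:
            reasons.append("loaded from outside system32\\drivers")
        if reasons:
            findings.append((r.name, r.path, reasons))
    return findings


# Constructed sample: two lines taken from the log in this thread plus a
# fabricated "exampledrv" entry (placeholder hash) so the heuristic fires.
SAMPLE_LOG = r"""
2010/09/06 17:12:47.0265 Scan started
2010/09/06 17:12:47.0562 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/09/06 17:12:47.0671 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/06 17:12:49.0000 exampledrv (00000000000000000000000000000000) C:\WINDOWS\system32\example.tmp
"""

if __name__ == "__main__":
    recs = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(recs)} driver records parsed")
    for name, path, reasons in flag_suspicious(recs):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

Run the script against a saved `TDSSKiller.[Version]_[Date]_[Time]_log.txt` by reading the file into `parse_tdsskiller_log`; the heuristic only narrows a long driver list to the few entries worth checking by hand, and the MD5 column is what you compare against a vendor's published hashes.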

Hi LDTate

Many thanks for the advice. Have followed your instructions - TDSS rootkit present. Logs below.

Alan

GooredFix by jpshortstuff (03.07.10.1)

Log created at 17:11 on 06/09/2010 (Alan)

Firefox version 3.6.8 (en-GB)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [09:06 03/03/2010]

{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [16:35 30/08/2010]

C:\Documents and Settings\Alan\Application Data\Mozilla\Firefox\Profiles\0pben4j3.default\extensions\

{20a82645-c095-46ed-80e3-08825760534b} [07:46 02/05/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:37 12/08/2009]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [16:34 30/08/2010]

-=E.O.F=-

2010/09/06 17:12:41.0015 TDSS rootkit removing tool 2.4.2.0 Sep 3 2010 10:26:06

2010/09/06 17:12:41.0015 ================================================================================

2010/09/06 17:12:41.0015 SystemInfo:

2010/09/06 17:12:41.0015

2010/09/06 17:12:41.0015 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/06 17:12:41.0015 Product type: Workstation

2010/09/06 17:12:41.0015 ComputerName: D50XRH2J

2010/09/06 17:12:41.0015 UserName: Alan

2010/09/06 17:12:41.0015 Windows directory: C:\WINDOWS

2010/09/06 17:12:41.0015 System windows directory: C:\WINDOWS

2010/09/06 17:12:41.0015 Processor architecture: Intel x86

2010/09/06 17:12:41.0015 Number of processors: 2

2010/09/06 17:12:41.0015 Page size: 0x1000

2010/09/06 17:12:41.0015 Boot type: Normal boot

2010/09/06 17:12:41.0015 ================================================================================

2010/09/06 17:12:41.0484 Initialize success

2010/09/06 17:12:47.0265 ================================================================================

2010/09/06 17:12:47.0265 Scan started

2010/09/06 17:12:47.0265 Mode: Manual;

2010/09/06 17:12:47.0265 ================================================================================

2010/09/06 17:12:47.0562 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/09/06 17:12:47.0671 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/09/06 17:12:47.0687 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/09/06 17:12:47.0703 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/09/06 17:12:47.0765 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/09/06 17:12:47.0828 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/09/06 17:12:47.0890 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/09/06 17:12:47.0921 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/09/06 17:12:47.0953 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/09/06 17:12:48.0031 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/09/06 17:12:48.0078 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/09/06 17:12:48.0109 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/09/06 17:12:48.0140 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/09/06 17:12:48.0156 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/09/06 17:12:48.0187 AmFSM (ef9dd27aa5a3baaf2fd2b44c08a3e622) C:\WINDOWS\system32\DRIVERS\amm8651.sys

2010/09/06 17:12:48.0203 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/09/06 17:12:48.0250 APPFLT (f57b596c8b6a143e9dc7ecc52b718a48) C:\WINDOWS\system32\Drivers\APPFLT.SYS

2010/09/06 17:12:48.0296 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/09/06 17:12:48.0328 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/09/06 17:12:48.0343 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/09/06 17:12:48.0421 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys

2010/09/06 17:12:48.0484 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/09/06 17:12:48.0500 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/09/06 17:12:48.0546 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/09/06 17:12:48.0578 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/09/06 17:12:48.0625 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/09/06 17:12:48.0687 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/09/06 17:12:48.0718 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/09/06 17:12:48.0734 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/09/06 17:12:48.0750 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/09/06 17:12:48.0828 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/09/06 17:12:48.0843 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/09/06 17:12:48.0937 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/09/06 17:12:48.0968 ComFiltr (d9c33e68f61f27d8206f65b0190dc5cf) C:\WINDOWS\system32\DRIVERS\COMFiltr.sys

2010/09/06 17:12:49.0015 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/09/06 17:12:49.0062 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/09/06 17:12:49.0125 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/09/06 17:12:49.0156 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/09/06 17:12:49.0187 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2010/09/06 17:12:49.0218 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2010/09/06 17:12:49.0250 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS

2010/09/06 17:12:49.0296 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2010/09/06 17:12:49.0328 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2010/09/06 17:12:49.0343 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2010/09/06 17:12:49.0375 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2010/09/06 17:12:49.0390 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2010/09/06 17:12:49.0421 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2010/09/06 17:12:49.0484 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/09/06 17:12:49.0578 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/09/06 17:12:49.0625 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/09/06 17:12:49.0687 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/09/06 17:12:49.0765 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/09/06 17:12:49.0781 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/09/06 17:12:49.0796 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2010/09/06 17:12:49.0812 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2010/09/06 17:12:49.0859 DSAFLT (5bb0f91ffd84057d094d106d9ff53298) C:\WINDOWS\system32\Drivers\DSAFLT.SYS

2010/09/06 17:12:49.0937 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys

2010/09/06 17:12:50.0000 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2010/09/06 17:12:50.0046 e1express (6f7ccd3c02b26d530900f06d98171a69) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2010/09/06 17:12:50.0140 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys

2010/09/06 17:12:50.0203 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/09/06 17:12:50.0218 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/09/06 17:12:50.0265 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/09/06 17:12:50.0296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/09/06 17:12:50.0328 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/09/06 17:12:50.0375 FNETMON (a38b9ba7a4c17f7dce9ec4e8f7870026) C:\WINDOWS\system32\Drivers\fnetmon.SYS

2010/09/06 17:12:50.0437 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/09/06 17:12:50.0468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/09/06 17:12:50.0484 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/09/06 17:12:50.0531 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/09/06 17:12:50.0562 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/09/06 17:12:50.0593 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/09/06 17:12:50.0765 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/09/06 17:12:50.0812 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2010/09/06 17:12:50.0875 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2010/09/06 17:12:50.0984 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/09/06 17:12:51.0031 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/09/06 17:12:51.0078 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/09/06 17:12:51.0125 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/09/06 17:12:51.0171 iastor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\drivers\iastor.sys

2010/09/06 17:12:51.0218 IDSFLT (188eed48de6dc75e1067e78ed99d928a) C:\WINDOWS\system32\Drivers\IDSFLT.SYS

2010/09/06 17:12:51.0296 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/09/06 17:12:51.0343 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/09/06 17:12:51.0390 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/09/06 17:12:51.0406 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/09/06 17:12:51.0500 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/09/06 17:12:51.0531 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/09/06 17:12:51.0578 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/09/06 17:12:51.0625 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/09/06 17:12:51.0640 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/09/06 17:12:51.0687 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/09/06 17:12:51.0718 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/09/06 17:12:51.0750 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/09/06 17:12:51.0781 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/09/06 17:12:51.0812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/09/06 17:12:51.0843 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/09/06 17:12:51.0906 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/09/06 17:12:51.0984 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/06 17:12:52.0015 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/06 17:12:52.0046 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

2010/09/06 17:12:52.0062 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/06 17:12:52.0093 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/09/06 17:12:52.0125 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/06 17:12:52.0140 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/09/06 17:12:52.0187 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/06 17:12:52.0234 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/06 17:12:52.0265 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/06 17:12:52.0296 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/06 17:12:52.0328 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/06 17:12:52.0343 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/06 17:12:52.0375 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/06 17:12:52.0390 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/06 17:12:52.0406 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/06 17:12:52.0437 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/06 17:12:52.0468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/06 17:12:52.0500 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/06 17:12:52.0531 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/06 17:12:52.0546 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/06 17:12:52.0578 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/06 17:12:52.0656 NETFLTDI (d8f44fc13db193c9379297973ee42272) C:\WINDOWS\system32\Drivers\NETFLTDI.SYS

2010/09/06 17:12:52.0718 NETIMFLT01060042 (9eeb6df1f5ffd878a3a44874607eaaef) C:\WINDOWS\system32\DRIVERS\neti1642.sys

2010/09/06 17:12:52.0765 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/06 17:12:52.0796 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/06 17:12:52.0843 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/06 17:12:53.0062 nv (bf506d232c5e6f2dae80f5c11b45c60e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/09/06 17:12:53.0765 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/06 17:12:53.0796 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/06 17:12:53.0875 Packet (8f856dae19383bd69db444004d5d4f50) C:\WINDOWS\system32\DRIVERS\packet.sys

2010/09/06 17:12:53.0937 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/09/06 17:12:53.0968 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/06 17:12:54.0000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/06 17:12:54.0015 pavboot (55d654258a9c509b671310c314bd30b4) C:\WINDOWS\system32\drivers\pavboot.sys

2010/09/06 17:12:54.0078 PavProc (018f51f5757819fcd9f32162c9808565) C:\WINDOWS\system32\DRIVERS\PavProc.sys

2010/09/06 17:12:54.0156 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/06 17:12:54.0187 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/06 17:12:54.0218 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/09/06 17:12:54.0359 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/09/06 17:12:54.0390 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/09/06 17:12:54.0453 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/06 17:12:54.0468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/06 17:12:54.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/06 17:12:54.0578 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/09/06 17:12:54.0593 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/09/06 17:12:54.0640 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/09/06 17:12:54.0671 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/09/06 17:12:54.0703 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/09/06 17:12:54.0734 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/09/06 17:12:54.0781 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/06 17:12:54.0812 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/06 17:12:54.0843 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/06 17:12:54.0875 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/06 17:12:54.0906 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/06 17:12:54.0937 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/06 17:12:54.0968 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/09/06 17:12:55.0031 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/06 17:12:55.0062 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/06 17:12:55.0218 SANDRA (361094945053c2c04312ef2e5f14eeaf) C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\WNt500x86\Sandra.sys

2010/09/06 17:12:55.0281 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/06 17:12:55.0328 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/09/06 17:12:55.0359 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/09/06 17:12:55.0406 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/09/06 17:12:55.0468 ShldDrv (a2f0bf07cac43a11555c173f7b1ad28a) C:\WINDOWS\system32\Drivers\ShlDrv51.sys

2010/09/06 17:12:55.0531 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/09/06 17:12:55.0578 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/09/06 17:12:55.0671 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/06 17:12:55.0718 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/09/06 17:12:55.0781 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/06 17:12:55.0859 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys

2010/09/06 17:12:55.0906 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/06 17:12:55.0953 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/06 17:12:56.0000 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/09/06 17:12:56.0031 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/09/06 17:12:56.0062 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/09/06 17:12:56.0093 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/09/06 17:12:56.0125 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/06 17:12:56.0187 tbhsd (4d46f63f7ddc2442941d63327c360b90) C:\WINDOWS\system32\drivers\tbhsd.sys

2010/09/06 17:12:56.0250 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/06 17:12:56.0343 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/06 17:12:56.0359 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/06 17:12:56.0390 TermDD (ab13ee8d8472c50c03da4fe0e9faad38) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/06 17:12:56.0390 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: ab13ee8d8472c50c03da4fe0e9faad38, Fake md5: 88155247177638048422893737429d9e

2010/09/06 17:12:56.0406 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/09/06 17:12:56.0437 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/09/06 17:12:56.0500 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/06 17:12:56.0515 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/09/06 17:12:56.0578 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/06 17:12:56.0625 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/06 17:12:56.0640 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/06 17:12:56.0687 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/06 17:12:56.0703 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/09/06 17:12:56.0718 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/06 17:12:56.0750 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/06 17:12:56.0765 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/09/06 17:12:56.0796 VClone (1cdaa48cb2f7744b8d25650e050766a5) C:\WINDOWS\system32\DRIVERS\VClone.sys

2010/09/06 17:12:56.0812 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/09/06 17:12:56.0859 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/09/06 17:12:56.0875 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/09/06 17:12:56.0953 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/06 17:12:56.0984 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/06 17:12:57.0078 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/06 17:12:57.0125 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/09/06 17:12:57.0250 WNMFLT (0411d0433e8c48ad24b2ef32d7c97ae0) C:\WINDOWS\system32\Drivers\WNMFLT.SYS

2010/09/06 17:12:57.0312 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/06 17:12:57.0343 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/06 17:12:57.0421 ZD1211BU(SMC) (154fe6a5a608cd725266877901e883c2) C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys

2010/09/06 17:12:57.0500 ================================================================================

2010/09/06 17:12:57.0500 Scan finished

2010/09/06 17:12:57.0500 ================================================================================

2010/09/06 17:12:57.0500 Detected object count: 1

2010/09/06 17:13:34.0265 TermDD (ab13ee8d8472c50c03da4fe0e9faad38) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/06 17:13:34.0265 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: ab13ee8d8472c50c03da4fe0e9faad38, Fake md5: 88155247177638048422893737429d9e

2010/09/06 17:13:34.0593 Backup copy found, using it..

2010/09/06 17:13:34.0625 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot

2010/09/06 17:13:34.0625 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure

2010/09/06 17:13:44.0687 Deinitialize success


Hi

Here are the results of the ComboFix scan.

Computer seems okay - no obvious problems so far. I have re-enabled firewall and anti-virus.

Alan

ComboFix 10-09-06.01 - Alan 06/09/2010 18:08:39.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.525 [GMT 1:00]

Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe

AV: Panda Internet Security 2011 *On-access scanning disabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}

FW: Panda Personal Firewall 2011 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Alan\Application Data\Tywue

c:\documents and settings\Alan\Application Data\Tywue\gizum.eqa

c:\documents and settings\Alan\Application Data\Tywue\gizum.tmp

c:\documents and settings\Alan\GoToAssistDownloadHelper.exe

c:\documents and settings\All Users\Application Data\.wtav

c:\program files\Internet Explorer\complete.dat

c:\program files\Internet Explorer\dmlconf.dat

.

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))

.

2010-09-04 08:07 . 2010-09-06 16:16 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys

2010-09-01 08:49 . 2010-09-01 08:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-08-31 05:30 . 2010-08-31 05:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Panda Security

2010-08-30 16:36 . 2010-08-30 16:36 61440 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1f545e15-n\decora-sse.dll

2010-08-30 16:36 . 2010-08-30 16:36 503808 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-676eaf5e-n\msvcp71.dll

2010-08-30 16:36 . 2010-08-30 16:36 499712 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-676eaf5e-n\jmc.dll

2010-08-30 16:36 . 2010-08-30 16:36 348160 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-676eaf5e-n\msvcr71.dll

2010-08-30 16:36 . 2010-08-30 16:36 12800 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1f545e15-n\decora-d3d.dll

2010-08-30 16:35 . 2010-08-30 16:35 -------- d-----w- c:\program files\Common Files\Java

2010-08-30 16:35 . 2010-08-30 16:34 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-30 16:20 . 2010-08-31 11:05 -------- d-----w- c:\program files\syst32

2010-08-30 16:19 . 2010-08-30 18:00 -------- d-----w- c:\program files\Microsoft

2010-08-30 12:00 . 2010-09-01 08:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-30 09:24 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 09:24 . 2010-08-30 09:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-30 09:24 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 08:36 . 2010-08-30 08:36 -------- d-----w- c:\program files\Sophos

2010-08-28 14:49 . 2010-08-28 14:49 46904 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-28 14:37 . 2010-08-28 14:37 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\Panda Security

2010-08-28 14:34 . 2010-08-28 14:34 262 ----a-w- c:\windows\system32\PavCPL.dat

2010-08-28 14:33 . 2010-09-05 08:27 241428 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT

2010-08-28 14:33 . 2009-09-25 13:54 46856 ----a-w- c:\windows\system32\drivers\wnmflt.sys

2010-08-28 14:33 . 2009-09-25 13:54 193800 ----a-w- c:\windows\system32\drivers\idsflt.sys

2010-08-28 14:33 . 2009-09-25 13:54 53256 ----a-w- c:\windows\system32\drivers\dsaflt.sys

2010-08-28 14:33 . 2010-02-18 18:31 76296 ----a-w- c:\windows\system32\drivers\APPFLT.SYS

2010-08-28 14:33 . 2009-09-25 13:54 159112 ----a-w- c:\windows\system32\drivers\NETFLTDI.SYS

2010-08-28 14:33 . 2009-09-25 13:54 22024 ----a-w- c:\windows\system32\drivers\fnetmon.sys

2010-08-28 14:33 . 2010-08-28 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup

2010-08-28 14:32 . 2003-10-22 17:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

2010-08-28 14:32 . 2009-10-06 11:33 193792 ----a-w- c:\windows\system32\TpUtil.dll

2010-08-28 14:32 . 2009-03-30 17:22 87296 ----a-w- c:\windows\system32\PavLspHook.dll

2010-08-28 14:32 . 2009-03-30 17:22 55552 ----a-w- c:\windows\system32\pavipc.dll

2010-08-28 14:32 . 2007-02-08 09:53 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL

2010-08-28 14:32 . 2009-03-30 17:22 518400 ----a-w- c:\windows\system32\PavSHook.dll

2010-08-28 14:32 . 2010-02-18 18:31 199688 ----a-w- c:\windows\system32\drivers\neti1642.sys

2010-08-28 14:32 . 2010-03-24 11:55 55552 ----a-w- c:\windows\system32\avldr.dll

2010-08-28 14:32 . 2010-08-28 14:32 -------- d-----w- c:\windows\system32\PAV

2010-08-28 14:32 . 2010-05-21 12:50 59080 ----a-w- c:\windows\system32\drivers\amm8651.sys

2010-08-28 14:32 . 2010-08-28 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2010-08-28 14:32 . 2010-08-28 14:32 -------- d-----w- c:\documents and settings\Alan\Application Data\Panda Security

2010-08-28 14:29 . 2009-10-27 11:07 37896 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys

2010-08-28 14:29 . 2009-09-14 15:18 163336 ----a-w- c:\windows\system32\drivers\PavProc.sys

2010-08-28 14:27 . 2010-08-28 14:27 -------- d-----w- c:\program files\Common Files\Panda Security

2010-08-28 06:38 . 2010-08-28 06:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-27 13:49 . 2010-08-27 13:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-08-27 13:36 . 2010-08-28 14:53 -------- d-----w- c:\documents and settings\Alan\Application Data\6B9B435B513582956D7B1C03B9A1DE2E

2010-08-27 13:36 . 2010-08-27 13:36 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache

2010-08-21 14:22 . 2010-08-21 14:22 -------- d-sh--w- c:\documents and settings\Alan\IECompatCache

2010-08-20 12:23 . 2010-08-20 12:23 -------- d-sh--w- c:\documents and settings\Alan\PrivacIE

2010-08-20 12:19 . 2010-08-20 12:19 -------- d-sh--w- c:\documents and settings\Alan\IETldCache

2010-08-20 12:12 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-08-20 12:12 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-08-20 12:12 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-08-20 12:12 . 2010-08-21 06:28 -------- d-----w- c:\windows\ie8updates

2010-08-20 12:12 . 2010-06-18 11:39 16896 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-08-20 12:10 . 2010-08-20 12:12 -------- dc-h--w- c:\windows\ie8

2010-08-20 12:05 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-06 16:16 . 2010-08-28 14:33 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck

2010-09-06 16:16 . 2010-08-28 14:33 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG

2010-09-06 16:14 . 2004-08-10 12:01 40840 ----a-w- c:\windows\system32\drivers\termdd.sys

2010-09-06 16:02 . 2009-06-27 17:16 -------- d-----w- c:\documents and settings\Alan\Application Data\U3

2010-09-05 08:27 . 2010-08-28 14:33 241428 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck

2010-09-05 06:31 . 2010-04-20 12:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-02 16:40 . 2009-06-29 06:20 -------- d-----w- c:\program files\Simple Sudoku

2010-09-02 16:39 . 2009-06-29 06:20 -------- d-----w- c:\documents and settings\Alan\Application Data\Simple Sudoku

2010-09-01 21:15 . 2009-06-29 14:37 -------- d-----w- c:\program files\PurgeIE

2010-08-30 16:32 . 2006-10-04 23:09 -------- d-----w- c:\program files\Java

2010-08-30 16:20 . 2009-06-30 21:07 28672 ----a-w- c:\documents and settings\Alan\Application Data\Adobe\Adobe GoLive\Settings8\Opera\plugins\PlugDef.dll

2010-08-28 16:19 . 2010-07-09 20:47 -------- d-----w- c:\program files\gaming

2010-08-28 14:33 . 2010-07-06 10:56 -------- d-----w- c:\program files\Panda Security

2010-08-28 14:32 . 2006-10-04 23:13 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-28 14:27 . 2009-06-27 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\CA

2010-08-28 14:27 . 2009-06-27 19:02 -------- d-----w- c:\program files\CA

2010-08-28 06:38 . 2009-07-17 13:52 -------- d-----w- c:\program files\SSC Service Utility

2010-08-11 10:14 . 2009-06-28 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-21 06:36 . 2010-07-21 06:36 388096 ----a-r- c:\documents and settings\Alan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-11 15:55 . 2009-07-09 16:02 -------- d-----w- c:\program files\MailNavigator

2010-07-11 13:45 . 2009-06-29 06:22 -------- d-----w- c:\program files\PrestoNotes

2010-06-30 12:31 . 2004-08-10 11:51 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-10 11:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-10 11:51 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-22 17:13 . 2010-07-06 10:56 26696 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-06-21 15:27 . 2004-08-10 11:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-10 11:51 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 12:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 11:51 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-01 10:11 . 2010-06-01 10:11 5003908 ----a-w- c:\program files\m4a-to-mp3-converter.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]

"EPSON Stylus DX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 98304]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"nwiz"="nwiz.exe" [2009-06-10 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" [2010-07-07 984384]

"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe" [2010-06-11 68928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-5 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2010-03-24 11:55 55552 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-06-27 16:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Alan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Alan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk

backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]

2008-04-23 01:08 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 02:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-07-12 18:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2006-10-04 23:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [06/07/2010 11:56 26696]

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [28/08/2010 15:33 76296]

R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [28/08/2010 15:33 53256]

R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [28/08/2010 15:33 22024]

R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [28/08/2010 15:33 193800]

R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [28/08/2010 15:33 159112]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [28/08/2010 15:29 37896]

R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [28/08/2010 15:33 46856]

R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [28/08/2010 15:32 59080]

R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [28/08/2010 15:29 163336]

R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2011\psksvc.exe [28/08/2010 15:33 28928]

R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [04/09/2010 09:07 13880]

R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [28/08/2010 15:32 199688]

R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]

R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1A.tmp --> c:\windows\system32\1A.tmp [?]

S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\RpcAgentSrv.exe [29/06/2009 17:07 98488]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [24/08/2006 06:44 477696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmd25

*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]

2010-02-16 18:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{F9079E89-818D-48F1-A175-E1E603C51603}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005

uInternet Settings,ProxyOverride = *.local

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp

Trusted Zone: glass-forums.com\www

TCP: {5A400435-CCDD-4C79-8784-2F8E02EB5CA6} = 208.67.222.222,208.67.220.220

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB

FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\0pben4j3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)

SafeBoot-klmdb.sys

MSConfigStartUp-boincmgr - c:\program files\BOINC\boincmgr.exe

MSConfigStartUp-boinctray - c:\program files\BOINC\boinctray.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

MSConfigStartUp-{92714FCA-E5A1-5DD2-FB34-F70BCBB9179D} - c:\documents and settings\Alan\Application Data\Ecew\imulp.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-06 18:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\1A.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)

c:\windows\system32\avldr.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

Completion time: 2010-09-06 18:16:39

ComboFix-quarantined-files.txt 2010-09-06 17:16

Pre-Run: 57,899,425,792 bytes free

Post-Run: 57,857,212,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5F8C66814AE66BC3D2DF82B1516A114E


Hi

Here is the latest ComboFix scan result.

Alan

ComboFix 10-09-06.02 - Alan 06/09/2010 19:42:49.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.494 [GMT 1:00]

Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe

AV: Panda Internet Security 2011 *On-access scanning disabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}

FW: Panda Personal Firewall 2011 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

.

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))

.

2010-09-04 08:07 . 2010-09-06 16:16 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys

2010-09-01 08:49 . 2010-09-01 08:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-08-31 05:30 . 2010-08-31 05:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Panda Security

2010-08-30 16:36 . 2010-08-30 16:36 61440 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1f545e15-n\decora-sse.dll

2010-08-30 16:36 . 2010-08-30 16:36 503808 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-676eaf5e-n\msvcp71.dll

2010-08-30 16:36 . 2010-08-30 16:36 499712 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-676eaf5e-n\jmc.dll

2010-08-30 16:36 . 2010-08-30 16:36 348160 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-676eaf5e-n\msvcr71.dll

2010-08-30 16:36 . 2010-08-30 16:36 12800 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1f545e15-n\decora-d3d.dll

2010-08-30 16:35 . 2010-08-30 16:35 -------- d-----w- c:\program files\Common Files\Java

2010-08-30 16:35 . 2010-08-30 16:34 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-30 16:20 . 2010-08-31 11:05 -------- d-----w- c:\program files\syst32

2010-08-30 16:19 . 2010-08-30 18:00 -------- d-----w- c:\program files\Microsoft

2010-08-30 12:00 . 2010-09-01 08:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-30 09:24 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 09:24 . 2010-08-30 09:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-30 09:24 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 08:36 . 2010-08-30 08:36 -------- d-----w- c:\program files\Sophos

2010-08-28 14:49 . 2010-08-28 14:49 46904 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-28 14:37 . 2010-08-28 14:37 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\Panda Security

2010-08-28 14:34 . 2010-08-28 14:34 262 ----a-w- c:\windows\system32\PavCPL.dat

2010-08-28 14:33 . 2010-09-05 08:27 241428 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT

2010-08-28 14:33 . 2009-09-25 13:54 46856 ----a-w- c:\windows\system32\drivers\wnmflt.sys

2010-08-28 14:33 . 2009-09-25 13:54 193800 ----a-w- c:\windows\system32\drivers\idsflt.sys

2010-08-28 14:33 . 2009-09-25 13:54 53256 ----a-w- c:\windows\system32\drivers\dsaflt.sys

2010-08-28 14:33 . 2010-02-18 18:31 76296 ----a-w- c:\windows\system32\drivers\APPFLT.SYS

2010-08-28 14:33 . 2009-09-25 13:54 159112 ----a-w- c:\windows\system32\drivers\NETFLTDI.SYS

2010-08-28 14:33 . 2009-09-25 13:54 22024 ----a-w- c:\windows\system32\drivers\fnetmon.sys

2010-08-28 14:33 . 2010-08-28 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup

2010-08-28 14:32 . 2003-10-22 17:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

2010-08-28 14:32 . 2009-10-06 11:33 193792 ----a-w- c:\windows\system32\TpUtil.dll

2010-08-28 14:32 . 2009-03-30 17:22 87296 ----a-w- c:\windows\system32\PavLspHook.dll

2010-08-28 14:32 . 2009-03-30 17:22 55552 ----a-w- c:\windows\system32\pavipc.dll

2010-08-28 14:32 . 2007-02-08 09:53 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL

2010-08-28 14:32 . 2009-03-30 17:22 518400 ----a-w- c:\windows\system32\PavSHook.dll

2010-08-28 14:32 . 2010-02-18 18:31 199688 ----a-w- c:\windows\system32\drivers\neti1642.sys

2010-08-28 14:32 . 2010-03-24 11:55 55552 ----a-w- c:\windows\system32\avldr.dll

2010-08-28 14:32 . 2010-08-28 14:32 -------- d-----w- c:\windows\system32\PAV

2010-08-28 14:32 . 2010-05-21 12:50 59080 ----a-w- c:\windows\system32\drivers\amm8651.sys

2010-08-28 14:32 . 2010-08-28 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2010-08-28 14:32 . 2010-08-28 14:32 -------- d-----w- c:\documents and settings\Alan\Application Data\Panda Security

2010-08-28 14:29 . 2009-10-27 11:07 37896 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys

2010-08-28 14:29 . 2009-09-14 15:18 163336 ----a-w- c:\windows\system32\drivers\PavProc.sys

2010-08-28 14:27 . 2010-08-28 14:27 -------- d-----w- c:\program files\Common Files\Panda Security

2010-08-28 06:38 . 2010-08-28 06:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-27 13:49 . 2010-08-27 13:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-08-27 13:36 . 2010-08-28 14:53 -------- d-----w- c:\documents and settings\Alan\Application Data\6B9B435B513582956D7B1C03B9A1DE2E

2010-08-27 13:36 . 2010-08-27 13:36 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache

2010-08-21 14:22 . 2010-08-21 14:22 -------- d-sh--w- c:\documents and settings\Alan\IECompatCache

2010-08-20 12:23 . 2010-08-20 12:23 -------- d-sh--w- c:\documents and settings\Alan\PrivacIE

2010-08-20 12:19 . 2010-08-20 12:19 -------- d-sh--w- c:\documents and settings\Alan\IETldCache

2010-08-20 12:12 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-08-20 12:12 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-08-20 12:12 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-08-20 12:12 . 2010-08-21 06:28 -------- d-----w- c:\windows\ie8updates

2010-08-20 12:12 . 2010-06-18 11:39 16896 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-08-20 12:10 . 2010-08-20 12:12 -------- dc-h--w- c:\windows\ie8

2010-08-20 12:05 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-06 17:42 . 2010-08-28 14:33 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck

2010-09-06 17:42 . 2010-08-28 14:33 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG

2010-09-06 16:14 . 2004-08-10 12:01 40840 ----a-w- c:\windows\system32\drivers\termdd.sys

2010-09-06 16:02 . 2009-06-27 17:16 -------- d-----w- c:\documents and settings\Alan\Application Data\U3

2010-09-05 08:27 . 2010-08-28 14:33 241428 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck

2010-09-05 06:31 . 2010-04-20 12:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-02 16:40 . 2009-06-29 06:20 -------- d-----w- c:\program files\Simple Sudoku

2010-09-02 16:39 . 2009-06-29 06:20 -------- d-----w- c:\documents and settings\Alan\Application Data\Simple Sudoku

2010-09-01 21:15 . 2009-06-29 14:37 -------- d-----w- c:\program files\PurgeIE

2010-08-30 16:32 . 2006-10-04 23:09 -------- d-----w- c:\program files\Java

2010-08-30 16:20 . 2009-06-30 21:07 28672 ----a-w- c:\documents and settings\Alan\Application Data\Adobe\Adobe GoLive\Settings8\Opera\plugins\PlugDef.dll

2010-08-28 16:19 . 2010-07-09 20:47 -------- d-----w- c:\program files\gaming

2010-08-28 14:33 . 2010-07-06 10:56 -------- d-----w- c:\program files\Panda Security

2010-08-28 14:32 . 2006-10-04 23:13 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-28 14:27 . 2009-06-27 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\CA

2010-08-28 14:27 . 2009-06-27 19:02 -------- d-----w- c:\program files\CA

2010-08-28 06:38 . 2009-07-17 13:52 -------- d-----w- c:\program files\SSC Service Utility

2010-08-11 10:14 . 2009-06-28 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-21 06:36 . 2010-07-21 06:36 388096 ----a-r- c:\documents and settings\Alan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-11 15:55 . 2009-07-09 16:02 -------- d-----w- c:\program files\MailNavigator

2010-07-11 13:45 . 2009-06-29 06:22 -------- d-----w- c:\program files\PrestoNotes

2010-06-30 12:31 . 2004-08-10 11:51 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-10 11:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-10 11:51 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-22 17:13 . 2010-07-06 10:56 26696 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-06-21 15:27 . 2004-08-10 11:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-10 11:51 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 12:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 11:51 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-01 10:11 . 2010-06-01 10:11 5003908 ----a-w- c:\program files\m4a-to-mp3-converter.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]

"EPSON Stylus DX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 98304]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"nwiz"="nwiz.exe" [2009-06-10 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" [2010-07-07 984384]

"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe" [2010-06-11 68928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-5 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2010-03-24 11:55 55552 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-06-27 16:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Alan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Alan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk

backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]

2008-04-23 01:08 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 02:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-07-12 18:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2006-10-04 23:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [06/07/2010 11:56 26696]

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [28/08/2010 15:33 76296]

R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [28/08/2010 15:33 53256]

R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [28/08/2010 15:33 22024]

R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [28/08/2010 15:33 193800]

R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [28/08/2010 15:33 159112]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [28/08/2010 15:29 37896]

R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [28/08/2010 15:33 46856]

R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [28/08/2010 15:32 59080]

R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [28/08/2010 15:29 163336]

R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2011\psksvc.exe [28/08/2010 15:33 28928]

R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [04/09/2010 09:07 13880]

R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [28/08/2010 15:32 199688]

R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]

R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1A.tmp --> c:\windows\system32\1A.tmp [?]

S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\RpcAgentSrv.exe [29/06/2009 17:07 98488]

S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [24/08/2006 06:44 477696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmd25

*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]

2010-02-16 18:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{F9079E89-818D-48F1-A175-E1E603C51603}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005

uInternet Settings,ProxyOverride = *.local

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp

Trusted Zone: glass-forums.com\www

TCP: {5A400435-CCDD-4C79-8784-2F8E02EB5CA6} = 208.67.222.222,208.67.220.220

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB

FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\0pben4j3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-06 19:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\1A.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)

c:\windows\system32\avldr.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(4168)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-06 19:50:57

ComboFix-quarantined-files.txt 2010-09-06 18:50

ComboFix2.txt 2010-09-06 17:16

Pre-Run: 57,867,673,600 bytes free

Post-Run: 57,868,783,616 bytes free

- - End Of File - - 49714049B88D7CB5F0CF9847ABBB9313


The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

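The Internet-zone hardening steps in the post above are set through the IE user interface; as an added example (not part of the thread, and not a Malwarebytes tool), the following PowerShell script audits those same six settings by reading them back from the per-user registry, so a user can confirm the change actually took. It assumes the standard IE zone value ids (1001, 1004, 1201, 1607, 1800, 1804 under zone 3, the Internet zone) and the standard action codes 0 = Enable, 1 = Prompt, 3 = Disable; it only reads, it changes nothing.

```powershell
# Added example, not from the original thread: audit the Internet-zone settings
# recommended in the post above by reading them from the registry.
# Zone 3 is the Internet zone. The numeric value names are IE's documented
# zone action ids; the data is 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by the zone action id.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                         Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                       Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                            Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';             Want = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Id)
    # Read the whole zone key once; a missing value means IE is using its built-in default.
    $props = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    $val = $props.$Id
    if ($null -eq $val) { return $null }
    return [int]$val
}

# Build one row per setting (New-Object keeps this runnable on PowerShell 2.0, as on XP).
$findings = foreach ($id in $recommended.Keys) {
    $current = Get-ZoneSetting -Id $id
    $want = $recommended[$id].Want
    $currentText = if ($null -eq $current) { '(not set)' } else { $label[$current] }
    New-Object PSObject -Property @{
        Setting = $recommended[$id].Name
        Current = $currentText
        Wanted  = $label[$want]
        Ok      = ($current -eq $want)
    }
}

$findings | Select-Object Setting, Current, Wanted, Ok | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Ok }) {
    Write-Warning 'Some Internet-zone settings still differ from the recommended values; re-check them in Tools > Internet Options > Security.'
}
```

Settings that the user never touched show as "(not set)" because IE stores only explicitly changed values in the per-user key; the default for those lives in the HKLM template keys.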

Hi

Thanks for your help. I use an external hard drive for back-up, and sometimes use a USB memory stick. Would it be possible for either or both to have been infected with TDSS rootkit virus? They showed clean on Malwarebytes, but I realise that would not pick this up. Is it safe to use them?

Alan

Anything is possible.

I haven't tried to run those tools on external devices so I don't know if TDSS will scan them.

