Antivirus Studio 2010 uninstalled but browser re-directs remain!


TDSSKiller found nothing. Here's the report:

2010/11/05 12:34:10.0263 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/05 12:34:10.0263 ================================================================================

2010/11/05 12:34:10.0263 SystemInfo:

2010/11/05 12:34:10.0263

2010/11/05 12:34:10.0263 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/05 12:34:10.0263 Product type: Workstation

2010/11/05 12:34:10.0263 ComputerName: LENOVO-C050FE47

2010/11/05 12:34:10.0263 UserName: ryan

2010/11/05 12:34:10.0263 Windows directory: C:\WINDOWS

2010/11/05 12:34:10.0263 System windows directory: C:\WINDOWS

2010/11/05 12:34:10.0263 Processor architecture: Intel x86

2010/11/05 12:34:10.0263 Number of processors: 2

2010/11/05 12:34:10.0263 Page size: 0x1000

2010/11/05 12:34:10.0263 Boot type: Normal boot

2010/11/05 12:34:10.0263 ================================================================================

2010/11/05 12:34:10.0513 Initialize success

2010/11/05 12:34:30.0591 ================================================================================

2010/11/05 12:34:30.0591 Scan started

2010/11/05 12:34:30.0591 Mode: Manual;

2010/11/05 12:34:30.0591 ================================================================================


2010/11/05 12:34:43.0810 ================================================================================

2010/11/05 12:34:43.0810 Scan finished

2010/11/05 12:34:43.0810 ================================================================================


BitDefender scan log:

QuickScan Beta 32-bit v0.9.9.50

-------------------------------

Scan date: Fri Nov 05 12:38:16 2010

Machine ID: D2D367EA

No infection found.



Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.

Do NOT turn off the firewall.

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have antivirus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

(To see an animated how-to tutorial on the scan, see this link.)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now?


My system appears to be fine, but I thought that was the case a few days back until the issue started popping up again. Of concern to me is that certain virus scanners that I mentioned above found the Bamital virus or something like that, and I don't think anything has removed anything from my PC, as most of the scans we've completed have come up clean. Or at least I think they did. But you know better than me!

I'm performing the scan as we speak.


Let me know the results of the last scan.

Do these next steps:

Go to the Start button > select Run > type in

CMD

and press the Enter key.

Copy and paste (or type) the exact, entire contents of the code box:

ipconfig /flushdns

and press the Enter key.

Close the Command Prompt window.

Let's follow up with a scan using Dr.Web CureIt.

Download Dr.Web CureIt from this link:

http://www.freedrweb.com/download+cureit/

You'll be prompted to accept the EULA. Check the "I accept" box and press Continue.

Save the download to your Desktop. The file will have a random 8 character name.

Next, restart the system in SAFE mode.

See this article How to start Windows in Safe Mode

RUN the DrWeb download.

Accept the enhanced version, and run the Express scan.

  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select the C: drive. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the check icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Log off and restart Windows to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking the X in the upper right corner.


here's the kaspersky scan results. nothing was found.

Monday, November 8, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, October 05, 2010 00:12:03

Records in database: 4291359

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

C:\

D:\

E:\

J:\

K:\

N:\

P:\

Scan statistics

Objects scanned 255953

Threats found 0

Infected objects found 0

Suspicious objects found 0

Scan duration 05:38:48

No threats found. Scanned area is clean.

Selected area has been scanned.


ok, so the dr webcure scan found a few things, but your directions were a bit different than the options coming up on the screen. i never saw that particular icon next to the infected files after the scan and i didn't get the option to move incurable. i chose "select all" and then "delete" because the virus scanner was warning me that i should take action and not leave these files infected.

here's the results of the scan:

Combo-Fix.exe\32788R22FWJFW\Create.cmd;C:\Documents and Settings\ryan\Desktop\Combo-Fix.exe;Probably BATCH.Virus;;

Combo-Fix.exe;C:\Documents and Settings\ryan\Desktop;Archive contains infected objects;Deleted.;

OTL.exe;C:\Documents and Settings\ryan\Desktop\misc virus;Trojan.Siggen2.7261;Incurable.Moved.;

cwparser.dll;C:\Program Files\CaseWare;Trojan.Click.origin;Incurable.Moved.;

Client Security - Password Manager.msi/stream033/csswiz.chm1.E69CB083_828B_4A0D_9B34_A9A7FA17F94F\$FIftiMain;C:\WINDOWS\Downloaded Installations\{AE124339-6CC7-472C-8F3A-633EC608CDAE}\Client Security - Password Manager.msi/stream033/css;Modification of Trojan.BAT.222;;

csswiz.chm1.E69CB083_828B_4A0D_9B34_A9A7FA17F94F;C:\WINDOWS\Downloaded Installations\{AE124339-6CC7-472C-8F3A-633EC608CDAE};Container contains infected objects;;

Client Security - Password Manager.msi/stream033/csswiz.chm16.E69CB083_828B_4A0D_9B34_A9A7FA17F94F\$FIftiMain;C:\WINDOWS\Downloaded Installations\{AE124339-6CC7-472C-8F3A-633EC608CDAE}\Client Security - Password Manager.msi/stream033/css;Modification of Trojan.BAT.222;;

csswiz.chm16.E69CB083_828B_4A0D_9B34_A9A7FA17F94F;C:\WINDOWS\Downloaded Installations\{AE124339-6CC7-472C-8F3A-633EC608CDAE};Container contains infected objects;;

stream033;C:\WINDOWS\Downloaded Installations\{AE124339-6CC7-472C-8F3A-633EC608CDAE};Archive contains infected objects;;

Client Security - Password Manager.msi;C:\WINDOWS\Downloaded Installations\{AE124339-6CC7-472C-8F3A-633EC608CDAE};Container contains infected objects;Moved.;

csswiz.chm\$FIftiMain;C:\WINDOWS\Help\csswiz.chm;Modification of Trojan.BAT.222;;

csswiz.chm;C:\WINDOWS\Help;Container contains infected objects;Moved.;

csswiz.chm\$FIftiMain;C:\WINDOWS\Help\MUI\0405\csswiz.chm;Modification of Trojan.BAT.222;;

csswiz.chm;C:\WINDOWS\Help\MUI\0405;Container contains infected objects;Moved.;

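Dr.Web writes its report as semicolon-separated rows (object;location;threat;action;) and records the action only on the outermost container, leaving the entries inside it blank, which is why the list above looks like several files were left untouched. The following script, an added illustration that is not part of Dr.Web or of this thread, parses that layout, lets inner entries inherit the action of the container that encloses them, and reports which detections still have no recorded action. The sample rows are a subset of the report posted above.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List

# Subset of the Dr.Web CureIt report posted in the thread, in its
# "object;location;threat;action;" layout (trailing empty field included).
SAMPLE_REPORT = r"""
Combo-Fix.exe\32788R22FWJFW\Create.cmd;C:\Documents and Settings\ryan\Desktop\Combo-Fix.exe;Probably BATCH.Virus;;
Combo-Fix.exe;C:\Documents and Settings\ryan\Desktop;Archive contains infected objects;Deleted.;
cwparser.dll;C:\Program Files\CaseWare;Trojan.Click.origin;Incurable.Moved.;
csswiz.chm\$FIftiMain;C:\WINDOWS\Help\csswiz.chm;Modification of Trojan.BAT.222;;
csswiz.chm;C:\WINDOWS\Help;Container contains infected objects;Moved.;
stream033;C:\WINDOWS\Downloaded Installations\{AE124339-6CC7-472C-8F3A-633EC608CDAE};Archive contains infected objects;;
"""

UNRESOLVED = "NO ACTION RECORDED"


@dataclass
class Detection:
    obj: str        # object name; nested objects carry their container chain, e.g. "a.exe\b\c.cmd"
    location: str   # directory, or the container file for nested objects
    threat: str
    action: str     # "" when Dr.Web recorded no action on this object itself

    @property
    def full_path(self) -> str:
        """Location joined with the object, without repeating the container name."""
        first = re.split(r"[\\/]", self.obj, maxsplit=1)[0]
        if self.location.lower().endswith("\\" + first.lower()):
            return self.location + self.obj[len(first):]
        return self.location + "\\" + self.obj


def parse_report(text: str) -> List[Detection]:
    """Parse the semicolon-separated report; blank lines and short rows are skipped."""
    detections = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue
        detections.append(Detection(row[0], row[1], row[2], row[3].strip()))
    return detections


def _is_within(path: str, container: str) -> bool:
    """True if `path` is `container` itself or lies beneath it (case-insensitive)."""
    p, c = path.lower(), container.lower()
    return p == c or p.startswith(c + "\\") or p.startswith(c + "/")


def resolve(detections: List[Detection]) -> Dict[str, str]:
    """Map each detection's full path to its effective status.

    An entry with its own action keeps it. An entry without one inherits the
    action of any acted-on container that encloses its location; if there is
    none, it is reported as unresolved and needs a manual look.
    """
    acted = [d for d in detections if d.action]
    status = {}
    for d in detections:
        if d.action:
            status[d.full_path] = d.action
            continue
        parent = next((a for a in acted if _is_within(d.location, a.full_path)), None)
        status[d.full_path] = f"inside container: {parent.action}" if parent else UNRESOLVED
    return status


def summarize(detections: List[Detection]) -> Dict[str, object]:
    """Counts plus the sorted list of paths with no recorded action."""
    status = resolve(detections)
    return {
        "total": len(status),
        "acted": sum(1 for s in status.values() if s != UNRESOLVED and not s.startswith("inside")),
        "inherited": sum(1 for s in status.values() if s.startswith("inside")),
        "unresolved": sorted(p for p, s in status.items() if s == UNRESOLVED),
    }


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for path, state in resolve(dets).items():
        print(f"{state:32} {path}")
    print(summarize(dets))
```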

2 weeks later...

Root Admin

Okay, since Maurice is away I'll take over for him.

Your computer started out with the following issue found by Combofix

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

As shown in this post #2: http://forums.malwarebytes.org/index.php?s...st&p=334868

I do not see that it was ever corrected by Combofix and it no longer seems to be detected. It's possible that some other security application or Malware was tampering with CF.

You also show that you either have or have had a hacked Terminal Server file on the system which should be removed and replaced with an up to date valid one.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"AllowMultipleTSSessions"= 1 (0x1)

Please run the following fixes in the provided order and post back your results.

STEP 01

Your Java though not out of date is probably filled with corrupted cache. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 22 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 22 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u22 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

STEP 02

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

STEP 03

From within Internet Explorer go to Tools/Internet Options/Advanced and click on the RESET button and then close IE

STEP 04

Please visit this site and restore Firefox back to the factory default settings.

Restore Firefox Default Settings Without Uninstalling It

STEP 05

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C netsh winsock reset catalog

STEP 06

Turn your computer off and leave it off temporarily.

Reset your router back to factory default settings. (if you're on a larger Cisco type business router you can ignore this reset step.)

Here is a mini-guide on doing that for a Linksys but many routers are similar

Once you've reset the router then go ahead and start your computer back up again and make sure you go and set an Admin password for your router.

http://www.wikihow.com/Reset-a-Linksys-Router

http://compnetworking.about.com/b/2009/03/...for-routers.htm

STEP 07

Select all and copy the contents of the code box below into a new NOTEPAD document. It must be notepad and not Wordpad or other.

@ECHO OFF
SC CONFIG "Symantec AntiVirus" start= disabled
SC CONFIG "SAVRoam" start= disabled
SC CONFIG "DefWatch" start= disabled
SC CONFIG "ccEvtMgr" start= disabled
SC CONFIG "ccSetMgr" start= disabled
SC CONFIG "SPBBCSvc" start= disabled
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v vptray /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v ccApp /f
ECHO The system needs to restart now to reset the Symantec AV
SHUTDOWN -r -f -t 120

Now save the new document to your Desktop using File Save-As and choose the drop down box for "Save as type:" and choose "All Files (*.*)" and in the name type in "disable_symantec_av.bat" make sure you also include the quote marks.

STEP 08

Select all and copy the contents of the code box below into a new NOTEPAD document. It must be notepad and not Wordpad or other.

@ECHO OFF
SC CONFIG "Symantec AntiVirus" start= auto
SC CONFIG "SAVRoam" start= auto
SC CONFIG "DefWatch" start= auto
SC CONFIG "ccEvtMgr" start= auto
SC CONFIG "ccSetMgr" start= auto
SC CONFIG "SPBBCSvc" start= auto
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v vptray /t REG_SZ /d "C:\PROGRA~1\SYMANT~1\VPTray.exe" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v ccApp /t REG_SZ /d "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /f
ECHO.
ECHO The system needs to restart now to reset the Symantec AV
SHUTDOWN -r -f -t 120

Now save the new document to your Desktop using File Save-As and choose the drop down box for "Save as type:" and choose "All Files (*.*)" and in the name type in "enable_symantec_av.bat" make sure you also include the quote marks.

STEP 09

Download the following application to your Desktop.

Now close ALL applications and double click on the new disable_symantec_av.bat file and let it restart your computer.

STEP 10

After the computer restarts extract and run the KatesKiller.exe file and send back the log on your next reply.

STEP 11

Now download a NEW fresh copy of Combofix from below.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Your AntiVirus should already be disabled but ensure that other AntiSpyware applications are as well, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

STEP 12

Now let's have you also run a DDS scan and send back those logs as well on your next reply.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 13

Please download the Microsoft Genuine Advantage Diagnostic Tool

Double-click to run it and press the CONTINUE button and allow the program to check your system. When completed click the COPY button and post back the results.

STEP 14

RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any active real-time protection
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. UNcheck the rest. then Click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. (eg. desktop) then Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
  • Note: Do not run any programs while RKUnHooker is running

STEP 15

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

You can re-enable your Symantec Anti-Virus now by double-clicking the enable_symantec_av.bat on your Desktop and allowing the computer to reboot again.


combofix results below. by the way, it still detected that my anti-virus is active? i thought we had disabled it. i'm connected through a server, so maybe that has something to do with it?

ComboFix 10-11-30.01 - ryan 11/30/2010 12:03:19.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2414 [GMT -5:00]

Running from: c:\documents and settings\ryan\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\desktop.ini

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://au.download.wij+|Cv+@J:NGD_DQ{zcxLJS@l&GG0y'{AC76BA86-1033-F400-7761-000000000004}-S-1-5-21-789336058-1979792683-839522115-1615XtD$?O

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))

.

2010-11-30 14:57 . 2010-11-30 14:57 -------- d-----w- c:\program files\Common Files\Java

2010-11-30 14:57 . 2010-11-30 14:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-30 14:56 . 2010-11-30 14:56 -------- d-----w- c:\program files\Java

2010-11-26 21:44 . 2010-11-26 21:44 -------- d-----w- c:\windows\SchCache

2010-11-08 19:36 . 2010-11-08 19:36 -------- d-----w- c:\documents and settings\ryan\Local Settings\Application Data\VS Revo Group

2010-11-08 19:36 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-11-08 19:36 . 2010-11-08 19:36 -------- d-----w- c:\program files\VS Revo Group

2010-11-08 19:17 . 2010-11-08 19:17 -------- d-----w- C:\Copy (5) of My Received Files

2010-11-08 19:17 . 2010-11-08 19:17 -------- d-----w- C:\Copy (5) of My Music

2010-11-08 19:17 . 2010-11-08 19:17 -------- d-----w- C:\Copy (5) of Favorites

2010-11-08 19:17 . 2010-11-08 19:17 -------- d-----w- C:\Copy (5) of Access Connections

2010-11-08 19:17 . 2010-11-08 19:17 -------- d-----w- C:\Copy (4) of Downloads

2010-11-08 19:17 . 2010-11-08 19:17 -------- d-----w- C:\Copy (4) of Simply Accounting

2010-11-08 14:38 . 2010-11-08 15:05 -------- d-----w- c:\documents and settings\ryan\DoctorWeb

2010-11-06 16:37 . 2010-11-06 16:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2010-11-05 16:38 . 2010-11-05 16:38 -------- d-----w- c:\documents and settings\ryan\Application Data\QuickScan

2010-11-03 16:37 . 2010-11-03 16:37 -------- d-----w- c:\program files\ESET

2010-11-02 20:57 . 2010-11-22 14:36 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-11-02 20:57 . 2010-11-02 20:57 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-11-02 20:57 . 2010-11-22 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-30 14:56 . 2010-10-29 13:35 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-04 13:48 . 2010-10-27 20:27 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-09-18 16:23 . 2008-07-21 22:49 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-07-21 22:49 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-07-21 22:49 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-07-21 22:49 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-09 13:38 . 2008-07-21 22:50 832512 ----a-w- c:\windows\system32\wininet.dll

2010-09-09 13:38 . 2008-07-21 22:49 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-09 13:38 . 2008-07-21 22:49 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-09-09 13:38 . 2008-07-21 22:49 17408 ----a-w- c:\windows\system32\corpol.dll

2010-09-08 15:57 . 2008-07-21 22:49 389120 ----a-w- c:\windows\system32\html.iec

.

((((((((((((((((((((((((((((( SnapShot@2010-11-04_13.45.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-11-30 16:59 . 2010-11-30 16:59 16384 c:\windows\Temp\Perflib_Perfdata_f4.dat

+ 2008-07-21 22:50 . 2010-11-08 18:52 90276 c:\windows\system32\perfc009.dat

- 2009-09-21 17:41 . 2010-10-13 21:31 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

+ 2008-07-21 22:50 . 2010-11-08 18:52 491752 c:\windows\system32\perfh009.dat

+ 2010-11-30 14:57 . 2010-11-30 14:56 153376 c:\windows\system32\javaws.exe

- 2010-10-29 13:35 . 2010-10-29 13:35 153376 c:\windows\system32\javaws.exe

+ 2010-11-30 14:57 . 2010-11-30 14:56 145184 c:\windows\system32\javaw.exe

- 2010-10-29 13:35 . 2010-10-29 13:35 145184 c:\windows\system32\javaw.exe

+ 2010-11-30 14:57 . 2010-11-30 14:56 145184 c:\windows\system32\java.exe

- 2010-10-29 13:35 . 2010-10-29 13:35 145184 c:\windows\system32\java.exe

+ 2010-11-30 14:57 . 2010-11-30 14:57 180224 c:\windows\Installer\443a5.msi

+ 2010-11-30 14:56 . 2010-11-30 14:56 677376 c:\windows\Installer\443a0.msi

+ 2009-09-21 17:41 . 2010-11-10 22:28 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2010-09-22 22:10 . 2010-09-22 22:10 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\nppdf32.dll

+ 2010-10-16 03:14 . 2010-11-05 16:38 721640 c:\windows\Downloaded Program Files\qsax.dll

+ 2010-11-08 07:14 . 2010-11-08 07:14 3402752 c:\windows\Installer\6bb64.msp

+ 2010-09-17 11:04 . 2010-09-17 11:04 9401856 c:\windows\Installer\1b76d3b.msp

+ 2010-10-21 23:12 . 2010-10-21 23:12 3359744 c:\windows\Installer\1b76d25.msp

+ 2010-10-07 23:43 . 2010-10-07 23:43 1980416 c:\windows\Installer\1b76d0f.msp

+ 2009-09-21 17:41 . 2010-11-10 22:28 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

+ 2009-09-21 17:41 . 2010-11-10 22:28 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

- 2009-09-21 17:41 . 2010-10-13 21:31 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-09-16 07:08 . 2010-09-16 07:08 6210560 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\authplay.dll

+ 2008-11-10 07:41 . 2008-11-10 07:41 2014584 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PPTVIEW.EXE

+ 2009-11-04 22:00 . 2010-11-10 22:25 35758536 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"Google Update"="c:\documents and settings\ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-26 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-04-10 122880]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-10 524288]

"TpShocks"="TpShocks.exe" [2008-06-07 181536]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2008-03-24 64368]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-02 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-02 178712]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-02 150040]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-11-24 487424]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]

"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]

"LCONTROL"="c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe" [2008-03-20 77824]

"LFKA"="c:\program files\Lenovo\ATK Hotkey\LFKA.exe" [2008-04-16 315392]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-10-26 335872]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-10-26 208896]

"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-03 40960]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2009-08-23 91432]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]

"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]

"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]

"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2008-08-08 10:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 6:21 PM 19496]

R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 7:50 PM 46144]

R2 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [8/13/2009 10:13 AM 208896]

R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\IBM\Lotus\Notes\nsd.exe [12/6/2008 7:36 AM 3315080]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/13/2009 10:16 AM 94208]

R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [8/23/2009 29992]

R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [3/30/2010 1:42 PM 40960]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [11/24/2008 5:34 PM 520192]

R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 7:50 PM 360448]

R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [5/18/2007 11:57 AM 229856]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/13/2009 10:04 AM 110080]

S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [4/25/2008 10:18 AM 362992]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [4/25/2008 10:16 AM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [4/25/2008 10:15 AM 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\129.tmp --> c:\windows\system32\129.tmp [?]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/8/2010 2:36 PM 27064]

S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [4/25/2008 10:18 AM 313840]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 10:15 AM 1120752]

S3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files\winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe [6/8/2010 11:00 PM 42312]

S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 6:27 PM 124608]

.

Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1979792683-839522115-1615Core.job

- c:\documents and settings\ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-26 15:54]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1979792683-839522115-1615UA.job

- c:\documents and settings\ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-26 15:54]

2009-08-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]

2010-11-04 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-08-13 16:48]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.live.com

mStart Page = hxxp://lenovo.live.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

FF - ProfilePath - c:\documents and settings\ryan\Application Data\Mozilla\Firefox\Profiles\afhxl84a.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\documents and settings\ryan\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\ryan\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-30 12:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\129.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)

c:\program files\Lenovo\HOTKEY\tphklock.dll

.

Completion time: 2010-11-30 12:10:09

ComboFix-quarantined-files.txt 2010-11-30 17:10

ComboFix2.txt 2010-11-04 13:47

Pre-Run: 122,745,225,216 bytes free

Post-Run: 122,861,182,976 bytes free

- - End Of File - - D1418B101D9DCDD0BEFF9AD21A6D2760


DDS logs

attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 9/10/2009 9:25:34 AM

System Uptime: 11/30/2010 11:57:12 AM (1 hours ago)

Motherboard: LENOVO | | 2746NDU

Processor: Intel® Core2 Duo CPU T5870 @ 2.00GHz | Socket 478 | 1994/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 143 GiB total, 114.459 GiB free.

D: is CDROM ()

E: is Removable

J: is NetworkDisk (NTFS) - 238 GiB total, 188.778 GiB free.

K: is NetworkDisk (NTFS) - 238 GiB total, 188.778 GiB free.

N: is NetworkDisk (NTFS) - 238 GiB total, 188.778 GiB free.

P: is NetworkDisk (NTFS) - 238 GiB total, 188.778 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/2/2010 9:01:52 AM - System Checkpoint

RP2: 11/4/2010 9:39:34 AM - ComboFix created restore point

RP3: 11/5/2010 1:36:23 PM - System Checkpoint

RP4: 11/6/2010 2:13:19 PM - System Checkpoint

RP5: 11/7/2010 2:13:18 PM - System Checkpoint

RP6: 11/8/2010 2:22:07 PM - Installed Manuel de l'ICCA - CICA Handbook

RP7: 11/8/2010 2:24:29 PM - Installed IFIFRS-FRICIFRS

RP8: 11/8/2010 2:38:55 PM - Removed Client Security - Password Manager.

RP9: 11/10/2010 5:25:23 PM - Software Distribution Service 3.0

RP10: 11/19/2010 1:26:27 PM - System Checkpoint

RP11: 11/25/2010 2:56:02 PM - System Checkpoint

RP12: 11/30/2010 9:50:46 AM - Removed Java 6 Update 22

RP13: 11/30/2010 9:56:45 AM - Installed Java 6 Update 22

==== Installed Programs ======================

Adobe Acrobat 9 Pro Extended - English, Fran


Microsoft Genuine Advantage Diagnostic Tool:

Diagnostic Report (1.9.0027.0):

-----------------------------------------

Windows Validation Data-->

Validation Status: Genuine

Validation Code: 0

Cached Validation Code: N/A

Windows Product Key: *****-*****-RY7BM-HM3KT-BKVRW

Windows Product Key Hash: 6994t4LQCbvkXhtNbqQCL4+auQs=

Windows Product ID: 76487-OEM-2211906-00107

Windows Product ID Type: 2

Windows License Type: OEM SLP

Windows OS version: 5.1.2600.2.00010100.3.0.pro

ID: {C9B7AC1E-62E0-4552-8253-183AE6396D43}(3)

Is Admin: Yes

TestCab: 0x0

LegitcheckControl ActiveX: Registered, 1.9.40.0

Signed By: Microsoft

Product Name: N/A

Architecture: N/A

Build lab: N/A

TTS Error: N/A

Validation Diagnostic: 025D1FF3-230-1

Resolution Status: N/A

Vista WgaER Data-->

ThreatID(s): N/A

Version: N/A

Windows XP Notifications Data-->

Cached Result: 0

File Exists: Yes

Version: 1.9.40.0

WgaTray.exe Signed By: Microsoft

WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

OGAExec.exe Signed By: N/A, hr = 0x80070002

OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->

Office Status: 103 Blocked VLK

Microsoft Office Enterprise 2007 - 103 Blocked VLK

OGA Version: N/A, 0x80070002

Signed By: N/A, hr = 0x80070002

Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->

Proxy settings: N/A

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)

Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe

Download signed ActiveX controls: Prompt

Download unsigned ActiveX controls: Disabled

Run ActiveX controls and plug-ins: Allowed

Initialize and script ActiveX controls not marked as safe: Disabled

Allow scripting of Internet Explorer Webbrowser control: Disabled

Active scripting: Allowed

Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->

Office Details: <GenuineResults><MachineData><UGUID>{C9B7AC1E-62E0-4552-8253-183AE6396D43}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-BKVRW</PKey><PID>76487-OEM-2211906-00107</PID><PIDType>2</PIDType><SID>S-1-5-21-3344187210-3739150887-692415601</SID><SYSTEM><Manufacturer>LENOVO </Manufacturer><Model>2746NDU</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>6AET58WW</Version><SMBIOSVersion major="2" minor="5"/><Date>20090529000000.000000+000</Date><SLPBIOS>LENOVO,LENOVO</SLPBIOS></BIOS><HWID>BE813FAF0184607A</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>2</stat><msppid></msppid><name>Lenovo</name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65432</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults>

Licensing Data-->

N/A

Windows Activation Technologies-->

N/A

HWID Data-->

N/A

OEM Activation 1.0 Data-->

BIOS string matches: yes

Marker string from BIOS: 13C1F:GENUINE C&C INC|1D7B8:Lenovo

Marker string from OEMBIOS.DAT: LENOVO,LENOVO

OEM Activation 2.0 Data-->

N/A
