Computer Booting Very Slow + IE Problems


Currently the computer is taking forever to boot up to the desktop (15-20 minutes). Internet Explorer is really slow when you try to run it.

IE was having redirected search results in Google. (The redirects were before the first time I ran MBAM; I haven't really used IE after that on the computer.)

In the body of the message is the DDS log, along with the log from the first time I ran MBAM yesterday and the last time I ran it today before posting here.

I tried running GMER twice, but both times during the scan I got a Blue Screen and the computer rebooted.

DDS (Ver_10-12-12.02) - NTFSx86

Run by Helen at 17:27:46.34 on Mon 12/13/2010

Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\ACS.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE

C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Common Files\AOL\1170360518\ee\AOLSoftware.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\DrvMon.exe

C:\Program Files\Common Files\AOL\Loader\aolload.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Helen\Desktop\dds.scr

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwX5bEaI0bVlcTvAc4vRWuuzkXplE+ogU9ODQ/1yHnGOleJ4Betjz8POkJ2LhqrNunGd8Pm/4Wsf45Lpg41/UG1eMajvUrVT+h4yFTpv2r3CQ=

uURLSearchHooks: H - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx

BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.7\NppBho.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll

TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.7\UIBHO.dll

TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe

mRun: [NDSTray.exe] c:\program files\toshiba\configfree\NDSTray.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run

mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [TPSMain] TPSMain.exe

mRun: [TFncKy] c:\program files\toshiba\toshiba controls\TFncKy.exe

mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Notebook Maximizer] c:\program files\notebook maximizer\maximizer_startup.exe

mRun: [CFSServ.exe] c:\program files\toshiba\configfree\CFSServ.exe -NoClient

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"

mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"

mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe

mRun: [HostManager] c:\program files\common files\aol\1170360518\ee\AOLSoftware.exe

mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB003" /M "Stylus C88"

mRun: [NSWosCheck] c:\program files\norton systemworks basic edition\osCheck.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks basic edition\norton cleanup\WCQuick.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-rainforest-adventure/gamehouseplayer.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-shangri-la-2-deluxe/zylomplayer.cab

DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-sandscript/SandScript.1.0.0.21.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R? NAVENG;NAVENG

R? NAVEX15;NAVEX15

S? ccEvtMgr;Symantec Event Manager

S? ccSetMgr;Symantec Settings Manager

S? NProtectService;Norton UnErase Protection

S? Symantec Core LC;Symantec Core LC

=============== Created Last 30 ================

2010-12-13 01:28:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure

2010-12-12 20:28:28 -------- d-----w- c:\docume~1\helen\applic~1\Malwarebytes

2010-12-12 20:28:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-12 20:28:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-12 20:28:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-12 20:28:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: TOSHIBA_MK8026GAX rev.PA000U -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84F26555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x84f2c7b0]; MOV EAX, [0x84f2c82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x84FA5030]

3 CLASSPNP[0xF76EFFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000007f[0x84F76170]

5 ACPI[0xF7646620] -> nt!IofCallDriver[0x804E37D5] -> [0x84FA8D98]

\Driver\atapi[0x84F960D8] -> IRP_MJ_CREATE -> 0x84F26555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [sI], CH; JL 0x2d; JNZ 0x3b; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8026GAX_______________________PA000U__#5&207656b8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x84F2639B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 17:31:32.64 ===============

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5302

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/12/2010 3:58:54 PM

mbam-log-2010-12-12 (15-58-54).txt

Scan type: Quick scan

Objects scanned: 149239

Time elapsed: 15 minute(s), 51 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 4

Registry Data Items Infected: 1

Folders Infected: 40

Files Infected: 88

Memory Processes Infected:

c:\WINDOWS\andy145.exe (Worm.KoobFace) -> 1908 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE} (Adware.Starware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE} (Adware.Starware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE} (Adware.Starware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE} (Adware.Starware) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuri49tkd (Worm.KoobFace) -> Value: xuri49tkd -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) -> Value: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) -> Value: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Adware.Starware) -> Value: SearchAssistant -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

c:\documents and settings\all users\application data\starware337 (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\contexts (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Games (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Games\images (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\images (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Movies (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\screensaversmarketingsitepager (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\screensaversmarketingsitepager\images (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\screensaversmarketingsitepager\images\active (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\screensaversmarketingsitepager\images\default (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\simpleupdate (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337 (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\browsersearch (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\configurator (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\errorsearch (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Games (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Layouts (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Manager (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Movies (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Recipes (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\reference (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\relatedsearch (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\screensaversmarketingsitepager (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\searchassistplus (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\searchmatch (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\searchmatch\searchmatchpages (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\toolbarlogo (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\toolbarsearch (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\travelsearch (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Weather (Adware.Starware) -> Quarantined and deleted successfully.

c:\program files\starware337 (Adware.Starware) -> Delete on reboot.

c:\program files\starware337\bin (Adware.Starware) -> Delete on reboot.

c:\program files\starware337\icons (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\andy145.exe (Worm.KoobFace) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\local settings\application data\1011201014610110550.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\local settings\application data\10112010146103.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\local settings\application data\1011201014697.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

c:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\fs1235.dat (KoobFace.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Tem226.tmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\u1a28861e.exe (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\findithot.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\highlighthot.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\recipes.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\recipes.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\recipes_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\recipes_over.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\referencehot.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\contexts\Related.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\contexts\Travel.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\images\walertXP.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\screensaversmarketingsitepager\images\active\screensaversmarketingsitepager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\simpleupdate\productmessagingconfig.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\simpleupdate\productmessagingconfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\simpleupdate\simpleupdateconfig.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\simpleupdate\simpleupdateconfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\simpleupdate\timermanagerconfig.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\starware337\simpleupdate\timermanagerconfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Tem227.tmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\browsersearch\browsersearch.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\browsersearch\browsersearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\configurator\configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\configurator\configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\errorsearch\errorsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\errorsearch\errorsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Games\gamesoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Games\gamesoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Layouts\pitchlayout.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Layouts\pitchlayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Layouts\toolbarlayout.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Layouts\toolbarlayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Manager\manageroptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Manager\manageroptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Movies\moviesoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Movies\moviesoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Recipes\recipesoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Recipes\recipesoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\reference\referenceoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\reference\referenceoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\relatedsearch\relatedsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\relatedsearch\relatedsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\screensaversmarketingsitepager\screensaversmarketingsitepageroptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\screensaversmarketingsitepager\screensaversmarketingsitepageroptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\searchassistplus\searchassistplusoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\searchassistplus\searchassistplusoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\searchmatch\searchmatchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\searchmatch\searchmatchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Toolbar\tbproductsoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Toolbar\tbproductsoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\toolbarlogo\toolbarlogooptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\toolbarlogo\toolbarlogooptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\toolbarsearch\toolbarsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\toolbarsearch\toolbarsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\travelsearch\travelsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\travelsearch\travelsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Weather\alertarchive.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Weather\weatheroptions.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\documents and settings\Helen\application data\starware337\Weather\weatheroptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.

c:\program files\starware337\brand.bmp (Adware.Starware) -> Quarantined and deleted successfully.

c:\program files\starware337\starware337config.xml (Adware.Starware) -> Quarantined and deleted successfully.

c:\program files\starware337\starware337uninstall.exe (Adware.Starware) -> Quarantined and deleted successfully.

c:\program files\starware337\bin\starware337.dll (Adware.Starware) -> Delete on reboot.

c:\program files\starware337\icons\star_16.ico (Adware.Starware) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5303

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/13/2010 5:17:06 PM

mbam-log-2010-12-13 (17-17-06).txt

Scan type: Quick scan

Objects scanned: 144462

Time elapsed: 28 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip


Hello Alex954! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Step 1

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 2

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, change it to Cure and then click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.


Uninstalled Viewpoint Media Player

Here is the log from TDSSKiller:

2010/12/14 04:06:25.0734 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40

2010/12/14 04:06:25.0734 ================================================================================

2010/12/14 04:06:25.0734 SystemInfo:

2010/12/14 04:06:25.0734

2010/12/14 04:06:25.0734 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/14 04:06:25.0734 Product type: Workstation

2010/12/14 04:06:25.0734 ComputerName: TOSHIBA-USER

2010/12/14 04:06:25.0734 UserName: Helen

2010/12/14 04:06:25.0734 Windows directory: C:\WINDOWS

2010/12/14 04:06:25.0734 System windows directory: C:\WINDOWS

2010/12/14 04:06:25.0734 Processor architecture: Intel x86

2010/12/14 04:06:25.0734 Number of processors: 1

2010/12/14 04:06:25.0734 Page size: 0x1000

2010/12/14 04:06:25.0734 Boot type: Normal boot

2010/12/14 04:06:25.0734 ================================================================================

2010/12/14 04:06:26.0703 Initialize success

2010/12/14 04:06:35.0906 ================================================================================

2010/12/14 04:06:35.0906 Scan started

2010/12/14 04:06:35.0906 Mode: Manual;

2010/12/14 04:06:35.0906 ================================================================================

2010/12/14 04:10:35.0625 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/12/14 04:10:35.0671 ================================================================================

2010/12/14 04:10:35.0671 Scan finished

2010/12/14 04:10:35.0671 ================================================================================

2010/12/14 04:10:35.0703 Detected object count: 1

2010/12/14 04:11:09.0640 \HardDisk0 - will be cured after reboot

2010/12/14 04:11:09.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/12/14 04:11:17.0203 Deinitialize success


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double-click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


ComboFix Log

ComboFix 10-12-14.01 - Helen 12/14/2010 14:20:10.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.175 [GMT -5:00]

Running from: c:\documents and settings\Helen\Desktop\Combo-Fix.exe

AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Helen\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\Helen\Local Settings\temp\IadHide5.dll

.

((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))

.

2010-12-13 01:28 . 2010-12-13 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2010-12-12 20:28 . 2010-12-12 20:28 -------- d-----w- c:\documents and settings\Helen\Application Data\Malwarebytes

2010-12-12 20:28 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-12 20:28 . 2010-12-12 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-12 20:28 . 2010-12-12 20:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-12 20:28 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2005-04-20 18:44 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2005-04-20 18:44 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2005-04-20 18:44 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2005-04-20 18:44 953856 ----a-w- c:\windows\system32\mfc40u.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2006-04-29 36864]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]

"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2006-05-15 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 339968]

"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2005-02-08 962560]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 122880]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]

"PINGER"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-04-12 184320]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 88358]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"TPSMain"="TPSMain.exe" [2004-12-28 270336]

"TFncKy"="c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe" [2004-10-25 114688]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-06-05 116328]

"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]

"CFSServ.exe"="c:\program files\TOSHIBA\ConfigFree\CFSServ.exe" [2005-04-13 794624]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]

"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-07-19 135168]

"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-07-19 53248]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2005-02-07 99480]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-20 98304]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"HostManager"="c:\program files\Common Files\AOL\1170360518\ee\AOLSoftware.exe" [2007-10-08 41824]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-06-26 771440]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]

"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]

"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2007-12-03 25472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-4-28 196608]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-1-17 438272]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\1170360518\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [2005-11-04 95832]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

2010-11-09 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Helen.job

- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-06-26 08:27]

2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{18D9D3D3-E04E-4D28-A36A-00DA9AFA59EF}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwX5bEaI0bVlcTvAc4vRWuuzkXplE+ogU9ODQ/1yHnGOleJ4Betjz8POkJ2LhqrNunGd8Pm/4Wsf45Lpg41/UG1eMajvUrVT+h4yFTpv2r3CQ=

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-rainforest-adventure/gamehouseplayer.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-shangri-la-2-deluxe/zylomplayer.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-14 14:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1980)

c:\windows\system32\WININET.dll

c:\docume~1\Helen\LOCALS~1\Temp\IadHide5.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\ACS.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\Ati2evxx.exe

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

c:\windows\wanmpsvc.exe

c:\windows\AGRSMMSG.exe

c:\windows\system32\TPSMain.exe

c:\windows\system32\TPSBattM.exe

c:\program files\TOSHIBA\ConfigFree\CFXFER.exe

c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE

c:\program files\Symantec\LiveUpdate\AUPDATE.EXE

c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

.

**************************************************************************

.

Completion time: 2010-12-14 15:21:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-14 20:20

ComboFix2.txt 2010-12-13 10:22

Pre-Run: 63,964,139,520 bytes free

Post-Run: 63,800,774,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - EC4C072EB814818AA3A2E750DA1926CF


  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
