
Hi

I think I have malware. MBAM blocks an IP nearly every mouse click, or at least on entering sites. The IP is 95.211.132.98. MBAM scans are clean, as are NAV scans. I think I have attached the logs and scans that are needed for step one. Thanks. CM

MBAM log


DDS (Ver_10-12-12.02) - NTFSx86

Run by CAM48 at 15:56:05.96 on Wed 01/26/2011

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.432 [GMT -5:00]

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}


============== Pseudo HJT Report ===============

uStart Page = hxxp://home.mw.com/

uWindow Title = Microsoft Internet Explorer provided by mw

mDefault_Page_URL = hxxp://home.mw.com

uInternet Connection Wizard,ShellNext = hxxp://home.mw.com/

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [H/PC Connection Agent] "c:\progra~1\micros~4\wcescomm.exe"

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [NWTRAY] NWTRAY.EXE

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [PFO Check Settings] pfochk.exe

mRun: [swdisUsrPCN.pkg-rup3-m81049] "c:\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "c:\tivoli\swdis\1\wdusrpcn.env\pkg-rup3-m81049"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\cam48\startm~1\programs\startup\gozone~1.lnk - c:\program files\gozone\GoZone_iSync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gpspat~2.lnk - c:\program files\gps pathfinder office 2.80\conmgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gpspat~1.lnk - c:\program files\gps pathfinder office 2.80\PfPjChgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\appsutil\winzip11\WZQKPICK.EXE

uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: NoActiveDesktop = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = msblast.exe

uPolicies-disallowrun: 2 = penis32.exe

uPolicies-disallowrun: 3 = teekids.exe

uPolicies-system: Wallpaper = c:\windows\VISTA.BMP

uPolicies-system: WallpaperStyle = 0

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: ariba.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://dommlp06.mw.com/iNotes6W.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 nwv1_0 TivoliAP

mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

Hosts: 127.0.0.1 www.spywareinfo.com


Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With admin rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, Firefox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Hi,

Thanks for your help first off.

Unfortunately, neither of the scans turned up anything. As to the behavior of the PC: while I am Google searching, MBAM pops up saying that it blocked an IP, 95.211.132.98, and then it takes very long to load the page. Earlier today, when clicking on search results to go to a page, it would reroute me to some other site. The MBAM pop-up also appeared in IE.

Following is the TDSS log:

2011/01/28 20:48:10.0546 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53

2011/01/28 20:48:10.0546 ================================================================================

2011/01/28 20:48:10.0546 SystemInfo:

2011/01/28 20:48:10.0546

2011/01/28 20:48:10.0546 OS Version: 5.1.2600 ServicePack: 2.0

2011/01/28 20:48:10.0546 Product type: Workstation

2011/01/28 20:48:10.0546 ComputerName: PKG-RUP3-M81049

2011/01/28 20:48:10.0546 UserName: CAM48

2011/01/28 20:48:10.0546 Windows directory: C:\WINDOWS

2011/01/28 20:48:10.0546 System windows directory: C:\WINDOWS

2011/01/28 20:48:10.0546 Processor architecture: Intel x86

2011/01/28 20:48:10.0546 Number of processors: 2

2011/01/28 20:48:10.0546 Page size: 0x1000

2011/01/28 20:48:10.0546 Boot type: Normal boot

2011/01/28 20:48:10.0546 ================================================================================

2011/01/28 20:48:10.0984 Initialize success

2011/01/28 20:48:17.0015 ================================================================================

2011/01/28 20:48:17.0015 Scan started

2011/01/28 20:48:17.0015 Mode: Manual;

2011/01/28 20:48:17.0015 ================================================================================


2011/01/28 20:48:28.0843 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/01/28 20:48:28.0906 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/01/28 20:48:28.0921 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/01/28 20:48:28.0984 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/01/28 20:48:29.0000 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/01/28 20:48:29.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/01/28 20:48:29.0031 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/01/28 20:48:29.0062 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/01/28 20:48:29.0078 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/01/28 20:48:29.0093 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/01/28 20:48:29.0109 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/01/28 20:48:29.0125 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/01/28 20:48:29.0171 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys

2011/01/28 20:48:29.0203 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/01/28 20:48:29.0250 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/01/28 20:48:29.0296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/01/28 20:48:29.0375 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/01/28 20:48:29.0437 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/01/28 20:48:29.0515 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/01/28 20:48:29.0593 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/01/28 20:48:29.0687 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/01/28 20:48:29.0765 RESMGR (16c27d650113b0aa0c8255c561a71cd4) C:\WINDOWS\system32\NetWare\resmgr.sys

2011/01/28 20:48:29.0859 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2011/01/28 20:48:29.0937 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/01/28 20:48:30.0078 Sentinel (7e5c2c58fc4e3862e7bf88bfb809a9b0) C:\WINDOWS\System32\Drivers\SENTINEL.SYS

2011/01/28 20:48:30.0171 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/01/28 20:48:30.0234 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/01/28 20:48:30.0312 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/01/28 20:48:30.0390 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/01/28 20:48:30.0437 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys

2011/01/28 20:48:30.0468 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/01/28 20:48:30.0609 SPBBCDrv (d7bb213566e16bca372e2cb517eda907) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2011/01/28 20:48:30.0734 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2011/01/28 20:48:30.0828 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/01/28 20:48:30.0875 SRTSP (3cb2f35789632f0bae8a1b9edb08e965) C:\WINDOWS\system32\Drivers\SRTSP.SYS

2011/01/28 20:48:30.0953 SRTSPL (d69f1be5fd6da685a4c0e36d58a29e85) C:\WINDOWS\system32\Drivers\SRTSPL.SYS

2011/01/28 20:48:31.0062 SRTSPX (1af60c53c43e2e672bbda3ba9a947d48) C:\WINDOWS\system32\Drivers\SRTSPX.SYS

2011/01/28 20:48:31.0125 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/01/28 20:48:31.0218 SRVLOC (21d0242d37ab7b275261ed030adaaad5) C:\WINDOWS\system32\NetWare\srvloc.sys

2011/01/28 20:48:31.0312 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/01/28 20:48:31.0406 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/01/28 20:48:31.0484 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/01/28 20:48:31.0515 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/01/28 20:48:31.0656 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

2011/01/28 20:48:31.0750 SYMREDRV (be3c117150c055e50a4caf23e548c856) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2011/01/28 20:48:31.0828 SYMTDI (7b0af4e22b32f8c5bfba5a5d53522160) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2011/01/28 20:48:31.0890 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/01/28 20:48:31.0921 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/01/28 20:48:31.0984 SynTP (5876072999220ef2fba1ddec86d2b97e) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/01/28 20:48:32.0062 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/01/28 20:48:32.0171 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/01/28 20:48:32.0265 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/01/28 20:48:32.0343 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/01/28 20:48:32.0421 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/01/28 20:48:32.0500 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys

2011/01/28 20:48:32.0562 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/01/28 20:48:32.0609 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/01/28 20:48:32.0703 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/01/28 20:48:32.0781 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2011/01/28 20:48:32.0843 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/01/28 20:48:32.0953 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/01/28 20:48:33.0062 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/01/28 20:48:33.0140 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/01/28 20:48:33.0265 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/01/28 20:48:33.0343 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/01/28 20:48:33.0390 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/01/28 20:48:33.0421 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/01/28 20:48:33.0500 vsdatant (baa5668909a0edcc61a6a8099bb07659) C:\WINDOWS\system32\vsdatant.sys

2011/01/28 20:48:33.0562 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/01/28 20:48:33.0640 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

2011/01/28 20:48:33.0750 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/01/28 20:48:33.0859 WGX (5cc011033b758376b6cdf0487649547e) C:\WINDOWS\system32\Drivers\WGX.SYS

2011/01/28 20:48:33.0937 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/01/28 20:48:34.0031 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/01/28 20:48:34.0125 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/01/28 20:48:34.0234 ================================================================================

2011/01/28 20:48:34.0234 Scan finished

2011/01/28 20:48:34.0234 ================================================================================

Thanks again

cm


Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 (if using this link, right-click and select Save As).

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Well, that seemed to find a couple of things, but when searching in Google and clicking a result to visit the site, MBAM pops up blocking a site... the same as it was doing before.

ComboFix 11-01-28.02 - CAM48 01/28/2011 21:38:33.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.493 [GMT -5:00]

Running from: c:\documents and settings\CAM48\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\CAM48\Favorites\Online Security Guide.lnk


c:\windows\run.log

c:\windows\system32\_000006_.tmp.dll

----- BITS: Possible infected sites -----

hxxp://ews-pgh1-wscp1

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))

.

2011-01-29 02:48 . 2011-01-29 02:48 53248 ----a-w- c:\temp\catchme.dll

2011-01-29 02:48 . 2011-01-29 02:48 25088 ----a-w- c:\temp\mbr.sys

2011-01-28 16:45 . 2011-01-28 16:45 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

------- Sigcheck -------

[-] 2004-08-04 . 2AB261AAE088469AFA456B925CE60810 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2004-08-04 . 0EDF2D962E90E4657800DB1C77BD9369 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]

"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"PFO Check Settings"="pfochk.exe" [2001-02-26 57344]

"SwdisUsrPCN.pkg-rup3-m81049"="c:\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" [2010-01-08 16384]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-17 115560]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\CAM48\Start Menu\Programs\Startup\

GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2009-3-5 431608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-8-22 1421328]

GPS Pathfinder Office Connection Manager.lnk - c:\program files\GPS Pathfinder Office 2.80\conmgr.exe [2007-11-26 65536]

GPS Pathfinder Office Project Changer.lnk - c:\program files\GPS Pathfinder Office 2.80\PfPjChgr.exe [2007-11-26 36864]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

WinZip Quick Pick.lnk - c:\apps\UTIL\WinZip11\WZQKPICK.EXE [2008-10-30 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\CLNTRUST.EXE"=

"c:\\WINDOWS\\SYSTEM32\\SESSMGR.EXE"=

"c:\\TIVOLI\\LCF\\BIN\\W32-IX86\\MRT\\LCFD.EXE"=

"c:\\TIVOLI\\LCF\\INV\\SCAN\\WEPMCOLL.EXE"=

"c:\\TIVOLI\\LCF\\DAT\\1\\CACHE\\BIN\\W32-IX86\\TME\\SWDIS\\SPDE\\SPD_ENG.EXE"=

"c:\\PROGRAM FILES\\SAP\\FRONTEND\\SAPGUI\\SAPLOGON.EXE"=

"c:\\PROGRAM FILES\\SAP\\FRONTEND\\SAPGUI\\SAPLGPAD.EXE"=

"c:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE"=

"c:\\PROGRAM FILES\\CISCO SYSTEMS\\VPN CLIENT\\IPSECDIALER.EXE"=

"c:\\PROGRAM FILES\\CISCO SYSTEMS\\VPN CLIENT\\VPNGUI.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"52311:TCP"= 52311:TCP:BESPortTCP

"52311:UDP"= 52311:UDP:BESPortUDP

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]

R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [11/26/2007 3:33 PM 10752]

R2 lcfd;Tivoli Endpoint;c:\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [11/26/2007 4:14 PM 184320]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/19/2010 2:08 PM 304464]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [6/2/2010 2:12 PM 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 4:05 PM 87808]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/31/1979 7:00 PM 35968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/19/2010 2:08 PM 20952]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [11/8/2010 1:04 PM 6607744]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]

S3 OracleORA_V901_HOMEClientCache;OracleORA_V901_HOMEClientCache;c:\oracle\Product\V901\bin\ONRSD.EXE [8/14/2001 6:25 PM 425828]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

2004-08-04 08:00 99840 ----a-w- c:\windows\system32\advpack.dll

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.mw.com/

uInternet Connection Wizard,ShellNext = hxxp://home.mw.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Trusted Zone: ariba.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\CAM48\Application Data\Mozilla\Firefox\Profiles\31q9twmu.default\

FF - prefs.js: browser.startup.homepage - hxxp://home.mw.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - c:\program files\Mozilla Firefox\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}

FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

Notify-NavLogon - (no file)

SafeBoot-Symantec Antvirus

AddRemove-fGIS - Forestry GIS - c:\dnrapps\fGIS\uninst.exe

AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-28 21:48

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xX??????(?@???????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)

c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL

c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

- - - - - - - > 'Explorer.exe'(3904)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec AntiVirus\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\System32\SCardSvr.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\SYSTEM32\DWRCS.EXE

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\notes\ntmulti.exe

c:\progra~1\AT&TGL~1\NetCfgSv.EXE

c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\windows\System32\snmp.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wm.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\SYSTEM32\DWRCST.exe

c:\program files\Symantec AntiVirus\SmcGui.exe

c:\windows\system32\NWTRAY.EXE

c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

c:\windows\AGRSMMSG.exe

c:\progra~1\MICROS~4\wcescomm.exe

c:\progra~1\MICROS~4\rapimgr.exe

c:\progra~1\COMMON~1\Trimble\REMOTE~1\TRDMU.exe

.

**************************************************************************

.

Completion time: 2011-01-28 21:56:49 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-29 02:56

Pre-Run: 12,559,994,880 bytes free

Post-Run: 12,498,636,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BA1F7F7A513A4715A6EE75325CCBCC34

Thanks

cm


Download Dr.Web from here: http://www.freedrweb.com/?lng=en (the link is on the top right of the page); tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.

Restart in Safe Mode and run it.

Accept the enhanced version.

Then run the quick scan.

About halfway through you will be prompted to buy; just X the box closed.

Once finished, it will generate a log. Please post the results.


I downloaded Dr.Web and ran it, and I also told it to cure the stuff it found. I assume that was right; my browser, on quick inspection, is acting properly now. The program also did not give me the option to write a log, just to save the list of what it cured, which follows:

dll;C:\WINDOWS\system32;Trojan.Hottrend.34;Deleted.;

winlogon.exe;C:\WINDOWS\system32;Win32.Dat.15;Cured.;

zx.dll;C:\WINDOWS\system32;Trojan.Starter.1602;Deleted.;

explorer.exe;c:\windows;Win32.Dat.15;Cured.;

I hope that will work.

cm


Ugh, I must have forgotten to cross my fingers.

ComboFix 11-01-28.03 - CAM48 01/29/2011 10:53:25.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.414 [GMT -5:00]

Running from: c:\documents and settings\CAM48\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))

.

2011-01-29 16:06 . 2011-01-29 16:06 53248 ----a-w- c:\temp\catchme.dll

2011-01-29 16:06 . 2011-01-29 16:06 25088 ----a-w- c:\temp\mbr.sys

2011-01-29 03:40 . 2011-01-29 03:40 -------- d-----w- c:\documents and settings\CAM48\DoctorWeb

2011-01-28 16:45 . 2011-01-28 16:45 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

------- Sigcheck -------

[-] 2004-08-04 . 94A9B8FB5863FC840AF4591004B627CC . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2004-08-04 . BA72F335D47B8D4D4BE2A39C47DE3C15 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]

"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"PFO Check Settings"="pfochk.exe" [2001-02-26 57344]

"SwdisUsrPCN.pkg-rup3-m81049"="c:\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" [2010-01-08 16384]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-17 115560]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\CAM48\Start Menu\Programs\Startup\

GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2009-3-5 431608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-8-22 1421328]

GPS Pathfinder Office Connection Manager.lnk - c:\program files\GPS Pathfinder Office 2.80\conmgr.exe [2007-11-26 65536]

GPS Pathfinder Office Project Changer.lnk - c:\program files\GPS Pathfinder Office 2.80\PfPjChgr.exe [2007-11-26 36864]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

WinZip Quick Pick.lnk - c:\apps\UTIL\WinZip11\WZQKPICK.EXE [2008-10-30 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\CLNTRUST.EXE"=

"c:\\WINDOWS\\SYSTEM32\\SESSMGR.EXE"=

"c:\\TIVOLI\\LCF\\BIN\\W32-IX86\\MRT\\LCFD.EXE"=

"c:\\TIVOLI\\LCF\\INV\\SCAN\\WEPMCOLL.EXE"=

"c:\\TIVOLI\\LCF\\DAT\\1\\CACHE\\BIN\\W32-IX86\\TME\\SWDIS\\SPDE\\SPD_ENG.EXE"=

"c:\\PROGRAM FILES\\SAP\\FRONTEND\\SAPGUI\\SAPLOGON.EXE"=

"c:\\PROGRAM FILES\\SAP\\FRONTEND\\SAPGUI\\SAPLGPAD.EXE"=

"c:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE"=

"c:\\PROGRAM FILES\\CISCO SYSTEMS\\VPN CLIENT\\IPSECDIALER.EXE"=

"c:\\PROGRAM FILES\\CISCO SYSTEMS\\VPN CLIENT\\VPNGUI.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"52311:TCP"= 52311:TCP:BESPortTCP

"52311:UDP"= 52311:UDP:BESPortUDP

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]

R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [11/26/2007 3:33 PM 10752]

R2 lcfd;Tivoli Endpoint;c:\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [11/26/2007 4:14 PM 184320]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/19/2010 2:08 PM 304464]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [6/2/2010 2:12 PM 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 4:05 PM 87808]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/31/1979 7:00 PM 35968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/19/2010 2:08 PM 20952]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [11/8/2010 1:04 PM 6607744]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]

S3 OracleORA_V901_HOMEClientCache;OracleORA_V901_HOMEClientCache;c:\oracle\Product\V901\bin\ONRSD.EXE [8/14/2001 6:25 PM 425828]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

2004-08-04 08:00 99840 ----a-w- c:\windows\system32\advpack.dll

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.mw.com/

uInternet Connection Wizard,ShellNext = hxxp://home.mw.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Trusted Zone: ariba.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\CAM48\Application Data\Mozilla\Firefox\Profiles\31q9twmu.default\

FF - prefs.js: browser.startup.homepage - hxxp://home.mw.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - c:\program files\Mozilla Firefox\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}

FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-29 11:06

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xX??????(?@???????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)

c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL

c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

- - - - - - - > 'Explorer.exe'(2524)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec AntiVirus\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\System32\SCardSvr.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\SYSTEM32\DWRCS.EXE

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\notes\ntmulti.exe

c:\progra~1\AT&TGL~1\NetCfgSv.EXE

c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\windows\System32\snmp.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wm.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\SYSTEM32\DWRCST.exe

c:\program files\Symantec AntiVirus\SmcGui.exe

c:\windows\system32\NWTRAY.EXE

c:\windows\AGRSMMSG.exe

c:\progra~1\MICROS~4\wcescomm.exe

c:\progra~1\MICROS~4\rapimgr.exe

c:\progra~1\COMMON~1\Trimble\REMOTE~1\TRDMU.exe

.

**************************************************************************

.

Completion time: 2011-01-29 11:13:09 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-29 16:13

ComboFix2.txt 2011-01-29 02:56

Pre-Run: 12,365,307,904 bytes free

Post-Run: 12,411,027,456 bytes free

- - End Of File - - F2B3EE047CFA8F893318EDD87D8A1113

Now what?

cm


We need to see if we can find a good copy of explorer.exe and winlogon.exe.

If you just delete them, Windows won't load.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winlogon.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Do the same for explorer.exe.


First this one:

SystemLook 04.09.10 by jpshortstuff

Log created at 21:41 on 29/01/2011 by CAM48

Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"

C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [00:00 01/01/1980] [08:00 04/08/2004] 94A9B8FB5863FC840AF4591004B627CC

-= EOF =-

Then the second:

SystemLook 04.09.10 by jpshortstuff

Log created at 22:08 on 29/01/2011 by CAM48

Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"

C:\WINDOWS\explorer.exe --a---- 1032192 bytes [00:00 01/01/1980] [08:00 04/08/2004] BA72F335D47B8D4D4BE2A39C47DE3C15

-= EOF =-

The fingers still aren't crossed...

cm


Let's run this again.

Download Dr Web from here: http://www.freedrweb.com/?lng=en (link on the top right of the page), tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run it.

Accept the enhanced version.

Then run the quick scan.

About halfway through you will be prompted to buy; just X the box closed.

Once finished it will generate a log; please post the results.


I just finished running the Dr Web scan again; well, it's not done rebooting, but it is telling me that no viruses were found. I am on my phone. I still don't see where to save a log, but there is also nothing to save.

I am not sure what that means but I hope you do.

Thanks for your help.

cm


Still not looking good.

ComboFix 11-01-29.03 - CAM48 01/30/2011 8:31.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.343 [GMT -5:00]

Running from: c:\documents and settings\CAM48\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-30 )))))))))))))))))))))))))))))))

.

2011-01-30 13:48 . 2011-01-30 13:48 53248 ----a-w- c:\temp\catchme.dll

2011-01-29 03:40 . 2011-01-29 03:40 -------- d-----w- c:\documents and settings\CAM48\DoctorWeb

2011-01-28 16:45 . 2011-01-28 16:45 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

------- Sigcheck -------

[-] 2004-08-04 . 94A9B8FB5863FC840AF4591004B627CC . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2004-08-04 . BA72F335D47B8D4D4BE2A39C47DE3C15 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]

"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88203]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"PFO Check Settings"="pfochk.exe" [2001-02-26 57344]

"SwdisUsrPCN.pkg-rup3-m81049"="c:\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" [2010-01-08 16384]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-17 115560]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\CAM48\Start Menu\Programs\Startup\

GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2009-3-5 431608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-8-22 1421328]

GPS Pathfinder Office Connection Manager.lnk - c:\program files\GPS Pathfinder Office 2.80\conmgr.exe [2007-11-26 65536]

GPS Pathfinder Office Project Changer.lnk - c:\program files\GPS Pathfinder Office 2.80\PfPjChgr.exe [2007-11-26 36864]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

WinZip Quick Pick.lnk - c:\apps\UTIL\WinZip11\WZQKPICK.EXE [2008-10-30 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\CLNTRUST.EXE"=

"c:\\WINDOWS\\SYSTEM32\\SESSMGR.EXE"=

"c:\\TIVOLI\\LCF\\BIN\\W32-IX86\\MRT\\LCFD.EXE"=

"c:\\TIVOLI\\LCF\\INV\\SCAN\\WEPMCOLL.EXE"=

"c:\\TIVOLI\\LCF\\DAT\\1\\CACHE\\BIN\\W32-IX86\\TME\\SWDIS\\SPDE\\SPD_ENG.EXE"=

"c:\\PROGRAM FILES\\SAP\\FRONTEND\\SAPGUI\\SAPLOGON.EXE"=

"c:\\PROGRAM FILES\\SAP\\FRONTEND\\SAPGUI\\SAPLGPAD.EXE"=

"c:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE"=

"c:\\PROGRAM FILES\\CISCO SYSTEMS\\VPN CLIENT\\IPSECDIALER.EXE"=

"c:\\PROGRAM FILES\\CISCO SYSTEMS\\VPN CLIENT\\VPNGUI.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"52311:TCP"= 52311:TCP:BESPortTCP

"52311:UDP"= 52311:UDP:BESPortUDP

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]

R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [11/26/2007 3:33 PM 10752]

R2 lcfd;Tivoli Endpoint;c:\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [11/26/2007 4:14 PM 184320]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/19/2010 2:08 PM 304464]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [6/2/2010 2:12 PM 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 4:05 PM 87808]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/31/1979 7:00 PM 35968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/19/2010 2:08 PM 20952]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [11/8/2010 1:04 PM 6607744]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]

S3 OracleORA_V901_HOMEClientCache;OracleORA_V901_HOMEClientCache;c:\oracle\Product\V901\bin\ONRSD.EXE [8/14/2001 6:25 PM 425828]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

2004-08-04 08:00 99840 ----a-w- c:\windows\system32\advpack.dll

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.mw.com/

uInternet Connection Wizard,ShellNext = hxxp://home.mw.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Trusted Zone: ariba.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\CAM48\Application Data\Mozilla\Firefox\Profiles\31q9twmu.default\

FF - prefs.js: browser.startup.homepage - hxxp://home.mw.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - c:\program files\Mozilla Firefox\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}

FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-30 08:48

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xX??????(?@???????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1316)

c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL

c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

- - - - - - - > 'Explorer.exe'(2744)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec AntiVirus\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\System32\SCardSvr.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\SYSTEM32\DWRCS.EXE

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\notes\ntmulti.exe

c:\progra~1\AT&TGL~1\NetCfgSv.EXE

c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\windows\System32\snmp.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wm.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\SYSTEM32\DWRCST.exe

c:\program files\Symantec AntiVirus\SmcGui.exe

c:\windows\system32\NWTRAY.EXE

c:\windows\AGRSMMSG.exe

c:\progra~1\MICROS~4\wcescomm.exe

c:\progra~1\MICROS~4\rapimgr.exe

c:\progra~1\COMMON~1\Trimble\REMOTE~1\TRDMU.exe

.

**************************************************************************

.

Completion time: 2011-01-30 08:54:34 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-30 13:54

ComboFix2.txt 2011-01-29 16:13

ComboFix3.txt 2011-01-29 02:56

Pre-Run: 12,320,178,176 bytes free

Post-Run: 12,310,994,944 bytes free

- - End Of File - - EF241043D9DC8E55757118D02E7B5603

cm


Let's try searching for just winlogon without the .exe.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winlogon


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


OK, I rebooted and ran SystemLook with "winlogon" and it found no files again.

I ran it with "winlogon.*" on the second line and it returned the following:

SystemLook 04.09.10 by jpshortstuff

Log created at 13:55 on 30/01/2011 by CAM48

Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.*"

C:\INSTALL\I386\WINLOGON.EX_ --a---- 261115 bytes [08:00 04/08/2004] [08:00 04/08/2004] F41C4F5745589D0BB8268C02B71594CA

C:\WINDOWS\security\logs\winlogon.log --a---- 1013870 bytes [20:55 20/02/2009] [21:40 27/01/2011] 0D18C6D6410ED7BA09B08B762C096259

C:\WINDOWS\security\logs\winlogon.old --a---- 1049558 bytes [20:54 20/02/2009] [20:52 20/02/2009] 8450F9CAB51102948EEF968DCBEB5D67

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\i386\winlogon.ex_ --a---- 265069 bytes [09:42 14/04/2008] [09:42 14/04/2008] 063EF1A46C58A731F78AE5AF47070D65

C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [00:00 01/01/1980] [08:00 04/08/2004] 94A9B8FB5863FC840AF4591004B627CC

-= EOF =-

I'm not sure if that helps or not.

cm


Not sure if you want "explorer" or "explorer.*".

Here is "explorer":

SystemLook 04.09.10 by jpshortstuff

Log created at 14:42 on 30/01/2011 by CAM48

Administrator - Elevation successful

========== filefind ==========

Searching for "explorer"

No files found.

-= EOF =-

and here is "explorer.*":

SystemLook 04.09.10 by jpshortstuff

Log created at 14:01 on 30/01/2011 by CAM48

Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"

C:\INSTALL\I386\EXPLORER.EX_ --a---- 359533 bytes [08:00 04/08/2004] [08:00 04/08/2004] 4F061B12F3D5457315A0314954E7EF46

C:\INSTALL\I386\EXPLORER.SC_ --a---- 181 bytes [08:00 04/08/2004] [08:00 04/08/2004] BC5B38879C56DFBC05C8B5C43AC4D739

C:\WINDOWS\explorer.exe --a---- 1032192 bytes [00:00 01/01/1980] [08:00 04/08/2004] BA72F335D47B8D4D4BE2A39C47DE3C15

C:\WINDOWS\explorer.scf --a---- 80 bytes [00:00 01/01/1980] [08:00 04/08/2004] A3975A7D2C98B30A2AE010754FFB9392

C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 54086 bytes [18:17 30/01/2011] [18:17 30/01/2011] 4AD31309894BB1226533372CDF6F7FAE

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\i386\explorer.ex_ --a---- 356615 bytes [09:42 14/04/2008] [09:42 14/04/2008] D7B59A7EC9CB1429FDCEC84A22228555

-= EOF =-

And to the other question: yes, I do see the Recovery Console option, or at least the last time I did it I did.

cm


We're going to try this.

Boot into the Recovery Console.

Type in each command followed by tapping the Enter key.

Note any spaces, as they need to be there.

At the command prompt, type in:

expand C:\INSTALL\I386\WINLOGON.EX_ c:\windows\Winlogon.exe

expand C:\INSTALL\I386\explorer.EX_ c:\explorer.exe

ren c:\windows\system32\winlogon.exe winlogon.bak

ren c:\windows\explorer.exe explorer.bak

copy c:\explorer.exe c:\windows\explorer.exe

copy c:\windows\Winlogon.exe c:\windows\system32\winlogon.exe

After the last one, type in exit, reboot normally and run a new ComboFix scan.

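The helper's restore procedure above, together with the SystemLook and ComboFix results it was built from, as an added worked example (this is not code from the thread, nor from ComboFix, SystemLook or Dr.Web): a Python script that parses the three log formats posted in this thread, reconciles them (which files Dr.Web reported as cured but ComboFix still flags, and which compressed install-source copies exist to replace them), and prints the Recovery Console command sequence in the helper's order. The sample inputs are copied from the logs above and embedded inline; the script only parses text and never touches a disk. Two things are assumptions of this example rather than facts from the thread: the expanded files are staged at the drive root (the helper staged one under c:\windows and one at c:\), and the copy under C:\INSTALL\I386 is preferred over the copies in the Windows Update download cache, whose 14/04/2008 build date is later than the 04/08/2004 build of the binaries on this SP2 machine.

```python
"""Reconcile the scanner logs posted in this thread and emit the Recovery
Console commands for replacing the two infected Windows binaries.

Added example; not code from the thread, ComboFix, SystemLook or Dr.Web.
The sample inputs below are copied from the logs above (constructed input;
nothing on disk is read or written). Assumptions: staging the expanded
files at C:\\ and preferring the install-media copy over the update cache.
"""
import re
from pathlib import PureWindowsPath

DRWEB_CURE_LIST = r"""
dll;C:\WINDOWS\system32;Trojan.Hottrend.34;Deleted.;
winlogon.exe;C:\WINDOWS\system32;Win32.Dat.15;Cured.;
zx.dll;C:\WINDOWS\system32;Trojan.Starter.1602;Deleted.;
explorer.exe;c:\windows;Win32.Dat.15;Cured.;
"""
COMBOFIX_LOG = r"""
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
[-] 2004-08-04 . 94A9B8FB5863FC840AF4591004B627CC . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . BA72F335D47B8D4D4BE2A39C47DE3C15 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
"""
SYSTEMLOOK_LOG = r"""
C:\INSTALL\I386\WINLOGON.EX_ --a---- 261115 bytes [08:00 04/08/2004] [08:00 04/08/2004] F41C4F5745589D0BB8268C02B71594CA
C:\WINDOWS\security\logs\winlogon.log --a---- 1013870 bytes [20:55 20/02/2009] [21:40 27/01/2011] 0D18C6D6410ED7BA09B08B762C096259
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\i386\winlogon.ex_ --a---- 265069 bytes [09:42 14/04/2008] [09:42 14/04/2008] 063EF1A46C58A731F78AE5AF47070D65
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [00:00 01/01/1980] [08:00 04/08/2004] 94A9B8FB5863FC840AF4591004B627CC
C:\INSTALL\I386\EXPLORER.EX_ --a---- 359533 bytes [08:00 04/08/2004] [08:00 04/08/2004] 4F061B12F3D5457315A0314954E7EF46
C:\WINDOWS\explorer.exe --a---- 1032192 bytes [00:00 01/01/1980] [08:00 04/08/2004] BA72F335D47B8D4D4BE2A39C47DE3C15
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\i386\explorer.ex_ --a---- 356615 bytes [09:42 14/04/2008] [09:42 14/04/2008] D7B59A7EC9CB1429FDCEC84A22228555
"""

# ComboFix: "<path> . . . is infected!!" and Sigcheck lines, where [-] marks a
# file that failed its hash/signature check.
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+\.\s+\.\s+\.\s+is infected!!", re.I)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-F]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$", re.I)
# SystemLook filefind: "<path> <attrs> <size> bytes [created] [modified] <md5>"
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})\s*$", re.I)


def norm(path):
    """Case-folded Windows path, so the three tools' spellings compare equal."""
    return str(PureWindowsPath(path)).lower()


def parse_drweb(text):
    """Dr.Web cure list 'name;directory;threat;action;' -> {path: (threat, action)}."""
    out = {}
    for line in text.splitlines():
        parts = [f.strip() for f in line.split(";")]
        if len(parts) < 4 or not parts[0]:
            continue
        name, directory, threat, action = parts[:4]
        out[norm(PureWindowsPath(directory) / name)] = (threat, action.rstrip("."))
    return out


def parse_combofix(text):
    """{path: md5 or None} for every file ComboFix reports infected or marks [-]."""
    flagged = {}
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            flagged.setdefault(norm(m["path"]), None)
            continue
        m = SIGCHECK_RE.match(line)
        if m and m["flag"] == "-":
            flagged[norm(m["path"])] = m["md5"].upper()
    return flagged


def parse_systemlook(text):
    """List of filefind hits as dicts (path, attrs, size, created, modified, md5)."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line)
        if m:
            d = m.groupdict()
            d["path"] = str(PureWindowsPath(d["path"]))
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            hits.append(d)
    return hits


def source_candidates(live_path, hits):
    """Compressed NAME.EX_ copies of the live file, best first: the install
    media I386 folder ahead of the Windows Update download cache (assumption:
    the cache copies here are a later build than the binaries in use)."""
    stem = PureWindowsPath(live_path).stem.lower()
    cands = [h["path"] for h in hits
             if PureWindowsPath(h["path"]).stem.lower() == stem
             and h["path"].upper().endswith(".EX_")]
    def rank(p):
        u = p.upper()
        return (0 if "\\I386\\" in u and "SOFTWAREDISTRIBUTION" not in u else 1, u)
    return sorted(cands, key=rank)


def reconcile(drweb_text, combofix_text, systemlook_text):
    """One entry per file ComboFix still flags: Dr.Web's verdict for it (a
    'Cured' that ComboFix contradicts means replace, not re-clean), the on-disk
    MD5 SystemLook saw, and the clean compressed copies available."""
    drweb = parse_drweb(drweb_text)
    hits = parse_systemlook(systemlook_text)
    entries = []
    for path, md5 in sorted(parse_combofix(combofix_text).items()):
        live = next((h for h in hits if norm(h["path"]) == path), None)
        entries.append({"path": path, "sigcheck_md5": md5,
                        "on_disk_md5": live["md5"] if live else None,
                        "drweb": drweb.get(path),
                        "sources": source_candidates(path, hits)})
    return entries


def restore_plan(entries, staging_dir="C:\\"):
    """Recovery Console commands in the helper's order: expand the compressed
    copy to a staging path, rename the infected file aside, copy the clean one
    into place. Staging at the drive root is an assumption of this example."""
    cmds = []
    for e in entries:
        if not e["sources"]:
            cmds.append(f"# no compressed source found for {e['path']}")
            continue
        live = PureWindowsPath(e["path"])
        staged = PureWindowsPath(staging_dir) / live.name
        cmds += [f"expand {e['sources'][0]} {staged}",
                 f"ren {live} {live.stem}.bak",
                 f"copy {staged} {live}"]
    return cmds


if __name__ == "__main__":
    entries = reconcile(DRWEB_CURE_LIST, COMBOFIX_LOG, SYSTEMLOOK_LOG)
    for e in entries:
        print(f"{e['path']}: Dr.Web={e['drweb']} md5={e['on_disk_md5']} "
              f"sources={e['sources']}")
    print("\n".join(restore_plan(entries)))
```

Run as-is it lists both binaries as "Cured" by Dr.Web yet still failing ComboFix's check with the same on-disk MD5 SystemLook reported, picks C:\INSTALL\I386\WINLOGON.EX_ and C:\INSTALL\I386\EXPLORER.EX_ as the sources, and prints the six expand/ren/copy commands. Two caveats the thread does not spell out: the XP Recovery Console by default only permits access to the system folder and the drive roots, so reading C:\INSTALL\I386 may require the "Allow floppy copy and access to all drives and all folders" policy (SET AllowAllPaths = TRUE) to have been enabled beforehand; and the renamed .bak files are still the infected binaries, so once the machine boots cleanly they should be deleted, and the replacements' hashes re-checked with another SystemLook run rather than assumed good.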
