Jump to content

Multiple outgoing malicious IPs


Recommended Posts

Howdy,

I am see a group of IPs that are trying to get out:

188.95.52.162

195.3.145.251

208.87.33.151

199.80.55.13

67.29.139.153

logs:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Run by cclack at 19:43:35 on 2011-08-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.1178 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\rserver30\RServer3.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\rserver30\FamItrfc.Exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\igfxsrvc.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = ftp://hertz@ftp3.brierley.com/

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [Dquqijamehigata] rundll32.exe "c:\windows\agagavopiwam.dll",Startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\VPNCLI~1.LNK -

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\vmware\vmware player\vsocklib.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://babwvpn1.buildabear.com/CACHE/stc/1/binaries/vpnweb.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181925287343

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181933744859

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 10.4.2.66 10.4.2.122

TCP: Interfaces\{24CF8706-072C-4F9C-A0E1-70DEFA018297} : DhcpNameServer = 192.168.12.36 192.168.14.28

TCP: Interfaces\{29136A48-D0CD-4868-A790-EEE48F890547} : DhcpNameServer = 192.168.12.36 192.168.14.28

TCP: Interfaces\{C238C308-FA19-484A-9461-B59F13DEB237} : DhcpNameServer = 10.4.2.66 10.4.2.122

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\cclack.brierley\application data\mozilla\firefox\profiles\r023ur4n.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\cclack.brierley\application data\mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-9-1 24064]

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-2-2 41176]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-7 108392]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-8 54752]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-16 366640]

R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2007-2-21 1230936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-12-7 1839776]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-8-31 2066968]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-2-3 427192]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-8-31 144480]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-31 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-16 22712]

R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110817.002\NAVENG.SYS [2011-8-17 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110817.002\NAVEX15.SYS [2011-8-17 1576312]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-9-20 23888]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

S4 vsdatant;vsdatant;a --> a [?]

.

=============== Created Last 30 ================

.

2011-08-16 14:19:36 -------- d-----w- c:\documents and settings\cclack.brierley\application data\Malwarebytes

2011-07-19 15:38:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-19 15:27:08 -------- d-----w- c:\documents and settings\cclack.brierley\local settings\application data\{5457B5DC-F2F3-400E-8205-2C019BF29834}

.

==================== Find3M ====================

.

2011-08-17 13:29:02 0 ----a-w- c:\windows\Twekalifipulu.bin

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD3200AAKS-75L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AEBF4D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8aec57f0]; MOV EAX, [0x8aec586c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AF58AB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF5A350]

\Driver\atapi[0x8AF14A08] -> IRP_MJ_CREATE -> 0x8AEBF4D0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8AEBF31B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 19:46:00.94 ===============

Thank you for any help.

attach.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Link to post
Share on other sites

Howdy,

Thank you for taking a look. I actually jumped the gun and ran TDSSKILLER on Friday results are below.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7535

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/22/2011 10:38:57 AM

mbam-log-2011-08-22 (10-38-57).txt

Scan type: Quick scan

Objects scanned: 310657

Time elapsed: 34 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

/***TDSSKILLER

2011/08/19 12:07:52.0436 4128 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17

2011/08/19 12:07:52.0873 4128 ================================================================================

2011/08/19 12:07:52.0873 4128 SystemInfo:

2011/08/19 12:07:52.0873 4128

2011/08/19 12:07:52.0873 4128 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/19 12:07:52.0873 4128 Product type: Workstation

2011/08/19 12:07:52.0873 4128 ComputerName: PCDA035

2011/08/19 12:07:52.0889 4128 UserName: cclack

2011/08/19 12:07:52.0889 4128 Windows directory: C:\WINDOWS

2011/08/19 12:07:52.0889 4128 System windows directory: C:\WINDOWS

2011/08/19 12:07:52.0889 4128 Processor architecture: Intel x86

2011/08/19 12:07:52.0889 4128 Number of processors: 2

2011/08/19 12:07:52.0889 4128 Page size: 0x1000

2011/08/19 12:07:52.0889 4128 Boot type: Normal boot

2011/08/19 12:07:52.0889 4128 ================================================================================

2011/08/19 12:07:54.0076 4128 Initialize success

2011/08/19 12:07:59.0029 1816 ================================================================================

2011/08/19 12:07:59.0029 1816 Scan started

2011/08/19 12:07:59.0029 1816 Mode: Manual;

2011/08/19 12:07:59.0029 1816 ================================================================================

2011/08/19 12:08:01.0654 1816 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/08/19 12:08:01.0685 1816 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/08/19 12:08:01.0732 1816 ADIHdAudAddService (307f5e03b02a3022d664c36d1ea25f2c) C:\WINDOWS\system32\drivers\ADIHdAud.sys

2011/08/19 12:08:01.0763 1816 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/08/19 12:08:01.0810 1816 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/08/19 12:08:01.0951 1816 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/08/19 12:08:01.0982 1816 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/08/19 12:08:02.0076 1816 ati2mtag (15b2fe76e2eceb98c49ed52311a6f26f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/08/19 12:08:02.0107 1816 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/08/19 12:08:02.0170 1816 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/08/19 12:08:02.0201 1816 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/08/19 12:08:02.0248 1816 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys

2011/08/19 12:08:02.0295 1816 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/08/19 12:08:02.0341 1816 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/08/19 12:08:02.0388 1816 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/08/19 12:08:02.0404 1816 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/08/19 12:08:02.0420 1816 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/08/19 12:08:02.0451 1816 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys

2011/08/19 12:08:02.0513 1816 COH_Mon (de88a385898f6d13026f94f749fbaed2) C:\WINDOWS\system32\Drivers\COH_Mon.sys

2011/08/19 12:08:02.0576 1816 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2011/08/19 12:08:02.0638 1816 CVPNDRVA (465ced77e7c4f9d71b81ba600edafac1) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

2011/08/19 12:08:02.0670 1816 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/08/19 12:08:02.0716 1816 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2011/08/19 12:08:02.0716 1816 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2011/08/19 12:08:02.0748 1816 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS

2011/08/19 12:08:02.0748 1816 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2011/08/19 12:08:02.0763 1816 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2011/08/19 12:08:02.0763 1816 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2011/08/19 12:08:02.0779 1816 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2011/08/19 12:08:02.0795 1816 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2011/08/19 12:08:02.0795 1816 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2011/08/19 12:08:02.0826 1816 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/08/19 12:08:02.0888 1816 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/08/19 12:08:02.0888 1816 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/08/19 12:08:02.0920 1816 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/08/19 12:08:02.0951 1816 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2011/08/19 12:08:02.0966 1816 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/08/19 12:08:02.0982 1816 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2011/08/19 12:08:02.0998 1816 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2011/08/19 12:08:03.0029 1816 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2011/08/19 12:08:03.0060 1816 e1kexpress (d60759140694150360bbefd9cab7c920) C:\WINDOWS\system32\DRIVERS\e1k5132.sys

2011/08/19 12:08:03.0154 1816 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2011/08/19 12:08:03.0185 1816 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2011/08/19 12:08:03.0201 1816 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/08/19 12:08:03.0232 1816 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/08/19 12:08:03.0248 1816 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/08/19 12:08:03.0248 1816 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/08/19 12:08:03.0310 1816 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/08/19 12:08:03.0341 1816 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/08/19 12:08:03.0373 1816 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/08/19 12:08:03.0373 1816 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/08/19 12:08:03.0388 1816 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/08/19 12:08:03.0435 1816 hcmon (1f79859a8c1d7c14ef6207852f622add) C:\WINDOWS\system32\drivers\hcmon.sys

2011/08/19 12:08:03.0451 1816 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/08/19 12:08:03.0498 1816 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys

2011/08/19 12:08:03.0513 1816 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/08/19 12:08:03.0576 1816 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/08/19 12:08:03.0607 1816 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

2011/08/19 12:08:03.0732 1816 ialm (bffa387180121df1e4646c4ced3e16ca) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2011/08/19 12:08:03.0888 1816 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/08/19 12:08:03.0951 1816 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/08/19 12:08:03.0966 1816 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/08/19 12:08:04.0013 1816 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/08/19 12:08:04.0029 1816 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/08/19 12:08:04.0060 1816 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/08/19 12:08:04.0060 1816 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/08/19 12:08:04.0091 1816 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/08/19 12:08:04.0123 1816 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/08/19 12:08:04.0138 1816 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/08/19 12:08:04.0154 1816 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/08/19 12:08:04.0170 1816 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/08/19 12:08:04.0201 1816 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/08/19 12:08:04.0232 1816 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys

2011/08/19 12:08:04.0263 1816 mirrorv3 (d96ea49ab9a9174331bc023fd0cadc18) C:\WINDOWS\system32\DRIVERS\rminiv3.sys

2011/08/19 12:08:04.0263 1816 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/08/19 12:08:04.0295 1816 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/08/19 12:08:04.0310 1816 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/08/19 12:08:04.0341 1816 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/08/19 12:08:04.0341 1816 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/08/19 12:08:04.0357 1816 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/08/19 12:08:04.0404 1816 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/08/19 12:08:04.0419 1816 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/08/19 12:08:04.0451 1816 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/08/19 12:08:04.0466 1816 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/08/19 12:08:04.0498 1816 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/08/19 12:08:04.0529 1816 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/08/19 12:08:04.0544 1816 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/08/19 12:08:04.0669 1816 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110818.021\NAVENG.SYS

2011/08/19 12:08:04.0701 1816 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110818.021\NAVEX15.SYS

2011/08/19 12:08:04.0732 1816 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/08/19 12:08:04.0748 1816 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/08/19 12:08:04.0763 1816 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/08/19 12:08:04.0779 1816 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/08/19 12:08:04.0810 1816 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/08/19 12:08:04.0810 1816 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/08/19 12:08:04.0826 1816 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/08/19 12:08:04.0857 1816 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/08/19 12:08:04.0888 1816 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/08/19 12:08:04.0951 1816 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/08/19 12:08:04.0998 1816 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/08/19 12:08:05.0029 1816 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/08/19 12:08:05.0060 1816 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/08/19 12:08:05.0076 1816 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/08/19 12:08:05.0091 1816 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/08/19 12:08:05.0123 1816 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/08/19 12:08:05.0138 1816 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/08/19 12:08:05.0154 1816 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/08/19 12:08:05.0232 1816 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/08/19 12:08:05.0248 1816 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/08/19 12:08:05.0279 1816 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/08/19 12:08:05.0294 1816 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/08/19 12:08:05.0341 1816 raddrvv3 (bfadb3f81e4e8ab07bca46f2882989da) C:\WINDOWS\system32\rserver30\raddrvv3.sys

2011/08/19 12:08:05.0341 1816 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/08/19 12:08:05.0357 1816 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/08/19 12:08:05.0373 1816 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/08/19 12:08:05.0373 1816 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/08/19 12:08:05.0388 1816 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/08/19 12:08:05.0404 1816 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/08/19 12:08:05.0419 1816 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/08/19 12:08:05.0435 1816 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/08/19 12:08:05.0451 1816 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/08/19 12:08:05.0529 1816 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/08/19 12:08:05.0560 1816 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/08/19 12:08:05.0576 1816 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/08/19 12:08:05.0607 1816 SFAUDIO (b6401608579b6431994425ba7653f774) C:\WINDOWS\system32\drivers\sfaudio.sys

2011/08/19 12:08:05.0638 1816 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/08/19 12:08:05.0779 1816 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2011/08/19 12:08:05.0794 1816 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/08/19 12:08:05.0888 1816 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\WINDOWS\system32\Drivers\sptd.sys

2011/08/19 12:08:05.0888 1816 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 7f1b7c4d446cd3f926af45b8c48bd593

2011/08/19 12:08:05.0888 1816 sptd - detected LockedFile.Multi.Generic (1)

2011/08/19 12:08:05.0919 1816 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/08/19 12:08:05.0966 1816 SRTSP (b36f8d6a02ff2b3a53e250a629782f29) C:\WINDOWS\system32\Drivers\SRTSP.SYS

2011/08/19 12:08:06.0013 1816 SRTSPL (e99bd98ac171a29fc1ba9376be87ae73) C:\WINDOWS\system32\Drivers\SRTSPL.SYS

2011/08/19 12:08:06.0060 1816 SRTSPX (1af34729898063e9b7df8d149d767e07) C:\WINDOWS\system32\Drivers\SRTSPX.SYS

2011/08/19 12:08:06.0107 1816 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/08/19 12:08:06.0154 1816 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/08/19 12:08:06.0169 1816 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/08/19 12:08:06.0232 1816 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

2011/08/19 12:08:06.0326 1816 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2011/08/19 12:08:06.0466 1816 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2011/08/19 12:08:06.0544 1816 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/08/19 12:08:06.0607 1816 SysPlant (666992d996c524812e713effd836d043) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys

2011/08/19 12:08:06.0669 1816 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/08/19 12:08:06.0701 1816 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/08/19 12:08:06.0716 1816 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/08/19 12:08:06.0732 1816 Teefer2 (f63439ac8fa992bfa0c757eb644a1a0c) C:\WINDOWS\system32\DRIVERS\teefer2.sys

2011/08/19 12:08:06.0748 1816 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/08/19 12:08:06.0794 1816 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/08/19 12:08:06.0841 1816 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/08/19 12:08:06.0873 1816 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/08/19 12:08:06.0919 1816 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/08/19 12:08:06.0951 1816 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/08/19 12:08:06.0982 1816 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/08/19 12:08:07.0029 1816 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/08/19 12:08:07.0091 1816 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/08/19 12:08:07.0138 1816 vmci (f3a7a37d07d2c45e0cf56c764f949e99) C:\WINDOWS\system32\Drivers\vmci.sys

2011/08/19 12:08:07.0154 1816 vmkbd (5bdd3fbdf10bb329874a38631abf1d3e) C:\WINDOWS\system32\drivers\VMkbd.sys

2011/08/19 12:08:07.0169 1816 VMnetAdapter (e41704d8149992107b333cc7a52c07cc) C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys

2011/08/19 12:08:07.0201 1816 VMnetBridge (1cd8e614760b436bcc91aeab8de5592a) C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys

2011/08/19 12:08:07.0232 1816 VMnetuserif (423cf74235fe72fae568e5709a54267f) C:\WINDOWS\system32\drivers\vmnetuserif.sys

2011/08/19 12:08:07.0232 1816 VMparport (5d4dd8c7d7cd4cad9a5528001bccbaaa) C:\WINDOWS\system32\Drivers\VMparport.sys

2011/08/19 12:08:07.0294 1816 vmx86 (755a9afe6665bab01c8013849d3785b1) C:\WINDOWS\system32\Drivers\vmx86.sys

2011/08/19 12:08:07.0310 1816 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/08/19 12:08:07.0357 1816 vpnva (e1f2333a88ec4a5c8ea6be357323b72d) C:\WINDOWS\system32\DRIVERS\vpnva.sys

2011/08/19 12:08:07.0451 1816 vstor2-ws60 (476a052b3ce506ed63a94018f3e979d5) C:\Program Files\VMware\VMware Player\vstor2-ws60.sys

2011/08/19 12:08:07.0482 1816 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/08/19 12:08:07.0544 1816 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/08/19 12:08:07.0591 1816 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/08/19 12:08:07.0623 1816 WPS (9748e527f0d71bc86a1fe45f294e368b) C:\WINDOWS\system32\drivers\wpsdrvnt.sys

2011/08/19 12:08:07.0669 1816 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys

2011/08/19 12:08:07.0685 1816 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/08/19 12:08:07.0732 1816 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/08/19 12:08:07.0763 1816 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/08/19 12:08:07.0810 1816 MBR (0x1B8) (04d4350ae5fb6fc2ad3e7c26b1323c68) \Device\Harddisk0\DR0

2011/08/19 12:08:07.0810 1816 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/08/19 12:08:07.0826 1816 Boot (0x1200) (05b7cd6675e67ba70b4009a639fa9be8) \Device\Harddisk0\DR0\Partition0

2011/08/19 12:08:07.0826 1816 ================================================================================

2011/08/19 12:08:07.0826 1816 Scan finished

2011/08/19 12:08:07.0826 1816 ================================================================================

2011/08/19 12:08:07.0841 4208 Detected object count: 2

2011/08/19 12:08:07.0841 4208 Actual detected object count: 2

2011/08/19 12:08:24.0872 4208 LockedFile.Multi.Generic(sptd) - User select action: Skip

2011/08/19 12:08:24.0903 4208 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/08/19 12:08:24.0903 4208 \Device\Harddisk0\DR0 - ok

2011/08/19 12:08:24.0903 4208 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure

2011/08/19 12:08:32.0683 2088 Deinitialize success

Link to post
Share on other sites

  • Staff

Hi,

Grah a fresh copy of TDSSKiller, run it, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

  • 2 weeks later...

Yes, I apologize I was away a couple days. I ran TDSSkiller before I left, and combo along with dds today.

TDSSKILLER:

2011/08/25 20:01:38.0904 4508 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57

2011/08/25 20:01:39.0216 4508 ================================================================================

2011/08/25 20:01:39.0216 4508 SystemInfo:

2011/08/25 20:01:39.0216 4508

2011/08/25 20:01:39.0216 4508 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/25 20:01:39.0216 4508 Product type: Workstation

2011/08/25 20:01:39.0216 4508 ComputerName: PCDA035

2011/08/25 20:01:39.0216 4508 UserName: cclack

2011/08/25 20:01:39.0216 4508 Windows directory: C:\WINDOWS

2011/08/25 20:01:39.0216 4508 System windows directory: C:\WINDOWS

2011/08/25 20:01:39.0216 4508 Processor architecture: Intel x86

2011/08/25 20:01:39.0216 4508 Number of processors: 2

2011/08/25 20:01:39.0216 4508 Page size: 0x1000

2011/08/25 20:01:39.0216 4508 Boot type: Normal boot

2011/08/25 20:01:39.0216 4508 ================================================================================

2011/08/25 20:01:40.0451 4508 Initialize success

2011/08/25 20:01:44.0919 4588 ================================================================================

2011/08/25 20:01:44.0919 4588 Scan started

2011/08/25 20:01:44.0919 4588 Mode: Manual;

2011/08/25 20:01:44.0919 4588 ================================================================================

2011/08/25 20:01:45.0981 4588 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/08/25 20:01:46.0013 4588 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/08/25 20:01:46.0044 4588 ADIHdAudAddService (307f5e03b02a3022d664c36d1ea25f2c) C:\WINDOWS\system32\drivers\ADIHdAud.sys

2011/08/25 20:01:46.0075 4588 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/08/25 20:01:46.0122 4588 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

2011/08/25 20:01:46.0263 4588 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/08/25 20:01:46.0310 4588 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/08/25 20:01:46.0419 4588 ati2mtag (15b2fe76e2eceb98c49ed52311a6f26f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/08/25 20:01:46.0513 4588 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/08/25 20:01:46.0560 4588 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/08/25 20:01:46.0606 4588 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/08/25 20:01:46.0669 4588 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys

2011/08/25 20:01:46.0716 4588 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/08/25 20:01:46.0763 4588 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/08/25 20:01:46.0809 4588 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/08/25 20:01:46.0825 4588 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/08/25 20:01:46.0872 4588 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/08/25 20:01:46.0919 4588 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys

2011/08/25 20:01:46.0997 4588 COH_Mon (de88a385898f6d13026f94f749fbaed2) C:\WINDOWS\system32\Drivers\COH_Mon.sys

2011/08/25 20:01:47.0059 4588 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2011/08/25 20:01:47.0106 4588 CVPNDRVA (465ced77e7c4f9d71b81ba600edafac1) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

2011/08/25 20:01:47.0138 4588 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/08/25 20:01:47.0184 4588 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2011/08/25 20:01:47.0184 4588 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2011/08/25 20:01:47.0200 4588 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS

2011/08/25 20:01:47.0216 4588 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2011/08/25 20:01:47.0216 4588 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2011/08/25 20:01:47.0231 4588 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2011/08/25 20:01:47.0231 4588 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2011/08/25 20:01:47.0247 4588 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2011/08/25 20:01:47.0247 4588 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2011/08/25 20:01:47.0309 4588 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/08/25 20:01:47.0372 4588 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/08/25 20:01:47.0372 4588 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/08/25 20:01:47.0403 4588 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/08/25 20:01:47.0434 4588 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2011/08/25 20:01:47.0466 4588 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/08/25 20:01:47.0466 4588 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2011/08/25 20:01:47.0481 4588 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2011/08/25 20:01:47.0513 4588 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2011/08/25 20:01:47.0559 4588 e1kexpress (d60759140694150360bbefd9cab7c920) C:\WINDOWS\system32\DRIVERS\e1k5132.sys

2011/08/25 20:01:47.0700 4588 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2011/08/25 20:01:47.0716 4588 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2011/08/25 20:01:47.0747 4588 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/08/25 20:01:47.0778 4588 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/08/25 20:01:47.0794 4588 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/08/25 20:01:47.0794 4588 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/08/25 20:01:47.0841 4588 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/08/25 20:01:47.0888 4588 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/08/25 20:01:47.0903 4588 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/08/25 20:01:47.0919 4588 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/08/25 20:01:47.0934 4588 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/08/25 20:01:47.0981 4588 hcmon (1f79859a8c1d7c14ef6207852f622add) C:\WINDOWS\system32\drivers\hcmon.sys

2011/08/25 20:01:47.0981 4588 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/08/25 20:01:48.0028 4588 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys

2011/08/25 20:01:48.0044 4588 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/08/25 20:01:48.0106 4588 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/08/25 20:01:48.0138 4588 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

2011/08/25 20:01:48.0263 4588 ialm (bffa387180121df1e4646c4ced3e16ca) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2011/08/25 20:01:48.0450 4588 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/08/25 20:01:48.0528 4588 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/08/25 20:01:48.0544 4588 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/08/25 20:01:48.0606 4588 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/08/25 20:01:48.0622 4588 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/08/25 20:01:48.0653 4588 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/08/25 20:01:48.0669 4588 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/08/25 20:01:48.0684 4588 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/08/25 20:01:48.0731 4588 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/08/25 20:01:48.0747 4588 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/08/25 20:01:48.0762 4588 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/08/25 20:01:48.0778 4588 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/08/25 20:01:48.0809 4588 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/08/25 20:01:48.0856 4588 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys

2011/08/25 20:01:48.0872 4588 mirrorv3 (d96ea49ab9a9174331bc023fd0cadc18) C:\WINDOWS\system32\DRIVERS\rminiv3.sys

2011/08/25 20:01:48.0887 4588 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/08/25 20:01:48.0903 4588 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/08/25 20:01:48.0919 4588 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/08/25 20:01:48.0934 4588 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/08/25 20:01:48.0934 4588 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/08/25 20:01:48.0950 4588 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/08/25 20:01:48.0997 4588 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/08/25 20:01:49.0012 4588 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/08/25 20:01:49.0044 4588 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/08/25 20:01:49.0059 4588 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/08/25 20:01:49.0091 4588 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/08/25 20:01:49.0122 4588 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/08/25 20:01:49.0137 4588 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/08/25 20:01:49.0325 4588 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110825.018\NAVENG.SYS

2011/08/25 20:01:49.0512 4588 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110825.018\NAVEX15.SYS

2011/08/25 20:01:49.0637 4588 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/08/25 20:01:49.0762 4588 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/08/25 20:01:49.0778 4588 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/08/25 20:01:49.0794 4588 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/08/25 20:01:49.0825 4588 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/08/25 20:01:49.0825 4588 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/08/25 20:01:49.0841 4588 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/08/25 20:01:49.0872 4588 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/08/25 20:01:49.0887 4588 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/08/25 20:01:49.0950 4588 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/08/25 20:01:49.0981 4588 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/08/25 20:01:50.0012 4588 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/08/25 20:01:50.0059 4588 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/08/25 20:01:50.0059 4588 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/08/25 20:01:50.0075 4588 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/08/25 20:01:50.0091 4588 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/08/25 20:01:50.0122 4588 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/08/25 20:01:50.0137 4588 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/08/25 20:01:50.0231 4588 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/08/25 20:01:50.0247 4588 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/08/25 20:01:50.0262 4588 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/08/25 20:01:50.0294 4588 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/08/25 20:01:50.0356 4588 raddrvv3 (bfadb3f81e4e8ab07bca46f2882989da) C:\WINDOWS\system32\rserver30\raddrvv3.sys

2011/08/25 20:01:50.0372 4588 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/08/25 20:01:50.0387 4588 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/08/25 20:01:50.0387 4588 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/08/25 20:01:50.0403 4588 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/08/25 20:01:50.0403 4588 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/08/25 20:01:50.0419 4588 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/08/25 20:01:50.0450 4588 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/08/25 20:01:50.0481 4588 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/08/25 20:01:50.0497 4588 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/08/25 20:01:50.0559 4588 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/08/25 20:01:50.0591 4588 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/08/25 20:01:50.0606 4588 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/08/25 20:01:50.0637 4588 SFAUDIO (b6401608579b6431994425ba7653f774) C:\WINDOWS\system32\drivers\sfaudio.sys

2011/08/25 20:01:50.0669 4588 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/08/25 20:01:50.0794 4588 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2011/08/25 20:01:50.0825 4588 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/08/25 20:01:50.0887 4588 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\WINDOWS\system32\Drivers\sptd.sys

2011/08/25 20:01:50.0887 4588 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 7f1b7c4d446cd3f926af45b8c48bd593

2011/08/25 20:01:50.0887 4588 sptd - detected LockedFile.Multi.Generic (1)

2011/08/25 20:01:50.0903 4588 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/08/25 20:01:50.0934 4588 SRTSP (b36f8d6a02ff2b3a53e250a629782f29) C:\WINDOWS\system32\Drivers\SRTSP.SYS

2011/08/25 20:01:50.0965 4588 SRTSPL (e99bd98ac171a29fc1ba9376be87ae73) C:\WINDOWS\system32\Drivers\SRTSPL.SYS

2011/08/25 20:01:51.0012 4588 SRTSPX (1af34729898063e9b7df8d149d767e07) C:\WINDOWS\system32\Drivers\SRTSPX.SYS

2011/08/25 20:01:51.0044 4588 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/08/25 20:01:51.0075 4588 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/08/25 20:01:51.0090 4588 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/08/25 20:01:51.0169 4588 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

2011/08/25 20:01:51.0215 4588 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2011/08/25 20:01:51.0262 4588 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2011/08/25 20:01:51.0309 4588 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/08/25 20:01:51.0356 4588 SysPlant (666992d996c524812e713effd836d043) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys

2011/08/25 20:01:51.0403 4588 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/08/25 20:01:51.0450 4588 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/08/25 20:01:51.0481 4588 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/08/25 20:01:51.0512 4588 Teefer2 (f63439ac8fa992bfa0c757eb644a1a0c) C:\WINDOWS\system32\DRIVERS\teefer2.sys

2011/08/25 20:01:51.0528 4588 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/08/25 20:01:51.0590 4588 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/08/25 20:01:51.0637 4588 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/08/25 20:01:51.0684 4588 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/08/25 20:01:51.0715 4588 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/08/25 20:01:51.0747 4588 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/08/25 20:01:51.0778 4588 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/08/25 20:01:51.0840 4588 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/08/25 20:01:51.0840 4588 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/08/25 20:01:51.0903 4588 vmci (f3a7a37d07d2c45e0cf56c764f949e99) C:\WINDOWS\system32\Drivers\vmci.sys

2011/08/25 20:01:51.0950 4588 vmkbd (5bdd3fbdf10bb329874a38631abf1d3e) C:\WINDOWS\system32\drivers\VMkbd.sys

2011/08/25 20:01:51.0981 4588 VMnetAdapter (e41704d8149992107b333cc7a52c07cc) C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys

2011/08/25 20:01:52.0012 4588 VMnetBridge (1cd8e614760b436bcc91aeab8de5592a) C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys

2011/08/25 20:01:52.0028 4588 VMnetuserif (423cf74235fe72fae568e5709a54267f) C:\WINDOWS\system32\drivers\vmnetuserif.sys

2011/08/25 20:01:52.0044 4588 VMparport (5d4dd8c7d7cd4cad9a5528001bccbaaa) C:\WINDOWS\system32\Drivers\VMparport.sys

2011/08/25 20:01:52.0090 4588 vmx86 (755a9afe6665bab01c8013849d3785b1) C:\WINDOWS\system32\Drivers\vmx86.sys

2011/08/25 20:01:52.0153 4588 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/08/25 20:01:52.0184 4588 vpnva (e1f2333a88ec4a5c8ea6be357323b72d) C:\WINDOWS\system32\DRIVERS\vpnva.sys

2011/08/25 20:01:52.0309 4588 vstor2-ws60 (476a052b3ce506ed63a94018f3e979d5) C:\Program Files\VMware\VMware Player\vstor2-ws60.sys

2011/08/25 20:01:52.0325 4588 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/08/25 20:01:52.0372 4588 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/08/25 20:01:52.0465 4588 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/08/25 20:01:52.0512 4588 WPS (9748e527f0d71bc86a1fe45f294e368b) C:\WINDOWS\system32\drivers\wpsdrvnt.sys

2011/08/25 20:01:52.0559 4588 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys

2011/08/25 20:01:52.0590 4588 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/08/25 20:01:52.0637 4588 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/08/25 20:01:52.0668 4588 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/08/25 20:01:52.0731 4588 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0

2011/08/25 20:01:52.0747 4588 Boot (0x1200) (05b7cd6675e67ba70b4009a639fa9be8) \Device\Harddisk0\DR0\Partition0

2011/08/25 20:01:52.0762 4588 ================================================================================

2011/08/25 20:01:52.0762 4588 Scan finished

2011/08/25 20:01:52.0762 4588 ================================================================================

2011/08/25 20:01:52.0778 5984 Detected object count: 1

2011/08/25 20:01:52.0778 5984 Actual detected object count: 1

2011/08/25 20:02:02.0199 5984 LockedFile.Multi.Generic(sptd) - User select action: Skip

2011/08/25 20:02:07.0746 4164 Deinitialize success

COMBOFIX:

ComboFix 11-09-06.03 - cclack 09/06/2011 17:31:36.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2307 [GMT -5:00]

Running from: c:\documents and settings\cclack.WORK\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\uccc.exe.8ab524e5.ini

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk

c:\documents and settings\cclack.WORK\Application Data\Adobe\plugs

c:\documents and settings\cclack.WORK\Application Data\Adobe\shed

c:\documents and settings\cclack.WORK\Local Settings\Application Data\{5457B5DC-F2F3-400E-8205-2C019BF29834}

c:\documents and settings\cclack.WORK\Local Settings\Application Data\{5457B5DC-F2F3-400E-8205-2C019BF29834}\chrome.manifest

c:\documents and settings\cclack.WORK\Local Settings\Application Data\{5457B5DC-F2F3-400E-8205-2C019BF29834}\chrome\content\_cfg.js

c:\documents and settings\cclack.WORK\Local Settings\Application Data\{5457B5DC-F2F3-400E-8205-2C019BF29834}\chrome\content\overlay.xul

c:\documents and settings\cclack.WORK\Local Settings\Application Data\{5457B5DC-F2F3-400E-8205-2C019BF29834}\install.rdf

c:\documents and settings\dlee\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\dlee\Local Settings\Application Data\ApplicationHistory\InstallUtil.exe.89c0d2f9.ini

c:\documents and settings\gcook\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\gcook\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse

c:\windows\agagavopiwam.dll

c:\windows\system32\Cache

c:\windows\system32\comct332.ocx

c:\windows\system32\html

c:\windows\system32\html\calendar.html

c:\windows\system32\html\calendarbottom.html

c:\windows\system32\html\calendartop.html

c:\windows\system32\html\crystalexportdialog.htm

c:\windows\system32\html\crystalprinthost.html

c:\windows\system32\images

c:\windows\system32\images\toolbar\calendar.gif

c:\windows\system32\images\toolbar\crlogo.gif

c:\windows\system32\images\toolbar\export.gif

c:\windows\system32\images\toolbar\export_over.gif

c:\windows\system32\images\toolbar\exportd.gif

c:\windows\system32\images\toolbar\First.gif

c:\windows\system32\images\toolbar\first_over.gif

c:\windows\system32\images\toolbar\Firstd.gif

c:\windows\system32\images\toolbar\gotopage.gif

c:\windows\system32\images\toolbar\gotopage_over.gif

c:\windows\system32\images\toolbar\gotopaged.gif

c:\windows\system32\images\toolbar\grouptree.gif

c:\windows\system32\images\toolbar\grouptree_over.gif

c:\windows\system32\images\toolbar\grouptreed.gif

c:\windows\system32\images\toolbar\grouptreepressed.gif

c:\windows\system32\images\toolbar\Last.gif

c:\windows\system32\images\toolbar\last_over.gif

c:\windows\system32\images\toolbar\Lastd.gif

c:\windows\system32\images\toolbar\Next.gif

c:\windows\system32\images\toolbar\next_over.gif

c:\windows\system32\images\toolbar\Nextd.gif

c:\windows\system32\images\toolbar\Prev.gif

c:\windows\system32\images\toolbar\prev_over.gif

c:\windows\system32\images\toolbar\Prevd.gif

c:\windows\system32\images\toolbar\print.gif

c:\windows\system32\images\toolbar\print_over.gif

c:\windows\system32\images\toolbar\printd.gif

c:\windows\system32\images\toolbar\Refresh.gif

c:\windows\system32\images\toolbar\refresh_over.gif

c:\windows\system32\images\toolbar\refreshd.gif

c:\windows\system32\images\toolbar\Search.gif

c:\windows\system32\images\toolbar\search_over.gif

c:\windows\system32\images\toolbar\searchd.gif

c:\windows\system32\images\toolbar\up.gif

c:\windows\system32\images\toolbar\up_over.gif

c:\windows\system32\images\toolbar\upd.gif

c:\windows\system32\images\tree\begindots.gif

c:\windows\system32\images\tree\beginminus.gif

c:\windows\system32\images\tree\beginplus.gif

c:\windows\system32\images\tree\blank.gif

c:\windows\system32\images\tree\blankdots.gif

c:\windows\system32\images\tree\dots.gif

c:\windows\system32\images\tree\lastdots.gif

c:\windows\system32\images\tree\lastminus.gif

c:\windows\system32\images\tree\lastplus.gif

c:\windows\system32\images\tree\Magnify.gif

c:\windows\system32\images\tree\minus.gif

c:\windows\system32\images\tree\minusbox.gif

c:\windows\system32\images\tree\plus.gif

c:\windows\system32\images\tree\plusbox.gif

c:\windows\system32\images\tree\singleminus.gif

c:\windows\system32\images\tree\singleplus.gif

.

.

((((((((((((((((((((((((( Files Created from 2011-08-06 to 2011-09-06 )))))))))))))))))))))))))))))))

.

.

2011-08-24 13:16 . 2011-08-24 13:16 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2011-08-19 21:55 . 2011-08-19 21:55 -------- d-----w- c:\program files\ESET

2011-08-19 18:12 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-19 18:12 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-19 18:11 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-16 14:19 . 2011-08-16 14:19 -------- d-----w- c:\documents and settings\cclack.WORK\Application Data\Malwarebytes

2011-08-15 19:59 . 2011-08-15 19:59 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2011-08-15 19:58 . 2011-08-15 19:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-19 15:38 . 2011-07-19 15:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-04 10:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 00:52 . 2010-04-16 14:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52 . 2010-04-16 14:59 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 14:10 . 2007-06-15 15:46 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-09-06 22:16 . 2011-03-24 13:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-10-22 64048]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-21 796696]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 166424]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-07 115560]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-6-19 25214]

VPN Client.lnk - [N/A]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-09-11 13:52 141848 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-09-11 13:51 137752 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2009-06-22 19:21 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4899:TCP"= 4899:TCP:Sunbelt

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [9/1/2009 2:55 PM 24064]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/29/2008 2:32 PM 716272]

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2/2/2007 2:54 PM 41176]

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/16/2010 9:59 AM 366640]

R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2/21/2007 7:28 PM 1230936]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/31/2009 3:51 PM 2066968]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 5:45 AM 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 4:47 AM 563760]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 3:39 PM 427192]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/31/2009 3:43 PM 144480]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2011 12:36 PM 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/16/2010 9:59 AM 22712]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/20/2010 2:39 PM 23888]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 75152915

*Deregistered* - 75152915

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = ftp://hertz@ftp3.WORK.com/

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\VMware\VMware Player\vsocklib.dll

TCP: DhcpNameServer = 10.4.2.66 10.4.2.122

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://babwvpn1.buildabear.com/CACHE/stc/1/binaries/vpnweb.cab

FF - ProfilePath - c:\documents and settings\cclack.WORK\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-atchk - c:\program files\Intel\AMT\atchk.exe

HKLM-Run-Dquqijamehigata - c:\windows\agagavopiwam.dll

Notify-NavLogon - (no file)

SafeBoot-Symantec Antvirus

MSConfigStartUp-Dquqijamehigata - c:\windows\agagavopiwam.dll

MSConfigStartUp-Security Protection - c:\documents and settings\All Users\Application Data\defender.exe

AddRemove-HijackThis - c:\documents and settings\hmohammed\Local Settings\Temporary Internet Files\Content.IE5\77J58J8Q\HijackThis.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-06 17:41

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"="a"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1416)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\igfxdev.dll

.

Completion time: 2011-09-06 17:43:34

ComboFix-quarantined-files.txt 2011-09-06 22:43

.

Pre-Run: 270,624,612,352 bytes free

Post-Run: 273,449,365,504 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - E643FFD061A8F0E7DBE47D795FCC5863

DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Run by cclack at 17:55:31 on 2011-09-06

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2401 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\rserver30\RServer3.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\system32\rserver30\FamItrfc.Exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = ftp://hertz@ftp3.work.com/

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\VPNCLI~1.LNK -

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\vmware\vmware player\vsocklib.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://babwvpn1.buildabear.com/CACHE/stc/1/binaries/vpnweb.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181925287343

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181933744859

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 10.4.2.66 10.4.2.122

TCP: Interfaces\{24CF8706-072C-4F9C-A0E1-70DEFA018297} : DhcpNameServer = 192.168.12.36 192.168.14.28

TCP: Interfaces\{29136A48-D0CD-4868-A790-EEE48F890547} : DhcpNameServer = 192.168.12.36 192.168.14.28

TCP: Interfaces\{C238C308-FA19-484A-9461-B59F13DEB237} : DhcpNameServer = 10.4.2.66 10.4.2.122

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\cclack.work\application data\mozilla\firefox\profiles\r023ur4n.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\cclack.work\application data\mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-9-1 24064]

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-2-2 41176]

R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-7 108392]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-8 54752]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-16 366640]

R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2007-2-21 1230936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-12-7 1839776]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-8-31 2066968]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-2-3 427192]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-8-31 144480]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-31 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-16 22712]

R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110906.002\NAVENG.SYS [2011-9-6 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110906.002\NAVEX15.SYS [2011-9-6 1576312]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-9-20 23888]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

S4 vsdatant;vsdatant;a --> a [?]

.

=============== Created Last 30 ================

.

2011-09-06 22:26:51 -------- d-sha-r- C:\cmdcons

2011-09-06 22:21:46 98816 ----a-w- c:\windows\sed.exe

2011-09-06 22:21:46 518144 ----a-w- c:\windows\SWREG.exe

2011-09-06 22:21:46 256000 ----a-w- c:\windows\PEV.exe

2011-09-06 22:21:46 208896 ----a-w- c:\windows\MBR.exe

2011-09-06 22:21:42 -------- d-----w- C:\ComboFix

2011-08-19 21:55:09 -------- d-----w- c:\program files\ESET

2011-08-19 18:12:47 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-19 18:12:46 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-19 18:11:54 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-16 14:19:36 -------- d-----w- c:\documents and settings\cclack.work\application data\Malwarebytes

.

==================== Find3M ====================

.

2011-09-06 12:48:55 0 ----a-w- c:\windows\Twekalifipulu.bin

2011-07-19 15:38:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 17:57:17.28 ===============

Link to post
Share on other sites

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

Thank you for your help. Here are the logs.

ESET:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=41217

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=80d048523759ce43b6a3eb8afc256b0c

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-19 10:48:03

# local_time=2011-08-19 05:48:03 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=86632

# found=4

# cleaned=0

# scan_time=1452

C:\Documents and Settings\cclack.WORK\Application Data\Sun\Java\Deployment\cache\6.0\20\257e0a14-1e6c215e probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\cclack.WORK\Application Data\Sun\Java\Deployment\cache\6.0\41\3aff5a9-7785db2b a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\2\93\F3140d01 HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\5\49\3D35Ed01 HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=80d048523759ce43b6a3eb8afc256b0c

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-23 01:25:33

# local_time=2011-08-22 08:25:33 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 178415 178415 0 0

# scanned=266754

# found=12

# cleaned=0

# scan_time=7009

C:\Documents and Settings\cclack.WORK\Application Data\Sun\Java\Deployment\cache\6.0\20\257e0a14-1e6c215e probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\cclack.WORK\Application Data\Sun\Java\Deployment\cache\6.0\41\3aff5a9-7785db2b a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\2\93\F3140d01 HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\5\49\3D35Ed01 HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\F\84\2D33Fd01 HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5AVAW98W\b_onlyfreshteens_com[1].htm JS/Kryptik.CB trojan (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MQLCXDG2\b_onlyfreshteens_com[1].htm JS/Kryptik.CB trojan (unable to clean) 00000000000000000000000000000000 I

C:\Program Files\DAEMON Tools Lite\SRSAI.exe Win32/Adware.Toolbar.Shopper application (unable to clean) 00000000000000000000000000000000 I

C:\WINDOWS\agagavopiwam.dll a variant of Win32/Kryptik.RAA trojan (unable to clean) 00000000000000000000000000000000 I

C:\WINDOWS\Installer\49e05.msi Win32/RAdmin.30 application (unable to clean) 00000000000000000000000000000000 I

C:\WINDOWS\system32\rserver30\rserver3.exe Win32/RAdmin.30 application (unable to clean) 00000000000000000000000000000000 I

${Memory} multiple threats 00000000000000000000000000000000 I

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=80d048523759ce43b6a3eb8afc256b0c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-13 04:35:05

# local_time=2011-09-13 11:35:05 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 2049387 2049387 0 0

# scanned=277209

# found=5

# cleaned=5

# scan_time=5009

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\2\93\F3140d01 HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\5\49\3D35Ed01 HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\cclack.WORK\Local Settings\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\Cache\F\84\2D33Fd01 HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\DAEMON Tools Lite\SRSAI.exe Win32/Adware.Toolbar.Shopper application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\agagavopiwam.dll.vir a variant of Win32/Kryptik.RAA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Security Check:

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

ESET Online Scanner v3

Symantec Endpoint Protection

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 15

Java 6 Update 3

Out of date Java installed!

Adobe Flash Player 10.3.181.26

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Malwarebytes' Anti-Malware mbamservice.exe

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

ClearJavaCache::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

Hello,

ComboFix:

ComboFix 11-09-16.01 - cclack 09/16/2011 17:58:28.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2341 [GMT -5:00]

Running from: c:\documents and settings\cclack.WORK\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\cclack.WORK\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Microsoft Office\OFFICE11\OSA.exe

c:\windows\system32\d3d9caps.dat

.

.

((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))

.

.

2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-08-30 20:33 . 2011-08-30 20:33 95672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-08-19 21:55 . 2011-08-19 21:55 -------- d-----w- c:\program files\ESET

2011-08-19 18:12 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-19 18:12 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-19 18:11 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-31 22:00 . 2010-04-16 14:59 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-19 15:38 . 2011-07-19 15:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-04 10:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2007-06-15 15:46 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-09-08 13:23 . 2011-03-24 13:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-09-06_22.41.49 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-15 15:30 . 2011-09-15 15:30 16384 c:\windows\Temp\Perflib_Perfdata_978.dat

+ 2011-09-15 13:38 . 2011-09-15 13:38 16384 c:\windows\Temp\Perflib_Perfdata_810.dat

+ 2011-09-15 13:38 . 2011-09-15 13:38 16384 c:\windows\Temp\Perflib_Perfdata_228.dat

+ 2009-03-26 16:56 . 2011-09-16 15:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-03-26 16:56 . 2011-09-06 15:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-03-26 16:56 . 2011-09-06 15:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-26 16:56 . 2011-09-16 15:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-09-07 15:31 . 2011-09-16 15:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-26 16:56 . 2011-09-06 15:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-10-26 13:44 . 2011-08-19 18:38 12288 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-10-26 13:44 . 2011-09-15 13:14 12288 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2011-09-15 13:14 . 2011-09-15 13:14 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

- 2011-08-19 18:29 . 2011-08-19 18:29 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2011-05-27 14:53 . 2011-05-27 14:53 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\ViewerPS.dll

+ 2011-05-27 19:52 . 2011-05-27 19:52 40368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\reader_sl.exe

+ 2011-05-27 14:52 . 2011-05-27 14:52 67016 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\PDFPrevHndlrShim.exe

+ 2011-05-27 14:52 . 2011-05-27 14:52 83376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\PDFPrevHndlr.dll

+ 2011-05-27 14:01 . 2011-05-27 14:01 95672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\nppdf32.dll

+ 2011-05-27 14:10 . 2011-05-27 14:10 13752 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\AcroRd32Info.exe

- 2009-10-26 13:44 . 2011-08-19 18:38 4096 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-10-26 13:44 . 2011-09-15 13:14 4096 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-10-26 13:50 . 2011-08-19 18:28 4096 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-10-26 13:50 . 2011-09-15 13:13 4096 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2004-08-04 10:00 . 2011-09-15 13:42 525676 c:\windows\system32\perfh009.dat

- 2004-08-04 10:00 . 2011-08-24 13:20 525676 c:\windows\system32\perfh009.dat

+ 2004-08-04 10:00 . 2011-09-15 13:42 101550 c:\windows\system32\perfc009.dat

- 2004-08-04 10:00 . 2011-08-24 13:20 101550 c:\windows\system32\perfc009.dat

+ 2010-01-28 17:07 . 2011-09-15 13:39 227334 c:\windows\system32\inetsrv\MetaBase.bin

- 2011-08-01 16:37 . 2011-08-01 16:37 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A83000000003}\SC_Reader.exe

+ 2011-08-01 16:37 . 2011-09-15 13:32 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A83000000003}\SC_Reader.exe

- 2009-10-26 13:44 . 2011-08-19 18:38 176128 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\visicon.exe

+ 2009-10-26 13:44 . 2011-09-15 13:14 176128 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\visicon.exe

+ 2009-10-26 13:44 . 2011-09-15 13:14 135168 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-10-26 13:44 . 2011-08-19 18:38 135168 c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-10-26 13:50 . 2011-08-19 18:28 147456 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\pj11icon.exe

+ 2009-10-26 13:50 . 2011-09-15 13:13 147456 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\pj11icon.exe

+ 2009-10-26 13:50 . 2011-09-15 13:13 135168 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-10-26 13:50 . 2011-08-19 18:28 135168 c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2007-06-18 14:39 . 2011-09-15 13:13 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2007-06-18 14:39 . 2011-08-19 18:38 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2011-05-27 14:06 . 2011-05-27 14:06 372736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\pdfshell.dll

+ 2011-05-27 13:20 . 2011-05-27 13:20 140728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\AdobeUpdateCheck.exe

+ 2011-05-27 14:51 . 2011-05-27 14:51 738776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\AdobeCollabSync.exe

+ 2011-05-27 14:42 . 2011-05-27 14:42 112048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\AcroRdIF.dll

+ 2011-05-27 19:52 . 2011-05-27 19:52 345520 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\AcroRd32.exe

+ 2011-05-27 13:24 . 2011-05-27 13:24 632240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\AcroPDF.dll

+ 2011-01-14 12:10 . 2011-01-14 12:10 155520 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD6.DLL

+ 2011-01-14 12:10 . 2011-01-14 12:10 140160 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL2.DLL

+ 2011-08-31 05:33 . 2011-08-31 05:33 3550208 c:\windows\Installer\312f8.msp

+ 2011-08-10 22:43 . 2011-08-10 22:43 3795968 c:\windows\Installer\293b84eb.msp

+ 2011-07-26 13:17 . 2011-07-26 13:17 6824960 c:\windows\Installer\293b84bd.msp

+ 2011-08-16 17:35 . 2011-08-16 17:35 5519872 c:\windows\Installer\293b84a8.msp

+ 2011-07-21 17:34 . 2011-07-21 17:34 3456000 c:\windows\Installer\293b8494.msp

+ 2011-09-07 02:48 . 2011-09-07 02:48 8181248 c:\windows\Installer\293b8489.msp

+ 2011-07-27 12:39 . 2011-07-27 12:39 9892352 c:\windows\Installer\293b847c.msp

+ 2011-05-27 13:22 . 2011-05-27 13:22 1953792 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\rt3d.dll

+ 2011-01-14 12:10 . 2011-01-14 12:10 2395008 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD.DLL

+ 2011-01-14 12:10 . 2011-01-14 12:10 2180992 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKPOWERPOINT.DLL

+ 2011-01-14 12:10 . 2011-01-14 12:10 3443072 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL.DLL

+ 2009-08-17 22:38 . 2009-08-17 22:38 8554872 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6514\OARTCONV.DLL

+ 2007-06-18 13:17 . 2011-09-15 13:09 46249416 c:\windows\system32\MRT.exe

+ 2011-07-26 21:33 . 2011-07-26 21:33 10984448 c:\windows\Installer\293b84d2.msp

+ 2011-05-27 19:29 . 2011-05-27 19:29 13338040 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0300000030\8.3.0\AcroRd32.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-10-22 64048]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-21 796696]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 166424]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-07 115560]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-6-19 25214]

VPN Client.lnk - [N/A]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-09-11 13:52 141848 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-09-11 13:51 137752 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2009-06-22 19:21 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4899:TCP"= 4899:TCP:Sunbelt

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [9/1/2009 2:55 PM 24064]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/29/2008 2:32 PM 716272]

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2/2/2007 2:54 PM 41176]

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/16/2010 9:59 AM 366152]

R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2/21/2007 7:28 PM 1230936]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/31/2009 3:51 PM 2066968]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 5:45 AM 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 4:47 AM 563760]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 3:39 PM 427192]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/31/2009 3:43 PM 144480]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2011 12:36 PM 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/16/2010 9:59 AM 22216]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/20/2010 2:39 PM 23888]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = ftp://hertz@ftp3.WORK.com/

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\VMware\VMware Player\vsocklib.dll

TCP: DhcpNameServer = 10.4.2.66 10.4.2.122

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn1.buildabear.com/CACHE/stc/1/binaries/vpnweb.cab

FF - ProfilePath - c:\documents and settings\cclack.WORK\Application Data\Mozilla\Firefox\Profiles\r023ur4n.default\

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-16 18:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"="a"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1420)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\igfxdev.dll

.

Completion time: 2011-09-16 18:08:20

ComboFix-quarantined-files.txt 2011-09-16 23:08

ComboFix2.txt 2011-09-06 22:43

.

Pre-Run: 272,580,128,768 bytes free

Post-Run: 272,609,095,680 bytes free

.

- - End Of File - - C77719D9FA1CCD1498AD50F7BA5ABC4D

DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Run by cclack at 18:09:32 on 2011-09-16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2388 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\rserver30\RServer3.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe

C:\WINDOWS\system32\rserver30\FamItrfc.Exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = ftp://hertz@ftp3.work.com/

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\VPNCLI~1.LNK -

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\vmware\vmware player\vsocklib.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn1.buildabear.com/CACHE/stc/1/binaries/vpnweb.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181925287343

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181933744859

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 10.4.2.66 10.4.2.122

TCP: Interfaces\{24CF8706-072C-4F9C-A0E1-70DEFA018297} : DhcpNameServer = 192.168.12.36 192.168.14.28

TCP: Interfaces\{29136A48-D0CD-4868-A790-EEE48F890547} : DhcpNameServer = 192.168.12.36 192.168.14.28

TCP: Interfaces\{C238C308-FA19-484A-9461-B59F13DEB237} : DhcpNameServer = 10.4.2.66 10.4.2.122

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\cclack.work\application data\mozilla\firefox\profiles\r023ur4n.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\cclack.work\application data\mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-9-1 24064]

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-2-2 41176]

R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-7 108392]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-8 54752]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-16 366152]

R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2007-2-21 1230936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-12-7 1839776]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-8-31 2066968]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-2-3 427192]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-8-31 144480]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-31 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-16 22216]

R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110916.002\NAVENG.SYS [2011-9-16 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110916.002\NAVEX15.SYS [2011-9-16 1576312]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-9-20 23888]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

S4 vsdatant;vsdatant;a --> a [?]

.

=============== Created Last 30 ================

.

2011-09-06 22:26:51 -------- d-sha-r- C:\cmdcons

2011-09-06 22:21:46 98816 ----a-w- c:\windows\sed.exe

2011-09-06 22:21:46 518144 ----a-w- c:\windows\SWREG.exe

2011-09-06 22:21:46 256000 ----a-w- c:\windows\PEV.exe

2011-09-06 22:21:46 208896 ----a-w- c:\windows\MBR.exe

2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-08-30 20:33:42 95672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-08-19 21:55:09 -------- d-----w- c:\program files\ESET

2011-08-19 18:12:47 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-19 18:12:46 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-19 18:11:54 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 12:48:55 0 ----a-w- c:\windows\Twekalifipulu.bin

2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-19 15:38:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 18:09:43.00 ===============

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java™ 6 Update 15

Java™ 6 Update 3

Adobe Reader 8.0

Restart your computer.

Get the latest version of Java and Adobe Reader.

Let me know what issues remain.

-screen317

Link to post
Share on other sites

  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.