
smitfraud-c.generic-Can't seem to shake this one


  • This topic is locked
9 replies to this topic

#1 crisw

    New Member

  • Members
  • 4 posts

Posted 09 March 2012 - 09:08 PM

Need help beating this Trojan. Spybot and Malwarebytes won't touch it. I've attached the DDS logs. Thanks in advance!


#2 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 10 March 2012 - 06:18 AM

Hello and welcome!

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

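The steps in the post above, scripted, as an added example that is not part of the original reply and not Kaspersky's own code. It assumes TDSSKiller.exe has already been downloaded to the Desktop and that Start Scan, Cure and Reboot now are still clicked by hand in the tool's window; it uses no TDSSKiller command-line switches, only the file-name and log-location conventions the post describes. The helper function `Get-TdssKillerLog` is my own name for the "find the log" step. The rename matters because rootkits in the TDSS family refuse to let known security tools start by checking the executable's name; a PE file renamed to a random .com name still runs, since Windows loads it by its header rather than its extension.

```powershell
# Added example (not from the forum post or from Kaspersky): scripts the steps
# the helper describes. Assumes TDSSKiller.exe is already on the Desktop; the
# Start Scan / Cure / Reboot now clicks still happen in the tool's own window.
# Written for the PowerShell 2.0 that ships with Windows 7, so no -File switch.

function Get-TdssKillerLog {
    # The tool writes TDSSKiller.<version>_<date>_<time>_log.txt to the root of
    # the system drive (usually C:\). Return the newest one, or $null.
    $root = [System.IO.Path]::GetPathRoot($env:SystemRoot)
    Get-ChildItem -Path $root -Filter 'TDSSKiller*_log.txt' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

$desktop = [Environment]::GetFolderPath('Desktop')
$tool    = Join-Path $desktop 'TDSSKiller.exe'
if (-not (Test-Path $tool)) { throw "TDSSKiller.exe not found in $desktop" }

# Step 1: random name with a .com extension. TDSS-family rootkits block security
# tools by executable name, so the rename is what lets the tool start at all.
# A PE file runs under a .com name; Windows goes by the file header, not the extension.
$alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
$newName  = (-join (1..8 | ForEach-Object { $alphabet | Get-Random })) + '.com'
Rename-Item -Path $tool -NewName $newName
$renamed = Join-Path $desktop $newName

# Step 2: run elevated (UAC prompt on Vista/7) and wait until the window is closed.
# Do not use the computer while the scan runs.
Start-Process -FilePath $renamed -Verb RunAs -Wait

# Step 3: pre-screen the log. Every clean driver entry ends in "- ok", so what
# is left is what the helper needs to look at. The full file is still what gets
# pasted into the reply.
$log = Get-TdssKillerLog
if ($null -eq $log) {
    throw 'No TDSSKiller log found. If Cure rebooted the machine, run Get-TdssKillerLog again afterwards.'
}
Write-Host "Log file: $($log.FullName)"
Get-Content -Path $log.FullName | Where-Object { $_ -notmatch ' - ok\s*$' }
```

If the tool asks to reboot after a cure, the script will not get past step 2; after the reboot, dot-source the file and call `Get-TdssKillerLog` on its own to locate the log, then paste the whole file, not just the pre-screened lines, into the reply.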


#3 crisw

    New Member

  • Members
  • 4 posts

Posted 10 March 2012 - 11:21 AM

Hi Elise! Thanks for your help!

08:13:52.0674 2436 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
08:13:54.0679 2436 ============================================================
08:13:54.0679 2436 Current date / time: 2012/03/10 08:13:54.0679
08:13:54.0680 2436 SystemInfo:
08:13:54.0680 2436
08:13:54.0680 2436 OS Version: 6.1.7601 ServicePack: 1.0
08:13:54.0680 2436 Product type: Workstation
08:13:54.0680 2436 ComputerName: NIKKI-PC
08:13:54.0681 2436 UserName: Nikki
08:13:54.0681 2436 Windows directory: C:\windows
08:13:54.0681 2436 System windows directory: C:\windows
08:13:54.0681 2436 Running under WOW64
08:13:54.0681 2436 Processor architecture: Intel x64
08:13:54.0681 2436 Number of processors: 2
08:13:54.0681 2436 Page size: 0x1000
08:13:54.0681 2436 Boot type: Normal boot
08:13:54.0681 2436 ============================================================
08:13:57.0636 2436 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
08:13:57.0648 2436 \Device\Harddisk0\DR0:
08:13:57.0665 2436 MBR used
08:13:57.0665 2436 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0x23A94800
08:13:57.0715 2436 Initialize success
08:13:57.0715 2436 ============================================================
08:14:19.0060 0484 ============================================================
08:14:19.0060 0484 Scan started
08:14:19.0061 0484 Mode: Manual;
08:14:19.0061 0484 ============================================================
08:14:20.0047 0484 1394ohci (a87d604aea360176311474c87a63bb88) C:\windows\system32\drivers\1394ohci.sys
08:14:20.0055 0484 1394ohci - ok
08:14:20.0161 0484 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\windows\system32\drivers\ACPI.sys
08:14:20.0167 0484 ACPI - ok
08:14:20.0279 0484 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\windows\system32\drivers\acpipmi.sys
08:14:20.0282 0484 AcpiPmi - ok
08:14:20.0417 0484 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\windows\system32\drivers\adp94xx.sys
08:14:20.0432 0484 adp94xx - ok
08:14:20.0561 0484 adpahci (597f78224ee9224ea1a13d6350ced962) C:\windows\system32\drivers\adpahci.sys
08:14:20.0577 0484 adpahci - ok
08:14:20.0695 0484 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\windows\system32\drivers\adpu320.sys
08:14:20.0702 0484 adpu320 - ok
08:14:20.0893 0484 aevocnsf (a412d2fd7c0e1b50a7845fa083894223) C:\windows\system32\drivers\aevocnsf.sys
08:14:20.0899 0484 aevocnsf - ok
08:14:21.0034 0484 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\windows\system32\drivers\afd.sys
08:14:21.0045 0484 AFD - ok
08:14:21.0159 0484 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\windows\system32\drivers\agp440.sys
08:14:21.0163 0484 agp440 - ok
08:14:21.0288 0484 aliide (5812713a477a3ad7363c7438ca2ee038) C:\windows\system32\drivers\aliide.sys
08:14:21.0292 0484 aliide - ok
08:14:21.0417 0484 amdide (1ff8b4431c353ce385c875f194924c0c) C:\windows\system32\drivers\amdide.sys
08:14:21.0422 0484 amdide - ok
08:14:21.0527 0484 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\windows\system32\drivers\amdk8.sys
08:14:21.0536 0484 AmdK8 - ok
08:14:21.0887 0484 amdkmdag (7a1ac757f3a2a3126a806b7319cab21b) C:\windows\system32\DRIVERS\atikmdag.sys
08:14:22.0078 0484 amdkmdag - ok
08:14:22.0205 0484 amdkmdap (eef6f806eedfd1c746071f1fd684870e) C:\windows\system32\DRIVERS\atikmpag.sys
08:14:22.0211 0484 amdkmdap - ok
08:14:22.0320 0484 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\windows\system32\DRIVERS\amdppm.sys
08:14:22.0324 0484 AmdPPM - ok
08:14:22.0414 0484 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\windows\system32\drivers\amdsata.sys
08:14:22.0418 0484 amdsata - ok
08:14:22.0518 0484 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\windows\system32\drivers\amdsbs.sys
08:14:22.0527 0484 amdsbs - ok
08:14:22.0649 0484 amdxata (540daf1cea6094886d72126fd7c33048) C:\windows\system32\drivers\amdxata.sys
08:14:22.0652 0484 amdxata - ok
08:14:22.0756 0484 amd_sata (caee7c1afc9f1c9ee8dd11acd18d22e7) C:\windows\system32\DRIVERS\amd_sata.sys
08:14:22.0759 0484 amd_sata - ok
08:14:22.0866 0484 amd_xata (23726116b4fbcc84fc45b95157c08f5f) C:\windows\system32\DRIVERS\amd_xata.sys
08:14:22.0870 0484 amd_xata - ok
08:14:23.0018 0484 AppID (89a69c3f2f319b43379399547526d952) C:\windows\system32\drivers\appid.sys
08:14:23.0023 0484 AppID - ok
08:14:23.0208 0484 arc (c484f8ceb1717c540242531db7845c4e) C:\windows\system32\drivers\arc.sys
08:14:23.0213 0484 arc - ok
08:14:23.0355 0484 arcsas (019af6924aefe7839f61c830227fe79c) C:\windows\system32\drivers\arcsas.sys
08:14:23.0359 0484 arcsas - ok
08:14:23.0458 0484 AsyncMac (769765ce2cc62867468cea93969b2242) C:\windows\system32\DRIVERS\asyncmac.sys
08:14:23.0463 0484 AsyncMac - ok
08:14:23.0566 0484 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\windows\system32\drivers\atapi.sys
08:14:23.0571 0484 atapi - ok
08:14:23.0798 0484 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\windows\system32\drivers\bxvbda.sys
08:14:23.0813 0484 b06bdrv - ok
08:14:23.0937 0484 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\windows\system32\DRIVERS\b57nd60a.sys
08:14:23.0944 0484 b57nd60a - ok
08:14:24.0051 0484 Beep (16a47ce2decc9b099349a5f840654746) C:\windows\system32\drivers\Beep.sys
08:14:24.0056 0484 Beep - ok
08:14:24.0301 0484 BHDrvx64 (6c64fa457c200874faa87d74152e0d84) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120302.001\BHDrvx64.sys
08:14:24.0323 0484 BHDrvx64 - ok
08:14:24.0432 0484 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\windows\system32\DRIVERS\blbdrive.sys
08:14:24.0436 0484 blbdrive - ok
08:14:24.0543 0484 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\windows\system32\DRIVERS\bowser.sys
08:14:24.0548 0484 bowser - ok
08:14:24.0645 0484 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\windows\system32\drivers\BrFiltLo.sys
08:14:24.0649 0484 BrFiltLo - ok
08:14:24.0749 0484 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\windows\system32\drivers\BrFiltUp.sys
08:14:24.0755 0484 BrFiltUp - ok
08:14:24.0912 0484 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\windows\System32\Drivers\Brserid.sys
08:14:24.0930 0484 Brserid - ok
08:14:25.0034 0484 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\windows\System32\Drivers\BrSerWdm.sys
08:14:25.0038 0484 BrSerWdm - ok
08:14:25.0134 0484 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\windows\System32\Drivers\BrUsbMdm.sys
08:14:25.0139 0484 BrUsbMdm - ok
08:14:25.0245 0484 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\windows\System32\Drivers\BrUsbSer.sys
08:14:25.0248 0484 BrUsbSer - ok
08:14:25.0348 0484 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\windows\system32\drivers\bthmodem.sys
08:14:25.0353 0484 BTHMODEM - ok
08:14:25.0467 0484 cdfs (b8bd2bb284668c84865658c77574381a) C:\windows\system32\DRIVERS\cdfs.sys
08:14:25.0472 0484 cdfs - ok
08:14:25.0576 0484 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\windows\system32\DRIVERS\cdrom.sys
08:14:25.0583 0484 cdrom - ok
08:14:25.0687 0484 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\windows\system32\drivers\circlass.sys
08:14:25.0690 0484 circlass - ok
08:14:25.0823 0484 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\windows\system32\CLFS.sys
08:14:25.0832 0484 CLFS - ok
08:14:25.0997 0484 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\windows\system32\DRIVERS\CmBatt.sys
08:14:26.0001 0484 CmBatt - ok
08:14:26.0114 0484 cmdide (e19d3f095812725d88f9001985b94edd) C:\windows\system32\drivers\cmdide.sys
08:14:26.0119 0484 cmdide - ok
08:14:26.0229 0484 CNG (c4943b6c962e4b82197542447ad599f4) C:\windows\system32\Drivers\cng.sys
08:14:26.0241 0484 CNG - ok
08:14:26.0388 0484 CnxtHdAudService (99b1b888b793de320c5479b3c953781f) C:\windows\system32\drivers\CHDRT64.sys
08:14:26.0413 0484 CnxtHdAudService - ok
08:14:26.0522 0484 Compbatt (102de219c3f61415f964c88e9085ad14) C:\windows\system32\drivers\compbatt.sys
08:14:26.0525 0484 Compbatt - ok
08:14:26.0623 0484 CompositeBus (03edb043586cceba243d689bdda370a8) C:\windows\system32\DRIVERS\CompositeBus.sys
08:14:26.0627 0484 CompositeBus - ok
08:14:26.0747 0484 crcdisk (1c827878a998c18847245fe1f34ee597) C:\windows\system32\drivers\crcdisk.sys
08:14:26.0750 0484 crcdisk - ok
08:14:26.0921 0484 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\windows\system32\Drivers\dfsc.sys
08:14:26.0926 0484 DfsC - ok
08:14:27.0049 0484 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\windows\system32\drivers\discache.sys
08:14:27.0053 0484 discache - ok
08:14:27.0215 0484 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\windows\system32\drivers\disk.sys
08:14:27.0219 0484 Disk - ok
08:14:27.0338 0484 drmkaud (9b19f34400d24df84c858a421c205754) C:\windows\system32\drivers\drmkaud.sys
08:14:27.0341 0484 drmkaud - ok
08:14:27.0452 0484 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\windows\System32\drivers\dxgkrnl.sys
08:14:27.0467 0484 DXGKrnl - ok
08:14:27.0636 0484 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\windows\system32\drivers\evbda.sys
08:14:27.0694 0484 ebdrv - ok
08:14:27.0816 0484 eeCtrl (0c3f9eff8ddd9f9eb56d754b4620155f) C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
08:14:27.0827 0484 eeCtrl - ok
08:14:28.0102 0484 elxstor (0e5da5369a0fcaea12456dd852545184) C:\windows\system32\drivers\elxstor.sys
08:14:28.0114 0484 elxstor - ok
08:14:28.0314 0484 EraserUtilRebootDrv (8c0f9b877bc0b7ffd327ef55f9efb642) C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
08:14:28.0318 0484 EraserUtilRebootDrv - ok
08:14:28.0515 0484 ErrDev (34a3c54752046e79a126e15c51db409b) C:\windows\system32\drivers\errdev.sys
08:14:28.0518 0484 ErrDev - ok
08:14:28.0810 0484 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\windows\system32\drivers\exfat.sys
08:14:28.0819 0484 exfat - ok
08:14:29.0083 0484 fastfat (0adc83218b66a6db380c330836f3e36d) C:\windows\system32\drivers\fastfat.sys
08:14:29.0154 0484 fastfat - ok
08:14:29.0349 0484 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\windows\system32\drivers\fdc.sys
08:14:29.0394 0484 fdc - ok
08:14:29.0610 0484 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\windows\system32\drivers\fileinfo.sys
08:14:29.0614 0484 FileInfo - ok
08:14:29.0903 0484 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\windows\system32\drivers\filetrace.sys
08:14:29.0909 0484 Filetrace - ok
08:14:30.0103 0484 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\windows\system32\drivers\flpydisk.sys
08:14:30.0108 0484 flpydisk - ok
08:14:30.0262 0484 FltMgr (da6b67270fd9db3697b20fce94950741) C:\windows\system32\drivers\fltmgr.sys
08:14:30.0271 0484 FltMgr - ok
08:14:30.0487 0484 FsDepends (d43703496149971890703b4b1b723eac) C:\windows\system32\drivers\FsDepends.sys
08:14:30.0491 0484 FsDepends - ok
08:14:30.0667 0484 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\windows\system32\drivers\Fs_Rec.sys
08:14:30.0670 0484 Fs_Rec - ok
08:14:31.0006 0484 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\windows\system32\DRIVERS\fvevol.sys
08:14:31.0011 0484 fvevol - ok
08:14:31.0201 0484 FwLnk (60acb128e64c35c2b4e4aab1b0a5c293) C:\windows\system32\DRIVERS\FwLnk.sys
08:14:31.0204 0484 FwLnk - ok
08:14:31.0319 0484 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\windows\system32\drivers\gagp30kx.sys
08:14:31.0323 0484 gagp30kx - ok
08:14:31.0431 0484 GEARAspiWDM (af4dee5531395dee72b35b36c9671fd0) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
08:14:31.0435 0484 GEARAspiWDM - ok
08:14:31.0598 0484 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\windows\system32\drivers\hcw85cir.sys
08:14:31.0603 0484 hcw85cir - ok
08:14:31.0712 0484 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\windows\system32\drivers\HdAudio.sys
08:14:31.0721 0484 HdAudAddService - ok
08:14:31.0870 0484 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\windows\system32\DRIVERS\HDAudBus.sys
08:14:31.0873 0484 HDAudBus - ok
08:14:31.0965 0484 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\windows\system32\drivers\HidBatt.sys
08:14:31.0972 0484 HidBatt - ok
08:14:32.0068 0484 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\windows\system32\drivers\hidbth.sys
08:14:32.0074 0484 HidBth - ok
08:14:32.0196 0484 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\windows\system32\drivers\hidir.sys
08:14:32.0201 0484 HidIr - ok
08:14:32.0337 0484 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\windows\system32\DRIVERS\hidusb.sys
08:14:32.0341 0484 HidUsb - ok
08:14:32.0464 0484 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\windows\system32\drivers\HpSAMD.sys
08:14:32.0469 0484 HpSAMD - ok
08:14:32.0582 0484 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\windows\system32\drivers\HTTP.sys
08:14:32.0602 0484 HTTP - ok
08:14:32.0730 0484 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\windows\system32\drivers\hwpolicy.sys
08:14:32.0737 0484 hwpolicy - ok
08:14:32.0850 0484 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\windows\system32\DRIVERS\i8042prt.sys
08:14:32.0855 0484 i8042prt - ok
08:14:32.0963 0484 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\windows\system32\drivers\iaStorV.sys
08:14:32.0974 0484 iaStorV - ok
08:14:33.0214 0484 IDSVia64 (18c40c3f368323b203ace403cb430db1) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120309.002\IDSvia64.sys
08:14:33.0229 0484 IDSVia64 - ok
08:14:33.0361 0484 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\windows\system32\drivers\iirsp.sys
08:14:33.0365 0484 iirsp - ok
08:14:33.0472 0484 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\windows\system32\drivers\intelide.sys
08:14:33.0478 0484 intelide - ok
08:14:33.0586 0484 intelppm (ada036632c664caa754079041cf1f8c1) C:\windows\system32\drivers\intelppm.sys
08:14:33.0592 0484 intelppm - ok
08:14:33.0697 0484 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\windows\system32\DRIVERS\ipfltdrv.sys
08:14:33.0705 0484 IpFilterDriver - ok
08:14:33.0867 0484 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\windows\system32\drivers\IPMIDrv.sys
08:14:33.0873 0484 IPMIDRV - ok
08:14:34.0000 0484 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\windows\system32\drivers\ipnat.sys
08:14:34.0007 0484 IPNAT - ok
08:14:34.0116 0484 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\windows\system32\drivers\irenum.sys
08:14:34.0121 0484 IRENUM - ok
08:14:34.0236 0484 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\windows\system32\drivers\isapnp.sys
08:14:34.0240 0484 isapnp - ok
08:14:34.0337 0484 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\windows\system32\drivers\msiscsi.sys
08:14:34.0347 0484 iScsiPrt - ok
08:14:34.0449 0484 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\windows\system32\DRIVERS\kbdclass.sys
08:14:34.0454 0484 kbdclass - ok
08:14:34.0560 0484 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\windows\system32\drivers\kbdhid.sys
08:14:34.0564 0484 kbdhid - ok
08:14:34.0661 0484 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\windows\system32\Drivers\ksecdd.sys
08:14:34.0666 0484 KSecDD - ok
08:14:34.0776 0484 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\windows\system32\Drivers\ksecpkg.sys
08:14:34.0783 0484 KSecPkg - ok
08:14:34.0890 0484 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\windows\system32\drivers\ksthunk.sys
08:14:34.0895 0484 ksthunk - ok
08:14:35.0010 0484 L1C (0e154da6ca9105354a07d0c576804037) C:\windows\system32\DRIVERS\L1C62x64.sys
08:14:35.0015 0484 L1C - ok
08:14:35.0171 0484 lltdio (1538831cf8ad2979a04c423779465827) C:\windows\system32\DRIVERS\lltdio.sys
08:14:35.0177 0484 lltdio - ok
08:14:35.0308 0484 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\windows\system32\drivers\lsi_fc.sys
08:14:35.0314 0484 LSI_FC - ok
08:14:35.0410 0484 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\windows\system32\drivers\lsi_sas.sys
08:14:35.0414 0484 LSI_SAS - ok
08:14:35.0523 0484 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\windows\system32\drivers\lsi_sas2.sys
08:14:35.0526 0484 LSI_SAS2 - ok
08:14:35.0627 0484 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\windows\system32\drivers\lsi_scsi.sys
08:14:35.0633 0484 LSI_SCSI - ok
08:14:35.0754 0484 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\windows\system32\drivers\luafv.sys
08:14:35.0758 0484 luafv - ok
08:14:35.0900 0484 MBAMProtector (79da94b35371b9e7104460c7693dcb2c) C:\windows\system32\drivers\mbam.sys
08:14:35.0903 0484 MBAMProtector - ok
08:14:36.0018 0484 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\windows\system32\drivers\megasas.sys
08:14:36.0024 0484 megasas - ok
08:14:36.0148 0484 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\windows\system32\drivers\MegaSR.sys
08:14:36.0166 0484 MegaSR - ok
08:14:36.0282 0484 Modem (800ba92f7010378b09f9ed9270f07137) C:\windows\system32\drivers\modem.sys
08:14:36.0287 0484 Modem - ok
08:14:36.0398 0484 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\windows\system32\DRIVERS\monitor.sys
08:14:36.0399 0484 monitor - ok
08:14:36.0512 0484 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\windows\system32\DRIVERS\mouclass.sys
08:14:36.0517 0484 mouclass - ok
08:14:36.0630 0484 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\windows\system32\DRIVERS\mouhid.sys
08:14:36.0634 0484 mouhid - ok
08:14:36.0737 0484 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\windows\system32\drivers\mountmgr.sys
08:14:36.0740 0484 mountmgr - ok
08:14:36.0861 0484 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\windows\system32\drivers\mpio.sys
08:14:36.0869 0484 mpio - ok
08:14:36.0962 0484 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\windows\system32\drivers\mpsdrv.sys
08:14:36.0966 0484 mpsdrv - ok
08:14:37.0103 0484 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\windows\system32\drivers\mrxdav.sys
08:14:37.0109 0484 MRxDAV - ok
08:14:37.0227 0484 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\windows\system32\DRIVERS\mrxsmb.sys
08:14:37.0234 0484 mrxsmb - ok
08:14:37.0328 0484 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\windows\system32\DRIVERS\mrxsmb10.sys
08:14:37.0336 0484 mrxsmb10 - ok
08:14:37.0424 0484 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\windows\system32\DRIVERS\mrxsmb20.sys
08:14:37.0428 0484 mrxsmb20 - ok
08:14:37.0523 0484 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\windows\system32\DRIVERS\msahci.sys
08:14:37.0528 0484 msahci - ok
08:14:37.0623 0484 msdsm (db801a638d011b9633829eb6f663c900) C:\windows\system32\drivers\msdsm.sys
08:14:37.0630 0484 msdsm - ok
08:14:37.0786 0484 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\windows\system32\drivers\Msfs.sys
08:14:37.0790 0484 Msfs - ok
08:14:37.0900 0484 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\windows\System32\drivers\mshidkmdf.sys
08:14:37.0902 0484 mshidkmdf - ok
08:14:37.0994 0484 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\windows\system32\drivers\msisadrv.sys
08:14:37.0998 0484 msisadrv - ok
08:14:38.0119 0484 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\windows\system32\drivers\MSKSSRV.sys
08:14:38.0126 0484 MSKSSRV - ok
08:14:38.0254 0484 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\windows\system32\drivers\MSPCLOCK.sys
08:14:38.0257 0484 MSPCLOCK - ok
08:14:38.0360 0484 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\windows\system32\drivers\MSPQM.sys
08:14:38.0364 0484 MSPQM - ok
08:14:38.0471 0484 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\windows\system32\drivers\MsRPC.sys
08:14:38.0485 0484 MsRPC - ok
08:14:38.0587 0484 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\windows\system32\DRIVERS\mssmbios.sys
08:14:38.0589 0484 mssmbios - ok
08:14:38.0683 0484 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\windows\system32\drivers\MSTEE.sys
08:14:38.0688 0484 MSTEE - ok
08:14:38.0800 0484 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\windows\system32\drivers\MTConfig.sys
08:14:38.0806 0484 MTConfig - ok
08:14:38.0952 0484 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\windows\system32\Drivers\mup.sys
08:14:38.0955 0484 Mup - ok
08:14:39.0091 0484 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\windows\system32\DRIVERS\nwifi.sys
08:14:39.0098 0484 NativeWifiP - ok
08:14:39.0253 0484 NAVENG (2dbe90210de76be6e1653bb20ec70ec2) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120309.034\ENG64.SYS
08:14:39.0260 0484 NAVENG - ok
08:14:39.0462 0484 NAVEX15 (346da70e203b8e2c850277713de8f71b) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120309.034\EX64.SYS
08:14:39.0492 0484 NAVEX15 - ok
08:14:39.0623 0484 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\windows\system32\drivers\ndis.sys
08:14:39.0638 0484 NDIS - ok
08:14:39.0756 0484 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\windows\system32\DRIVERS\ndiscap.sys
08:14:39.0780 0484 NdisCap - ok
08:14:39.0937 0484 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\windows\system32\DRIVERS\ndistapi.sys
08:14:39.0942 0484 NdisTapi - ok
08:14:40.0054 0484 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\windows\system32\DRIVERS\ndisuio.sys
08:14:40.0058 0484 Ndisuio - ok
08:14:40.0164 0484 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\windows\system32\DRIVERS\ndiswan.sys
08:14:40.0171 0484 NdisWan - ok
08:14:40.0275 0484 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\windows\system32\drivers\NDProxy.sys
08:14:40.0279 0484 NDProxy - ok
08:14:40.0378 0484 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\windows\system32\DRIVERS\netbios.sys
08:14:40.0381 0484 NetBIOS - ok
08:14:40.0483 0484 NetBT (09594d1089c523423b32a4229263f068) C:\windows\system32\DRIVERS\netbt.sys
08:14:40.0489 0484 NetBT - ok
08:14:40.0613 0484 nfrd960 (77889813be4d166cdab78ddba990da92) C:\windows\system32\drivers\nfrd960.sys
08:14:40.0618 0484 nfrd960 - ok
08:14:40.0745 0484 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\windows\system32\drivers\Npfs.sys
08:14:40.0751 0484 Npfs - ok
08:14:40.0869 0484 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\windows\system32\drivers\nsiproxy.sys
08:14:40.0871 0484 nsiproxy - ok
08:14:40.0948 0484 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\windows\system32\drivers\Ntfs.sys
08:14:40.0973 0484 Ntfs - ok
08:14:41.0055 0484 Null (9899284589f75fa8724ff3d16aed75c1) C:\windows\system32\drivers\Null.sys
08:14:41.0059 0484 Null - ok
08:14:41.0159 0484 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\windows\system32\drivers\nvraid.sys
08:14:41.0165 0484 nvraid - ok
08:14:41.0275 0484 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\windows\system32\drivers\nvstor.sys
08:14:41.0284 0484 nvstor - ok
08:14:41.0384 0484 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\windows\system32\drivers\nv_agp.sys
08:14:41.0391 0484 nv_agp - ok
08:14:41.0512 0484 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\windows\system32\drivers\ohci1394.sys
08:14:41.0520 0484 ohci1394 - ok
08:14:41.0661 0484 Parport (0086431c29c35be1dbc43f52cc273887) C:\windows\system32\drivers\parport.sys
08:14:41.0666 0484 Parport - ok
08:14:41.0778 0484 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\windows\system32\drivers\partmgr.sys
08:14:41.0784 0484 partmgr - ok
08:14:41.0891 0484 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\windows\system32\drivers\pci.sys
08:14:41.0894 0484 pci - ok
08:14:41.0988 0484 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\windows\system32\DRIVERS\pciide.sys
08:14:41.0992 0484 pciide - ok
08:14:42.0089 0484 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\windows\system32\drivers\pcmcia.sys
08:14:42.0096 0484 pcmcia - ok
08:14:42.0185 0484 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\windows\system32\drivers\pcw.sys
08:14:42.0189 0484 pcw - ok
08:14:42.0320 0484 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\windows\system32\drivers\peauth.sys
08:14:42.0336 0484 PEAUTH - ok
08:14:42.0486 0484 PGEffect (91111cebbde8015e822c46120ed9537c) C:\windows\system32\DRIVERS\pgeffect.sys
08:14:42.0491 0484 PGEffect - ok
08:14:42.0639 0484 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\windows\system32\DRIVERS\raspptp.sys
08:14:42.0643 0484 PptpMiniport - ok
08:14:42.0744 0484 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\windows\system32\drivers\processr.sys
08:14:42.0749 0484 Processor - ok
08:14:42.0892 0484 Psched (0557cf5a2556bd58e26384169d72438d) C:\windows\system32\DRIVERS\pacer.sys
08:14:42.0896 0484 Psched - ok
08:14:43.0051 0484 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\windows\system32\drivers\ql2300.sys
08:14:43.0076 0484 ql2300 - ok
08:14:43.0335 0484 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\windows\system32\drivers\ql40xx.sys
08:14:43.0340 0484 ql40xx - ok
08:14:43.0443 0484 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\windows\system32\drivers\qwavedrv.sys
08:14:43.0446 0484 QWAVEdrv - ok
08:14:43.0548 0484 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\windows\system32\DRIVERS\rasacd.sys
08:14:43.0554 0484 RasAcd - ok
08:14:43.0650 0484 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\windows\system32\DRIVERS\AgileVpn.sys
08:14:43.0654 0484 RasAgileVpn - ok
08:14:43.0804 0484 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\windows\system32\DRIVERS\rasl2tp.sys
08:14:43.0811 0484 Rasl2tp - ok
08:14:43.0919 0484 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\windows\system32\DRIVERS\raspppoe.sys
08:14:43.0924 0484 RasPppoe - ok
08:14:44.0027 0484 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\windows\system32\DRIVERS\rassstp.sys
08:14:44.0031 0484 RasSstp - ok
08:14:44.0123 0484 rdbss (77f665941019a1594d887a74f301fa2f) C:\windows\system32\DRIVERS\rdbss.sys
08:14:44.0130 0484 rdbss - ok
08:14:44.0219 0484 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\windows\system32\drivers\rdpbus.sys
08:14:44.0222 0484 rdpbus - ok
08:14:44.0346 0484 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\windows\system32\DRIVERS\RDPCDD.sys
08:14:44.0349 0484 RDPCDD - ok
08:14:44.0465 0484 RDPDISPM (bdf2db2f19945afaf102a2c03062efb1) C:\windows\system32\DRIVERS\rdpdispm.sys
08:14:44.0468 0484 RDPDISPM - ok
08:14:44.0579 0484 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\windows\system32\drivers\rdpencdd.sys
08:14:44.0582 0484 RDPENCDD - ok
08:14:44.0687 0484 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\windows\system32\drivers\rdprefmp.sys
08:14:44.0690 0484 RDPREFMP - ok
08:14:44.0825 0484 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\windows\system32\drivers\RDPWD.sys
08:14:44.0834 0484 RDPWD - ok
08:14:44.0944 0484 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\windows\system32\drivers\rdyboost.sys
08:14:44.0951 0484 rdyboost - ok
08:14:45.0070 0484 RimUsb (7b04c9843921ab1f695fb395422c5360) C:\windows\system32\Drivers\RimUsb_AMD64.sys
08:14:45.0074 0484 RimUsb - ok
08:14:45.0212 0484 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\windows\system32\DRIVERS\rspndr.sys
08:14:45.0217 0484 rspndr - ok
08:14:45.0351 0484 RSUSBSTOR (0e3dcf76f11dc431b088a2dfd7265cda) C:\windows\system32\Drivers\RtsUStor.sys
08:14:45.0360 0484 RSUSBSTOR - ok
08:14:45.0491 0484 RTL8192Ce (64fdf4fe366ca42da2b7d9d424b6e39b) C:\windows\system32\DRIVERS\rtl8192Ce.sys
08:14:45.0508 0484 RTL8192Ce - ok
08:14:45.0610 0484 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\windows\system32\drivers\sbp2port.sys
08:14:45.0619 0484 sbp2port - ok
08:14:45.0753 0484 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\windows\system32\DRIVERS\scfilter.sys
08:14:45.0758 0484 scfilter - ok
08:14:45.0895 0484 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\windows\system32\drivers\secdrv.sys
08:14:45.0900 0484 secdrv - ok
08:14:46.0027 0484 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\windows\system32\drivers\serenum.sys
08:14:46.0030 0484 Serenum - ok
08:14:46.0141 0484 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\windows\system32\drivers\serial.sys
08:14:46.0145 0484 Serial - ok
08:14:46.0263 0484 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\windows\system32\drivers\sermouse.sys
08:14:46.0269 0484 sermouse - ok
08:14:46.0418 0484 sffdisk (a554811bcd09279536440c964ae35bbf) C:\windows\system32\drivers\sffdisk.sys
08:14:46.0421 0484 sffdisk - ok
08:14:46.0530 0484 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\windows\system32\drivers\sffp_mmc.sys
08:14:46.0533 0484 sffp_mmc - ok
08:14:46.0663 0484 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\windows\system32\drivers\sffp_sd.sys
08:14:46.0669 0484 sffp_sd - ok
08:14:46.0797 0484 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\windows\system32\drivers\sfloppy.sys
08:14:46.0802 0484 sfloppy - ok
08:14:46.0943 0484 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\windows\system32\drivers\SiSRaid2.sys
08:14:46.0947 0484 SiSRaid2 - ok
08:14:47.0067 0484 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\windows\system32\drivers\sisraid4.sys
08:14:47.0073 0484 SiSRaid4 - ok
08:14:47.0180 0484 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\windows\system32\DRIVERS\smb.sys
08:14:47.0188 0484 Smb - ok
08:14:47.0305 0484 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\windows\system32\drivers\spldr.sys
08:14:47.0311 0484 spldr - ok
08:14:47.0486 0484 SRTSP (90ef30c3867bcde4579c01a6d6e75a7a) C:\windows\System32\Drivers\N360x64\0502000.00D\SRTSP64.SYS
08:14:47.0508 0484 SRTSP - ok
08:14:47.0636 0484 SRTSPX (c513e8a5e7978da49077f5484344ee1b) C:\windows\system32\drivers\N360x64\0502000.00D\SRTSPX64.SYS
08:14:47.0641 0484 SRTSPX - ok
08:14:47.0773 0484 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\windows\system32\DRIVERS\srv.sys
08:14:47.0787 0484 srv - ok
08:14:47.0910 0484 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\windows\system32\DRIVERS\srv2.sys
08:14:47.0919 0484 srv2 - ok
08:14:48.0014 0484 srvnet (27e461f0be5bff5fc737328f749538c3) C:\windows\system32\DRIVERS\srvnet.sys
08:14:48.0022 0484 srvnet - ok
08:14:48.0147 0484 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\windows\system32\drivers\stexstor.sys
08:14:48.0151 0484 stexstor - ok
08:14:48.0262 0484 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\windows\system32\DRIVERS\swenum.sys
08:14:48.0265 0484 swenum - ok
08:14:48.0425 0484 SymDS (6160145c7a87fc7672e8e3b886888176) C:\windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS
08:14:48.0434 0484 SymDS - ok
08:14:48.0594 0484 SymEFA (96aeed40d4d3521568b42027687e69e0) C:\windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS
08:14:48.0608 0484 SymEFA - ok
08:14:48.0720 0484 SymEvent (21a1c2d694c3cf962d31f5e873ab3d6f) C:\windows\system32\Drivers\SYMEVENT64x86.SYS
08:14:48.0726 0484 SymEvent - ok
08:14:48.0880 0484 SymIRON (bd0d711d8cbfcaa19ca123306eaf53a5) C:\windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS
08:14:48.0887 0484 SymIRON - ok
08:14:49.0071 0484 SymNetS (a6adb3d83023f8daa0f7b6fda785d83b) C:\windows\System32\Drivers\N360x64\0502000.00D\SYMNETS.SYS
08:14:49.0084 0484 SymNetS - ok
08:14:49.0257 0484 Tcpip (fc62769e7bff2896035aeed399108162) C:\windows\system32\drivers\tcpip.sys
08:14:49.0285 0484 Tcpip - ok
08:14:49.0458 0484 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\windows\system32\DRIVERS\tcpip.sys
08:14:49.0478 0484 TCPIP6 - ok
08:14:49.0572 0484 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\windows\system32\drivers\tcpipreg.sys
08:14:49.0575 0484 tcpipreg - ok
08:14:49.0671 0484 tdcmdpst (fd542b661bd22fa69ca789ad0ac58c29) C:\windows\system32\DRIVERS\tdcmdpst.sys
08:14:49.0675 0484 tdcmdpst - ok
08:14:49.0819 0484 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\windows\system32\drivers\tdpipe.sys
08:14:49.0823 0484 TDPIPE - ok
08:14:49.0928 0484 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\windows\system32\drivers\tdtcp.sys
08:14:49.0935 0484 TDTCP - ok
08:14:50.0041 0484 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\windows\system32\DRIVERS\tdx.sys
08:14:50.0046 0484 tdx - ok
08:14:50.0148 0484 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\windows\system32\DRIVERS\termdd.sys
08:14:50.0152 0484 TermDD - ok
08:14:50.0329 0484 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\windows\system32\DRIVERS\tssecsrv.sys
08:14:50.0333 0484 tssecsrv - ok
08:14:50.0456 0484 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\windows\system32\drivers\tsusbflt.sys
08:14:50.0461 0484 TsUsbFlt - ok
08:14:50.0557 0484 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\windows\system32\drivers\TsUsbGD.sys
08:14:50.0561 0484 TsUsbGD - ok
08:14:50.0684 0484 tunnel (3566a8daafa27af944f5d705eaa64894) C:\windows\system32\DRIVERS\tunnel.sys
08:14:50.0695 0484 tunnel - ok
08:14:50.0808 0484 TVALZ (550b567f9364d8f7684c3fb3ea665a72) C:\windows\system32\DRIVERS\TVALZ_O.SYS
08:14:50.0813 0484 TVALZ - ok
08:14:50.0887 0484 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\windows\system32\drivers\uagp35.sys
08:14:50.0892 0484 uagp35 - ok
08:14:50.0986 0484 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\windows\system32\DRIVERS\udfs.sys
08:14:50.0994 0484 udfs - ok
08:14:51.0115 0484 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\windows\system32\drivers\uliagpkx.sys
08:14:51.0119 0484 uliagpkx - ok
08:14:51.0217 0484 umbus (dc54a574663a895c8763af0fa1ff7561) C:\windows\system32\DRIVERS\umbus.sys
08:14:51.0221 0484 umbus - ok
08:14:51.0322 0484 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\windows\system32\drivers\umpass.sys
08:14:51.0327 0484 UmPass - ok
08:14:51.0423 0484 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\windows\system32\DRIVERS\usbccgp.sys
08:14:51.0428 0484 usbccgp - ok
08:14:51.0510 0484 usbcir (af0892a803fdda7492f595368e3b68e7) C:\windows\system32\drivers\usbcir.sys
08:14:51.0515 0484 usbcir - ok
08:14:51.0602 0484 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\windows\system32\DRIVERS\usbehci.sys
08:14:51.0606 0484 usbehci - ok
08:14:51.0713 0484 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\windows\system32\DRIVERS\usbhub.sys
08:14:51.0721 0484 usbhub - ok
08:14:51.0836 0484 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\windows\system32\DRIVERS\usbohci.sys
08:14:51.0841 0484 usbohci - ok
08:14:51.0951 0484 usbprint (73188f58fb384e75c4063d29413cee3d) C:\windows\system32\drivers\usbprint.sys
08:14:51.0956 0484 usbprint - ok
08:14:52.0060 0484 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\windows\system32\DRIVERS\USBSTOR.SYS
08:14:52.0066 0484 USBSTOR - ok
08:14:52.0163 0484 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\windows\system32\drivers\usbuhci.sys
08:14:52.0169 0484 usbuhci - ok
08:14:52.0280 0484 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\windows\system32\Drivers\usbvideo.sys
08:14:52.0288 0484 usbvideo - ok
08:14:52.0410 0484 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\windows\system32\drivers\vdrvroot.sys
08:14:52.0414 0484 vdrvroot - ok
08:14:52.0529 0484 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\windows\system32\DRIVERS\vgapnp.sys
08:14:52.0533 0484 vga - ok
08:14:52.0628 0484 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\windows\System32\drivers\vga.sys
08:14:52.0631 0484 VgaSave - ok
08:14:52.0744 0484 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\windows\system32\drivers\vhdmp.sys
08:14:52.0749 0484 vhdmp - ok
08:14:52.0857 0484 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\windows\system32\drivers\viaide.sys
08:14:52.0862 0484 viaide - ok
08:14:52.0977 0484 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\windows\system32\drivers\volmgr.sys
08:14:52.0982 0484 volmgr - ok
08:14:53.0091 0484 volmgrx (a255814907c89be58b79ef2f189b843b) C:\windows\system32\drivers\volmgrx.sys
08:14:53.0099 0484 volmgrx - ok
08:14:53.0218 0484 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\windows\system32\drivers\volsnap.sys
08:14:53.0226 0484 volsnap - ok
08:14:53.0328 0484 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\windows\system32\drivers\vsmraid.sys
08:14:53.0337 0484 vsmraid - ok
08:14:53.0627 0484 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\windows\system32\DRIVERS\vwifibus.sys
08:14:53.0630 0484 vwifibus - ok
08:14:53.0725 0484 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\windows\system32\DRIVERS\vwififlt.sys
08:14:53.0729 0484 vwififlt - ok
08:14:53.0867 0484 vwifimp (6a638fc4bfddc4d9b186c28c91bd1a01) C:\windows\system32\DRIVERS\vwifimp.sys
08:14:53.0872 0484 vwifimp - ok
08:14:53.0993 0484 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\windows\system32\drivers\wacompen.sys
08:14:54.0000 0484 WacomPen - ok
08:14:54.0115 0484 WANARP (356afd78a6ed4457169241ac3965230c) C:\windows\system32\DRIVERS\wanarp.sys
08:14:54.0122 0484 WANARP - ok
08:14:54.0142 0484 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\windows\system32\DRIVERS\wanarp.sys
08:14:54.0145 0484 Wanarpv6 - ok
08:14:54.0274 0484 Wd (72889e16ff12ba0f235467d6091b17dc) C:\windows\system32\drivers\wd.sys
08:14:54.0278 0484 Wd - ok
08:14:54.0389 0484 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\windows\system32\drivers\Wdf01000.sys
08:14:54.0401 0484 Wdf01000 - ok
08:14:54.0554 0484 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\windows\system32\DRIVERS\wfplwf.sys
08:14:54.0556 0484 WfpLwf - ok
08:14:54.0660 0484 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\windows\system32\drivers\wimmount.sys
08:14:54.0664 0484 WIMMount - ok
08:14:54.0894 0484 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\windows\system32\drivers\wmiacpi.sys
08:14:54.0900 0484 WmiAcpi - ok
08:14:55.0052 0484 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\windows\system32\drivers\ws2ifsl.sys
08:14:55.0055 0484 ws2ifsl - ok
08:14:55.0180 0484 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\windows\system32\drivers\WudfPf.sys
08:14:55.0184 0484 WudfPf - ok
08:14:55.0298 0484 WUDFRd (cf8d590be3373029d57af80914190682) C:\windows\system32\DRIVERS\WUDFRd.sys
08:14:55.0303 0484 WUDFRd - ok
08:14:55.0370 0484 MBR (0x1B8) (b5d3b89509933463264ff7748b075c37) \Device\Harddisk0\DR0
08:14:55.0424 0484 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:14:55.0425 0484 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:14:55.0451 0484 Boot (0x1200) (80ff801dbe2bbb8d72c04df77d231689) \Device\Harddisk0\DR0\Partition0
08:14:55.0453 0484 \Device\Harddisk0\DR0\Partition0 - ok
08:14:55.0457 0484 ============================================================
08:14:55.0457 0484 Scan finished
08:14:55.0457 0484 ============================================================
08:14:55.0488 3292 Detected object count: 1
08:14:55.0488 3292 Actual detected object count: 1
08:15:16.0027 3292 \Device\Harddisk0\DR0\# - copied to quarantine
08:15:16.0029 3292 \Device\Harddisk0\DR0 - copied to quarantine
08:15:16.0654 3292 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
08:15:16.0658 3292 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
08:15:16.0674 3292 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
08:15:16.0689 3292 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
08:15:16.0698 3292 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
08:15:16.0716 3292 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
08:15:16.0752 3292 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
08:15:16.0760 3292 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
08:15:16.0765 3292 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
08:15:16.0771 3292 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
08:15:16.0850 3292 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
08:15:16.0852 3292 \Device\Harddisk0\DR0 - ok
08:15:17.0367 3292 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
08:15:35.0003 3660 Deinitialize success
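The scan above is TDSSKiller's own log: one inventory line per loaded driver (name, MD5, path) followed by a verdict line, then the MBR and boot-sector checks, the detection, and the quarantine/cure actions. As an added example (not the tool's code and not the poster's), here is a small Python parser for that format that pulls out what an analyst wants from a log like this: the objects flagged as infected, what was copied to quarantine (including the entries under the TDLFS hidden file system that TDSSKiller exposes by that name), what is only fixed after a reboot, and the MBR hash to compare against a post-cure scan. The sample lines are constructed excerpts in the same format, not the full log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt shaped like the TDSSKiller 2.7.x log above
# (not the full scan). Raw string so the Windows backslashes survive.
SAMPLE_LOG = r"""
08:14:49.0257 0484 Tcpip (fc62769e7bff2896035aeed399108162) C:\windows\system32\drivers\tcpip.sys
08:14:49.0285 0484 Tcpip - ok
08:14:55.0370 0484 MBR (0x1B8) (b5d3b89509933463264ff7748b075c37) \Device\Harddisk0\DR0
08:14:55.0424 0484 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:14:55.0425 0484 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:14:55.0451 0484 Boot (0x1200) (80ff801dbe2bbb8d72c04df77d231689) \Device\Harddisk0\DR0\Partition0
08:14:55.0453 0484 \Device\Harddisk0\DR0\Partition0 - ok
08:14:55.0457 0484 ============================================================
08:15:16.0027 3292 \Device\Harddisk0\DR0\# - copied to quarantine
08:15:16.0654 3292 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
08:15:16.0658 3292 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
08:15:16.0850 3292 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
08:15:17.0367 3292 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
""".strip("\n")

# Every line: timestamp, process id, then the payload.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<rest>.+)$")
# Inventory line: "<name> (<md5>) <path>"; also covers "MBR (0x1B8) (<md5>) <device>".
HASHED_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Verdict line: "<object> [( <threat> )] - <verdict>".
VERDICT_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<threat>[^)]+?) \))? - (?P<verdict>.+)$")


@dataclass
class Triage:
    hashes: dict = field(default_factory=dict)        # object name -> (md5, path)
    infected: list = field(default_factory=list)      # (object, threat name)
    quarantined: list = field(default_factory=list)   # objects copied to quarantine
    pending_cure: list = field(default_factory=list)  # objects fixed only after reboot
    actions: list = field(default_factory=list)       # (object, user-selected action)


def parse_tdsskiller(text):
    """Walk a TDSSKiller log and collect inventory hashes, detections and actions."""
    t = Triage()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        h = HASHED_RE.match(rest)
        if h:  # inventory line, checked first because a path may itself contain " - "
            t.hashes[h["name"]] = (h["md5"], h["path"])
            continue
        v = VERDICT_RE.match(rest)
        if not v:
            continue  # separators, counters, "Scan finished", etc.
        obj, threat, verdict = v["obj"], v["threat"], v["verdict"]
        if verdict == "infected":
            t.infected.append((obj, threat))
        elif verdict == "copied to quarantine":
            t.quarantined.append(obj)
        elif verdict == "will be cured on reboot":
            t.pending_cure.append(obj)
        elif verdict.startswith("User select action: "):
            t.actions.append((obj, verdict.split(": ", 1)[1]))
    return t


def hidden_fs_files(t):
    """Quarantined entries that lived inside the rootkit's TDLFS hidden file system."""
    return [o for o in t.quarantined if "\\TDLFS\\" in o]


def mbr_hash(t):
    """MD5 TDSSKiller recorded for the MBR; rerun after the cure and compare."""
    for name, (md5, _path) in t.hashes.items():
        if name.startswith("MBR "):
            return md5
    return None


def needs_reboot(t):
    """True when at least one object is only cured on the next boot."""
    return bool(t.pending_cure)


if __name__ == "__main__":
    t = parse_tdsskiller(SAMPLE_LOG)
    print("infected:", t.infected)
    print("hidden FS files:", hidden_fs_files(t))
    print("MBR md5:", mbr_hash(t), "| reboot required:", needs_reboot(t))
```

The check worth doing with this is the last one: a boot-sector infection is only gone once the machine has rebooted and a fresh scan shows the MBR with a different hash and no detection, which is why TDSSKiller reports "will be cured on reboot" rather than "cured".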

#4 Elise

Posted 10 March 2012 - 12:07 PM

Hi, unfortunately you had a nasty rootkit on your computer. Please read the following first before continuing the cleaning process.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#5 crisw

Posted 10 March 2012 - 02:29 PM

ComboFix 12-03-10.02 - Nikki 03/10/2012 10:51:20.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2663.1306 [GMT -8:00]
Running from: c:\users\Nikki\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-10 to 2012-03-10 )))))))))))))))))))))))))))))))
.
.
2012-03-10 19:05 . 2012-03-10 19:05 -------- d-----w- c:\users\KaetyBug\AppData\Local\temp
2012-03-10 19:05 . 2012-03-10 19:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-10 19:05 . 2012-03-10 19:05 -------- d-----w- c:\users\Camden and Keirsten\AppData\Local\temp
2012-03-10 16:15 . 2012-03-10 16:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 00:37 . 2010-11-11 19:59 252712 ----a-w- c:\windows\ETDUninst.dll
2012-03-09 19:21 . 2012-03-09 23:05 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-03-09 19:21 . 2012-03-09 19:23 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-03-06 16:08 . 2012-03-06 16:08 748336 ----a-w- c:\program files (x86)\Internet Explorer\iexplore.exe
2012-03-06 16:08 . 2012-03-06 16:08 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-03-06 16:08 . 2012-03-06 16:08 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-03-06 16:08 . 2012-03-06 16:08 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-03-06 16:08 . 2012-03-06 16:08 107008 ----a-w- c:\program files (x86)\Internet Explorer\iecleanup.exe
2012-03-06 15:48 . 2012-03-06 15:48 -------- d-----w- c:\users\Nikki\AppData\Roaming\Malwarebytes
2012-03-06 15:48 . 2012-03-09 15:20 -------- d-----w- c:\programdata\Malwarebytes
2012-03-06 15:48 . 2012-03-09 15:25 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-06 15:48 . 2011-12-10 23:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 04:02 . 2012-03-05 04:02 -------- d-----w- c:\programdata\ATI
2012-03-05 03:56 . 2012-03-05 04:01 -------- d-----w- c:\program files\ATI Technologies
2012-02-15 17:41 . 2012-02-15 17:41 48464 ----a-w- c:\windows\system32\drivers\aevocnsf.sys
2012-02-15 05:26 . 2012-02-15 05:26 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-15 00:52 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 00:52 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-15 00:51 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 00:51 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 00:51 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 00:50 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 00:50 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 00:50 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-10 20:55 . 2012-02-11 17:34 -------- dc-h--w- c:\programdata\{D8EAEB0B-7E66-400B-9DCD-5E815A852728}
2012-02-10 20:54 . 2012-02-10 20:54 -------- d-----w- c:\users\Nikki\AppData\Local\PackageAware
2012-02-10 01:20 . 2012-02-10 01:20 -------- d-----w- c:\program files (x86)\Chimpoo_3a
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 00:10 . 2012-01-30 00:10 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\CA36.tmp
2012-01-30 00:10 . 2012-01-30 00:10 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\C9F7.tmp
2012-01-08 02:18 . 2012-01-08 02:18 0 ---ha-w- c:\users\Nikki\AppData\Local\BITA884.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-14 39408]
"MusicManager"="c:\users\Nikki\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-02-21 13320704]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-07-29 17361032]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-16 336384]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2010-07-01 1295224]
"QuickTime Task"="c:\program files (x86)\QuickTime\qttask.exe" [2011-08-02 77824]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 aevocnsf;aevocnsf;c:\windows\system32\drivers\aevocnsf.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 136176]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-07-01 51576]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120302.001\BHDrvx64.sys [2012-03-02 1157240]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120309.002\IDSvia64.sys [2012-03-05 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502000.00D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe [2011-04-17 130008]
S2 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-14 138360]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 18:03]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 18:03]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2820138118-1891196870-2981794189-1001Core.job
- c:\users\Nikki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-01 18:16]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2820138118-1891196870-2981794189-1001UA.job
- c:\users\Nikki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-01 18:16]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-10 11:16:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-10 19:16
.
Pre-Run: 249,316,507,648 bytes free
Post-Run: 248,856,104,960 bytes free
.
- - End Of File - - 6DB679831247E66237E46441A2AC7E9F
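In the ComboFix log above, the "Files Created" section lists what appeared on disk in the last month, and the Drivers/Services section lists each service as a leading R/S (running/stopped) plus the Windows start type digit (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then `name;display name;path` and either `[date size]` or `[x]` where ComboFix recorded no date/size. Cross-referencing the two sections is how an entry like `R1 aevocnsf;aevocnsf;...\aevocnsf.sys [x]` stands out: a system-start kernel driver with no vendor description whose file was created on 2012-02-15. As an added example (not ComboFix's code and not the helper's), here is a Python triage that parses both sections and ranks kernel drivers by those signals, plus a parser for the `-------\Service_<name>` lines ComboFix writes when a service has been deleted, so the follow-up log can be checked for the removal. The scoring heuristic is mine, not a rule of the tool; the sample lines are constructed excerpts in the log's format.

```python
import re
from dataclasses import dataclass

# Constructed excerpts shaped like the ComboFix log above (not the full log).
FILES_CREATED = r"""
2012-03-06 15:48 . 2011-12-10 23:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-15 17:41 . 2012-02-15 17:41 48464 ----a-w- c:\windows\system32\drivers\aevocnsf.sys
2012-02-15 00:50 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
""".strip("\n")

SERVICES = r"""
R1 aevocnsf;aevocnsf;c:\windows\system32\drivers\aevocnsf.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe [2011-04-17 130008]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
""".strip("\n")

# Shape of the Drivers/Services deletion line from a follow-up ComboFix run.
FOLLOWUP_DELETIONS = r"""
-------\Service_aevocnsf
""".strip("\n")

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ (?P<size>\S+) (?P<attr>\S+) (?P<path>.+)$"
)
SVC_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"(?:\[x\]|\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])$"
)
DELETED_RE = re.compile(r"^-+\\Service_(?P<name>\S+)$")
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class Candidate:
    name: str
    path: str
    start: str
    score: int
    reasons: list


def created_files(text):
    """Map lower-cased path -> creation timestamp from the 'Files Created' section."""
    out = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out[m["path"].lower()] = m["created"]
    return out


def rank_drivers(services_text, files_text):
    """Kernel drivers (.sys) whose file appeared in the window, scored by my heuristic:
    recently created (mandatory), boot/system start, display name == service name,
    and no date/size recorded ([x]). Higher score = look at it first."""
    created = created_files(files_text)
    cands = []
    for line in services_text.splitlines():
        m = SVC_RE.match(line.strip())
        if not m or not m["path"].lower().endswith(".sys"):
            continue
        when = created.get(m["path"].lower())
        if when is None:
            continue  # long-standing driver, not in the creation window
        reasons = [f"file created {when}"]
        if m["start"] in ("0", "1"):
            reasons.append(f"{START_TYPE[m['start']]}-start driver")
        if m["display"] == m["name"]:
            reasons.append("display name is just the service name")
        if m["date"] is None:
            reasons.append("no file date/size recorded ([x])")
        cands.append(Candidate(m["name"], m["path"], START_TYPE[m["start"]], len(reasons), reasons))
    return sorted(cands, key=lambda c: (-c.score, c.name))


def deleted_services(followup_text):
    """Service names a later ComboFix run reports as deleted."""
    return [m["name"] for m in map(DELETED_RE.match, (l.strip() for l in followup_text.splitlines())) if m]


if __name__ == "__main__":
    for c in rank_drivers(SERVICES, FILES_CREATED):
        print(f"{c.score} {c.name} ({c.start}) {c.path}: {'; '.join(c.reasons)}")
    print("removed in follow-up:", deleted_services(FOLLOWUP_DELETIONS))
```

On these lines the ranking puts aevocnsf first with all four signals and also lists MBAMProtector, which the same log explains (Malwarebytes was installed on 2012-03-06). That is the point of a heuristic like this: it produces a short candidate list for the analyst, not a verdict, and the removal is only confirmed when the follow-up run shows the service gone.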

#6 Elise

Posted 10 March 2012 - 04:06 PM

How are things running at this point?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Driver::
aevocnsf

Rootkit::
c:\windows\system32\drivers\aevocnsf.sys
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#7 crisw

Posted 10 March 2012 - 05:17 PM

Seems to be better!


ComboFix 12-03-10.02 - Nikki 03/10/2012 13:38:44.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2663.1364 [GMT -8:00]
Running from: c:\users\Nikki\Downloads\ComboFix.exe
Command switches used :: c:\users\Nikki\Downloads\cfscript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_aevocnsf
.
.
((((((((((((((((((((((((( Files Created from 2012-02-10 to 2012-03-10 )))))))))))))))))))))))))))))))
.
.
2012-03-10 21:50 . 2012-03-10 21:50 -------- d-----w- c:\users\KaetyBug\AppData\Local\temp
2012-03-10 16:15 . 2012-03-10 16:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 00:37 . 2010-11-11 19:59 252712 ----a-w- c:\windows\ETDUninst.dll
2012-03-09 19:21 . 2012-03-09 23:05 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-03-09 19:21 . 2012-03-09 19:23 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-03-06 16:08 . 2012-03-06 16:08 748336 ----a-w- c:\program files (x86)\Internet Explorer\iexplore.exe
2012-03-06 16:08 . 2012-03-06 16:08 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-03-06 16:08 . 2012-03-06 16:08 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-03-06 16:08 . 2012-03-06 16:08 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-03-06 16:08 . 2012-03-06 16:08 107008 ----a-w- c:\program files (x86)\Internet Explorer\iecleanup.exe
2012-03-06 15:48 . 2012-03-06 15:48 -------- d-----w- c:\users\Nikki\AppData\Roaming\Malwarebytes
2012-03-06 15:48 . 2012-03-09 15:20 -------- d-----w- c:\programdata\Malwarebytes
2012-03-06 15:48 . 2012-03-09 15:25 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-06 15:48 . 2011-12-10 23:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 04:02 . 2012-03-05 04:02 -------- d-----w- c:\programdata\ATI
2012-03-05 03:56 . 2012-03-05 04:01 -------- d-----w- c:\program files\ATI Technologies
2012-02-15 17:41 . 2012-02-15 17:41 48464 ----a-w- c:\windows\system32\drivers\aevocnsf.sys
2012-02-15 05:26 . 2012-02-15 05:26 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-15 00:52 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 00:52 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-15 00:51 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 00:51 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 00:51 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 00:50 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 00:50 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 00:50 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-10 20:55 . 2012-02-11 17:34 -------- dc-h--w- c:\programdata\{D8EAEB0B-7E66-400B-9DCD-5E815A852728}
2012-02-10 20:54 . 2012-02-10 20:54 -------- d-----w- c:\users\Nikki\AppData\Local\PackageAware
2012-02-10 01:20 . 2012-02-10 01:20 -------- d-----w- c:\program files (x86)\Chimpoo_3a
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 00:10 . 2012-01-30 00:10 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\CA36.tmp
2012-01-30 00:10 . 2012-01-30 00:10 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\C9F7.tmp
2012-01-08 02:18 . 2012-01-08 02:18 0 ---ha-w- c:\users\Nikki\AppData\Local\BITA884.tmp
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-10_19.09.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-03-10 19:27 38648 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-10 19:27 53446 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-01-20 23:10 . 2012-03-10 19:24 4966 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-08-01 04:59 . 2012-03-10 19:27 9946 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2820138118-1891196870-2981794189-1001_UserData.bin
+ 2012-03-10 21:52 . 2012-03-10 21:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-10 19:07 . 2012-03-10 19:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-10 19:07 . 2012-03-10 19:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-10 21:52 . 2012-03-10 21:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2012-03-10 21:51 389832 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-03-10 19:06 389832 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-06-14 17:34 . 2012-03-10 21:51 1405296 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-06-14 17:34 . 2012-03-10 19:06 1405296 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-08-01 05:02 . 2012-03-10 21:51 2887852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2820138118-1891196870-2981794189-1001-8192.dat
- 2011-08-01 05:02 . 2012-03-10 19:06 2887852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2820138118-1891196870-2981794189-1001-8192.dat
- 2012-03-01 22:18 . 2012-03-10 19:06 4236548 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2820138118-1891196870-2981794189-1001-4096.dat
+ 2012-03-01 22:18 . 2012-03-10 21:51 4236548 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2820138118-1891196870-2981794189-1001-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-14 39408]
"MusicManager"="c:\users\Nikki\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-02-21 13320704]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-07-29 17361032]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-16 336384]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2010-07-01 1295224]
"QuickTime Task"="c:\program files (x86)\QuickTime\qttask.exe" [2011-08-02 77824]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 136176]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-07-01 51576]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120302.001\BHDrvx64.sys [2012-03-02 1157240]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120309.002\IDSvia64.sys [2012-03-05 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502000.00D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe [2011-04-17 130008]
S2 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-14 138360]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 18:03]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 18:03]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2820138118-1891196870-2981794189-1001Core.job
- c:\users\Nikki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-01 18:16]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2820138118-1891196870-2981794189-1001UA.job
- c:\users\Nikki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-01 18:16]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"combofix"="c:\combofix\CF20155.3XE" [2010-11-21 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-10 14:06:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-10 22:06
ComboFix2.txt 2012-03-10 19:16
.
Pre-Run: 248,931,295,232 bytes free
Post-Run: 248,656,441,344 bytes free
.
- - End Of File - - 289C5FB95749F722280B89BF94ED2744



#8 Elise
Posted 11 March 2012 - 02:08 AM

Good to hear that! :)

INSTALL ANTIVIRUS
---------------------------
I don't see an antivirus program running on your machine.

Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Three good antivirus programs that are free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u3.
  • Look for "JDK 7u3 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double-clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


Please launch MBAM, update it and run a full scan. Post me the resulting log.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.


#9 screen317
Posted 30 April 2012 - 06:52 PM

Are you still with us? This topic will be closed in a few days if we do not hear back from you.
Chris Fistonich
Research Team

#10 Maurice Naggar
Posted 24 May 2012 - 08:51 AM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Maurice Naggar
Product Support

I close my threads if there are 5 days without a response.