View Full Version : Browser Redirect won't go away
I got a Browser Re-Direct a while ago. I've tried lots to get rid of it including Malwarebytes & Spybot. It's still there. I've tried switching from IE8 to Firefox to Chrome...still there. I'm stumped. I've read the instructions on how to post here and have backed up my registry with ERUNT. I'm in need of help...I can't solve it. Below is the contents of my DDS.txt file. And attaced is my Attach.txt file, zipped. Thanks in advance.
DDS (Ver_10-11-10.01) - NTFSx86
Run by Scott at 8:40:47.20 on Fri 11/12/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2114 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PKWARE\PKZIPO\PKTray.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Scott.BJA\My Documents\Downloads\dds.com
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [TSTimer] "c:\program files\timeslips\TSTimer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [JobHisInit] c:\program files\rds\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rds\rmclient\MplSetUp.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\scott.bja\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pkzipa~1.lnk - c:\program files\pkware\pkzipo\PKTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
============= SERVICES / DRIVERS ===============
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-14 47640]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVENG.sys [2010-10-15 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVEX15.sys [2010-10-15 1371184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
=============== File Associations ===============
.scr=AutoCADScriptFile
=============== Created Last 30 ================
2010-10-16 19:34:45 -------- d-----w- C:\Temp
==================== Find3M ====================
2010-11-04 16:40:24 256 ----a-w- c:\windows\system32\pool.bin
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-60MHB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\00000032
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A29EEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88e02872; SUB DWORD [EBP-0x4], 0x88e0212e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A501AB8]
3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000066[0x8A47DAC0]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A501030]
[0x8A4E3BC0] -> IRP_MJ_CREATE -> 0x8A29EEC5
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000065 -> \??\IDE#DiskWDC_WD1600JS-60MHB1_____________________10.02E02#2020202057202D444D574E41324B383639393734#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 8:41:55.98 ===============
Hello Ribno and :welcome:
My name is JonTom
Malware Logs can sometimes take a lot of time to research and interpret.
Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
I'm an architect in a small 3-person firm, and I'm the I.T. person...scary, I know. As this is a business computer, you may want to consider a reformat to ensure no proprietary business information is compromised.
As you are a small company, I can assist you with cleaning this machine on the understanding that it is at your own risk and that Safer Networking Forums cannot be held liable if any proprietary information is disclosed during the course of this fix.
If you wish to continue please do the following:
Please scan your system with GMER
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please post the GMER log in your next reply.
If you encounter any difficulties with the scan come back and let me know.
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-17 16:00:27
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\00000032 WDC_WD1600JS-60MHB1 rev.10.02E02
Running: gmer.exe; Driver: C:\DOCUME~1\Scott.BJA\LOCALS~1\Temp\pxtdypow.sys
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB88D1380, 0x22083D, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[176] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\Explorer.EXE[176] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A9000C
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009C000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009A000C
.text C:\WINDOWS\System32\svchost.exe[1064] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 00B3000A
.text C:\WINDOWS\System32\svchost.exe[1064] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00A5000A
.text C:\Program Files\Timeslips\TSTimer.exe[1912] kernel32.dll!GetDiskFreeSpaceA 7C830309 5 Bytes JMP 0116BE04 C:\Program Files\Timeslips\TSDBAP32.dll (Timeslips API/Sage Software SB, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[3884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\wuauclt.exe[3884] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\wuauclt.exe[3884] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C4000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\nvatabus -> DriverStartIo \Device\00000063 8A257AEA
Device \Driver\nvatabus -> DriverStartIo \Device\NvAta0 8A257AEA
Device \Driver\nvatabus -> DriverStartIo \Device\NvAta1 8A257AEA
Device \Driver\nvatabus -> DriverStartIo \Device\NvAta2 8A257AEA
Device \Device\00000065 -> \??\IDE#DiskWDC_WD1600JS-60MHB1_____________________10.02E02#2020202057202D444D574E41324B383639393734#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- EOF - GMER 1.0.15 ----
I hope this helps, and thanks for all the effort.
Hello Ribno
Thank you for the log.
Is this a networked machine?
If so, please disconnect the infected machine from the network. Please be advised that if this machine is indeed part of a network, it would be wise to scan all remaining machines with your in-house security applications.
Please work your way through the following steps:
Please disable Spybot Teatimer
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click "Tools", then click on the "Resident" icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active" box.
Click the "System Startup" icon in the List.
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.
Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
ComboFix 10-11-17.01 - Scott 11/18/2010 11:59:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2054 [GMT -8:00]
Running from: c:\documents and settings\Scott.BJA\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.
2010-11-12 16:35 . 2010-11-12 16:35 -------- d-----w- c:\program files\ERUNT
2010-11-11 22:10 . 2010-11-11 22:10 -------- d-----w- c:\documents and settings\Administrator.BJA
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-13 39408]
"TSTimer"="c:\program files\Timeslips\TSTimer.exe" [2005-07-26 2408448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
"nwiz"="nwiz.exe" [2006-03-17 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-17 86016]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 77824]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-13 122368]
"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2005-11-01 151552]
"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2005-06-01 40960]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
c:\documents and settings\Scott.BJA\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-14 110592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-14 110592]
PKZIP Attachments Status.lnk - c:\program files\PKWARE\PKZIPO\PKTray.exe [2001-6-1 99992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 16:58 87424 ----a-w- c:\windows\system32\LMIinit.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 8:53 AM 135664]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PXTDYPOW
*Deregistered* - NAVAP
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - pxtdypow
.
Contents of the 'Scheduled Tasks' folder
2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2010-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:53]
2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:53]
2010-11-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-09-13 05:18]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-jgnipol
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 12:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-60MHB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\00000032
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A257EC5]<<
c:\docume~1\Scott.BJA\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88e02872; SUB DWORD [EBP-0x4], 0x88e0212e; PUSH EDI; CALL 0xffffffffffffdf33; }
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000065 -> \??\IDE#DiskWDC_WD1600JS-60MHB1_____________________10.02E02#2020202057202D444D574E41324B383639393734#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\NavLogon.dll
- - - - - - - > 'lsass.exe'(732)
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(3648)
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-11-18 12:32:54
ComboFix-quarantined-files.txt 2010-11-18 20:32
Pre-Run: 106,333,216,768 bytes free
Post-Run: 106,311,401,472 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 2DF51DCCAB3FD4A26268EE2C1F3B0047
Hello Ribno
Thank you for the log.
Is there any particular reason you have not upgraded to XP SP3?
Reset your browser proxies
For Internet Explorer:
Open Internet explorer, Click on "Tools" and then select "Internet Options".
Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
Uncheck "Use a Proxy server for your LAN".
Click Ok to close the Local Area Network (LAN) Settings window.
Click Ok to close the Internet Options window.
For Firefox:
Open Firefox, click on "Tools" then "Options" and then on "Advanced".
Click on the "Network" tab, and then on the "Settings" button.
Please make sure that the "No Proxy" option is selected.
mbr.exe
Please download here (http://www2.gmer.net/mbr/mbr.exe) and save it to the root directory, usually C:\ <- (Important).
Next, go to Start -> Run and type or copy/paste the following into the run box: c:\mbr.exe –t c:\mbr.log
Click on Enter.
After the scan has completed, please post the log (located in C:\ drive) in your next reply.
First of all, I have no reason for not upgrading to XP SP3. Should I do that now or wait until we're through?
Also, with Browser Re-Direct problems I was having, I uninstalled all browsers I had at the time except Google Chrome (which I don't really like). I normally use Firefox or IE. Should I install Firefox now or wait until the next step?
Thanks and I really appreciate you helping me.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-60MHB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\00000032
device: opened successfully
user: MBR read successfully
error: Read Incorrect function.
kernel: MBR read successfully
detected disk devices:
\Device\00000065 -> \??\IDE#DiskWDC_WD1600JS-60MHB1_____________________10.02E02#2020202057202D444D574E41324B383639393734#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Hello Ribno
First of all, I have no reason for not upgrading to XP SP3. Should I do that now or wait until we're through? Please hold off installing SP3 for the moment. I will let you know when to do so.
I would like to see the log created from the following tool.
Please note, if the tool detects anything during the course of its scan Please select "SKIP" rather than cure at this point. Once I have seen the log we will go from there :)
TDSS Killer
Please read carefully and follow these steps.
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure. Please select Skip and then click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png
If a suspicious file is detected, the default action will be Skip, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious-1.png
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Please post the TDSSKiller log in your next reply.
2010/11/19 14:30:51.0064 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/19 14:30:51.0064 ================================================================================
2010/11/19 14:30:51.0064 SystemInfo:
2010/11/19 14:30:51.0064
2010/11/19 14:30:51.0064 OS Version: 5.1.2600 ServicePack: 2.0
2010/11/19 14:30:51.0064 Product type: Workstation
2010/11/19 14:30:51.0064 ComputerName: SAB
2010/11/19 14:30:51.0064 UserName: Scott
2010/11/19 14:30:51.0064 Windows directory: C:\WINDOWS
2010/11/19 14:30:51.0064 System windows directory: C:\WINDOWS
2010/11/19 14:30:51.0064 Processor architecture: Intel x86
2010/11/19 14:30:51.0064 Number of processors: 2
2010/11/19 14:30:51.0064 Page size: 0x1000
2010/11/19 14:30:51.0064 Boot type: Normal boot
2010/11/19 14:30:51.0064 ================================================================================
2010/11/19 14:30:51.0408 Initialize success
2010/11/19 14:31:12.0951 ================================================================================
2010/11/19 14:31:12.0951 Scan started
2010/11/19 14:31:12.0951 Mode: Manual;
2010/11/19 14:31:12.0951 ================================================================================
2010/11/19 14:31:13.0201 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/19 14:31:13.0279 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/19 14:31:13.0342 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/11/19 14:31:13.0420 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/11/19 14:31:13.0513 ALCXWDM (d11f7d8e7b43e532c5348674b6b6b890) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/11/19 14:31:13.0638 Suspicious file (Forged): C:\WINDOWS\system32\drivers\ALCXWDM.SYS. Real md5: d11f7d8e7b43e532c5348674b6b6b890, Fake md5: bea942ff21154fee4f71ddd477621c70
2010/11/19 14:31:13.0654 ALCXWDM - detected Forged file (1)
2010/11/19 14:31:13.0763 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/19 14:31:13.0826 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/19 14:31:13.0873 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/19 14:31:13.0951 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/19 14:31:14.0029 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/19 14:31:14.0248 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/19 14:31:14.0326 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/19 14:31:14.0357 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/19 14:31:14.0420 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/19 14:31:14.0576 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/19 14:31:14.0607 dmboot (e8bd266c43cd750cad9a0f503523ff48) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/19 14:31:14.0670 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmboot.sys. Real md5: e8bd266c43cd750cad9a0f503523ff48, Fake md5: c0fbb516e06e243f0cf31f597e7ebf7d
2010/11/19 14:31:14.0685 dmboot - detected Forged file (1)
2010/11/19 14:31:14.0685 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/19 14:31:14.0748 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/19 14:31:14.0794 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/19 14:31:14.0888 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/19 14:31:14.0935 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/19 14:31:14.0982 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/19 14:31:15.0013 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/19 14:31:15.0044 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/19 14:31:15.0091 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/11/19 14:31:15.0185 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/19 14:31:15.0232 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/19 14:31:15.0279 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/11/19 14:31:15.0341 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/19 14:31:15.0451 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/19 14:31:15.0544 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/19 14:31:15.0591 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/19 14:31:15.0701 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/19 14:31:15.0810 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/11/19 14:31:15.0872 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/19 14:31:15.0919 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/19 14:31:15.0966 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/19 14:31:16.0044 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/19 14:31:16.0107 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/19 14:31:16.0138 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/19 14:31:16.0185 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/19 14:31:16.0232 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/19 14:31:16.0310 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/19 14:31:16.0482 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2010/11/19 14:31:16.0544 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2010/11/19 14:31:16.0575 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2010/11/19 14:31:16.0654 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/19 14:31:16.0685 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/19 14:31:16.0716 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/19 14:31:16.0747 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/19 14:31:16.0794 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/19 14:31:16.0872 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/19 14:31:16.0935 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/19 14:31:16.0997 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/19 14:31:17.0044 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/19 14:31:17.0075 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/19 14:31:17.0138 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/19 14:31:17.0169 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/19 14:31:17.0278 NAVAP (69b2c32f9382ff0ab458d43415cd9460) C:\Program Files\NavNT\NAVAP.sys
2010/11/19 14:31:17.0325 NAVAPEL (d488113cfbaa3a4a7c2822662923a3e9) C:\Program Files\NavNT\NAVAPEL.SYS
2010/11/19 14:31:17.0497 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101013.002\NAVENG.sys
2010/11/19 14:31:17.0560 NAVEX15 (8883c4f3c26c43d8b7cf9ad7bfe0d57c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101013.002\NAVEX15.sys
2010/11/19 14:31:17.0685 Suspicious file (Forged): C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101013.002\NAVEX15.sys. Real md5: 8883c4f3c26c43d8b7cf9ad7bfe0d57c, Fake md5: 158676a5758c1fa519563b3e72fbf256
2010/11/19 14:31:17.0700 NAVEX15 - detected Forged file (1)
2010/11/19 14:31:17.0778 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/19 14:31:17.0841 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/19 14:31:17.0903 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/19 14:31:17.0935 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/19 14:31:17.0981 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/19 14:31:18.0013 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/19 14:31:18.0044 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/19 14:31:18.0106 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/19 14:31:18.0185 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/19 14:31:18.0263 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2010/11/19 14:31:18.0310 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/19 14:31:18.0356 nv (df959ea48c9fbce6e448c3a7a5b25311) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/19 14:31:18.0528 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: df959ea48c9fbce6e448c3a7a5b25311, Fake md5: 392ad6a1676fbbc80fa1dad4c9955131
2010/11/19 14:31:18.0544 nv - detected Forged file (1)
2010/11/19 14:31:18.0575 nvatabus (52cab126c3ed5b851fb80eba0bea5c4e) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2010/11/19 14:31:18.0606 NVENETFD (3f09e5118d1ab379d028d511e45c6155) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/11/19 14:31:18.0700 nvnetbus (77c63a663b88fe327d71dd8e0a0f19b6) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/11/19 14:31:18.0763 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/19 14:31:18.0794 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/19 14:31:18.0856 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/19 14:31:18.0888 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/19 14:31:18.0966 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/19 14:31:19.0013 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/19 14:31:19.0059 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/19 14:31:19.0091 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/19 14:31:19.0247 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/19 14:31:19.0278 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/19 14:31:19.0325 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/19 14:31:19.0387 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/19 14:31:19.0481 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/19 14:31:19.0512 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/19 14:31:19.0544 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/19 14:31:19.0575 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/19 14:31:19.0622 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/19 14:31:19.0653 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/19 14:31:19.0731 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/19 14:31:19.0809 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/19 14:31:19.0872 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/19 14:31:19.0950 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
2010/11/19 14:31:20.0012 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/11/19 14:31:20.0044 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/11/19 14:31:20.0122 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/19 14:31:20.0184 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/19 14:31:20.0215 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/19 14:31:20.0294 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/19 14:31:20.0450 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/19 14:31:20.0497 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/19 14:31:20.0559 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/19 14:31:20.0606 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/19 14:31:20.0669 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/19 14:31:20.0840 SymEvent (a769203607d8af4efa01148ae86697d5) C:\Program Files\Symantec\SYMEVENT.SYS
2010/11/19 14:31:20.0934 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/19 14:31:20.0981 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/19 14:31:21.0043 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/19 14:31:21.0090 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/19 14:31:21.0122 TermDD (1c7af2fade4e922c8804433fb5cbff5e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/19 14:31:21.0153 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 1c7af2fade4e922c8804433fb5cbff5e, Fake md5: a540a99c281d933f3d69d55e48727f47
2010/11/19 14:31:21.0153 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/19 14:31:21.0184 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
2010/11/19 14:31:21.0231 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/19 14:31:21.0309 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/19 14:31:21.0387 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/11/19 14:31:21.0434 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/19 14:31:21.0512 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/19 14:31:21.0559 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/19 14:31:21.0606 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/19 14:31:21.0668 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/19 14:31:21.0700 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/19 14:31:21.0762 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/11/19 14:31:21.0809 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/19 14:31:21.0856 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/19 14:31:21.0965 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/19 14:31:22.0168 ================================================================================
2010/11/19 14:31:22.0168 Scan finished
2010/11/19 14:31:22.0168 ================================================================================
2010/11/19 14:31:22.0184 Detected object count: 5
2010/11/19 14:31:57.0819 Forged file(ALCXWDM) - User select action: Skip
2010/11/19 14:31:57.0819 Forged file(dmboot) - User select action: Skip
2010/11/19 14:31:57.0834 Forged file(NAVEX15) - User select action: Skip
2010/11/19 14:31:57.0834 Forged file(nv) - User select action: Skip
2010/11/19 14:31:57.0834 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Skip
Hello Ribno
Thank you for the log.
This machine is infected with a rootkit.
We can use TDSSKiller to address the infection but before we do I would like to search for suitable replacements for the infected files in case anything goes wrong with the automated fix. In the event that anything does go wrong with the automated fix we can then replace the infected files manually.
A cautious approach is always best when dealing with these types of infection as unexpected things can (and sometimes do) happen.
Please do the following:
Please download SystemLook by JPShortstuff
Please download SystemLook by JPShortstuff by clicking here (http://jpshortstuff.247fixes.com/SystemLook.exe) or here (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe) and save the file (called SystemLook.exe) to your desktop.
Double click SystemLook.exe to run the program.
Copy the content of the following codebox into the main textfield:
:filefind
*ALCXWDM*
*dmboot*
*NAVEX15*
*nv4_mini*
*termdd*
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
SystemLook 04.09.10 by jpshortstuff
Log created at 09:47 on 22/11/2010 by Scott
Administrator - Elevation successful
========== filefind ==========
Searching for "*ALCXWDM*"
C:\WINDOWS\system32\drivers\ALCXWDM.SYS --a---- 2314560 bytes [00:31 13/09/2009] [07:04 25/03/2005] BEA942FF21154FEE4F71DDD477621C70
Searching for "*dmboot*"
C:\cmdcons\DMBOOT.SY_ --a---- 125135 bytes [07:07 04/08/2004] [07:07 04/08/2004] AC3649CE9D8B4F14B712AC7CD74ACD03
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\dmboot.sys --a---- 799744 bytes [18:44 13/04/2008] [18:44 13/04/2008] D992FE1274BDE0F84AD826ACAE022A41
C:\WINDOWS\system32\dllcache\dmboot.sys --a--c- 799744 bytes [12:00 04/08/2004] [12:00 04/08/2004] C0FBB516E06E243F0CF31F597E7EBF7D
C:\WINDOWS\system32\drivers\dmboot.sys --a---- 799744 bytes [12:00 04/08/2004] [12:00 04/08/2004] C0FBB516E06E243F0CF31F597E7EBF7D
Searching for "*NAVEX15*"
C:\Downloads\Software\WIN32\VIRDEFS\NAVEX15.EXP --a---- 669536 bytes [02:16 13/09/2009] [05:50 16/07/2002] 5AAA1C0D02B8F6FDFF1F1AD0FDBC45A7
C:\Downloads\Software\WIN32\VIRDEFS\NAVEX15.SYS --a---- 491712 bytes [02:16 13/09/2009] [05:49 16/07/2002] FD5E795D8CA4D0836D69D52F2170D79F
C:\Downloads\Software\WIN32\VIRDEFS\NAVEX15.VXD --a---- 594505 bytes [02:16 13/09/2009] [05:50 16/07/2002] A90E5BC37294AD5A9BF5165D24D97732
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101006.003\NAVEX15.EXP --a---- 13232 bytes [18:48 06/10/2010] [08:00 06/10/2010] BEAF79C0567D492432FBCC2B0FB5888B
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101006.003\NAVEX15.SYS --a---- 1371184 bytes [18:48 06/10/2010] [08:00 06/10/2010] 158676A5758C1FA519563B3E72FBF256
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101006.003\NAVEX15.VXD --a---- 933451 bytes [18:48 06/10/2010] [08:00 06/10/2010] F4C94315741836F600B9233C67A41542
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101013.002\NAVEX15.EXP --a---- 13232 bytes [03:03 16/10/2010] [08:00 13/10/2010] BEAF79C0567D492432FBCC2B0FB5888B
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101013.002\NAVEX15.SYS --a---- 1371184 bytes [03:03 16/10/2010] [08:00 13/10/2010] 158676A5758C1FA519563B3E72FBF256
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101013.002\NAVEX15.VXD --a---- 933451 bytes [03:03 16/10/2010] [08:00 13/10/2010] F4C94315741836F600B9233C67A41542
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\navex15.exp --a---- 13232 bytes [08:00 16/09/2010] [08:00 16/09/2010] BEAF79C0567D492432FBCC2B0FB5888B
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\navex15.sys --a---- 1362608 bytes [08:00 16/09/2010] [08:00 16/09/2010] 3DDB0BEF60B65DF6B110C23E17CD67DC
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\navex15.vxd --a---- 933451 bytes [08:00 16/09/2010] [08:00 16/09/2010] F4C94315741836F600B9233C67A41542
Searching for "*nv4_mini*"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\nv4_mini.sys --a---- 1897408 bytes [00:54 13/09/2009] [05:29 04/08/2004] 2B298519EDBFCF451D43E0F1E8F1006D
C:\WINDOWS\system32\dllcache\nv4_mini.sys --a--c- 3655712 bytes [17:16 17/03/2006] [17:16 17/03/2006] 392AD6A1676FBBC80FA1DAD4C9955131
C:\WINDOWS\system32\drivers\nv4_mini.sys --a---- 3655712 bytes [17:16 17/03/2006] [17:16 17/03/2006] 392AD6A1676FBBC80FA1DAD4C9955131
Searching for "*termdd*"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\termdd.sys --a---- 40840 bytes [00:13 14/04/2008] [00:13 14/04/2008] 88155247177638048422893737429D9E
C:\WINDOWS\system32\drivers\termdd.sys --a---- 40840 bytes [22:24 12/09/2009] [08:01 04/08/2004] A540A99C281D933F3D69D55E48727F47
-= EOF =-
Hello Ribno
Hope you had a good weekend :)
Thank you for the log.
Please go ahead and run TDSSKiller again, but this time allow the tool to cure what it finds, then post the log created when the tool completes its scan.
I ran TDSSKiller, and one item said 'cure' so I left it. The others defaulted to 'skip' which I changed to 'delete'. It then said it needed to re-boot. During re-boot a MS Word message popped up asking me if I wanted to replace the 'Normal.DOT. file? I said 'No', and a message popped up saying that it couldn't quit....and then vanished before I could do anything. The machine was then frozen. I hit the reset button and upon boot-up, it looks like the screen resolution had changed, and the desktop icons all re-aligned. I ran another TDSSKiller to see if it had not worked, but this time if found no threats. Below is the 'pre re-boot' report. I really appreciate your help. If I'm clear at this point, can I reinstall Firefox, and should I upgrade to XP SP3?
Thanks...
2010/11/22 11:51:55.0035 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/22 11:51:55.0035 ================================================================================
2010/11/22 11:51:55.0035 SystemInfo:
2010/11/22 11:51:55.0035
2010/11/22 11:51:55.0035 OS Version: 5.1.2600 ServicePack: 2.0
2010/11/22 11:51:55.0035 Product type: Workstation
2010/11/22 11:51:55.0035 ComputerName: SAB
2010/11/22 11:51:55.0035 UserName: Scott
2010/11/22 11:51:55.0035 Windows directory: C:\WINDOWS
2010/11/22 11:51:55.0035 System windows directory: C:\WINDOWS
2010/11/22 11:51:55.0035 Processor architecture: Intel x86
2010/11/22 11:51:55.0035 Number of processors: 2
2010/11/22 11:51:55.0035 Page size: 0x1000
2010/11/22 11:51:55.0035 Boot type: Normal boot
2010/11/22 11:51:55.0035 ================================================================================
2010/11/22 11:51:55.0254 Initialize success
2010/11/22 11:51:59.0020 ================================================================================
2010/11/22 11:51:59.0020 Scan started
2010/11/22 11:51:59.0020 Mode: Manual;
2010/11/22 11:51:59.0020 ================================================================================
2010/11/22 11:51:59.0317 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/22 11:51:59.0364 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/22 11:51:59.0442 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/11/22 11:51:59.0520 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/11/22 11:51:59.0614 ALCXWDM (d11f7d8e7b43e532c5348674b6b6b890) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/11/22 11:51:59.0692 Suspicious file (Forged): C:\WINDOWS\system32\drivers\ALCXWDM.SYS. Real md5: d11f7d8e7b43e532c5348674b6b6b890, Fake md5: bea942ff21154fee4f71ddd477621c70
2010/11/22 11:51:59.0692 ALCXWDM - detected Forged file (1)
2010/11/22 11:51:59.0832 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/22 11:51:59.0864 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/22 11:51:59.0895 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/22 11:51:59.0957 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/22 11:52:00.0020 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/22 11:52:00.0176 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/22 11:52:00.0239 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/22 11:52:00.0254 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/22 11:52:00.0317 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/22 11:52:00.0457 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/22 11:52:00.0489 dmboot (e8bd266c43cd750cad9a0f503523ff48) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/22 11:52:00.0535 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmboot.sys. Real md5: e8bd266c43cd750cad9a0f503523ff48, Fake md5: c0fbb516e06e243f0cf31f597e7ebf7d
2010/11/22 11:52:00.0535 dmboot - detected Forged file (1)
2010/11/22 11:52:00.0582 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/22 11:52:00.0598 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/22 11:52:00.0660 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/22 11:52:00.0754 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/22 11:52:00.0801 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/22 11:52:00.0848 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/22 11:52:00.0879 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/22 11:52:00.0942 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/22 11:52:00.0989 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/11/22 11:52:01.0004 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/22 11:52:01.0051 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/22 11:52:01.0098 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/11/22 11:52:01.0160 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/22 11:52:01.0285 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/22 11:52:01.0348 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/22 11:52:01.0410 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/22 11:52:01.0489 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/22 11:52:01.0551 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/11/22 11:52:01.0614 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/22 11:52:01.0645 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/22 11:52:01.0692 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/22 11:52:01.0723 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/22 11:52:01.0786 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/22 11:52:01.0817 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/22 11:52:01.0864 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/22 11:52:01.0911 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/22 11:52:01.0926 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/22 11:52:02.0067 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2010/11/22 11:52:02.0114 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2010/11/22 11:52:02.0161 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2010/11/22 11:52:02.0192 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/22 11:52:02.0223 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/22 11:52:02.0254 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/22 11:52:02.0286 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/22 11:52:02.0332 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/22 11:52:02.0457 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/22 11:52:02.0489 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/22 11:52:02.0551 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/22 11:52:02.0598 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/22 11:52:02.0629 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/22 11:52:02.0692 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/22 11:52:02.0692 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/22 11:52:02.0801 NAVAP (69b2c32f9382ff0ab458d43415cd9460) C:\Program Files\NavNT\NAVAP.sys
2010/11/22 11:52:02.0848 NAVAPEL (d488113cfbaa3a4a7c2822662923a3e9) C:\Program Files\NavNT\NAVAPEL.SYS
2010/11/22 11:52:03.0004 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101013.002\NAVENG.sys
2010/11/22 11:52:03.0067 NAVEX15 (8883c4f3c26c43d8b7cf9ad7bfe0d57c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101013.002\NAVEX15.sys
2010/11/22 11:52:03.0161 Suspicious file (Forged): C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101013.002\NAVEX15.sys. Real md5: 8883c4f3c26c43d8b7cf9ad7bfe0d57c, Fake md5: 158676a5758c1fa519563b3e72fbf256
2010/11/22 11:52:03.0161 NAVEX15 - detected Forged file (1)
2010/11/22 11:52:03.0176 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/22 11:52:03.0223 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/22 11:52:03.0286 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/22 11:52:03.0317 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/22 11:52:03.0348 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/22 11:52:03.0379 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/22 11:52:03.0442 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/22 11:52:03.0489 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/22 11:52:03.0551 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/22 11:52:03.0614 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2010/11/22 11:52:03.0692 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/22 11:52:03.0754 nv (df959ea48c9fbce6e448c3a7a5b25311) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/22 11:52:03.0895 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: df959ea48c9fbce6e448c3a7a5b25311, Fake md5: 392ad6a1676fbbc80fa1dad4c9955131
2010/11/22 11:52:03.0911 nv - detected Forged file (1)
2010/11/22 11:52:03.0957 nvatabus (52cab126c3ed5b851fb80eba0bea5c4e) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2010/11/22 11:52:03.0973 NVENETFD (3f09e5118d1ab379d028d511e45c6155) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/11/22 11:52:04.0004 nvnetbus (77c63a663b88fe327d71dd8e0a0f19b6) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/11/22 11:52:04.0051 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/22 11:52:04.0082 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/22 11:52:04.0161 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/22 11:52:04.0207 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/22 11:52:04.0239 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/22 11:52:04.0286 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/22 11:52:04.0317 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/22 11:52:04.0348 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/22 11:52:04.0489 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/22 11:52:04.0536 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/22 11:52:04.0567 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/22 11:52:04.0614 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/22 11:52:04.0692 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/22 11:52:04.0723 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/22 11:52:04.0770 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/22 11:52:04.0817 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/22 11:52:04.0879 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/22 11:52:04.0895 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/22 11:52:04.0942 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/22 11:52:05.0004 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/22 11:52:05.0067 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/22 11:52:05.0145 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
2010/11/22 11:52:05.0270 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/11/22 11:52:05.0301 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/11/22 11:52:05.0379 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/22 11:52:05.0442 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/22 11:52:05.0473 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/22 11:52:05.0520 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/22 11:52:05.0583 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/22 11:52:05.0645 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/22 11:52:05.0708 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/22 11:52:05.0754 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/22 11:52:05.0801 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/22 11:52:05.0958 SymEvent (a769203607d8af4efa01148ae86697d5) C:\Program Files\Symantec\SYMEVENT.SYS
2010/11/22 11:52:06.0036 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/22 11:52:06.0129 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/22 11:52:06.0192 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/22 11:52:06.0223 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/22 11:52:06.0270 TermDD (1c7af2fade4e922c8804433fb5cbff5e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/22 11:52:06.0286 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 1c7af2fade4e922c8804433fb5cbff5e, Fake md5: a540a99c281d933f3d69d55e48727f47
2010/11/22 11:52:06.0286 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/22 11:52:06.0348 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
2010/11/22 11:52:06.0364 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/22 11:52:06.0442 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/22 11:52:06.0598 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/11/22 11:52:06.0629 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/22 11:52:06.0708 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/22 11:52:06.0754 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/22 11:52:06.0817 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/22 11:52:06.0879 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/22 11:52:06.0911 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/22 11:52:06.0942 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/11/22 11:52:06.0989 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/22 11:52:07.0036 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/22 11:52:07.0161 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/22 11:52:07.0380 ================================================================================
2010/11/22 11:52:07.0380 Scan finished
2010/11/22 11:52:07.0380 ================================================================================
2010/11/22 11:52:07.0380 Detected object count: 5
2010/11/22 11:53:10.0210 HKLM\SYSTEM\ControlSet001\services\ALCXWDM - will be deleted after reboot
2010/11/22 11:53:10.0210 HKLM\SYSTEM\ControlSet002\services\ALCXWDM - will be deleted after reboot
2010/11/22 11:53:10.0210 C:\WINDOWS\system32\drivers\ALCXWDM.SYS - will be deleted after reboot
2010/11/22 11:53:10.0210 Forged file(ALCXWDM) - User select action: Delete
2010/11/22 11:53:10.0210 HKLM\SYSTEM\ControlSet001\services\dmboot - will be deleted after reboot
2010/11/22 11:53:10.0210 HKLM\SYSTEM\ControlSet002\services\dmboot - will be deleted after reboot
2010/11/22 11:53:10.0210 C:\WINDOWS\system32\drivers\dmboot.sys - will be deleted after reboot
2010/11/22 11:53:10.0210 Forged file(dmboot) - User select action: Delete
2010/11/22 11:53:10.0226 HKLM\SYSTEM\ControlSet001\services\NAVEX15 - will be deleted after reboot
2010/11/22 11:53:10.0226 HKLM\SYSTEM\ControlSet002\services\NAVEX15 - will be deleted after reboot
2010/11/22 11:53:10.0226 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101013.002\NAVEX15.sys - will be deleted after reboot
2010/11/22 11:53:10.0226 Forged file(NAVEX15) - User select action: Delete
2010/11/22 11:53:10.0226 HKLM\SYSTEM\ControlSet001\services\nv - will be deleted after reboot
2010/11/22 11:53:10.0226 HKLM\SYSTEM\ControlSet002\services\nv - will be deleted after reboot
2010/11/22 11:53:10.0226 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys - will be deleted after reboot
2010/11/22 11:53:10.0226 Forged file(nv) - User select action: Delete
2010/11/22 11:53:10.0320 TermDD (1c7af2fade4e922c8804433fb5cbff5e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/22 11:53:10.0320 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 1c7af2fade4e922c8804433fb5cbff5e, Fake md5: a540a99c281d933f3d69d55e48727f47
2010/11/22 11:53:14.0742 Backup copy found, using it..
2010/11/22 11:53:14.0820 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot
2010/11/22 11:53:14.0820 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure
2010/11/22 11:53:19.0977 Deinitialize success
Hello Ribno
and one item said 'cure' so I left it Good.
The others defaulted to 'skip' which I changed to 'delete'. :eek: I did not ask you to delete anything Ribno.
As I mentioned in my previous post:
Please go ahead and run TDSSKiller again, but this time allow the tool to cure what it finds
If I'm clear at this point, can I reinstall Firefox, and should I upgrade to XP SP3? Not sure if you are clean yet - we still have a few things to do:
Clean out your temporary files
Please download ATF Cleaner by Atribune by clicking here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save the file (called ATF-Cleaner.exe) to your desktop.
Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
Check the boxes to the left of the following:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional. If you want to remove everything check the "Select All" box.
Click on "Empty Selected" to begin cleaning.
Once the "Done Cleaning" message appears, click OK.
If you use Firefox, Click on the Firefox tab and repeat the above process.
When you have finished cleaning, click on the "Exit" button in the main menu.
MalwareBytes AntiMalware:
I can see that you have MBAM installed.
Double click on your MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan"and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.
Please update your Java
To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
In the window that opens, click on the "Update" tab, and then on "Update Now".
Your Java should begin to update. Please follow any prompts that you receive.
Please post the MBAM log and a new DDS scan log in your next reply.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5172
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
11/22/2010 1:55:33 PM
mbam-log-2010-11-22 (13-55-33).txt
Scan type: Quick scan
Objects scanned: 186919
Time elapsed: 6 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
---------------------------------------------------
DDS (Ver_10-11-10.01) - NTFSx86
Run by Scott at 14:00:36.29 on Mon 11/22/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2390 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PKWARE\PKZIPO\PKTray.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Scott.BJA\My Documents\Downloads\DDS for Spybot Forum\dds.com
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TSTimer] "c:\program files\timeslips\TSTimer.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [JobHisInit] c:\program files\rds\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rds\rmclient\MplSetUp.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\scott.bja\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pkzipa~1.lnk - c:\program files\pkware\pkzipo\PKTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
============= SERVICES / DRIVERS ===============
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-14 47640]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVENG.sys [2010-10-15 86064]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20101013.002\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVEX15.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
=============== File Associations ===============
.scr=AutoCADScriptFile
=============== Created Last 30 ================
2010-11-22 21:58:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 23:51:01 89088 ----a-w- C:\mbr.exe
2010-11-18 19:56:42 -------- d-sha-r- C:\cmdcons
2010-11-18 19:52:05 98816 ----a-w- c:\windows\sed.exe
2010-11-18 19:52:05 89088 ----a-w- c:\windows\MBR.exe
2010-11-18 19:52:05 256512 ----a-w- c:\windows\PEV.exe
2010-11-18 19:52:05 161792 ----a-w- c:\windows\SWREG.exe
==================== Find3M ====================
2010-11-12 19:48:43 256 ----a-w- c:\windows\system32\pool.bin
2010-09-15 10:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
============= FINISH: 14:01:05.96 ===============
Hello Ribno
Thank you for the logs.
Please do the following:
Please work through the following steps
Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
Copy and Paste the text in the quotebox below into the open Notepad window:
DDS::
uInternet Settings,ProxyOverride = <local>
SkipFix::
Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
Close any open browsers.
Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Refering to the picture below, drag CFScript.txt into ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Once the log is produced, re-engage your resident anti virus.
Please run the following scan
Note: You will need to use Internet Explorer for this scan.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.
Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push the "Finish" button.
Please provide the ComboFix log and the ESET log in your next reply and let me know how the machine is running now.
Hi. I followed your directions... I created the Combo log which I'll attach below. Then, I opened Internet Explorer and got ESET running...it was taking a long time and eventually I had to leave to pick up my daughter. At that point it was at about 40% complete and had indicated that it had found 1 threat. I figured I'd complete the assignment when I got into work this morning. Upon arrival, my computer was at the login screen and after logging in, a bubble over the automatic updates icon in the system tray indicated that my computer had been recently updated and had required a re-boot. 'Great' I thought and re-ran the ESET scan. It just now completed and found no threats. When it finished it did not have 'List of Threats' shown anywhere and therefore I was not able to Export to File. The only thing available was "Manage Quarantine". When I click on that it shows the location of the item. I've attached the screen shot to this.
On the main screen I can select 'Delete Quarantine Items'. I'll wait until I hear from you to do so.
As far as the machine goes, it appears to be running very smoothly, but I still haven't re-installed Firefox so I don't know if the browser redirect is still there. So far, Chrome has not been redirecting me.
Thanks again for you assistance. I'm very grateful.
The ComboFix log is here:
ComboFix 10-11-17.01 - Scott 11/22/2010 16:18:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2454 [GMT -8:00]
Running from: c:\documents and settings\Scott.BJA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Scott.BJA\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.
2010-11-22 22:17 . 2010-11-22 22:17 -------- d-----w- C:\NV29361308.TMP
2010-11-22 22:15 . 2005-03-25 07:04 2314560 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-11-22 22:14 . 2010-11-22 22:14 4096 ----a-w- c:\windows\gdrv.sys
2010-11-22 22:12 . 2010-11-22 22:12 -------- d-----w- C:\NV27962636.TMP
2010-11-22 21:58 . 2010-11-22 21:58 -------- d-----w- c:\program files\Common Files\Java
2010-11-22 21:58 . 2010-09-15 12:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 23:51 . 2010-11-18 23:45 89088 ----a-w- C:\mbr.exe
2010-11-12 16:35 . 2010-11-12 16:35 -------- d-----w- c:\program files\ERUNT
2010-11-11 22:10 . 2010-11-11 22:10 -------- d-----w- c:\documents and settings\Administrator.BJA
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-22 19:53 . 2009-09-12 22:24 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-09-15 10:29 . 2009-11-02 16:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-13 39408]
"TSTimer"="c:\program files\Timeslips\TSTimer.exe" [2005-07-26 2408448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-13 122368]
"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2005-11-01 151552]
"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2005-06-01 40960]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
"nwiz"="nwiz.exe" [2006-03-17 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-17 86016]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 77824]
c:\documents and settings\Scott.BJA\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-14 110592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-14 110592]
PKZIP Attachments Status.lnk - c:\program files\PKWARE\PKZIPO\PKTray.exe [2001-6-1 99992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 16:58 87424 ----a-w- c:\windows\system32\LMIinit.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 8:53 AM 135664]
--- Other Services/Drivers In Memory ---
*Deregistered* - NAVAP
.
Contents of the 'Scheduled Tasks' folder
2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2010-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:53]
2010-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:53]
2010-11-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-09-13 05:18]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 16:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\NavLogon.dll
- - - - - - - > 'lsass.exe'(736)
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(4056)
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-11-22 16:25:09
ComboFix-quarantined-files.txt 2010-11-23 00:24
ComboFix2.txt 2010-11-18 20:32
Pre-Run: 105,672,597,504 bytes free
Post-Run: 105,697,828,864 bytes free
- - End Of File - - 8671AF7C0AD189342282D3A33477980D
Hello Ribno
Thank you for the log and extra informaiton.
It just now completed and found no threats Thats good to hear. What was found in the first ESET run (an infected Java Cache) appears to have been quarantined by ESET. This quarantined item cannot cause any harm to you machine.
As far as the machine goes, it appears to be running very smoothly, but I still haven't re-installed Firefox so I don't know if the browser redirect is still there I believe that the infection has been removed. However, I mentioned before that since this is a work machine, if it is part of a network, there may be a high risk of more than one machine being infected, so monitor them all closely and perform full system scans on them before reconnecting this one back up.
As you no longer appear to be experiencing any problems, I think we are almost done.
We will remove our tools in the steps below and I will provide you with links to the upgrades that this machine requires (you will also find a link to FireFox in my "Closing Speech").
Please Uninstall Combofix
Click on "Start" and then on "Run".
Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.
Removal of Tools
You no longer need DDS, GMER, mbr.exe, TDSSKiller, or SystemLook. Please delete them from your machine.
Please re-enable Spybot Teatimer
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click "Tools", then click on the "Resident" icon in the list.
Check the "Resident "TeaTimer" (Protection of overall system settings) active" box.
Click the "System Startup" icon in the List.
Check the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.
Please install XP Service Pack 3
XP Service Pack 3 contains many more security features that are not present in Service Pack 2.
Instructions for downloading XP Service Pack 3 can be found here (http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx)
Your Adobe is out of date
You can obtain the latest version of Adobe Reader from here (http://get.adobe.com/uk/reader/), and the latest version of Flash Player from here. (http://www.adobe.com/products/flashplayer/)
For more information and links to Adobe updates and downloads click here. (http://www.adobe.com/downloads/)
Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.
Finally, please take the time to read through the information provided below:
Enhance your System Security
For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)
IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.
Web Browsers and Browser Security
Firefox
Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here. (http://www.mozilla.com/en-US/firefox/)
No-Script
If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)
Internet Explorer
The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
SpywareBlaster
If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)
Web of Trust
When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)
Keep your Software Updated
Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)
Passwords
Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)
General Reading
PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)
How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Learn How To Combat Malware
Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)
I really appreciate your help. If there are any surveys or recommendations that I can give I'd be happy to.
This forum is an invaluable tool!!!!!
I hope I don't have to come back, but if I do, I now know that I'm in very capable hands.
Thanks again...
Scott
Thanks again... You are Very Welcome Ribno
Glad we could help :)
Best wishes
JonTom
Since this problem appears to be resolved this topic is now closed.
Glad we could help :)
Best wishes
JonTom