Geeks to Go

Receiving a security alert from NIS 2010 "Tidserv Activity 2"


This topic is locked

#1
ßGéè Gêë (Member, 16 posts)
I was running my computer a couple of days ago when I was alerted by Norton Internet Security that I needed to manually remove Tidserv Activity 2. So I followed the Symantec link to the fix, the Backdoor.Tidserv removal tool on the Symantec site, and ran the program, but I still get the same security alert from NIS.


#2
maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hello ßGéè Gêë and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Download aswMBR.exe (511KB) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post aswMBR.txt in your next reply
  • Also, ZIP MBR.dat it creates and attach it to your next reply

Step 2

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 3

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post.

#3
ßGéè Gêë (Topic Starter, Member, 16 posts)
I have sent the MBR.dat by email; here is the aswMBR.txt:


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-16 18:43:55
-----------------------------
18:43:55.028 OS Version: Windows 5.1.2600 Service Pack 3
18:43:55.028 Number of processors: 2 586 0x4B02
18:43:55.043 ComputerName: YOUR-4DACD0EA75 UserName:
18:43:59.042 Initialize success
18:49:27.717 AVAST engine defs: 12011601
18:52:36.642 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
18:52:36.642 Disk 0 Vendor: ST32000542AS CC95 Size: 1907729MB BusType: 3
18:52:36.642 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-26
18:52:36.642 Disk 1 Vendor: SAMSUNG_HD160JJ ZM100-33 Size: 152627MB BusType: 3
18:52:36.673 Disk 0 MBR read successfully
18:52:36.673 Disk 0 MBR scan
18:52:36.704 Disk 0 Windows VISTA default MBR code
18:52:36.704 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1835253 MB offset 63
18:52:36.720 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 72472 MB offset 3758599530
18:52:36.736 Disk 0 scanning sectors +3907024065
18:52:36.798 Disk 0 scanning C:\WINDOWS\system32\drivers
18:52:42.250 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Smadow [Rtk]
18:52:49.420 Disk 0 trace - called modules:
18:52:49.436 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xb3e20ff0]<<
18:52:49.436 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b36dab8]
18:52:49.436 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> [0x8abab658]
18:52:49.436 \Driver\00001787[0x8a778658] -> IRP_MJ_CREATE -> 0xb3e20ff0
18:52:54.419 AVAST engine scan C:\WINDOWS
18:53:40.846 AVAST engine scan C:\WINDOWS\system32
19:06:21.471 AVAST engine scan C:\WINDOWS\system32\drivers
19:06:33.659 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Smadow [Rtk]
19:10:20.174 AVAST engine scan C:\Documents and Settings\HP_Administrator
20:06:57.940 AVAST engine scan C:\Documents and Settings\All Users
20:16:15.096 Scan finished successfully
20:18:16.987 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
20:18:16.987 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"

#4
ßGéè Gêë (Topic Starter, Member, 16 posts)
Here is the TDSSKiller.txt:

20:20:48.0049 4796 TDSS rootkit removing tool 2.7.2.0 Jan 14 2012 20:07:30
20:20:48.0190 4796 ============================================================
20:20:48.0190 4796 Current date / time: 2012/01/16 20:20:48.0190
20:20:48.0190 4796 SystemInfo:
20:20:48.0190 4796
20:20:48.0190 4796 OS Version: 5.1.2600 ServicePack: 3.0
20:20:48.0190 4796 Product type: Workstation
20:20:48.0190 4796 ComputerName: YOUR-4DACD0EA75
20:20:48.0190 4796 UserName: HP_Administrator
20:20:48.0190 4796 Windows directory: C:\WINDOWS
20:20:48.0190 4796 System windows directory: C:\WINDOWS
20:20:48.0190 4796 Processor architecture: Intel x86
20:20:48.0190 4796 Number of processors: 2
20:20:48.0190 4796 Page size: 0x1000
20:20:48.0190 4796 Boot type: Normal boot
20:20:48.0190 4796 ============================================================
20:20:53.0409 4796 Drive \Device\Harddisk0\DR0 - Size: 0x1D1C1116000, SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
20:20:53.0424 4796 Drive \Device\Harddisk1\DR1 - Size: 0x25433D6000, SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
20:20:53.0627 4796 Initialize success
20:21:02.0690 2040 ============================================================
20:21:02.0690 2040 Scan started
20:21:02.0690 2040 Mode: Manual;
20:21:02.0690 2040 ============================================================
20:21:03.0955 2040 Abiosdsk - ok
20:21:04.0190 2040 abp480n5 - ok
20:21:04.0502 2040 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:21:04.0549 2040 ACPI - ok
20:21:04.0877 2040 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:21:04.0877 2040 ACPIEC - ok
20:21:05.0112 2040 adpu160m - ok
20:21:05.0440 2040 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:21:05.0487 2040 aec - ok
20:21:05.0862 2040 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:21:05.0893 2040 AFD - ok
20:21:06.0127 2040 Aha154x - ok
20:21:06.0362 2040 aic78u2 - ok
20:21:06.0705 2040 aic78xx - ok
20:21:06.0955 2040 AliIde - ok
20:21:07.0205 2040 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
20:21:07.0221 2040 AmdK8 - ok
20:21:07.0471 2040 amsint - ok
20:21:07.0830 2040 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
20:21:07.0830 2040 aracpi - ok
20:21:08.0080 2040 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
20:21:08.0080 2040 arhidfltr - ok
20:21:08.0330 2040 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
20:21:08.0330 2040 arkbcfltr - ok
20:21:08.0580 2040 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
20:21:08.0674 2040 armoucfltr - ok
20:21:08.0909 2040 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:21:08.0924 2040 Arp1394 - ok
20:21:09.0159 2040 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
20:21:09.0174 2040 ARPolicy - ok
20:21:09.0409 2040 asc - ok
20:21:09.0737 2040 asc3350p - ok
20:21:09.0955 2040 asc3550 - ok
20:21:10.0205 2040 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:21:10.0221 2040 AsyncMac - ok
20:21:10.0471 2040 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:10.0471 2040 atapi - ok
20:21:10.0799 2040 Atdisk - ok
20:21:11.0049 2040 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:21:11.0065 2040 Atmarpc - ok
20:21:11.0299 2040 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:21:11.0315 2040 audstub - ok
20:21:11.0565 2040 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:21:11.0565 2040 Beep - ok
20:21:11.0987 2040 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20111223.001\BHDrvx86.sys
20:21:12.0174 2040 BHDrvx86 - ok
20:21:12.0424 2040 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:21:12.0424 2040 cbidf2k - ok
20:21:12.0784 2040 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:21:12.0784 2040 CCDECODE - ok
20:21:13.0002 2040 cd20xrnt - ok
20:21:13.0268 2040 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:21:13.0268 2040 Cdaudio - ok
20:21:13.0518 2040 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:21:13.0534 2040 Cdfs - ok
20:21:13.0893 2040 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:21:13.0909 2040 Cdrom - ok
20:21:14.0143 2040 Changer - ok
20:21:14.0393 2040 CmdIde - ok
20:21:14.0752 2040 Cpqarray - ok
20:21:15.0002 2040 CxLPT (33a28b28a4b10eb89fdb926226618a3b) C:\WINDOWS\system32\drivers\CxLPT.sys
20:21:15.0002 2040 CxLPT - ok
20:21:15.0237 2040 dac2w2k - ok
20:21:15.0471 2040 dac960nt - ok
20:21:15.0815 2040 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:15.0830 2040 Disk - ok
20:21:16.0268 2040 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:21:16.0455 2040 dmboot - ok
20:21:16.0721 2040 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:21:16.0768 2040 dmio - ok
20:21:17.0002 2040 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:21:17.0002 2040 dmload - ok
20:21:17.0268 2040 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:21:17.0284 2040 DMusic - ok
20:21:17.0518 2040 dpti2o - ok
20:21:17.0752 2040 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:21:17.0752 2040 drmkaud - ok
20:21:17.0940 2040 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
20:21:18.0034 2040 eeCtrl - ok
20:21:18.0096 2040 EraserUtilRebootDrv (720b18d76de9e603b626dfcd6f1fca7c) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
20:21:18.0127 2040 EraserUtilRebootDrv - ok
20:21:18.0409 2040 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:21:18.0440 2040 Fastfat - ok
20:21:18.0705 2040 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:21:18.0705 2040 Fdc - ok
20:21:18.0955 2040 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:21:18.0971 2040 Fips - ok
20:21:19.0205 2040 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:21:19.0221 2040 Flpydisk - ok
20:21:19.0487 2040 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:21:19.0518 2040 FltMgr - ok
20:21:19.0752 2040 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:21:19.0768 2040 Fs_Rec - ok
20:21:20.0018 2040 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:21:20.0049 2040 Ftdisk - ok
20:21:20.0284 2040 ftsata2 - ok
20:21:20.0534 2040 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
20:21:20.0534 2040 GEARAspiWDM - ok
20:21:20.0799 2040 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:21:20.0815 2040 Gpc - ok
20:21:21.0080 2040 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:21:21.0112 2040 HDAudBus - ok
20:21:21.0377 2040 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:21:21.0393 2040 HidUsb - ok
20:21:21.0627 2040 hpn - ok
20:21:21.0909 2040 HSXHWBS2 (1f5c64b0c6b2e2f48735a77ae714ccb8) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
20:21:21.0971 2040 HSXHWBS2 - ok
20:21:22.0455 2040 HSX_DP (a7f8c9228898a1e871d2ae7082f50ac3) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
20:21:22.0674 2040 HSX_DP - ok
20:21:23.0002 2040 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:21:23.0065 2040 HTTP - ok
20:21:23.0299 2040 i2omgmt - ok
20:21:23.0534 2040 i2omp - ok
20:21:23.0784 2040 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:21:23.0799 2040 i8042prt - ok
20:21:24.0018 2040 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120113.002\IDSxpx86.sys
20:21:24.0096 2040 IDSxpx86 - ok
20:21:24.0362 2040 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:21:24.0362 2040 Imapi - ok
20:21:24.0596 2040 InCDFs - ok
20:21:24.0830 2040 InCDPass - ok
20:21:25.0065 2040 InCDRm - ok
20:21:25.0299 2040 ini910u - ok
20:21:26.0752 2040 IntcAzAudAddService (14b48553be78472d2bd3a518658a1710) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:21:27.0987 2040 IntcAzAudAddService - ok
20:21:28.0221 2040 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:21:28.0221 2040 IntelIde - ok
20:21:28.0487 2040 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:21:28.0487 2040 intelppm - ok
20:21:28.0737 2040 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:21:28.0752 2040 Ip6Fw - ok
20:21:29.0002 2040 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:21:29.0002 2040 IpFilterDriver - ok
20:21:29.0252 2040 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:21:29.0252 2040 IpInIp - ok
20:21:29.0549 2040 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:21:29.0596 2040 IpNat - ok
20:21:29.0846 2040 IPSec (fc383d2606cc1315b149161cca5621d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:21:29.0862 2040 IPSec - ok
20:21:30.0096 2040 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:21:30.0112 2040 IRENUM - ok
20:21:30.0362 2040 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:21:30.0362 2040 isapnp - ok
20:21:30.0612 2040 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:21:30.0612 2040 Kbdclass - ok
20:21:30.0893 2040 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:21:30.0940 2040 kmixer - ok
20:21:31.0205 2040 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:21:31.0237 2040 KSecDD - ok
20:21:31.0487 2040 lbrtfdc - ok
20:21:31.0752 2040 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:21:31.0768 2040 mdmxsdk - ok
20:21:32.0018 2040 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:21:32.0018 2040 MHNDRV - ok
20:21:32.0252 2040 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:21:32.0268 2040 mnmdd - ok
20:21:32.0534 2040 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:21:32.0549 2040 Modem - ok
20:21:32.0815 2040 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
20:21:32.0830 2040 motmodem - ok
20:21:33.0112 2040 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:21:33.0112 2040 Mouclass - ok
20:21:33.0393 2040 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:21:33.0393 2040 mouhid - ok
20:21:33.0659 2040 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:21:33.0659 2040 MountMgr - ok
20:21:33.0893 2040 mraid35x - ok
20:21:34.0190 2040 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:21:34.0237 2040 MRxDAV - ok
20:21:34.0596 2040 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:21:34.0705 2040 MRxSmb - ok
20:21:34.0955 2040 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:21:34.0971 2040 Msfs - ok
20:21:35.0237 2040 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:21:35.0237 2040 MSKSSRV - ok
20:21:35.0487 2040 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:21:35.0487 2040 MSPCLOCK - ok
20:21:35.0815 2040 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:21:35.0815 2040 MSPQM - ok
20:21:36.0065 2040 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:21:36.0065 2040 mssmbios - ok
20:21:36.0315 2040 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
20:21:36.0315 2040 MSTEE - ok
20:21:36.0612 2040 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:21:36.0627 2040 Mup - ok
20:21:36.0909 2040 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:21:36.0924 2040 NABTSFEC - ok
20:21:37.0080 2040 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120116.002\NAVENG.SYS
20:21:37.0080 2040 NAVENG - ok
20:21:37.0518 2040 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120116.002\NAVEX15.SYS
20:21:37.0893 2040 NAVEX15 - ok
20:21:38.0190 2040 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:21:38.0221 2040 NDIS - ok
20:21:38.0471 2040 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:21:38.0487 2040 NdisIP - ok
20:21:38.0721 2040 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:21:38.0721 2040 NdisTapi - ok
20:21:38.0971 2040 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:21:38.0987 2040 Ndisuio - ok
20:21:39.0237 2040 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:21:39.0252 2040 NdisWan - ok
20:21:39.0549 2040 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:21:39.0565 2040 NDProxy - ok
20:21:39.0799 2040 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:21:39.0815 2040 NetBIOS - ok
20:21:40.0096 2040 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:21:40.0127 2040 NetBT - ok
20:21:40.0424 2040 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:21:40.0440 2040 NIC1394 - ok
20:21:40.0705 2040 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:21:40.0721 2040 Npfs - ok
20:21:41.0096 2040 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:21:41.0237 2040 Ntfs - ok
20:21:41.0596 2040 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:21:41.0627 2040 Null - ok
20:21:44.0409 2040 nv (b9b1bb146eb9a83dcf0f5635b09d3d43) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:21:46.0737 2040 nv - ok
20:21:46.0987 2040 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
20:21:46.0987 2040 NVENETFD - ok
20:21:47.0237 2040 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
20:21:47.0237 2040 nvnetbus - ok
20:21:47.0487 2040 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:21:47.0487 2040 NwlnkFlt - ok
20:21:47.0737 2040 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:21:47.0752 2040 NwlnkFwd - ok
20:21:48.0002 2040 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:21:48.0018 2040 ohci1394 - ok
20:21:48.0268 2040 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:21:48.0299 2040 Parport - ok
20:21:48.0534 2040 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:21:48.0534 2040 PartMgr - ok
20:21:48.0768 2040 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:21:48.0784 2040 ParVdm - ok
20:21:48.0987 2040 PCD5SRVC{8A863ACB-F5F6CC6A-05010004} (1d61739a00374c34a2583f52a0cebfe3) C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms
20:21:49.0096 2040 PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - ok
20:21:49.0346 2040 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:21:49.0362 2040 PCI - ok
20:21:49.0596 2040 PCIDump - ok
20:21:49.0830 2040 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:21:49.0830 2040 PCIIde - ok
20:21:50.0096 2040 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:21:50.0127 2040 Pcmcia - ok
20:21:50.0362 2040 PDCOMP - ok
20:21:50.0596 2040 PDFRAME - ok
20:21:50.0815 2040 PDRELI - ok
20:21:51.0049 2040 PDRFRAME - ok
20:21:51.0284 2040 perc2 - ok
20:21:51.0518 2040 perc2hib - ok
20:21:51.0799 2040 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:21:51.0815 2040 PptpMiniport - ok
20:21:52.0065 2040 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
20:21:52.0065 2040 Processor - ok
20:21:52.0315 2040 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
20:21:52.0315 2040 Ps2 - ok
20:21:52.0565 2040 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:21:52.0580 2040 PSched - ok
20:21:52.0830 2040 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:21:52.0830 2040 Ptilink - ok
20:21:53.0080 2040 PxHelp20 (97b735de4e3cd44c71c8cb09bdbf07b7) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:21:53.0080 2040 PxHelp20 - ok
20:21:53.0315 2040 ql1080 - ok
20:21:53.0549 2040 Ql10wnt - ok
20:21:53.0784 2040 ql12160 - ok
20:21:54.0018 2040 ql1240 - ok
20:21:54.0252 2040 ql1280 - ok
20:21:54.0518 2040 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:21:54.0518 2040 RasAcd - ok
20:21:54.0768 2040 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:21:54.0784 2040 Rasl2tp - ok
20:21:55.0034 2040 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:21:55.0034 2040 RasPppoe - ok
20:21:55.0268 2040 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:21:55.0284 2040 Raspti - ok
20:21:55.0565 2040 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:21:55.0612 2040 Rdbss - ok
20:21:55.0846 2040 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:21:55.0862 2040 RDPCDD - ok
20:21:56.0143 2040 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:21:56.0190 2040 rdpdr - ok
20:21:56.0471 2040 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:21:56.0502 2040 RDPWD - ok
20:21:56.0768 2040 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:21:56.0784 2040 redbook - ok
20:21:57.0049 2040 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
20:21:57.0049 2040 rtl8139 - ok
20:21:57.0315 2040 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:21:57.0330 2040 Secdrv - ok
20:21:57.0596 2040 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
20:21:57.0612 2040 Serial - ok
20:21:57.0877 2040 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:21:57.0877 2040 Sfloppy - ok
20:21:58.0112 2040 Simbad - ok
20:21:58.0377 2040 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:21:58.0393 2040 SLIP - ok
20:21:58.0659 2040 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys
20:21:58.0690 2040 snapman - ok
20:21:58.0924 2040 Sparrow - ok
20:21:59.0190 2040 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:21:59.0190 2040 splitter - ok
20:21:59.0440 2040 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:21:59.0455 2040 sr - ok
20:21:59.0877 2040 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS
20:22:00.0018 2040 SRTSP - ok
20:22:00.0268 2040 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS
20:22:00.0299 2040 SRTSPX - ok
20:22:00.0627 2040 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:22:00.0721 2040 Srv - ok
20:22:00.0971 2040 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:22:00.0987 2040 streamip - ok
20:22:01.0221 2040 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:22:01.0221 2040 swenum - ok
20:22:01.0487 2040 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:22:01.0502 2040 swmidi - ok
20:22:01.0737 2040 symc810 - ok
20:22:01.0971 2040 symc8xx - ok
20:22:02.0299 2040 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS
20:22:02.0393 2040 SymDS - ok
20:22:02.0815 2040 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS
20:22:03.0002 2040 SymEFA - ok
20:22:03.0268 2040 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
20:22:03.0315 2040 SymEvent - ok
20:22:03.0580 2040 SymIM (94a2459242a6dd0daf3baa99e96784ff) C:\WINDOWS\system32\DRIVERS\SymIM.sys
20:22:03.0580 2040 SymIM - ok
20:22:03.0596 2040 SymIMMP (94a2459242a6dd0daf3baa99e96784ff) C:\WINDOWS\system32\DRIVERS\SymIM.sys
20:22:03.0596 2040 SymIMMP - ok
20:22:03.0877 2040 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS
20:22:03.0909 2040 SymIRON - ok
20:22:04.0237 2040 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS
20:22:04.0330 2040 SYMTDI - ok
20:22:04.0565 2040 sym_hi - ok
20:22:04.0799 2040 sym_u3 - ok
20:22:05.0049 2040 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:22:05.0065 2040 sysaudio - ok
20:22:05.0424 2040 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:22:05.0502 2040 Tcpip - ok
20:22:05.0846 2040 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:22:05.0846 2040 TDPIPE - ok
20:22:06.0174 2040 tdrpman (3b7b6779eb231f731bba8f9fe67aadfc) C:\WINDOWS\system32\DRIVERS\tdrpman.sys
20:22:06.0284 2040 tdrpman - ok
20:22:06.0549 2040 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:22:06.0565 2040 TDTCP - ok
20:22:06.0924 2040 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:22:06.0940 2040 TermDD - ok
20:22:07.0190 2040 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
20:22:07.0190 2040 tifsfilter - ok
20:22:07.0534 2040 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys
20:22:07.0643 2040 timounter - ok
20:22:07.0877 2040 TosIde - ok
20:22:08.0174 2040 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:22:08.0205 2040 Udfs - ok
20:22:08.0440 2040 ultra - ok
20:22:08.0784 2040 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:22:08.0877 2040 Update - ok
20:22:09.0143 2040 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:22:09.0159 2040 USBAAPL - ok
20:22:09.0424 2040 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
20:22:09.0440 2040 usbaudio - ok
20:22:09.0721 2040 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:22:09.0721 2040 usbccgp - ok
20:22:10.0002 2040 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:22:10.0018 2040 usbehci - ok
20:22:10.0284 2040 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:22:10.0299 2040 usbhub - ok
20:22:10.0565 2040 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
20:22:10.0580 2040 usbohci - ok
20:22:10.0846 2040 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:22:10.0862 2040 usbprint - ok
20:22:11.0112 2040 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:22:11.0127 2040 usbscan - ok
20:22:11.0377 2040 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:22:11.0393 2040 usbstor - ok
20:22:11.0643 2040 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:22:11.0659 2040 usbuhci - ok
20:22:11.0940 2040 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
20:22:11.0971 2040 usbvideo - ok
20:22:12.0237 2040 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:22:12.0252 2040 VgaSave - ok
20:22:12.0502 2040 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:22:12.0502 2040 ViaIde - ok
20:22:12.0784 2040 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:22:12.0799 2040 VolSnap - ok
20:22:13.0049 2040 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:22:13.0065 2040 Wanarp - ok
20:22:13.0440 2040 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
20:22:13.0549 2040 Wdf01000 - ok
20:22:13.0799 2040 WDICA - ok
20:22:14.0096 2040 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:22:14.0127 2040 wdmaud - ok
20:22:14.0580 2040 winachsx (11ec1afceb5c917ce73d3c301ff4291e) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
20:22:14.0752 2040 winachsx - ok
20:22:15.0049 2040 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
20:22:15.0065 2040 WinUSB - ok
20:22:15.0330 2040 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
20:22:15.0346 2040 WpdUsb - ok
20:22:15.0612 2040 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:22:15.0612 2040 WSTCODEC - ok
20:22:15.0909 2040 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:22:15.0924 2040 WudfPf - ok
20:22:16.0221 2040 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\WUDFRd.sys
20:22:16.0268 2040 WUDFRd - ok
20:22:16.0565 2040 zumbus (ae279cd76b38fc079eec3ca6d65a5926) C:\WINDOWS\system32\DRIVERS\zumbus.sys
20:22:16.0580 2040 zumbus - ok
20:22:16.0627 2040 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
20:22:16.0643 2040 \Device\Harddisk0\DR0 - ok
20:22:16.0659 2040 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR1
20:22:16.0893 2040 \Device\Harddisk1\DR1 - ok
20:22:16.0893 2040 Boot (0x1200) (11c38085148a51121e31fd33aebfc16a) \Device\Harddisk0\DR0\Partition0
20:22:16.0893 2040 \Device\Harddisk0\DR0\Partition0 - ok
20:22:16.0909 2040 Boot (0x1200) (a3c46c2819a4dd9a5b356f45154dcad1) \Device\Harddisk0\DR0\Partition1
20:22:16.0909 2040 \Device\Harddisk0\DR0\Partition1 - ok
20:22:16.0909 2040 Boot (0x1200) (4f0646ff06d3a18e39a6db4b3db50bb6) \Device\Harddisk1\DR1\Partition0
20:22:16.0909 2040 \Device\Harddisk1\DR1\Partition0 - ok
20:22:16.0924 2040 ============================================================
20:22:16.0924 2040 Scan finished
20:22:16.0924 2040 ============================================================
20:22:16.0924 4904 Detected object count: 0
20:22:16.0924 4904 Actual detected object count: 0
  • 0
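The scan above ends with `Detected object count: 0`, yet the ComboFix run later in this thread found and replaced an infected `ipsec.sys`: a clean result from one rootkit scanner only rules out what that scanner knows how to find. What a log in this format is still good for is a baseline of the MD5 of every loaded driver and of the MBR and boot sectors, which a later scan can be diffed against. The Python below is an added example for this thread, not code from TDSSKiller or its vendor. It parses lines in the shape posted above (timestamp, PID, object, MD5 in parentheses, path, then a separate `<object> - <verdict>` line), attaches each verdict to its object and diffs two snapshots. `SNAPSHOT_A` reuses lines from the posted log; `SNAPSHOT_B` is constructed, with a made-up MBR hash and a made-up `- warning` verdict to show what a change looks like, and the exact verdict wording the real tool prints is an assumption.

```python
"""Diff two TDSSKiller-style scan logs by driver / boot-sector hash.

Added example for this thread, not code from TDSSKiller or its vendor.
Parses lines in the shape of the scan posted above and reports objects whose
hash changed between two runs, plus anything the scanner did not mark "ok".
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# "20:22:10.0002 2040 usbehci (65dc...) C:\WINDOWS\system32\DRIVERS\usbehci.sys"
# "20:22:16.0627 2040 MBR (0x1B8) (5c61...) \Device\Harddisk0\DR0"
_ENTRY = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
    r"(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?)\s+"   # driver name, or "MBR (0x1B8)" / "Boot (0x1200)"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$"
)
# "20:22:10.0018 2040 usbehci - ok"   /   "20:22:16.0643 2040 \Device\Harddisk0\DR0 - ok"
_VERDICT = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<obj>.+?) - (?P<verdict>.+?)\s*$")
_COUNT = re.compile(r"^.*Detected object count:\s*(\d+)\s*$", re.M)


class Entry(NamedTuple):
    md5: str
    path: str
    verdict: str   # "ok", whatever else the scanner printed, or "" if no verdict line followed


def parse_log(text: str) -> Dict[str, Entry]:
    """Map each scanned object to its hash, path and verdict.

    Drivers are keyed by service name; MBR/boot-sector entries are keyed by
    device path, because that is the name their verdict line uses.
    """
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            key = path if name.startswith(("MBR", "Boot")) else name
            entries[key] = Entry(m.group("md5"), path, "")
            continue
        v = _VERDICT.match(line)
        if v and v.group("obj") in entries:
            entries[v.group("obj")] = entries[v.group("obj")]._replace(verdict=v.group("verdict"))
    return entries


def diff_snapshots(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, Tuple[str, str]]:
    """Objects present in both scans whose MD5 changed: {key: (old_md5, new_md5)}."""
    return {k: (before[k].md5, after[k].md5)
            for k in sorted(before.keys() & after.keys())
            if before[k].md5 != after[k].md5}


def not_ok(entries: Dict[str, Entry]) -> list:
    """Keys the scanner did not mark 'ok' (including entries with no verdict line at all)."""
    return sorted(k for k, e in entries.items() if e.verdict != "ok")


def reported_count(text: str) -> Optional[int]:
    """The scanner's own 'Detected object count' summary line, or None if absent."""
    m = _COUNT.search(text)
    return int(m.group(1)) if m else None


# Excerpt of the scan posted above (real lines, real hashes).
SNAPSHOT_A = r"""
20:22:10.0002 2040 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:22:10.0018 2040 usbehci - ok
20:22:13.0440 2040 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
20:22:13.0549 2040 Wdf01000 - ok
20:22:16.0627 2040 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
20:22:16.0643 2040 \Device\Harddisk0\DR0 - ok
20:22:16.0924 4904 Detected object count: 0
"""

# Constructed follow-up scan: same drivers, but the MBR hash differs and the
# scanner no longer says "ok" for it (the hash and the verdict text are made up).
SNAPSHOT_B = r"""
21:05:01.0001 1812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:05:01.0017 1812 usbehci - ok
21:05:03.0440 1812 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:05:03.0549 1812 Wdf01000 - ok
21:05:06.0627 1812 MBR (0x1B8) (deadbeefdeadbeefdeadbeefdeadbeef) \Device\Harddisk0\DR0
21:05:06.0643 1812 \Device\Harddisk0\DR0 - warning
21:05:06.0924 1812 Detected object count: 1
"""

if __name__ == "__main__":
    a, b = parse_log(SNAPSHOT_A), parse_log(SNAPSHOT_B)
    for key, (old, new) in diff_snapshots(a, b).items():
        print(f"CHANGED {key}: {old} -> {new}")
    print("not ok:", not_ok(b), "| scanner reported:", reported_count(SNAPSHOT_B))
```

A hash that changes for a driver that Windows Update did not touch, or for the MBR at all, is what you want to see before the scanner's own verdict changes; keep the first clean-looking log rather than throwing it away.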

#5
ßGéè Gêë

ßGéè Gêë

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Couldn't figure out how to attach MBR.dat to the post... so if you can tell me how, I will.
  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Please do the following now:

  • On your desktop should be a file MBR.dat.
  • Right-click that file, point to Send To, and then click Compressed (zipped) Folder.
  • A new compressed file is created.
  • Please attach that file in your next reply.

How to add an attachment to a new topic or reply
  • 0

#7
ßGéè Gêë

ßGéè Gêë

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK, there's the MBR.dat.

Attached Files

  • Attached File  MBR.zip   557 bytes   137 downloads

  • 0

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.
  • 0

#9
ßGéè Gêë

ßGéè Gêë

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK, ran the ComboFix, and it asked me to update and d/l MS System Restore; I did. I also disabled antivirus and firewall (until next system restart). After System Restore d/l'ed and installed, ComboFix restarted and ran, but my antivirus and firewall also started. ComboFix finished running and restarted again, and I got an alert from my WinPatrol that my HOSTS file was changed; I accepted the change. ComboFix printed the txt file.
The computer appears to be working fine. I haven't gotten any more nonexistent TCP connections, or the alert from NIS about manually removing Tidserv Activity 2; however, after the last restart of ComboFix, the System Tray icon for NIS wasn't there. I am going to restart my computer and see if it comes back.
Here's the ComboFix log:

ComboFix 12-01-17.01 - HP_Administrator 01/17/2012 14:47:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2516 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\chrtmp
c:\documents and settings\HP_Administrator\Application Data\logs.dat
c:\documents and settings\HP_Administrator\Application Data\SQLite3.dll
c:\documents and settings\HP_Administrator\Local Settings\Application Data\assembly\tmp
c:\documents and settings\HP_Administrator\WINDOWS
C:\ErrLog.txt
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{EB0696D4-2A41-40E5-B848-F148B3C4590D}\setup.msi
c:\program files\Internet Explorer\SET9D1.tmp
c:\program files\Internet Explorer\SET9D2.tmp
c:\program files\Internet Explorer\SET9D4.tmp
c:\program files\Internet Explorer\SETA38.tmp
c:\program files\Internet Explorer\SETA39.tmp
c:\program files\Internet Explorer\SETA3A.tmp
c:\windows\$NtUninstallKB65490$
c:\windows\$NtUninstallKB65490$\3246866005\@
c:\windows\$NtUninstallKB65490$\3246866005\bckfg.tmp
c:\windows\$NtUninstallKB65490$\3246866005\cfg.ini
c:\windows\$NtUninstallKB65490$\3246866005\Desktop.ini
c:\windows\$NtUninstallKB65490$\3246866005\keywords
c:\windows\$NtUninstallKB65490$\3246866005\kwrd.dll
c:\windows\$NtUninstallKB65490$\3246866005\L\aqaeidou
c:\windows\$NtUninstallKB65490$\3246866005\U\00000001.@
c:\windows\$NtUninstallKB65490$\3246866005\U\00000002.@
c:\windows\$NtUninstallKB65490$\3246866005\U\00000004.@
c:\windows\$NtUninstallKB65490$\3246866005\U\80000000.@
c:\windows\$NtUninstallKB65490$\3246866005\U\80000004.@
c:\windows\$NtUninstallKB65490$\3246866005\U\80000032.@
c:\windows\$NtUninstallKB65490$\3447672851
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\SET5BA.tmp
c:\windows\SET5BD.tmp
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\EhjPrtwa.ini
c:\windows\system32\EhjPrtwa.ini2
c:\windows\system32\SET16.tmp
c:\windows\system32\SET19.tmp
c:\windows\system32\SET1A2.tmp
c:\windows\system32\SET1A9.tmp
c:\windows\system32\SET1C.tmp
c:\windows\system32\SET1C2.tmp
c:\windows\system32\SET1C3.tmp
c:\windows\system32\SET1CD.tmp
c:\windows\system32\SET1CE.tmp
c:\windows\system32\SET1D8.tmp
c:\windows\system32\SET1E.tmp
c:\windows\system32\SET1E0.tmp
c:\windows\system32\SET1F5.tmp
c:\windows\system32\SET1FA.tmp
c:\windows\system32\SET1FF.tmp
c:\windows\system32\SET209.tmp
c:\windows\system32\SET212.tmp
c:\windows\system32\SET213.tmp
c:\windows\system32\SET21A.tmp
c:\windows\system32\SET21B.tmp
c:\windows\system32\SET23.tmp
c:\windows\system32\SET23F.tmp
c:\windows\system32\SET24.tmp
c:\windows\system32\SET242.tmp
c:\windows\system32\SET245.tmp
c:\windows\system32\SET248.tmp
c:\windows\system32\SET24B.tmp
c:\windows\system32\SET25.tmp
c:\windows\system32\SET250.tmp
c:\windows\system32\SET260.tmp
c:\windows\system32\SET261.tmp
c:\windows\system32\SET268.tmp
c:\windows\system32\SET269.tmp
c:\windows\system32\SET291.tmp
c:\windows\system32\SET294.tmp
c:\windows\system32\SET2C9.tmp
c:\windows\system32\SET2CD.tmp
c:\windows\system32\SET35.tmp
c:\windows\system32\SET36.tmp
c:\windows\system32\SET37.tmp
c:\windows\system32\SET38B.tmp
c:\windows\system32\SET396.tmp
c:\windows\system32\SET3A5.tmp
c:\windows\system32\SET3A7.tmp
c:\windows\system32\SET3B0.tmp
c:\windows\system32\SET3B2.tmp
c:\windows\system32\SET3B8.tmp
c:\windows\system32\SET3BB.tmp
c:\windows\system32\SET3C5.tmp
c:\windows\system32\SET3CF.tmp
c:\windows\system32\SET4A.tmp
c:\windows\system32\SET4B.tmp
c:\windows\system32\SET4D5.tmp
c:\windows\system32\SET4D8.tmp
c:\windows\system32\SET50.tmp
c:\windows\system32\SET51.tmp
c:\windows\system32\SET579.tmp
c:\windows\system32\SET57B.tmp
c:\windows\system32\SET584.tmp
c:\windows\system32\SET58B.tmp
c:\windows\system32\SET5A2.tmp
c:\windows\system32\SET5A5.tmp
c:\windows\system32\SET5C4.tmp
c:\windows\system32\SET5C7.tmp
c:\windows\system32\SET621.tmp
c:\windows\system32\SET622.tmp
c:\windows\system32\SET624.tmp
c:\windows\system32\SET625.tmp
c:\windows\system32\SET64.tmp
c:\windows\system32\SET77.tmp
c:\windows\system32\SET83.tmp
c:\windows\system32\SET86.tmp
c:\windows\system32\SET97B.tmp
c:\windows\system32\SET97E.tmp
c:\windows\system32\SET9DE.tmp
c:\windows\system32\SET9DF.tmp
c:\windows\system32\SET9E1.tmp
c:\windows\system32\SET9E2.tmp
c:\windows\system32\SET9E3.tmp
c:\windows\system32\SET9E4.tmp
c:\windows\system32\SET9E5.tmp
c:\windows\system32\SET9E6.tmp
c:\windows\system32\SET9E8.tmp
c:\windows\system32\SET9EA.tmp
c:\windows\system32\SET9EB.tmp
c:\windows\system32\SET9EC.tmp
c:\windows\system32\SET9EF.tmp
c:\windows\system32\SET9F.tmp
c:\windows\system32\SET9F0.tmp
c:\windows\system32\SET9F3.tmp
c:\windows\system32\SET9F4.tmp
c:\windows\system32\SET9F6.tmp
c:\windows\system32\SET9F9.tmp
c:\windows\system32\SET9FA.tmp
c:\windows\system32\SET9FB.tmp
c:\windows\system32\SET9FC.tmp
c:\windows\system32\SET9FD.tmp
c:\windows\system32\SET9FE.tmp
c:\windows\system32\SETA02.tmp
c:\windows\system32\SETA03.tmp
c:\windows\system32\SETA04.tmp
c:\windows\system32\SETA05.tmp
c:\windows\system32\SETA06.tmp
c:\windows\system32\SETA07.tmp
c:\windows\system32\SETA08.tmp
c:\windows\system32\SETA09.tmp
c:\windows\system32\SETA0A.tmp
c:\windows\system32\SETA0B.tmp
c:\windows\system32\SETA0C.tmp
c:\windows\system32\SETA0D.tmp
c:\windows\system32\SETA0E.tmp
c:\windows\system32\SETA1.tmp
c:\windows\system32\SETA10.tmp
c:\windows\system32\SETA11.tmp
c:\windows\system32\SETA12.tmp
c:\windows\system32\SETA13.tmp
c:\windows\system32\SETA15.tmp
c:\windows\system32\SETA2.tmp
c:\windows\system32\SETA3.tmp
c:\windows\system32\SETA41.tmp
c:\windows\system32\SETA42.tmp
c:\windows\system32\SETA43.tmp
c:\windows\system32\SETA44.tmp
c:\windows\system32\SETA45.tmp
c:\windows\system32\SETA46.tmp
c:\windows\system32\SETA47.tmp
c:\windows\system32\SETA48.tmp
c:\windows\system32\SETA49.tmp
c:\windows\system32\SETA4A.tmp
c:\windows\system32\SETA4B.tmp
c:\windows\system32\SETA4C.tmp
c:\windows\system32\SETA4D.tmp
c:\windows\system32\SETA4E.tmp
c:\windows\system32\SETA4F.tmp
c:\windows\system32\SETA50.tmp
c:\windows\system32\SETA51.tmp
c:\windows\system32\SETA53.tmp
c:\windows\system32\SETA54.tmp
c:\windows\system32\SETA55.tmp
c:\windows\system32\SETA56.tmp
c:\windows\system32\SETA57.tmp
c:\windows\system32\SETA58.tmp
c:\windows\system32\SETA59.tmp
c:\windows\system32\SETA5A.tmp
c:\windows\system32\SETA5B.tmp
c:\windows\system32\SETA5C.tmp
c:\windows\system32\SETA5D.tmp
c:\windows\system32\SETA5E.tmp
c:\windows\system32\SETA5F.tmp
c:\windows\system32\SETA60.tmp
c:\windows\system32\SETA61.tmp
c:\windows\system32\SETA62.tmp
c:\windows\system32\SETA63.tmp
c:\windows\system32\SETA64.tmp
c:\windows\system32\SETA65.tmp
c:\windows\system32\SETA66.tmp
c:\windows\system32\SETA67.tmp
c:\windows\system32\SETA68.tmp
c:\windows\system32\SETA69.tmp
c:\windows\system32\SETA6A.tmp
c:\windows\system32\SETAA7.tmp
c:\windows\system32\SETAAA.tmp
c:\windows\system32\SETAAD.tmp
c:\windows\system32\SETAB0.tmp
c:\windows\system32\SETAC2.tmp
c:\windows\system32\SETAC3.tmp
c:\windows\system32\SETAC9.tmp
c:\windows\system32\SETACA.tmp
c:\windows\system32\SETAD.tmp
c:\windows\system32\SETAEF.tmp
c:\windows\system32\SETAF4.tmp
c:\windows\system32\SETAF8.tmp
c:\windows\system32\SETAF9.tmp
c:\windows\system32\SETAFB.tmp
c:\windows\system32\SETAFC.tmp
c:\windows\system32\SETB18.tmp
c:\windows\system32\SETB1B.tmp
c:\windows\system32\SETB3.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETBA.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETC0.tmp
c:\windows\system32\SETDD.tmp
c:\windows\system32\SETE0.tmp
c:\windows\system32\SETE1.tmp
c:\windows\system32\SETE6.tmp
c:\windows\system32\SETE8.tmp
c:\windows\system32\SETEE.tmp
c:\windows\system32\SETF0.tmp
c:\windows\system32\SETF1.tmp
c:\windows\system32\SETF2.tmp
c:\windows\system32\SETF3.tmp
c:\windows\WindowsUpdate.log
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-17 21:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-17 21:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-16 00:29 . 2012-01-16 00:29 -------- d-----w- C:\d87d0836b24efa0b4c
2012-01-15 21:38 . 2011-03-31 03:04 44024 ----a-r- c:\windows\system32\drivers\SymIM.sys
2012-01-15 03:13 . 2012-01-15 21:08 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-01-15 03:13 . 2012-01-15 03:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FixTDSS
2012-01-03 16:52 . 2012-01-03 16:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ScanSoft
2012-01-03 16:52 . 2012-01-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2012-01-03 16:52 . 2012-01-03 16:52 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2012-01-03 16:51 . 2012-01-03 16:51 -------- d-----w- c:\program files\ScanSoft
2011-12-28 18:54 . 2011-12-28 18:54 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\SanctionedMedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 16:18 . 2011-11-09 23:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-10 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-01-31 02:27 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 04:00 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-10 04:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-10 04:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 04:00 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 04:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 04:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-01-31 02:17 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-01-31 02:17 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HistoryKill"="c:\program files\HistoryKill 2007\histkill.exe" [2007-03-29 302592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-7 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-7 27136]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/10/2011 11:24 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/10/2011 11:24 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 7:25 PM 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/10/2011 11:24 AM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/10/2011 11:23 AM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/14/2012 8:15 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120113.002\IDSXpx86.sys [1/14/2012 12:33 PM 356280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 4:51 PM 30963576]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 7:37 PM 4640000]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [5/10/2006 10:26 PM 21248]
S3 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 5:39 PM 431456]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [8/5/2011 11:30 AM 268512]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 DcomLaunch32;DCOM Server Process Launcher ;c:\windows\system32\fxsapi32.exe --> c:\windows\system32\fxsapi32.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -
.
Notify-yayyvTKe - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-17 14:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1368)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2012-01-17 15:02:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 22:02
.
Pre-Run: 1,511,418,138,624 bytes free
Post-Run: 1,511,730,667,520 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT
.
- - End Of File - - 699A65D6F3D77B6CA68AE88526DC60E0
  • 0
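Reading a ComboFix log is mostly pattern recognition, and the one above has several shapes a responder learns to spot: a `$NtUninstallKB65490$` folder whose numeric subfolder holds `@`, `U\`, `L\`, `cfg.ini` and `kwrd.dll` rather than the `spuninst` layout of a genuine hotfix; an `ipsec.sys` that ComboFix found patched and replaced; an `S4 DcomLaunch32` service whose display name copies the real DCOM Server Process Launcher but whose image file `fxsapi32.exe` is missing (`[?]`); and a Winlogon `Notify-yayyvTKe` entry with no file behind it. The Security Center `DisableMonitoring` and `EnableFirewall= 0` values are what a suite like NIS sets for itself, so they rank low and only need confirming. The Python below is an added example for this thread, not ComboFix's code: it encodes those shapes as rules and runs them over a short constructed excerpt of the log. The rule names and severities are this example's own judgement, not anything the tool or the thread defines.

```python
"""Triage a ComboFix-style log for lines that deserve a second look.

Added example for this thread, not ComboFix's own code.  The rules are written
against line shapes that appear in the log posted above; the rule names,
severities and the constructed SAMPLE_LOG excerpt below are this example's own.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high" | "medium" | "low"
    rule: str
    line: str


# (severity, rule name, pattern).  Each pattern is tested against one stripped log line.
RULES = [
    # $NtUninstallKBnnnnnn$ folders from a real hotfix hold a spuninst\ subfolder;
    # a numeric subfolder with '@', 'U\', 'L\', cfg.ini or kwrd.dll is not that layout.
    ("high", "fake-hotfix-folder-store",
     re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\(?:@|U\\|L\\|cfg\.ini|kwrd\.dll)", re.I)),
    # ComboFix replaced a system driver it found patched.
    ("high", "patched-system-driver",
     re.compile(r"^Infected copy of .+\\drivers\\\w+\.sys was found", re.I)),
    # Service named like a core service plus a suffix (DcomLaunch32, RpcSs2, ...)
    # whose image file ComboFix could not locate, shown as "[?]".
    ("high", "lookalike-service-missing-image",
     re.compile(r"^[RS]\d (?:DcomLaunch|RpcSs|Eventlog|wuauserv)\w+;.*\[\?\]$", re.I)),
    # Winlogon Notify entry with a random-looking name and no DLL behind it.
    ("medium", "orphan-winlogon-notify",
     re.compile(r"^Notify-\w+ - \(no file\)$")),
    # Temporary-looking DLL names dropped straight into system32.
    ("medium", "tmp-dll-in-system32",
     re.compile(r"\\system32\\_\d+_\.tmp\.dll$", re.I)),
    # Autorun.inf at the root of a drive.
    ("medium", "autorun-inf-on-drive-root",
     re.compile(r"^[A-Z]:\\Autorun\.inf$", re.I)),
    # Usually legitimate when a third-party suite (NIS here) owns these settings;
    # still worth confirming that the suite, not malware, turned them off.
    ("low", "security-center-monitoring-off",
     re.compile(r'^"DisableMonitoring"=dword:00000001$')),
    ("low", "windows-firewall-off",
     re.compile(r'^"EnableFirewall"= 0 \(0x0\)$')),
]

_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every line; first matching rule wins; highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, rule, line))
                break
    # sorted() is stable, so log order is preserved within each severity tier
    return sorted(findings, key=lambda f: _ORDER[f.severity])


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity tier."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed excerpt: lines in the shape of the log above, including two that
# should NOT fire (an IE SET*.tmp file and the genuine NIS service entry).
SAMPLE_LOG = r"""
c:\program files\Internet Explorer\SET9D1.tmp
c:\windows\$NtUninstallKB65490$
c:\windows\$NtUninstallKB65490$\3246866005\@
c:\windows\$NtUninstallKB65490$\3246866005\cfg.ini
c:\windows\$NtUninstallKB65490$\3246866005\U\80000032.@
c:\windows\system32\_000003_.tmp.dll
D:\Autorun.inf
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/10/2011 11:23 AM 130008]
S4 DcomLaunch32;DCOM Server Process Launcher ;c:\windows\system32\fxsapi32.exe --> c:\windows\system32\fxsapi32.exe [?]
Notify-yayyvTKe - (no file)
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:32} {f.line}")
    print(summary(results))
```

The point of the tiers is to keep the reviewer's attention on the handful of lines that have no benign explanation; a fake hotfix store and a lookalike core service are worth a second tool and a second look even after ComboFix has deleted them, which is exactly why the helper asked how the machine behaved afterwards.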

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi ßGéè Gêë,

ComboFix did a great job and the main infection is gone.

How is your system now? Any problems?
Did you get the NIS icon back, and does it work now?
  • 0

#11
ßGéè Gêë

ßGéè Gêë

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Yes, my system is working very well, and after a reboot the NIS system tray icon did come back. Thank you very much for your help.
  • 0

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean up your PC from the programs we used.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.
  • Click the OK button.

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.
  • 0

#13
ßGéè Gêë

ßGéè Gêë

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK, ran OTL and rebooted, ran TFC and rebooted, enabled Windows Update. My computer is running great, thx.

Now, on this computer I'm running a dual boot with Vista on a separate HDD, and I'm having a booting problem with the Vista: it takes a long time to boot to the desktop (almost 10 mins) and the system hangs up after I get to the desktop. Can you help me with this or should I start another topic?
  • 0

#14
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi ßGéè Gêë,

Do not start a new topic. We can check here for any trace of malware in your Vista installation. From this post on, all steps are related to and need to be run on your Vista installation.

If you can make it to your Desktop:

Download OTL to your Desktop

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList".
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.txt and Extra.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, and post them with your next reply.

If you cannot make it to the Desktop, try Safe Mode to run the OTL scan.

Please restart in safe mode:

  • If the computer is running, shut down Windows, and then turn off the power
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode with networking option is selected.
  • Press Enter. The computer then begins to start in Safe mode.

  • 0

#15
ßGéè Gêë

ßGéè Gêë

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
D/l'ed OTL; the link you posted is a .scr. Tried to run the program but it "stopped responding". I ran it in Safe Mode with Networking and normally, same result.
  • 0





