Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Boot.TidServ.B impossible to be removed

Started by DavidAemes , Mar 28 2011 03:11 PM

Please log in to reply

#1
DavidAemes

Posted 28 March 2011 - 03:11 PM

Member

Member
10 posts

Hi,
my symantec shows boot.tidserv.b infection that can not be removed.
As I use this computer for work, please first of all can someone tell me which are the risks of this kind of infection? does someone can use this in order to leak some files from my PC?

I used:
- Malwarebytes' Anti-Malware
- OTL
- TDSSkiller
- BOOTKIT REMOVER (from command line)
- aswMBR
without any kind of result!

To be precise, I used COMBOFIX too and the result, in this case, was to cancel different files from System32 folder, as well as all the files of the Western Digital backup program normally used to do backup, thus avoiding the normal use of Win 7...nevertheless I solved this issue using the installation DVD of Win 7.
The infection is still alive.

Please let me know if I can use the PC or if is better don't use it.
I run twice OTL and this is the output (Let me know too if you need any other log):

OTL Extras logfile created on: 3/28/2011 10:51:13 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\giorgf\Desktop
Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148.95 Gb Total Space | 65.49 Gb Free Space | 43.97% Space Free | Partition Type: NTFS
Drive D: | 2.24 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: GIORGF-PC | User Name: giorgf | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4}" = Microsoft Office Communicator 2007 R2
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{123260D2-F148-11D0-BA76-00A024E16E89}" = eRoom 7 Client
"{1362E602-9625-42D3-B57F-CDA9D26F9DA8}" = Pinnacle Studio 15
"{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}" = Cisco Systems VPN Client 5.0.01.0600
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (INSIGHT)
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CEBCDA7-E9C2-47FF-83D9-A02247A15CD3}" = Insight
"{4BF3A357-3C4F-49EE-B16C-D45D7D7F1819}" = EasyTether
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{6C64AB8C-F78B-45C0-98E3-6DE9702E0225}" = Microsoft Office Live Meeting 2007
"{6DE721A5-5E89-4D74-994C-652BB3C0672E}" = Driver Pinnacle Video
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89BD7A69-EFCC-4E36-A5AB-F03EE10B383D}" = Insight
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B3776EC-5F0A-4996-A7DF-BB5DA95B240E}" = Vodafone Mobile Connect
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2010
"{90140000-0057-0000-0000-0000000FF1CE}" = Microsoft Office Visio 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A53A11EA-0095-493F-86FA-A15E8A86A405}" = VMware Player
"{AC76BA86-7AD7-1040-7B44-A94000000001}" = Adobe Reader 9.4.3 - Italiano
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}" = WinZip 15.0
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EB5DF19E-75D5-4FF1-AE23-2A9A2E0F2BDD}" = Pinnacle Studio 15 Ultimate Plugins
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F4C6DD02-8ACA-4354-BA36-9FFC3B767E73}" = Cisco AnyConnect VPN Client
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ASF-AVI-RM-WMV Repair_is1" = ASF-AVI-RM-WMV Repair 2.01
"BitTorrent" = BitTorrent
"FileZilla Client" = FileZilla Client 3.3.5.1
"HijackThis" = HijackThis 2.0.2
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"Knoll Light Factory EZ Studio 15" = Knoll Light Factory EZ Studio 15
"Layer III Audio Encoder 1.0.70111" = Layer III Audio Encoder
"LinkedIn Outlook Connector" = LinkedIn Outlook Connector
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Thunderbird (3.1.9)" = Mozilla Thunderbird (3.1.9)
"NAV" = Norton AntiVirus
"NVIDIA Drivers" = NVIDIA Drivers
"nView Desktop Manager" = NVIDIA nView Desktop Manager
"Office14.PRJPRO" = Microsoft Project Professional 2010
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"Office14.VISIO" = Microsoft Visio Premium 2010
"PPTminimizer_is1" = PPTminimizer
"Red Giant ToonIt Studio 15" = Red Giant ToonIt Studio 15
"Replay Video Capture3.1B" = Replay Video Capture
"VLC media player" = VLC media player 1.1.5
"VMware_Player" = VMware Player
"Win2PDF_is1" = Win2PDF 7

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ActiveTouchMeetingClient" = WebEx
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/18/2011 4:47:07 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 5:37:42 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 5:41:00 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 5:41:03 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 5:41:12 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 5:41:14 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 6:57:34 AM | Computer Name = giorgf-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\program files\VMware\vmware
player\vssSnapVista64.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 3/18/2011 10:50:19 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 10:50:19 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

Error - 3/18/2011 10:50:19 AM | Computer Name = giorgf-PC | Source = libcsd | ID = 1001
Description =

[ Cisco AnyConnect VPN Client Events ]
Error - 3/28/2011 4:33:20 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::applyHostConfigForNoVpn File: .\MainThread.cpp
Line:
7578 Invoked Function: CHostConfigMgr::DeterminePublicInterface Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 3/28/2011 4:33:20 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::MainLoop File: .\MainThread.cpp Line: 325 Invoked
Function: CMainThread::applyHostConfigForNoVpn Return Code: -33095647 (0xFE070021)
Description:
ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CChangeRouteHelper::ClearRouteTable File: .\ChangeRouteHelper.cpp
Line:
606 Invoked Function: AddRoute Return Code: -33095667 (0xFE07000D) Description: ROUTETABLE_ERROR_CREATEIPFORWARDENTRY_FAILED
the
interface appears to be available

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CChangeRouteHelper::ClearRouteTable File: .\ChangeRouteHelper.cpp
Line:
606 Invoked Function: AddRoute Return Code: -33095667 (0xFE07000D) Description: ROUTETABLE_ERROR_CREATEIPFORWARDENTRY_FAILED
the
interface appears to be available

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CIPv4ChangeRouteHelper::FindBestRoute File: .\IPv4ChangeRouteHelper.cpp
Line:
2484 Invoked Function: CIPv4RouteTable::FindMatchingRoute Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CIPv4ChangeRouteHelper::FindBestRoute File: .\IPv4ChangeRouteHelper.cpp
Line:
2484 Invoked Function: CIPv4RouteTable::FindMatchingRoute Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CIPv4ChangeRouteHelper::FindBestRoute File: .\IPv4ChangeRouteHelper.cpp
Line:
2484 Invoked Function: CIPv4RouteTable::FindMatchingRoute Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CRouteMgr::UpdatePublicAddress File: .\RouteMgr.cpp Line:
2188 Invoked Function: CChangeRouteTable::FindBestRouteInterface Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::applyHostConfigForNoVpn File: .\MainThread.cpp
Line:
7578 Invoked Function: CHostConfigMgr::DeterminePublicInterface Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 3/28/2011 4:37:38 PM | Computer Name = giorgf-PC | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::MainLoop File: .\MainThread.cpp Line: 325 Invoked
Function: CMainThread::applyHostConfigForNoVpn Return Code: -33095647 (0xFE070021)
Description:
ROUTETABLE_ERROR_GETBESTROUTE_FAILED

[ System Events ]
Error - 1/31/2011 11:18:44 AM | Computer Name = giorgf-PC | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
is 10.

< End of report >

Symantec founds it at any reboot. Please see the export of Symantec log:
Category: Unresolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action
3/28/2011 3:06 PM,High,Boot.Tidserv.B detected by Auto-Protect,Attention Required,Remove this Security Risk now.

Thank you very much!!
Regards,

Fabio Giorgio

#2
RKinner

Posted 29 March 2011 - 02:05 PM

Malware Expert

Expert
24,734 posts

You posted the Extras log. We really want the OTL log.

Could I see the combofix log from your earlier attempt?

TidServ.B is an infector of the mbr.

Since you have the DVD:

See if repairing the mbr per http://www.ehow.com/...br-windows.html will help.

After you get to the command prompt you need to change to the boot folder so type:

cd \boot

or maybe

cd boot

one of them should work and take you to the folder where bootsect lives.

Ron

#3
DavidAemes

Posted 30 March 2011 - 03:36 AM

Member

Topic Starter
Member
10 posts

You posted the Extras log. We really want the OTL log.

Could I see the combofix log from your earlier attempt?

TidServ.B is an infector of the mbr.

Since you have the DVD:

See if repairing the mbr per http://www.ehow.com/...br-windows.html will help.

After you get to the command prompt you need to change to the boot folder so type:

cd \boot

or maybe

cd boot

one of them should work and take you to the folder where bootsect lives.

Ron

Hi,
thanks for your tips.

I'll test to execute the "bootsect /nt60 C:\" or the "bootsect /nt60 ALL".
Nevertheless, here you can find the OTL log file (sorry for my mistake).

Thanks.
FG

OTL logfile created on: 3/28/2011 10:51:13 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\giorgf\Desktop
Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148.95 Gb Total Space | 65.49 Gb Free Space | 43.97% Space Free | Partition Type: NTFS
Drive D: | 2.24 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: GIORGF-PC | User Name: giorgf | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/28 22:44:11 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\giorgf\Desktop\OTL.exe
PRC - [2011/01/30 00:11:36 | 003,372,856 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
PRC - [2010/12/20 17:57:04 | 000,602,872 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2010/12/19 01:25:16 | 000,048,456 | ---- | M] (Mobile Stream) -- C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
PRC - [2010/11/24 04:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe
PRC - [2010/11/12 18:54:30 | 005,145,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office Communicator\communicator.exe
PRC - [2010/11/11 14:31:54 | 000,334,448 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnetdhcp.exe
PRC - [2010/11/11 14:31:50 | 000,404,080 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnat.exe
PRC - [2010/11/11 14:31:36 | 000,064,112 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Player\hqtray.exe
PRC - [2010/11/11 14:30:44 | 000,113,264 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Player\vmware-authd.exe
PRC - [2010/11/11 13:31:44 | 000,539,248 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
PRC - [2010/10/25 11:03:52 | 000,217,088 | ---- | M] (Teruten) -- C:\Windows\System32\FsUsbExService.Exe
PRC - [2010/03/29 21:26:00 | 000,227,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
PRC - [2009/11/12 14:48:56 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/01/21 07:49:14 | 000,153,096 | ---- | M] (EMC) -- C:\Program Files\eRoom 7\ERClient7.exe
PRC - [2008/11/04 12:40:24 | 002,087,424 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
PRC - [2008/11/04 12:39:20 | 000,014,336 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
PRC - [2007/09/25 02:11:35 | 000,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
PRC - [2007/09/25 02:11:35 | 000,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2007/07/16 12:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2007/02/20 12:07:40 | 000,199,752 | ---- | M] (Pinnacle Systems GmbH) -- C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

========== Modules (SafeList) ==========

MOD - [2011/03/28 22:44:11 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\giorgf\Desktop\OTL.exe
MOD - [2010/08/21 07:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/12/20 17:57:04 | 000,602,872 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2010/11/24 04:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe -- (NAV)
SRV - [2010/11/15 07:55:56 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/11/11 14:31:54 | 000,334,448 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010/11/11 14:31:50 | 000,404,080 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnat.exe -- (VMware NAT Service)
SRV - [2010/11/11 14:30:44 | 000,113,264 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2010/11/11 13:31:44 | 000,539,248 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2010/10/25 11:03:52 | 000,217,088 | ---- | M] (Teruten) [Auto | Running] -- C:\Windows\System32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2010/08/19 14:57:14 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2010/03/25 11:25:22 | 030,969,208 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2009/11/12 14:48:56 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2009/07/14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 03:15:36 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lpdsvc.dll -- (LPDSVC)
SRV - [2008/11/04 12:39:20 | 000,014,336 | ---- | M] (Vodafone) [Auto | Running] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2007/07/16 12:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)

========== Driver Services (SafeList) ==========

DRV - [2011/03/28 20:58:01 | 000,053,248 | ---- | M] (eSage Lab) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rk_remover.sys -- (rk_remover-boot)
DRV - [2011/03/27 11:35:05 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110328.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/03/27 11:35:05 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/03/27 11:35:05 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/03/27 11:35:05 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110328.017\NAVENG.SYS -- (NAVENG)
DRV - [2011/03/27 11:19:27 | 000,126,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/09 21:11:42 | 000,800,376 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110309.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/01/03 10:38:36 | 000,136,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2011/01/03 10:38:36 | 000,121,192 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2011/01/03 10:38:36 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2010/12/21 07:55:02 | 000,030,312 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadadb.sys -- (androidusb)
DRV - [2010/12/01 07:24:00 | 000,295,032 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\NAV\1205000.07D\SYMNETS.SYS -- (SymNetS)
DRV - [2010/11/23 06:59:15 | 000,035,960 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\SymIMV.sys -- (SymIM)
DRV - [2010/11/23 06:08:31 | 000,509,560 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\Drivers\NAV\1205000.07D\SRTSP.SYS -- (SRTSP)
DRV - [2010/11/23 06:08:31 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NAV\1205000.07D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/11/18 04:59:55 | 000,652,336 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\NAV\1205000.07D\SYMEFA.SYS -- (SymEFA)
DRV - [2010/11/16 03:45:33 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NAV\1205000.07D\Ironx86.SYS -- (SymIRON)
DRV - [2010/11/11 14:32:10 | 000,070,768 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmci.sys -- (vmci)
DRV - [2010/11/11 14:32:08 | 000,854,128 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmx86.sys -- (vmx86)
DRV - [2010/11/11 14:30:34 | 000,024,688 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010/11/11 14:29:26 | 000,026,352 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010/11/11 13:31:28 | 000,032,368 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\hcmon.sys -- (hcmon)
DRV - [2010/11/11 11:04:52 | 000,036,400 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010/11/11 11:04:52 | 000,016,560 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2010/11/09 02:50:30 | 000,353,912 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110325.001\IDSvix86.sys -- (IDSVix86)
DRV - [2010/10/25 11:03:52 | 000,036,640 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2010/10/21 04:28:36 | 000,340,016 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\NAV\1205000.07D\SYMDS.SYS -- (SymDS)
DRV - [2010/08/29 18:18:06 | 000,017,232 | ---- | M] (Mobile Stream) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\easytthr.sys -- (easytether)
DRV - [2010/08/19 14:56:38 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2010/08/16 20:02:49 | 000,019,680 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpnva.sys -- (vpnva)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/08/18 13:06:54 | 000,037,120 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuqbus.sys -- (GTUQBUS)
DRV - [2009/08/18 13:06:54 | 000,021,248 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtscser.sys -- (GTSCSER)
DRV - [2009/08/18 13:06:54 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtptser.sys -- (GTPTSER)
DRV - [2009/08/18 13:06:52 | 000,107,776 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhs51.sys -- (GTUHSNDISIPXP)
DRV - [2009/08/18 13:06:52 | 000,067,840 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhsbus.sys -- (GTUHSBUS)
DRV - [2009/08/18 13:06:52 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhsser.sys -- (GTUHSSER)
DRV - [2009/07/14 03:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 03:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 01:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 01:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 01:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/03/11 15:04:00 | 007,545,216 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/07/16 12:57:12 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/01/31 14:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/09/23 23:18:32 | 000,171,520 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MarvinBus.sys -- (MarvinBus)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AB 81 31 BF 2C 84 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = serprx101rm001.services.external.local:8080

========== FireFox ==========

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn\ [2011/03/27 11:56:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/03/06 12:07:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/11/30 00:38:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\giorgf\AppData\Roaming\Mozilla\Extensions
[2010/11/30 00:38:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\giorgf\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

O1 HOSTS File: ([2011/03/28 15:35:08 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\communicator.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Windows\System32\nwiz.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [USBToolTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe (Pinnacle Systems GmbH)
O4 - HKLM..\Run: [VMware hqtray] C:\Program Files\VMware\VMware Player\hqtray.exe (VMware, Inc.)
O4 - HKCU..\Run: [EasyTether] C:\Program Files\Mobile Stream\EasyTether\easytthr.exe (Mobile Stream)
O4 - HKCU..\Run: [KiesHelper] C:\Program Files\Samsung\Kies\KiesHelper.exe (Samsung)
O4 - HKCU..\Run: [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - Startup: C:\Users\giorgf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (EMC)
O4 - Startup: C:\Users\giorgf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.goo...1/uploader2.cab (UploadListView Class)
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://crk01-00i2d-...ries/vpnweb.cab (Cisco AnyConnect VPN Client Web Control)
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} http://ctseroom02.co...etup/client.cab (ERPageAddin Class)
O16 - DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} https://crk01-00i2d-...ies/instweb.cab (CSD ActiveX Installer)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://isc2educatio...ng/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} https://crk01-00i1d-...ies/instweb.cab (CSD ActiveX Installer)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/07/14 10:13:55 | 000,000,043 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/28 22:44:08 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\giorgf\Desktop\OTL.exe
[2011/03/28 22:15:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2011/03/28 22:12:18 | 095,812,448 | ---- | C] ( ) -- C:\Users\giorgf\Desktop\setup_9.0.0.722_28.03.2011_22-17.exe
[2011/03/28 22:05:14 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Users\giorgf\Desktop\aswMBR.exe
[2011/03/28 20:53:06 | 000,053,248 | ---- | C] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2011/03/28 20:52:31 | 000,000,000 | ---D | C] -- C:\Users\giorgf\Desktop\tdss_remover_latest
[2011/03/28 15:38:50 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/03/28 15:22:15 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/28 14:55:25 | 010,832,208 | ---- | C] (Symantec Corporation) -- C:\Users\giorgf\Desktop\nortonsafeweblite.exe
[2011/03/27 14:19:16 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Local\NPE
[2011/03/27 12:31:03 | 000,035,960 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SymIMV.sys
[2011/03/27 11:35:39 | 000,652,336 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1205000.07D\symefa.sys
[2011/03/27 11:35:39 | 000,509,560 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1205000.07D\srtsp.sys
[2011/03/27 11:35:39 | 000,340,016 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1205000.07D\symds.sys
[2011/03/27 11:35:39 | 000,295,032 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1205000.07D\symnets.sys
[2011/03/27 11:35:39 | 000,136,312 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1205000.07D\ironx86.sys
[2011/03/27 11:35:39 | 000,050,168 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1205000.07D\srtspx.sys
[2011/03/27 11:35:30 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NAV\1205000.07D
[2011/03/27 11:19:27 | 000,126,512 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2011/03/27 11:19:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/03/27 11:19:27 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/03/27 11:18:56 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NAV
[2011/03/27 11:18:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton AntiVirus
[2011/03/27 11:18:54 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2011/03/27 11:18:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/03/27 11:18:07 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2011/03/27 11:18:07 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2011/03/27 11:11:56 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/03/18 21:13:28 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Roaming\Canneverbe_Limited
[2011/03/18 21:13:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Canneverbe Limited
[2011/03/18 21:12:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CDBurnerXP
[2011/03/18 21:12:40 | 000,000,000 | ---D | C] -- C:\Program Files\CDBurnerXP
[2011/03/16 14:43:51 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2011/03/14 12:10:24 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Roaming\Insight
[2011/03/11 14:48:17 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/10 10:52:27 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Local\Google
[2011/03/10 10:52:09 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Local\Deployment
[2011/03/10 10:52:09 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Local\Apps
[2011/03/08 23:08:51 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/03/08 18:40:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HijackThis
[2011/03/08 18:40:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/03/08 17:26:44 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Roaming\Malwarebytes
[2011/03/08 17:26:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/08 17:26:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/08 17:26:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/08 17:26:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/03/08 17:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/07 11:11:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win2PDF
[2011/03/06 23:14:16 | 000,000,000 | ---D | C] -- C:\AVG10
[2011/03/04 19:11:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2011/03/03 11:09:30 | 000,000,000 | ---D | C] -- C:\Users\giorgf\Documents\Pinnacle Studio
[2011/03/03 11:08:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Pinnacle Studio Ultimate Collection
[2011/03/03 10:29:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Studio Plugins
[2011/03/03 10:29:44 | 000,090,112 | ---- | C] (MindVision Software) -- C:\Windows\unvise32.exe
[2011/03/03 10:25:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Pinnacle
[2011/03/03 10:24:55 | 000,000,000 | ---D | C] -- C:\Users\giorgf\AppData\Local\Pinnacle
[2011/03/03 10:24:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Pinnacle Studio Ultimate
[2011/03/03 10:22:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pinnacle Studio 15
[2011/03/03 10:21:45 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\My Projects
[2011/03/03 10:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Pegasus Imaging
[2011/03/03 10:18:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Yahoo!
[2011/03/03 10:18:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Studio 15
[2011/03/03 10:18:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Pinnacle Studio Plus
[2011/03/03 10:18:19 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Pinnacle
[2011/03/03 10:18:19 | 000,000,000 | ---D | C] -- C:\Program Files\Pinnacle
[2011/03/03 10:14:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Pinnacle

========== Files - Modified Within 30 Days ==========

[2011/03/28 22:48:00 | 000,001,162 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2333114377-402739105-1773717283-1001UA.job
[2011/03/28 22:44:54 | 000,012,272 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/28 22:44:54 | 000,012,272 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/28 22:44:11 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\giorgf\Desktop\OTL.exe
[2011/03/28 22:42:32 | 000,676,474 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/28 22:42:32 | 000,126,038 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/28 22:41:12 | 000,133,632 | ---- | M] () -- C:\Users\giorgf\Desktop\RKUnhookerLE.EXE
[2011/03/28 22:37:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/28 22:37:26 | 2414,321,664 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/28 22:12:18 | 095,812,448 | ---- | M] ( ) -- C:\Users\giorgf\Desktop\setup_9.0.0.722_28.03.2011_22-17.exe
[2011/03/28 22:08:16 | 000,011,980 | ---- | M] () -- C:\Users\giorgf\Desktop\AVPTool.htm
[2011/03/28 22:05:18 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Users\giorgf\Desktop\aswMBR.exe
[2011/03/28 20:58:01 | 000,053,248 | ---- | M] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2011/03/28 20:50:52 | 000,039,605 | ---- | M] () -- C:\Users\giorgf\Desktop\bootkit_remover.rar
[2011/03/28 20:50:30 | 000,385,818 | ---- | M] () -- C:\Users\giorgf\Desktop\tdss_remover_latest.rar
[2011/03/28 20:36:01 | 001,046,814 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1205000.07D\Cat.DB
[2011/03/28 15:35:08 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/03/28 15:04:35 | 392,754,039 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/03/28 14:55:25 | 010,832,208 | ---- | M] (Symantec Corporation) -- C:\Users\giorgf\Desktop\nortonsafeweblite.exe
[2011/03/28 14:21:35 | 000,000,953 | ---- | M] () -- C:\Users\giorgf\Desktop\fnd_gfm fabio.tsv
[2011/03/28 13:48:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2333114377-402739105-1773717283-1001Core.job
[2011/03/28 12:11:58 | 000,000,670 | ---- | M] () -- C:\Windows\1way.ini
[2011/03/27 11:19:27 | 000,126,512 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2011/03/27 11:19:27 | 000,007,456 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2011/03/27 11:19:27 | 000,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2011/03/07 11:11:17 | 000,000,000 | ---- | M] () -- C:\Windows\Progs_.ini
[2011/03/05 21:04:53 | 000,000,349 | ---- | M] () -- C:\Users\Public\Documents\PCLECHAL.INI
[2011/03/03 16:46:05 | 000,012,288 | ---- | M] () -- C:\Users\giorgf\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/03 10:34:12 | 000,473,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/03/02 16:19:45 | 000,002,237 | ---- | M] () -- C:\Users\giorgf\Desktop\TI1632144 - Consolidamento Storage e Backup - Shortcut.lnk

========== Files Created - No Company Name ==========

[2011/03/28 22:41:09 | 000,133,632 | ---- | C] () -- C:\Users\giorgf\Desktop\RKUnhookerLE.EXE
[2011/03/28 22:08:16 | 000,011,980 | ---- | C] () -- C:\Users\giorgf\Desktop\AVPTool.htm
[2011/03/28 20:50:52 | 000,039,605 | ---- | C] () -- C:\Users\giorgf\Desktop\bootkit_remover.rar
[2011/03/28 20:50:28 | 000,385,818 | ---- | C] () -- C:\Users\giorgf\Desktop\tdss_remover_latest.rar
[2011/03/28 14:21:35 | 000,000,953 | ---- | C] () -- C:\Users\giorgf\Desktop\fnd_gfm fabio.tsv
[2011/03/27 11:55:01 | 001,046,814 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\Cat.DB
[2011/03/27 11:35:39 | 000,007,528 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\iron.cat
[2011/03/27 11:35:39 | 000,007,458 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\symnet.cat
[2011/03/27 11:35:39 | 000,007,456 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\symefa.cat
[2011/03/27 11:35:39 | 000,007,454 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\srtspx.cat
[2011/03/27 11:35:39 | 000,007,450 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\symds.cat
[2011/03/27 11:35:39 | 000,007,450 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\srtsp.cat
[2011/03/27 11:35:39 | 000,003,374 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\symefa.inf
[2011/03/27 11:35:39 | 000,002,792 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\symds.inf
[2011/03/27 11:35:39 | 000,001,446 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\symnet.inf
[2011/03/27 11:35:39 | 000,001,389 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\srtspx.inf
[2011/03/27 11:35:39 | 000,001,383 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\srtsp.inf
[2011/03/27 11:35:39 | 000,000,742 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\iron.inf
[2011/03/27 11:35:30 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1205000.07D\isolate.ini
[2011/03/27 11:19:27 | 000,007,456 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2011/03/27 11:19:27 | 000,000,805 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2011/03/18 21:12:40 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2011/03/16 14:43:27 | 000,001,162 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2333114377-402739105-1773717283-1001UA.job
[2011/03/16 14:43:26 | 000,001,110 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2333114377-402739105-1773717283-1001Core.job
[2011/03/11 14:48:07 | 392,754,039 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/03/07 11:11:53 | 000,150,760 | ---- | C] () -- C:\Windows\System32\WIN2PDFS.DLL
[2011/03/07 11:11:53 | 000,074,472 | ---- | C] () -- C:\Windows\System32\WIN2PDFM.DLL
[2011/03/07 11:11:17 | 000,000,000 | ---- | C] () -- C:\Windows\Progs_.ini
[2011/03/03 12:47:45 | 000,012,288 | ---- | C] () -- C:\Users\giorgf\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/03 10:16:05 | 000,000,349 | ---- | C] () -- C:\Users\Public\Documents\PCLECHAL.INI
[2011/01/29 18:00:24 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2011/01/29 18:00:22 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2011/01/29 18:00:22 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2011/01/29 18:00:22 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2011/01/29 18:00:22 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2011/01/08 20:02:57 | 000,084,480 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/11/18 20:06:00 | 000,000,670 | ---- | C] () -- C:\Windows\1way.ini
[2010/11/18 09:29:02 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2010/11/18 09:29:02 | 000,036,640 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2010/11/14 21:09:17 | 001,724,416 | ---- | C] () -- C:\Windows\System32\nvwdmcpl.dll
[2010/11/14 21:09:17 | 001,657,376 | ---- | C] () -- C:\Windows\System32\nwiz.exe
[2010/11/14 21:09:17 | 001,503,232 | ---- | C] () -- C:\Windows\System32\nView.dll
[2010/11/14 21:09:17 | 001,101,824 | ---- | C] () -- C:\Windows\System32\nvwimg.dll
[2010/11/14 21:09:17 | 000,466,944 | ---- | C] () -- C:\Windows\System32\nvShell.dll
[2010/11/14 21:09:17 | 000,449,056 | ---- | C] () -- C:\Windows\System32\nvAppBar.exe
[2010/11/14 21:09:17 | 000,158,240 | ---- | C] () -- C:\Windows\System32\nvTaskbar.exe
[2009/10/06 09:16:00 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/07/14 06:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 06:33:53 | 000,473,440 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 04:05:48 | 000,676,474 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 04:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 04:05:48 | 000,126,038 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 04:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 04:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 04:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/14 02:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/07/14 01:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2008/11/12 14:51:04 | 000,135,882 | R--- | C] () -- C:\ProgramData\DeviceManager.xml.rc4
[2008/08/20 16:45:46 | 000,020,270 | ---- | C] () -- C:\ProgramData\DeviceInstaller.xml
[2008/07/31 11:01:00 | 000,000,000 | ---- | C] () -- C:\Windows\System32\ToolBx.dll
[2008/03/07 17:03:14 | 000,013,312 | ---- | C] () -- C:\Windows\System32\CallSimReader.dll
[2008/03/07 17:02:24 | 000,061,440 | ---- | C] () -- C:\Windows\System32\SimReader.dll
[2007/07/16 12:58:10 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll

========== LOP Check ==========

[2010/11/14 21:45:01 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\AVG10
[2011/03/19 18:19:03 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\BitTorrent
[2010/11/14 23:09:24 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Bytemobile
[2011/03/18 21:13:28 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Canneverbe_Limited
[2010/12/17 10:14:22 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Cisco
[2010/12/23 16:52:31 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\eRoom
[2011/03/11 18:49:33 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\FileZilla
[2011/03/28 11:42:06 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Insight
[2011/02/14 10:19:36 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\PPTminimizer
[2010/11/18 09:28:34 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Samsung
[2010/11/30 00:38:15 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Thunderbird
[2011/01/25 10:46:04 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Trondent Development Corp
[2010/11/14 23:11:34 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Vodafone
[2011/01/07 16:28:22 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\WD
[2010/11/30 00:54:02 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\webex
[2011/02/10 11:33:00 | 000,000,000 | ---D | M] -- C:\Users\giorgf\AppData\Roaming\Xerox
[2011/02/25 12:38:47 | 000,032,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

#4
DavidAemes

Posted 30 March 2011 - 02:11 PM

Member

Topic Starter
Member
10 posts

Hi,
unfortunately the bootsect command didn't work; it says that "bootcode was succesfully updated on all targeted devices" but once rebooted the system.
do you think that the only way to solve the issue is a "data zero filling" of all sectors or do you believe that we can do some other test?
Then, in your opinion, which kind of risks can occur?

Here the combofix log:

ComboFix 11-03-29.06 - giorgf 03/30/2011 21:52:23.2.2 - x86
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3070.2113 [GMT 2:00]
Running from: c:\users\giorgf\Desktop\ComboFix.exe
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-30 19:57 . 2011-03-30 19:57 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-03-30 19:57 . 2011-03-30 19:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-28 20:15 . 2011-03-28 20:33 -------- d-----w- c:\programdata\Kaspersky Lab
2011-03-28 18:53 . 2011-03-28 18:58 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2011-03-28 18:36 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-28 18:36 . 2010-12-23 05:28 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-28 18:36 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll
2011-03-28 18:36 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-28 18:36 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-03-28 18:36 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-03-27 12:19 . 2011-03-27 12:22 -------- d-----w- c:\users\giorgf\AppData\Local\NPE
2011-03-27 10:31 . 2010-11-23 04:59 35960 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2011-03-27 09:19 . 2011-03-27 09:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-03-27 09:19 . 2011-03-27 09:19 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-03-27 09:19 . 2011-03-27 09:19 -------- d-----w- c:\program files\Symantec
2011-03-27 09:18 . 2011-03-27 09:56 -------- d-----w- c:\windows\system32\drivers\NAV
2011-03-27 09:18 . 2011-03-27 09:18 -------- d-----w- c:\program files\Norton AntiVirus
2011-03-27 09:18 . 2011-03-27 12:19 -------- d-----w- c:\programdata\Norton
2011-03-27 09:18 . 2011-03-27 09:18 -------- d-----w- c:\program files\NortonInstaller
2011-03-18 19:13 . 2011-03-18 19:13 -------- d-----w- c:\users\giorgf\AppData\Roaming\Canneverbe_Limited
2011-03-18 19:13 . 2011-03-18 19:13 -------- d-----w- c:\programdata\Canneverbe Limited
2011-03-18 19:12 . 2011-03-18 19:12 -------- d-----w- c:\program files\CDBurnerXP
2011-03-18 19:12 . 2009-11-12 12:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-03-14 10:10 . 2011-03-28 09:42 -------- d-----w- c:\users\giorgf\AppData\Roaming\Insight
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-03-11 13:23 . 2011-03-11 13:23 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-03-10 08:52 . 2011-03-16 12:43 -------- d-----w- c:\users\giorgf\AppData\Local\Google
2011-03-10 08:52 . 2011-03-10 08:55 -------- d-----w- c:\users\giorgf\AppData\Local\Deployment
2011-03-10 08:52 . 2011-03-10 08:52 -------- d-----w- c:\users\giorgf\AppData\Local\Apps
2011-03-08 21:08 . 2011-03-08 21:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-03-08 16:40 . 2011-03-08 16:40 -------- d-----w- c:\program files\Trend Micro
2011-03-08 15:26 . 2011-03-08 15:26 -------- d-----w- c:\users\giorgf\AppData\Roaming\Malwarebytes
2011-03-08 15:26 . 2011-03-08 15:26 -------- d-----w- c:\programdata\Malwarebytes
2011-03-08 15:26 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-08 15:26 . 2011-03-08 15:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-08 15:26 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-08 15:05 . 2011-03-08 15:07 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Miicrosoft
2011-03-07 12:43 . 2011-03-07 12:43 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2011-03-07 09:11 . 2010-02-08 20:56 74472 ----a-w- c:\windows\system32\WIN2PDFM.DLL
2011-03-07 09:11 . 2010-02-08 20:56 150760 ----a-w- c:\windows\system32\WIN2PDFS.DLL
2011-03-06 21:14 . 2011-03-06 21:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\WD
2011-03-06 21:14 . 2011-03-08 12:48 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2011-03-06 21:14 . 2011-03-06 21:14 -------- d-----w- C:\AVG10
2011-03-04 17:11 . 2011-03-04 17:11 -------- d-----w- c:\program files\MSXML 4.0
2011-03-03 09:08 . 2011-03-03 09:08 -------- d-----w- c:\programdata\Pinnacle Studio Ultimate Collection
2011-03-03 08:29 . 2004-03-29 15:23 90112 ----a-w- c:\windows\unvise32.exe
2011-03-03 08:25 . 2011-03-03 08:25 -------- d-----w- c:\program files\Common Files\Pinnacle
2011-03-03 08:24 . 2011-03-03 09:08 -------- d-----w- c:\users\giorgf\AppData\Local\Pinnacle
2011-03-03 08:24 . 2011-03-03 08:24 -------- d-----w- c:\programdata\Pinnacle Studio Ultimate
2011-03-03 08:18 . 2011-03-03 08:18 -------- d-----w- c:\program files\Common Files\Pegasus Imaging
2011-03-03 08:18 . 2011-03-03 08:29 -------- d-----w- c:\program files\Pinnacle
2011-03-03 08:18 . 2011-03-03 08:18 -------- d-----w- c:\programdata\Studio 15
2011-03-03 08:18 . 2011-03-03 08:18 -------- d-----w- c:\programdata\Pinnacle Studio Plus
2011-03-03 08:18 . 2011-03-03 08:18 -------- d-----w- c:\program files\Common Files\Yahoo!
2011-03-03 08:14 . 2011-03-03 08:23 -------- d-----w- c:\programdata\Pinnacle
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-29 14:33 . 2010-11-22 10:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 05:45 . 2011-02-09 08:34 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-31 01:01 . 2011-02-13 12:38 87340080 ----a-w- c:\users\giorgf\AppData\Roaming\Microsoft\Windows\Templates\SamsungKiesSetup.exe
2011-01-29 22:16 . 2011-01-29 22:16 30056 ----a-w- c:\windows\system32\MASetupCleaner.exe
2011-01-29 16:00 . 2011-02-13 12:41 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-01-29 16:00 . 2011-01-29 16:00 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-01-29 16:00 . 2011-01-29 16:00 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-01-29 16:00 . 2011-01-29 16:00 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-01-29 16:00 . 2011-01-29 16:00 974848 ----a-w- c:\windows\system32\cis-2.4.dll
2011-01-29 16:00 . 2011-01-29 16:00 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll
2011-01-29 16:00 . 2011-01-29 16:00 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll
2011-01-29 16:00 . 2011-01-29 16:00 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll
2011-01-29 16:00 . 2011-01-29 16:00 57344 ----a-w- c:\windows\system32\MK_Lyric.dll
2011-01-29 16:00 . 2011-01-29 16:00 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll
2011-01-29 16:00 . 2011-01-29 16:00 569344 ----a-w- c:\windows\system32\muzdecode.ax
2011-01-29 16:00 . 2011-01-29 16:00 491520 ----a-w- c:\windows\system32\muzapp.dll
2011-01-29 16:00 . 2011-01-29 16:00 49152 ----a-w- c:\windows\system32\MaJGUILib.dll
2011-01-29 16:00 . 2011-01-29 16:00 45056 ----a-w- c:\windows\system32\MaXMLProto.dll
2011-01-29 16:00 . 2011-01-29 16:00 45056 ----a-w- c:\windows\system32\MACXMLProto.dll
2011-01-29 16:00 . 2011-01-29 16:00 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll
2011-01-29 16:00 . 2011-01-29 16:00 40960 ----a-w- c:\windows\system32\MAMACExtract.dll
2011-01-29 16:00 . 2011-01-29 16:00 352256 ----a-w- c:\windows\system32\MSLUR71.dll
2011-01-29 16:00 . 2011-01-29 16:00 258048 ----a-w- c:\windows\system32\muzoggsp.ax
2011-01-29 16:00 . 2011-01-29 16:00 245760 ----a-w- c:\windows\system32\MSCLib.dll
2011-01-29 16:00 . 2011-01-29 16:00 200704 ----a-w- c:\windows\system32\muzwmts.dll
2011-01-29 16:00 . 2011-01-29 16:00 155648 ----a-w- c:\windows\system32\MSFLib.dll
2011-01-29 16:00 . 2011-01-29 16:00 143360 ----a-w- c:\windows\system32\3DAudio.ax
2011-01-29 16:00 . 2011-01-29 16:00 135168 ----a-w- c:\windows\system32\muzaf1.dll
2011-01-29 16:00 . 2011-01-29 16:00 131072 ----a-w- c:\windows\system32\muzmpgsp.ax
2011-01-29 16:00 . 2011-01-29 16:00 122880 ----a-w- c:\windows\system32\muzeffect.ax
2011-01-29 16:00 . 2011-01-29 16:00 118784 ----a-w- c:\windows\system32\MaDRM.dll
2011-01-29 16:00 . 2011-01-29 16:00 110592 ----a-w- c:\windows\system32\muzmp4sp.ax
2011-01-29 16:00 . 2011-02-13 12:41 821824 ----a-w- c:\windows\system32\dgderapi.dll
2011-01-07 07:31 . 2011-02-25 14:11 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-07 07:31 . 2011-02-25 14:11 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-07 07:27 . 2011-02-09 08:34 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33 . 2011-02-09 08:34 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37 . 2011-02-09 08:34 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:37 . 2011-02-09 08:34 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-01-03 08:38 . 2011-02-13 12:43 136680 ----a-w- c:\windows\system32\drivers\ssadmdm.sys
2011-01-03 08:38 . 2011-02-13 12:43 10344 ----a-w- c:\windows\system32\drivers\ssadwhnt.sys
2011-01-03 08:38 . 2011-02-13 12:43 10344 ----a-w- c:\windows\system32\drivers\ssadwh.sys
2011-01-03 08:38 . 2011-02-13 12:43 12776 ----a-w- c:\windows\system32\drivers\ssadmdfl.sys
2011-01-03 08:38 . 2011-02-13 12:43 121192 ----a-w- c:\windows\system32\drivers\ssadbus.sys
2011-01-03 08:38 . 2011-02-13 12:43 10472 ----a-w- c:\windows\system32\drivers\ssadcmnt.sys
2011-01-03 08:38 . 2011-02-13 12:43 10472 ----a-w- c:\windows\system32\drivers\ssadcm.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2011-01-29 888120]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2011-01-29 3372856]
"EasyTether"="c:\program files\Mobile Stream\EasyTether\easytthr.exe" [2010-12-18 48456]
"Google Update"="c:\users\giorgf\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-03-16 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-03-11 96800]
"nwiz"="nwiz.exe" [2009-03-04 1657376]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-11-12 5145952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-11-11 64112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-11-04 2087424]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
.
c:\users\giorgf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2009-1-21 153096]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2010-11-14 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-12-21 30312]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\DRIVERS\gtuhsbus.sys [2009-08-18 67840]
R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\DRIVERS\gtuhs51.sys [2009-08-18 107776]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\DRIVERS\gtuhsser.sys [2009-08-18 8064]
R3 GTUQBUS;GT UQ BUS;c:\windows\system32\DRIVERS\gtuqbus.sys [2009-08-18 37120]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2011-03-28 53248]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-01-03 121192]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-01-03 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-01-03 136680]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-15 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\SYMDS.SYS [2010-10-21 340016]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [2011-03-09 800376]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110325.002\IDSvix86.sys [2011-03-14 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\Ironx86.SYS [2010-11-16 136312]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAV\1205000.07D\SYMNETS.SYS [2010-12-01 295032]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-25 217088]
S2 MSSQL$INSIGHT;SQL Server (INSIGHT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-11-11 70768]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-11-04 14336]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-12-20 602872]
S3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [2010-08-29 17232]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-03-27 102448]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-10-25 36640]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - FSUSBEXDISK
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LPDService REG_MULTI_SZ LPDSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2333114377-402739105-1773717283-1001Core.job
- c:\users\giorgf\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-16 12:43]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2333114377-402739105-1773717283-1001UA.job
- c:\users\giorgf\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-16 12:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = serprx101rm001.services.external.local:8080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://crk01-00i2d-vn01.emc.com/CACHE/stc/4/binaries/vpnweb.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://ctseroom02.corp.emc.com/eRoomSetup/client.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://crk01-00i1d-vn01.emc.com/CACHE/sdesktop/install/binaries/instweb.cab
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-30 21:59:02
ComboFix-quarantined-files.txt 2011-03-30 19:59
.
Pre-Run: 70,677,442,560 bytes free
Post-Run: 70,669,074,432 bytes free
.
- - End Of File - - C78856A742042ED7D58B1A023690817D

many thanks,
Fabio

#5
RKinner

Posted 30 March 2011 - 06:36 PM

Malware Expert

Expert
24,734 posts

Try the AVG rescue disk:

http://www.geekstogo...ystem-tutorial/

Let it see if it can find anything then remove it and boot to the Win7 CD and run the "bootsect /nt60 C:\" as before. IF AVG finds anything and removes it that might keep it from reinstalling the mbr bug after we reset it.

Ron

#6
DavidAemes

Posted 05 April 2011 - 06:19 AM

Member

Topic Starter
Member
10 posts

Hi,
thanks for your suggestion.
I'll try this evening and I'll keep you updated.

Thanks,

FG

#7
DavidAemes

Posted 07 April 2011 - 12:12 AM

Member

Topic Starter
Member
10 posts

no way...
AVG finds 2 Trojan Horse on a zip file.... after deleting it, I launched bootsect command that was executed successfully; but at next reboot Boot.Tidserv.B was there, found by Symantec.

Any other suggestion?

Do I have to do a format with data zero filling in your opinion?

Thanks,

Regards,

#8
RKinner

Posted 07 April 2011 - 07:11 AM

Malware Expert

Expert
24,734 posts

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

I'm thinking you may have a Norton problem. There are reports of it continually complaining about threats that have been removed. There is a folder:

C:\Documents and Settings\All Users\Application data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup

that needs to be cleaned up. This is where it keeps infected files it has removed and also the list of Unresolved Threats. Boot into Safe Mode and then delete everything that is in it. (If it's not at that location then do a search for it). Then reboot into regular mode and have it run a full scan of your system.

Personally I wouldn't use Norton. It's a real resource hog and slows down your PC too much. I use the free Avast! 6 http://www.avast.com...virus-download.

Ron

#9
DavidAemes

Posted 08 April 2011 - 05:20 AM

Member

Topic Starter
Member
10 posts

Hi,
here the log of MBR CHECK:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Enterprise Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Latitude D630
Logical Drives Mask: 0x0000002c

Kernel Drivers (total 228):
0x82E1C000 \SystemRoot\system32\ntkrnlpa.exe
0x8322E000 \SystemRoot\system32\halmacpi.dll
0x80BB8000 \SystemRoot\system32\kdcom.dll
0x8B004000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8B089000 \SystemRoot\system32\PSHED.dll
0x8B09A000 \SystemRoot\system32\BOOTVID.dll
0x8B0A2000 \SystemRoot\system32\CLFS.SYS
0x8B0E4000 \SystemRoot\system32\CI.dll
0x8B18F000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8B22A000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8B238000 \SystemRoot\system32\drivers\ACPI.sys
0x8B280000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8B289000 \SystemRoot\system32\drivers\msisadrv.sys
0x8B291000 \SystemRoot\system32\drivers\vdrvroot.sys
0x8B29C000 \SystemRoot\system32\drivers\pci.sys
0x8B2C6000 \SystemRoot\System32\drivers\partmgr.sys
0x8B2D7000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8B2DF000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8B2EA000 \SystemRoot\system32\drivers\volmgr.sys
0x8B2FA000 \SystemRoot\System32\drivers\volmgrx.sys
0x8B345000 \SystemRoot\system32\drivers\intelide.sys
0x8B34C000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8B35A000 \SystemRoot\system32\DRIVERS\pcmcia.sys
0x8B388000 \SystemRoot\System32\drivers\mountmgr.sys
0x8B39E000 \SystemRoot\system32\drivers\vmbus.sys
0x8B3C8000 \SystemRoot\system32\drivers\winhv.sys
0x8B3DA000 \SystemRoot\system32\drivers\atapi.sys
0x8B200000 \SystemRoot\system32\drivers\ataport.SYS
0x8B3E3000 \SystemRoot\system32\drivers\amdxata.sys
0x8B428000 \SystemRoot\system32\drivers\fltmgr.sys
0x8B45C000 \SystemRoot\system32\drivers\NAV\1205000.07D\SYMDS.SYS
0x8B4B3000 \SystemRoot\system32\drivers\fileinfo.sys
0x8B4C4000 \SystemRoot\system32\drivers\NAV\1205000.07D\SYMEFA.SYS
0x8B627000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B756000 \SystemRoot\System32\Drivers\msrpc.sys
0x8B781000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8B794000 \SystemRoot\System32\Drivers\cng.sys
0x8B7F1000 \SystemRoot\System32\drivers\pcw.sys
0x8B600000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8B81B000 \SystemRoot\system32\drivers\ndis.sys
0x8B8D2000 \SystemRoot\system32\drivers\NETIO.SYS
0x8B910000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8BA02000 \SystemRoot\System32\drivers\tcpip.sys
0x8BB4C000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8BB7D000 \SystemRoot\system32\drivers\vmstorfl.sys
0x8BB86000 \SystemRoot\system32\drivers\volsnap.sys
0x8BBC5000 \SystemRoot\System32\Drivers\spldr.sys
0x8BBCD000 \SystemRoot\System32\drivers\rdyboost.sys
0x8B935000 \SystemRoot\System32\Drivers\mup.sys
0x8B945000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8B94D000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8B97F000 \SystemRoot\system32\DRIVERS\disk.sys
0x8B990000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8B568000 \SystemRoot\system32\drivers\cdrom.sys
0x8B9E7000 \SystemRoot\System32\Drivers\Null.SYS
0x8B9EE000 \SystemRoot\System32\Drivers\Beep.SYS
0x8B800000 \SystemRoot\System32\drivers\vga.sys
0x8B587000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8B80C000 \SystemRoot\System32\drivers\watchdog.sys
0x8B9F5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8B609000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8B611000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8B619000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8B5A8000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8B5B6000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8B5CD000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x91A00000 \SystemRoot\System32\DRIVERS\netbt.sys
0x91A32000 \SystemRoot\system32\drivers\afd.sys
0x91A8C000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x91A95000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x91A9C000 \SystemRoot\system32\DRIVERS\pacer.sys
0x91ABB000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x91ACC000 \SystemRoot\system32\DRIVERS\SymIMv.sys
0x91AD8000 \SystemRoot\system32\DRIVERS\netbios.sys
0x91AE6000 \SystemRoot\system32\DRIVERS\serial.sys
0x91B00000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x91B13000 \SystemRoot\system32\drivers\termdd.sys
0x91B24000 \SystemRoot\System32\Drivers\NAV\1205000.07D\SYMNETS.SYS
0x91B73000 \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
0x91B99000 \SystemRoot\system32\drivers\NAV\1205000.07D\Ironx86.SYS
0x91BBD000 \SystemRoot\system32\drivers\NAV\1205000.07D\SRTSPX.SYS
0x9223C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9227D000 \SystemRoot\system32\drivers\nsiproxy.sys
0x92287000 \SystemRoot\system32\drivers\mssmbios.sys
0x92291000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110406.001\IDSvix86.sys
0x922EC000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x9234A000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x92367000 \SystemRoot\System32\drivers\discache.sys
0x92373000 \SystemRoot\system32\drivers\csc.sys
0x923D7000 \SystemRoot\System32\Drivers\dfsc.sys
0x923EF000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x92A04000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110309.001\BHDrvx86.sys
0x92ACB000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x92AEC000 \SystemRoot\system32\DRIVERS\easytthr.sys
0x92AEF000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x93A0C000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x9413F000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x92B01000 \SystemRoot\System32\drivers\dxgmms1.sys
0x93A00000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x92B3A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x92B85000 \SystemRoot\system32\drivers\usbehci.sys
0x92B94000 \SystemRoot\system32\drivers\HDAudBus.sys
0x99C0B000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x99D23000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x99D2D000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
0x99D69000 \SystemRoot\system32\drivers\1394ohci.sys
0x99D96000 \SystemRoot\system32\drivers\i8042prt.sys
0x99DAE000 \SystemRoot\system32\drivers\mouclass.sys
0x99DBB000 \SystemRoot\system32\drivers\kbdclass.sys
0x99DC8000 \??\C:\Windows\system32\drivers\VMkbd.sys
0x99DCD000 \SystemRoot\system32\DRIVERS\serenum.sys
0x99DD7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x99DDD000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x99DE1000 \SystemRoot\system32\drivers\wmiacpi.sys
0x99DEA000 \SystemRoot\system32\drivers\CompositeBus.sys
0x92BB3000 \SystemRoot\system32\DRIVERS\dne2000.sys
0x92BD1000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x92BE3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x99C00000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x92200000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x92222000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x91BC8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x91BDF000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x941F6000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x99DF7000 \SystemRoot\system32\drivers\swenum.sys
0x9A23A000 \SystemRoot\system32\drivers\ks.sys
0x9A26E000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
0x9A29C000 \SystemRoot\system32\drivers\umbus.sys
0x9A2AA000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
0x9A2AD000 \SystemRoot\system32\DRIVERS\VMNET.SYS
0x9A2B0000 \SystemRoot\system32\drivers\usbhub.sys
0x9A2F4000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9A305000 \SystemRoot\system32\drivers\HdAudio.sys
0x9A355000 \SystemRoot\system32\drivers\portcls.sys
0x9A384000 \SystemRoot\system32\drivers\drmk.sys
0x9A39D000 \SystemRoot\system32\DRIVERS\VSTAZL3.SYS
0x9A42A000 \SystemRoot\system32\DRIVERS\VSTDPV3.SYS
0x9A52C000 \SystemRoot\system32\DRIVERS\VSTCNXT3.SYS
0x9A5E1000 \SystemRoot\system32\drivers\modem.sys
0x9BD80000 \SystemRoot\System32\win32k.sys
0x9A5EE000 \SystemRoot\System32\drivers\Dxapi.sys
0x9A400000 \SystemRoot\system32\drivers\hidusb.sys
0x9A40B000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0x9A41E000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0x9A425000 \SystemRoot\system32\drivers\USBD.SYS
0x9A3DA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x9A3E5000 \SystemRoot\system32\drivers\USBSTOR.SYS
0x9A200000 \SystemRoot\system32\DRIVERS\monitor.sys
0x9BFE0000 \SystemRoot\System32\TSDDD.dll
0x9BC20000 \SystemRoot\System32\cdd.dll
0x8CA25000 \SystemRoot\system32\DRIVERS\udfs.sys
0x8CA65000 \SystemRoot\system32\drivers\luafv.sys
0x8CA80000 \SystemRoot\system32\drivers\WudfPf.sys
0x8CA9A000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8CAA7000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8CAB2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x8CABB000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x8CACC000 \SystemRoot\system32\drivers\WinUSB.sys
0x8CAD5000 \SystemRoot\system32\drivers\WUDFRd.sys
0x8CAF6000 \SystemRoot\System32\DRIVERS\scfilter.sys
0x8CB02000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
0x8CB10000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8CB20000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8CB66000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8CB76000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8CB89000 \SystemRoot\System32\Drivers\fastfat.SYS
0x9C618000 \SystemRoot\system32\drivers\HTTP.sys
0x9C69D000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9C6B6000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9C6C8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9C6EB000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9C726000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9C759000 \??\C:\Windows\system32\drivers\hcmon.sys
0x9C763000 \??\C:\Windows\system32\Drivers\vmci.sys
0xA0A24000 \??\C:\Windows\system32\Drivers\vmx86.sys
0xA0AF3000 \??\C:\Windows\system32\Drivers\CVPNDRVA.sys
0xA1E30000 \SystemRoot\system32\drivers\peauth.sys
0xA1EC7000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA1ED1000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA1EF2000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA1EFF000 \??\C:\Windows\system32\drivers\vmnetuserif.sys
0xA1F04000 \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
0xA1F08000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA1F57000 \SystemRoot\System32\DRIVERS\srv.sys
0x9C773000 \SystemRoot\System32\Drivers\NAV\1205000.07D\SRTSP.SYS
0xA4022000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110406.038\NAVEX15.SYS
0xA4175000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110406.038\NAVENG.SYS
0xA4189000 \??\C:\Windows\system32\FsUsbExDisk.SYS
0xA4000000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77180000 \Windows\System32\ntdll.dll
0x483D0000 \Windows\System32\smss.exe
0x773C0000 \Windows\System32\apisetschema.dll
0x00450000 \Windows\System32\autochk.exe
0x76FE0000 \Windows\System32\setupapi.dll
0x77360000 \Windows\System32\gdi32.dll
0x76F00000 \Windows\System32\kernel32.dll
0x77350000 \Windows\System32\psapi.dll
0x76D40000 \Windows\System32\iertutil.dll
0x772C0000 \Windows\System32\clbcatq.dll
0x76D20000 \Windows\System32\sechost.dll
0x76D10000 \Windows\System32\normaliz.dll
0x76CB0000 \Windows\System32\difxapi.dll
0x76C90000 \Windows\System32\imm32.dll
0x76C30000 \Windows\System32\shlwapi.dll
0x76B80000 \Windows\System32\rpcrt4.dll
0x76AF0000 \Windows\System32\oleaut32.dll
0x769D0000 \Windows\System32\wininet.dll
0x76900000 \Windows\System32\user32.dll
0x76850000 \Windows\System32\msvcrt.dll
0x75C00000 \Windows\System32\shell32.dll
0x75AA0000 \Windows\System32\ole32.dll
0x75A70000 \Windows\System32\imagehlp.dll
0x75A60000 \Windows\System32\lpk.dll
0x75A10000 \Windows\System32\Wldap32.dll
0x75970000 \Windows\System32\usp10.dll
0x75930000 \Windows\System32\ws2_32.dll
0x75860000 \Windows\System32\msctf.dll
0x757E0000 \Windows\System32\comdlg32.dll
0x75740000 \Windows\System32\advapi32.dll
0x75730000 \Windows\System32\nsi.dll
0x75620000 \Windows\System32\urlmon.dll
0x755D0000 \Windows\System32\KernelBase.dll
0x755A0000 \Windows\System32\wintrust.dll
0x75580000 \Windows\System32\devobj.dll
0x75460000 \Windows\System32\crypt32.dll
0x753D0000 \Windows\System32\comctl32.dll
0x753A0000 \Windows\System32\cfgmgr32.dll
0x75390000 \Windows\System32\msasn1.dll

Processes (total 71):
0 System Idle Process
4 SYSTEM
240 C:\Windows\System32\smss.exe
352 csrss.exe
412 C:\Windows\System32\wininit.exe
424 csrss.exe
480 C:\Windows\System32\winlogon.exe
516 C:\Windows\System32\services.exe
536 C:\Windows\System32\lsass.exe
544 C:\Windows\System32\lsm.exe
640 C:\Windows\System32\svchost.exe
700 C:\Windows\System32\nvvsvc.exe
736 C:\Windows\System32\svchost.exe
800 C:\Windows\System32\svchost.exe
860 C:\Windows\System32\svchost.exe
884 C:\Windows\System32\svchost.exe
1036 C:\Windows\System32\svchost.exe
1156 WUDFHost.exe
1292 C:\Windows\System32\rundll32.exe
1336 C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
1364 C:\Windows\System32\svchost.exe
1536 C:\Windows\System32\spoolsv.exe
1572 C:\Windows\System32\svchost.exe
1604 C:\Windows\System32\svchost.exe
1716 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1740 C:\Program Files\Bonjour\mDNSResponder.exe
1776 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1836 C:\Windows\System32\FsUsbExService.Exe
1872 C:\Windows\System32\svchost.exe
1892 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
1952 C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe
2024 C:\Program Files\CDBurnerXP\NMSAccessU.exe
256 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
404 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
1092 C:\Windows\System32\svchost.exe
1772 C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
1644 C:\Windows\System32\vmnat.exe
2080 C:\Program Files\VMware\VMware Player\vmware-authd.exe
2228 C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
2376 WmiPrvSE.exe
2436 C:\Windows\System32\vmnetdhcp.exe
2592 WmiPrvSE.exe
3064 WUDFHost.exe
3932 C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe
4016 C:\Windows\System32\dwm.exe
1228 C:\Windows\explorer.exe
1276 C:\Windows\System32\taskhost.exe
2516 C:\Windows\System32\rundll32.exe
3220 C:\Windows\System32\rundll32.exe
3268 C:\Program Files\Microsoft Office Communicator\communicator.exe
3344 C:\Program Files\VMware\VMware Player\hqtray.exe
3420 C:\Program Files\iTunes\iTunesHelper.exe
3428 C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
3440 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
3592 C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
200 C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
604 C:\Program Files\eRoom 7\ERClient7.exe
728 C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
3800 C:\Program Files\iPod\bin\iPodService.exe
3320 C:\Windows\System32\SearchIndexer.exe
1136 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
1204 C:\Program Files\Windows Media Player\wmpnetwk.exe
4504 C:\Program Files\Internet Explorer\iexplore.exe
4540 C:\Program Files\Internet Explorer\iexplore.exe
3500 C:\Program Files\Internet Explorer\iexplore.exe
4192 C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
2600 C:\Program Files\Internet Explorer\iexplore.exe
5968 C:\Windows\System32\audiodg.exe
4500 C:\Users\giorgf\Downloads\MBRCheck.exe
5004 C:\Windows\System32\conhost.exe
264 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVS-00VAT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Done!

Then here you can find a link related to the infection:
http://www.symantec....-011801-4700-99

Unfortunately I can't remove as suggested.

ANy other suggestion, please?

Many thanks,

#10
RKinner

Posted 08 April 2011 - 08:39 AM

Malware Expert

Expert
24,734 posts

I'm not seeing an infection so I think what you have is a bad memory from Norton. Were you not able to remove the contents of QBackup?

Ron

#11
DavidAemes

Posted 09 April 2011 - 01:41 AM

Member

Topic Starter
Member
10 posts

Hi,
as I have Win 7, please can you suggest the location on this type of Operating System?

Did you read about the malware on http://www.symantec....-011801-4700-99 ?

Many thanks,

Best Regards,

#12
DavidAemes

Posted 09 April 2011 - 04:50 AM

Member

Topic Starter
Member
10 posts

I Found the folder and deleted all its content...
After the FIRST reboot later this operation, it seems that Symantec doesn't show the warning about the Boot.Tidsrv.B.

Now I'm launching a full scan...

I'll keep you updated...

Thanks,

#13
DavidAemes

Posted 09 April 2011 - 06:21 AM

Member

Topic Starter
Member
10 posts

The full scan was completed....no malware or virus were found!
For more security, I'm launching the Norton Power Erasare that is more powerful...

I'll keep you updated...

Thanks,