Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.04 -
AhnLab-V3 5.0.0.2 2010.02.03 -
AntiVir 7.9.1.158 2010.02.03 -
Antiy-AVL 2.0.3.7 2010.02.03 -
Authentium 5.2.0.5 2010.02.03 -
Avast 4.8.1351.0 2010.02.02 -
AVG 9.0.0.730 2010.02.03 -
BitDefender 7.2 2010.02.03 -
CAT-QuickHeal 10.00 2010.02.03 -
ClamAV 0.96.0.0-git 2010.02.03 -
Comodo 3810 2010.02.03 -
DrWeb 5.0.1.12222 2010.02.04 -
eSafe 7.0.17.0 2010.02.03 -
eTrust-Vet 35.2.7278 2010.02.03 -
F-Prot 4.5.1.85 2010.02.03 -
F-Secure 9.0.15370.0 2010.02.03 -
Fortinet 4.0.14.0 2010.02.04 -
GData 19 2010.02.03 -
Ikarus T3.1.1.80.0 2010.02.03 -
Jiangmin 13.0.900 2010.02.03 -
K7AntiVirus 7.10.966 2010.02.03 -
Kaspersky 7.0.0.125 2010.02.04 -
McAfee 5881 2010.02.03 -
McAfee+Artemis 5881 2010.02.03 -
McAfee-GW-Edition 6.8.5 2010.02.03 -
Microsoft 1.5406 2010.02.03 -
NOD32 4833 2010.02.03 -
Norman 6.04.03 2010.02.03 -
nProtect 2009.1.8.0 2010.02.03 -
Panda 10.0.2.2 2010.02.03 -
PCTools 7.0.3.5 2010.02.04 -
Rising 22.33.02.04 2010.02.03 -
Sophos 4.50.0 2010.02.03 -
Sunbelt 3.2.1858.2 2010.02.03 -
TheHacker 6.5.1.0.179 2010.02.03 -
TrendMicro 9.120.0.1004 2010.02.03 -
VBA32 3.12.12.1 2010.02.03 -
ViRobot 2010.2.3.2170 2010.02.03 -
VirusBuster 5.0.21.0 2010.02.03 -
Additional information
File size: 10 bytes
MD5...: 1fab9f131b483bbf0ec5026cb8de9f58
SHA1..: 209da21c94cd0e9fc51d99b6a80554216fd2b809
SHA256: 59753234d797b36d96febbd89d1cfdcd4a551fef5c42b6538a6e824fad33f290
ssdeep: 3:wUTcS:wKH
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Unknown!
18:55:50:860 4008 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
18:55:50:860 4008 ================================================================================
18:55:50:860 4008 SystemInfo:
18:55:50:860 4008 OS Version: 6.0.6002 ServicePack: 2.0
18:55:50:860 4008 Product type: Workstation
18:55:50:860 4008 ComputerName: D-PC
18:55:50:860 4008 UserName: Dude
18:55:50:860 4008 Windows directory: C:\Windows
18:55:50:860 4008 Processor architecture: Intel x86
18:55:50:860 4008 Number of processors: 2
18:55:50:860 4008 Page size: 0x1000
18:55:50:860 4008 Boot type: Normal boot
18:55:50:860 4008 ================================================================================
18:55:50:860 4008 UnloadDriverW: NtUnloadDriver error 2
18:55:50:860 4008 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:55:50:876 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
18:55:51:000 4008 UtilityInit: KLMD drop and load success
18:55:51:000 4008 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
18:55:51:000 4008 UtilityInit: KLMD open success
18:55:51:000 4008 UtilityInit: Initialize success
18:55:51:000 4008
18:55:51:000 4008 Scanning Services ...
18:55:51:000 4008 CreateRegParser: Registry parser init started
18:55:51:000 4008 CreateRegParser: DisableWow64Redirection error
18:55:51:000 4008 wfopen_ex: Trying to open file C:\Windows\system32\config\system
18:55:51:000 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
18:55:51:000 4008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:55:51:000 4008 wfopen_ex: Trying to KLMD file open
18:55:51:000 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
18:55:51:000 4008 wfopen_ex: File opened ok (Flags 2)
18:55:51:000 4008 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 3F1490
18:55:51:000 4008 wfopen_ex: Trying to open file C:\Windows\system32\config\software
18:55:51:000 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
18:55:51:000 4008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:55:51:000 4008 wfopen_ex: Trying to KLMD file open
18:55:51:000 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
18:55:51:000 4008 wfopen_ex: File opened ok (Flags 2)
18:55:51:000 4008 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 3F1318
18:55:51:000 4008 CreateRegParser: EnableWow64Redirection error
18:55:51:000 4008 CreateRegParser: RegParser init completed
18:55:52:014 4008 GetAdvancedServicesInfo: Raw services enum returned 461 services
18:55:52:014 4008 fclose_ex: Trying to close file C:\Windows\system32\config\system
18:55:52:014 4008 fclose_ex: Trying to close file C:\Windows\system32\config\software
18:55:52:014 4008
18:55:52:014 4008 Scanning Kernel memory ...
18:55:52:014 4008 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
18:55:52:014 4008 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 866DAAE0
18:55:52:014 4008 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
18:55:52:014 4008
18:55:52:014 4008 DetectCureTDL3: DEVICE_OBJECT: 8545D030
18:55:52:014 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8545D030
18:55:52:014 4008 DetectCureTDL3: DEVICE_OBJECT: 861CF638
18:55:52:014 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 861CF638
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0x861CF638[0x38]
18:55:52:014 4008 DetectCureTDL3: DRIVER_OBJECT: 84FF9A18
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0x84FF9A18[0xA8]
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0xAB812488[0x1E]
18:55:52:014 4008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:55:52:014 4008 DetectCureTDL3: IrpHandler (0) addr: B05D7FC8
18:55:52:014 4008 DetectCureTDL3: IrpHandler (1) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (2) addr: B05D8040
18:55:52:014 4008 DetectCureTDL3: IrpHandler (3) addr: B05D80B8
18:55:52:014 4008 DetectCureTDL3: IrpHandler (4) addr: B05D80B8
18:55:52:014 4008 DetectCureTDL3: IrpHandler (5) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (6) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (7) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (8) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (9) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (10) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (11) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (12) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (13) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (14) addr: B05D7BC4
18:55:52:014 4008 DetectCureTDL3: IrpHandler (15) addr: B05CB7E4
18:55:52:014 4008 DetectCureTDL3: IrpHandler (16) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (17) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (18) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (19) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (20) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (21) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (22) addr: B05D659C
18:55:52:014 4008 DetectCureTDL3: IrpHandler (23) addr: B05D37A2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (24) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (25) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (26) addr: 81E449D2
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0xB05CDF26[0x400]
18:55:52:014 4008 TDL3_StartIoHookDetect: CheckParameters: 4, B05D2000, 0
18:55:52:014 4008 TDL3_FileDetect: Processing driver: USBSTOR
18:55:52:014 4008 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:55:52:014 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:55:52:030 4008 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
18:55:52:030 4008
18:55:52:030 4008 DetectCureTDL3: DEVICE_OBJECT: 867DDAC8
18:55:52:030 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867DDAC8
18:55:52:030 4008 DetectCureTDL3: DEVICE_OBJECT: 85502900
18:55:52:030 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85502900
18:55:52:030 4008 DetectCureTDL3: DEVICE_OBJECT: 85535028
18:55:52:030 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85535028
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x85535028[0x38]
18:55:52:030 4008 DetectCureTDL3: DRIVER_OBJECT: 86F16698
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x86F16698[0xA8]
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x85500030[0x38]
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x854FFA68[0xA8]
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x854D04C8[0x1C]
18:55:52:030 4008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
18:55:52:030 4008 DetectCureTDL3: IrpHandler (0) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (1) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (2) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (3) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (4) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (5) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (6) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (7) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (8) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (9) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (10) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (11) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (12) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (13) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (14) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (15) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (16) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (17) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (18) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (19) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (20) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (21) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (22) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (23) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (24) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (25) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (26) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: All IRP handlers pointed to one addr: 85514618
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x85514618[0x400]
18:55:52:030 4008 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
18:55:52:030 4008 Driver "iaStor" Irp handler infected by TDSS rootkit ... 18:55:52:030 4008 KLMD_WriteMem: Trying to WriteMemory 0x8551467D[0xD]
18:55:52:030 4008 cured
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x855144BF[0x400]
18:55:52:030 4008 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
18:55:52:030 4008 Driver "iaStor" StartIo handler infected by TDSS rootkit ... 18:55:52:030 4008 TDL3_StartIoHookCure: Number of patches 1
18:55:52:030 4008 KLMD_WriteMem: Trying to WriteMemory 0x855145B6[0x6]
18:55:52:030 4008 cured
18:55:52:030 4008 TDL3_FileDetect: Processing driver: iaStor
18:55:52:030 4008 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\iaStor.sys
18:55:52:030 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\iaStor.sys
18:55:52:046 4008 TDL3_FileDetect: C:\Windows\system32\DRIVERS\iaStor.sys - Verdict: Infected
18:55:52:046 4008 File C:\Windows\system32\DRIVERS\iaStor.sys infected by TDSS rootkit ... 18:55:52:046 4008 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\iaStor.sys
18:55:52:139 4008 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\iaahci.inf_7baf6192\iaStor.sys:308248, checking..
18:55:52:233 4008 ValidateDriverFile: Stage 1 passed
18:55:52:233 4008 ValidateDriverFile: Stage 2 passed
18:55:52:420 4008 DigitalSignVerifyByHandle: Embedded DS result: 00000000
18:55:52:420 4008 ValidateDriverFile: Stage 3 passed
18:55:52:420 4008 FileCallback: File validated successfully, restore information prepared
18:55:52:716 4008 FindDriverFileBackup: Backup copy found in DriverStore
18:55:52:716 4008 TDL3_FileCure: Backup copy found, using it..
18:55:52:716 4008 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskAC63.tmp
18:55:52:732 4008 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskAC63.tmp, system32\drivers\iaStor.sys)
18:55:52:763 4008 TDL3_FileCure: KLMD jobs schedule success
18:55:52:763 4008 will be cured on next reboot
18:55:52:763 4008 UtilityBootReinit: Reboot required for cure complete..
18:55:52:763 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
18:55:52:794 4008 UtilityBootReinit: KLMD drop success
18:55:52:794 4008 KLMD_ApplyPendList: Pending buffer(6621_708D, 616) dropped successfully
18:55:52:794 4008 UtilityBootReinit: Cure on reboot scheduled successfully
18:55:52:794 4008
18:55:52:794 4008 Completed
18:55:52:794 4008
18:55:52:794 4008 Results:
18:55:52:794 4008 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
18:55:52:794 4008 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:55:52:794 4008 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:55:52:794 4008
18:55:52:794 4008 UnloadDriverW: NtUnloadDriver error 1
18:55:52:794 4008 KLMD_Unload: UnloadDriverW(klmd21) error 1
18:55:52:810 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
18:55:52:810 4008 UtilityDeinit: KLMD(ARK) unloaded successfully
ComboFix 10-02-03.04 - Dude 02/03/2010 19:06:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1895 [GMT -5:00]
Running from: c:\users\Dude\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-217875371-810032128-178167479-500
C:\confin.sys
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\users\Dude\AppData\Roaming\SystemProc
c:\windows\system32\stacsv.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.
2010-02-03 18:29 . 2009-08-29 09:00 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVENG.SYS
2010-02-03 18:29 . 2009-08-29 09:00 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVENG32.DLL
2010-02-03 18:29 . 2009-08-29 09:00 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVEX32A.DLL
2010-02-03 18:29 . 2009-08-29 09:00 1323568 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVEX15.SYS
2010-02-03 18:29 . 2009-08-29 09:00 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\ERASER.SYS
2010-02-03 18:29 . 2009-12-09 22:50 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\CCERASER.DLL
2010-02-03 18:29 . 2009-09-23 01:25 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\ECMSVR32.DLL
2010-02-03 18:29 . 2009-08-29 09:00 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\EECTRL.SYS
2010-02-02 20:33 . 2009-12-05 04:54 529456 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys
2010-02-02 20:33 . 2009-12-05 04:54 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHRules.dll
2010-02-02 20:33 . 2009-12-05 04:54 1405840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHEngine.dll
2010-02-02 20:33 . 2009-12-05 04:54 668720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx64.sys
2010-02-02 20:33 . 2009-12-05 04:54 610704 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\bbRGen.dll
2010-01-29 22:34 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSvix86.sys
2010-01-29 22:34 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSXpx86.sys
2010-01-29 22:34 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\Scxpx86.dll
2010-01-29 22:34 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSxpx86.dll
2010-01-29 22:34 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSviA64.sys
2010-01-27 22:06 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSvix86.sys
2010-01-27 22:06 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSXpx86.sys
2010-01-27 22:06 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\Scxpx86.dll
2010-01-27 22:06 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSxpx86.dll
2010-01-27 22:06 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSviA64.sys
2010-01-16 07:06 . 2010-01-16 07:06 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-10 00:09 . 2010-01-10 00:09 -------- d-----w- C:\New Folder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 23:58 . 2008-02-28 19:59 308248 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-01 14:02 . 2008-02-28 20:10 -------- d-----w- c:\program files\Google
2010-02-01 13:59 . 2009-09-22 00:13 -------- d-----w- c:\program files\LogMeIn
2009-12-30 18:00 . 2009-01-03 20:28 -------- d-----w- c:\program files\FlashFXP
2009-12-14 18:49 . 2009-12-17 02:30 471040 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-14 18:49 . 2009-12-17 02:30 43008 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-14 18:49 . 2009-12-17 02:30 347136 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-14 18:49 . 2009-12-17 02:30 340992 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-14 18:49 . 2009-12-17 02:30 1452032 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-10 03:16 . 2009-09-11 13:05 784752 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2009-09-21 21:45 . 2008-08-14 05:51 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-08-25 03:10 . 2008-10-17 05:25 174592 --sha-w- c:\windows\System32\ncfpsys.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-14 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-11-03 4823416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-09-21 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-22 122368]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
c:\users\Dude\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-10-01 16:57 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 23:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 22:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 16:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 16:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Password Protect USB 3.6.1]
2005-08-25 03:10 174592 --sha-w- c:\windows\System32\ncfpsys.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cf,71,c7,93,06,32,ca,01
R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NIS\1105000.07F\symds.sys [1/11/2010 4:56 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1105000.07F\symefa.sys [1/11/2010 4:56 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys [2/2/2010 3:33 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1105000.07F\cchpx86.sys [1/11/2010 4:56 PM 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSvix86.sys [1/29/2010 5:34 PM 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NIS\1105000.07F\ironx86.sys [1/11/2010 4:56 PM 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NIS\1105000.07F\symtdiv.sys [1/11/2010 4:56 PM 340016]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [1/20/2008 9:23 PM 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [9/21/2009 7:14 PM 47640]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/11/2010 4:56 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/21/2009 10:58 AM 102448]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [6/10/2009 4:52 AM 347648]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 9:03 AM 135664]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/28/2008 3:10 PM 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - KLMDB
*Deregistered* - klmdb
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:02]
2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:02]
2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-217875371-810032128-178167479-1000Core.job
- c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-14 18:17]
2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-217875371-810032128-178167479-1000UA.job
- c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-14 18:17]
2010-02-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dude.job
- c:\program files\Norton Internet Security\Engine\17.5.0.127\navw32.exe [2010-01-11 06:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Dude\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 19:17
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-03 19:21:54
ComboFix-quarantined-files.txt 2010-02-04 00:21
Pre-Run: 21,680,717,824 bytes free
Post-Run: 21,945,155,584 bytes free
- - End Of File - - F5910A99528074BEA21497FC1192C1F8
Computer is running better as far as shutting itself down less, and the Google page redirect seems to have been fixed.