HijackThis log for browser redirect


  • This topic is locked
28 replies to this topic

#1 ItaloPride

  • Members
  • 16 posts

Posted 21 May 2010 - 03:58 PM

Just removed Security Essentials 2010 but browser still redirects when clicking links


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:57:05 PM, on 5/21/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\S3Funkey.exe
C:\Windows\System32\s3trayp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Olimpia\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://it.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\Blingee Plus\tbhelper.dll (file missing)
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - (no file)
O2 - BHO: BlingeeTb - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Blingee Plus\blingeetb.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Blingee Toolbar - {D1121FE0-0145-44C9-AA35-72071AC20A9B} - C:\Program Files\Blingee Plus\blingeetb.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [S3Funkey] S3Funkey.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe -chkautorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Users\Olimpia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Users\Olimpia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing) (HKCU)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DNS Client DnscacheDPS (DnscacheDPS) - Unknown owner - C:\Windows\system32\adsldpz.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Group Policy Client gpsvcRpcSs (gpsvcRpcSs) - Unknown owner - C:\Windows\system32\accessibilitycplq.exe (file missing)
O23 - Service: Human Interface Device Access hidservSLUINotify (hidservSLUINotify) - Unknown owner - C:\Windows\system32\appendo.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Windows Backup SDRSVCMMCSS (SDRSVCMMCSS) - Unknown owner - C:\Windows\system32\ACCTRESc.exe (file missing)
O23 - Service: Terminal Services UserMode Port Redirector UmRdpServicedot3svc (UmRdpServicedot3svc) - Unknown owner - C:\Windows\system32\apilogeng.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9635 bytes
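As an added example that is not part of the original thread: a small Python triage script for HijackThis O2 (BHO) and O23 (Service) lines like the ones above. It parses each entry and flags three things the log itself exposes: a target of "(no file)" or "(file missing)", a service with "Unknown owner", and a service short name that extends a genuine Windows service short name (the allow-list of genuine names is an assumption and deliberately short). The sample lines are copied from the log above; every flag is a prompt for an analyst to look at the entry, not a verdict.

```python
"""Triage helper for HijackThis-style O2 (BHO) and O23 (Service) log lines."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: BlingeeTb - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Blingee Plus\blingeetb.dll (file missing)
O23 - Service: DNS Client DnscacheDPS (DnscacheDPS) - Unknown owner - C:\Windows\system32\adsldpz.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Terminal Services UserMode Port Redirector UmRdpServicedot3svc (UmRdpServicedot3svc) - Unknown owner - C:\Windows\system32\apilogeng.exe
"""

# Assumption: a short allow-list of genuine Windows service short names (lower-cased)
# whose display names appear in the log above. Extend it for real use.
KNOWN_SERVICES = {"dnscache", "gpsvc", "hidserv", "sdrsvc", "umrdpservice"}

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O23 lines: "O23 - Service: <display name> (<short name>) - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# The service short name is the last parenthesised token of the display name.
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")


@dataclass
class Entry:
    kind: str                 # "O2" or "O23"
    name: str                 # BHO name or service display name
    path: str                 # target DLL/EXE as printed in the log
    owner: str = ""           # O23 only: vendor string
    short_name: str = ""      # O23 only: name in parentheses, else the display name
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for an O2 or O23 line, or None for any other line."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["path"])
    m = O23_RE.match(line)
    if m:
        sm = SHORT_NAME_RE.search(m["display"])
        short = sm["short"] if sm else m["display"]
        return Entry("O23", m["display"], m["path"], owner=m["owner"], short_name=short)
    return None


def flag_entry(entry):
    """Attach review flags derived only from what the log line itself states."""
    flags = []
    path = entry.path.lower()
    if path == "(no file)" or path.endswith("(file missing)"):
        flags.append("file_missing")
    if entry.kind == "O23":
        if entry.owner.lower() == "unknown owner":
            flags.append("unknown_owner")
        short = entry.short_name.lower()
        # Exact known names are fine; a known name with extra characters appended is not.
        if short not in KNOWN_SERVICES and any(short.startswith(k) for k in KNOWN_SERVICES):
            flags.append("extends_known_service_name")
    entry.flags = flags
    return entry


def triage(text):
    """Parse every line and return the entries that carry at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flag_entry(entry)
        if entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.short_name or e.name:<24} {', '.join(e.flags):<50} {e.path}")
```

Running the script lists five of the seven sample lines: the two BHOs with no backing file, the DnscacheDPS service (missing file, unknown owner, extended name), ProtexisLicensing (unknown owner only) and UmRdpServicedot3svc (unknown owner, extended name). Feeding it a full log is just a matter of passing the file contents to triage().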



#2 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,178 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 May 2010 - 07:33 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system; please do the following so I can get some more detailed logs.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Note: Do not run any programs while Gmer is running.


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from GMER
      3. let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 ItaloPride

ItaloPride
  • Topic Starter

  • Members
  • 16 posts

Posted 22 May 2010 - 08:41 PM

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 1/2/2009 11:48:00 PM
System Uptime: 5/22/2010 8:39:32 PM (0 hours ago)

Motherboard: FIC | | Everex StepNote Series
Processor: Genuine Intel® CPU T2080 @ 1.73GHz | mPGA 479M | 1733/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 67.19 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Bejeweled Blitz
Blingee Toolbar
CVS Photo Editor Plus
DriverAgent by eSupport.com
Facebook Plug-In
HDAUDIO Soft Data Fax Modem with SmartCP
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java™ 6 Update 20
Jewel Quest Solitaire
Junk Mail filter update
Mahjongg Artifacts 2
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PerfectDisk 2008 Professional
Platform
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype web features
Skype™ 4.1
Smart Menus (Windows Live Toolbar)
The Weather Channel Desktop 6
Try Corel Snapfire muvee autoProducer add on
Ultimate Extras sounds from Microsoft® Tinker™
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981433)
VIA Chrome9 HC IGP Family Display
VIA Platform Device Manager
VIA Rhine Family Fast Ethernet Adapter
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows Sound Schemes
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
Zuma Deluxe

==== Event Viewer Messages From Past Week ========

5/22/2010 8:41:00 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Multimedia Class Scheduler service to connect.
5/22/2010 8:41:00 PM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Multimedia Class Scheduler service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/22/2010 8:41:00 PM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/22/2010 8:41:00 PM, Error: Service Control Manager [7000] - The aswFsBlk service failed to start due to the following error: The system cannot find the file specified.
5/22/2010 12:13:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
5/21/2010 5:07:46 PM, Error: Service Control Manager [7030] - The Eset Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
5/20/2010 8:07:33 PM, Error: EventLog [6008] - The previous system shutdown at 8:05:35 PM on 5/20/2010 was unexpected.
5/20/2010 7:51:35 PM, Error: EventLog [6008] - The previous system shutdown at 7:50:00 PM on 5/20/2010 was unexpected.
5/20/2010 3:15:42 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSP aswTdi easdrv spldr Wanarpv6
5/20/2010 3:15:42 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
5/20/2010 3:15:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
5/20/2010 3:15:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
5/20/2010 3:15:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/20/2010 3:15:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
5/20/2010 3:14:17 PM, Error: EventLog [6008] - The previous system shutdown at 3:12:03 PM on 5/20/2010 was unexpected.
5/20/2010 3:10:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/20/2010 3:05:58 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: easdrv spldr Wanarpv6
5/20/2010 3:04:33 PM, Error: EventLog [6008] - The previous system shutdown at 3:01:49 PM on 5/20/2010 was unexpected.
5/20/2010 11:38:50 PM, Error: Service Control Manager [7030] - The Lavasoft Ad-Aware Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
5/17/2010 4:05:34 PM, Error: EventLog [6008] - The previous system shutdown at 11:36:43 AM on 5/17/2010 was unexpected.
5/15/2010 2:54:29 PM, Error: EventLog [6008] - The previous system shutdown at 11:09:45 AM on 5/15/2010 was unexpected.

==== End Of File ===========================






DDS (Ver_10-03-17.01) - NTFSx86
Run by Olimpia at 20:45:26.02 on Sat 05/22/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.958.215 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\system32\taskeng.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\S3Funkey.exe
C:\Windows\System32\s3trayp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
svchost.exe "C:\Windows\system32\apilogeng.exe"
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Olimpia\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com/
uSearch Bar =
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://it.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://it.search.yahoo.com
mSearch Page = hxxp://it.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://it.search.yahoo.com
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {f0626a63-410b-45e2-99a1-3f2475b2d695} - Search Assistant
BHO: BlingeeTb Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\blingee plus\blingeetb.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Blingee Toolbar: {d1121fe0-0145-44c9-aa35-72071ac20a9b} - c:\program files\blingee plus\blingeetb.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DW6]
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [S3Funkey] S3Funkey.exe
mRun: [S3Trayp] S3trayp.exe -chkautorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Corel Photo Downloader] c:\program files\cvs\cvs photo editor plus\Corel Photo Downloader.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: facebook.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

================= FIREFOX ===================

FF - ProfilePath - c:\users\olimpia\appdata\roaming\mozilla\firefox\profiles\nk6e7upi.default\
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - component: c:\users\olimpia\appdata\roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\components\FFTextLinks.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\olimpia\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\olimpia\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-1-3 17920]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-20 164048]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-5-20 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-20 40384]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2008-1-20 21504]
R2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-9 693512]
R3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\drivers\fetnd6v.sys [2008-12-4 43520]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\VTGKModeDX32.sys [2009-1-12 814592]
S2 DnscacheDPS;DNS Client DnscacheDPS;c:\windows\system32\adsldpz.exe srv --> c:\windows\system32\adsldpz.exe srv [?]
S2 gpsvcRpcSs;Group Policy Client gpsvcRpcSs;c:\windows\system32\accessibilitycplq.exe srv --> c:\windows\system32\accessibilitycplq.exe srv [?]
S2 hidservSLUINotify;Human Interface Device Access hidservSLUINotify;c:\windows\system32\appendo.exe srv --> c:\windows\system32\appendo.exe srv [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-20 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-20 40384]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-6 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-9 906504]

=============== Created Last 30 ================

2010-05-23 00:43:17 0 ----a-w- c:\users\olimpia\defogger_reenable
2010-05-21 20:38:25 0 d-----w- c:\program files\Trend Micro
2010-05-21 20:25:57 232 ----a-w- c:\windows\reimage.ini
2010-05-21 03:42:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-21 03:37:36 0 d-----w- c:\programdata\Lavasoft
2010-05-21 00:35:59 0 d-----w- c:\windows\system32\eu-ES
2010-05-21 00:35:59 0 d-----w- c:\windows\system32\ca-ES
2010-05-21 00:35:54 0 d-----w- c:\windows\system32\vi-VN
2010-05-20 23:51:35 155154022 ----a-w- c:\windows\MEMORY.DMP
2010-05-20 21:56:59 0 d-----w- c:\users\olimpia\appdata\roaming\Malwarebytes
2010-05-20 19:11:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 19:11:37 0 d-----w- c:\programdata\Malwarebytes
2010-05-20 19:11:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 19:11:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 19:10:25 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-20 19:10:12 0 d-----w- c:\programdata\Alwil Software
2010-05-20 19:04:39 1048576 --sha-w- c:\users\olimpia\NTUSER.DAT{0f69446c-6a70-11db-8eb3-985e31beb686}.TxR.2.regtrans-ms
2010-05-20 19:04:39 1048576 --sha-w- c:\users\olimpia\NTUSER.DAT{0f69446c-6a70-11db-8eb3-985e31beb686}.TxR.1.regtrans-ms
2010-05-20 19:04:39 1048576 --sha-w- c:\users\olimpia\NTUSER.DAT{0f69446c-6a70-11db-8eb3-985e31beb686}.TxR.0.regtrans-ms
2010-05-20 19:04:38 65536 --sha-w- c:\users\olimpia\NTUSER.DAT{0f69446c-6a70-11db-8eb3-985e31beb686}.TxR.blf
2010-05-20 00:10:37 74752 ------w- c:\windows\system32\aedc.sys
2010-05-19 11:52:02 0 ----a-w- c:\windows\system32\4597.exe
2010-05-19 11:32:01 0 ----a-w- c:\windows\system32\15116.exe
2010-05-19 11:12:01 0 ----a-w- c:\windows\system32\30294.exe
2010-05-19 10:52:00 0 ----a-w- c:\windows\system32\20687.exe
2010-05-19 10:32:00 0 ----a-w- c:\windows\system32\23025.exe
2010-05-19 10:12:00 0 ----a-w- c:\windows\system32\11798.exe
2010-05-19 09:51:59 0 ----a-w- c:\windows\system32\13499.exe
2010-05-19 09:31:59 0 ----a-w- c:\windows\system32\12419.exe
2010-05-19 09:11:58 0 ----a-w- c:\windows\system32\17596.exe
2010-05-19 08:51:58 0 ----a-w- c:\windows\system32\21819.exe
2010-05-19 08:31:57 0 ----a-w- c:\windows\system32\9235.exe
2010-05-19 08:11:57 0 ----a-w- c:\windows\system32\9903.exe
2010-05-19 07:51:56 0 ----a-w- c:\windows\system32\2957.exe
2010-05-18 22:29:51 0 ----a-w- c:\windows\system32\23727.exe
2010-05-18 22:09:51 0 ----a-w- c:\windows\system32\31288.exe
2010-05-18 21:49:50 0 ----a-w- c:\windows\system32\11741.exe
2010-05-18 21:29:50 0 ----a-w- c:\windows\system32\10082.exe
2010-05-18 21:09:50 0 ----a-w- c:\windows\system32\5234.exe
2010-05-18 20:49:49 0 ----a-w- c:\windows\system32\11966.exe
2010-05-18 20:29:48 0 ----a-w- c:\windows\system32\9945.exe
2010-05-18 20:09:48 0 ----a-w- c:\windows\system32\2013.exe
2010-05-18 09:05:39 25088 ----a-w- c:\windows\system32\0042.DLL
2010-05-17 07:26:08 0 d-----w- c:\programdata\Sun
2010-05-17 07:25:31 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-17 01:58:13 0 ----a-w- c:\windows\system32\5436.exe
2010-05-17 01:38:13 0 ----a-w- c:\windows\system32\4827.exe
2010-05-17 01:18:12 0 ----a-w- c:\windows\system32\11942.exe
2010-05-17 00:58:12 0 ----a-w- c:\windows\system32\2995.exe
2010-05-17 00:38:11 0 ----a-w- c:\windows\system32\491.exe
2010-05-17 00:18:11 0 ----a-w- c:\windows\system32\9961.exe
2010-05-16 23:58:11 0 ----a-w- c:\windows\system32\16827.exe
2010-05-16 23:38:10 0 ----a-w- c:\windows\system32\23281.exe
2010-05-16 23:18:10 0 ----a-w- c:\windows\system32\28145.exe
2010-05-16 22:58:10 0 ----a-w- c:\windows\system32\5705.exe
2010-05-16 22:38:09 0 ----a-w- c:\windows\system32\24464.exe
2010-05-16 19:37:31 778 ----a-w- C:\Security essentials 2010.lnk
2010-05-13 00:06:05 0 d-----w- C:\Poker Application
2010-05-12 23:51:29 0 d-----w- c:\program files\PokerStars.NET
2010-05-11 14:02:08 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-30 15:23:33 10 ----a-w- c:\windows\popcinfo.dat
2010-04-30 15:06:17 0 d-----w- c:\programdata\Oberon Media
2010-04-27 10:57:52 166400 ----a-w- c:\windows\system32\o.dat
2010-04-26 14:23:23 0 ----a-w- c:\windows\system32\ACWb.sys

==================== Find3M ====================

2010-05-21 21:08:51 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-05-21 21:08:51 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-21 21:08:51 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-21 00:35:42 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-21 00:24:20 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-16 02:00:26 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-17 11:48:33 86897 --sha-w- c:\windows\system32\apphelpe.sys
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-04 22:40:01 8 --sh--r- c:\windows\system32\7BF5025C67.sys

============= FINISH: 20:48:30.87 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-22 21:41:01
Windows 6.0.6002 Service Pack 2
Running: rpc8plec.exe; Driver: C:\Users\Olimpia\AppData\Local\Temp\uxldyfoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Windows\system32\aedc.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\wuauclt.exe[696] ntdll.dll!NtProtectVirtualMemory 777E4D34 5 Bytes JMP 0030000A
.text C:\Windows\system32\wuauclt.exe[696] ntdll.dll!NtWriteVirtualMemory 777E5674 5 Bytes JMP 0031000A
.text C:\Windows\system32\wuauclt.exe[696] ntdll.dll!KiUserExceptionDispatcher 777E5DC8 5 Bytes JMP 001A000A
.text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtProtectVirtualMemory 777E4D34 5 Bytes JMP 0082000A
.text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtWriteVirtualMemory 777E5674 5 Bytes JMP 0083000A
.text C:\Windows\system32\svchost.exe[1056] ntdll.dll!KiUserExceptionDispatcher 777E5DC8 5 Bytes JMP 0081000A
.text C:\Windows\system32\svchost.exe[1056] ole32.dll!CoCreateInstance 766C9EA6 5 Bytes JMP 008A000A
.text C:\Windows\Explorer.EXE[1748] ntdll.dll!NtProtectVirtualMemory 777E4D34 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[1748] ntdll.dll!NtWriteVirtualMemory 777E5674 3 Bytes JMP 007F000A
.text C:\Windows\Explorer.EXE[1748] ntdll.dll!NtWriteVirtualMemory + 4 777E5678 1 Byte [89]
.text C:\Windows\Explorer.EXE[1748] ntdll.dll!KiUserExceptionDispatcher 777E5DC8 5 Bytes JMP 007D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1848] ntdll.dll!NtProtectVirtualMemory 777E4D34 5 Bytes JMP 01B9000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1848] ntdll.dll!NtWriteVirtualMemory 777E5674 5 Bytes JMP 01BA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1848] ntdll.dll!KiUserExceptionDispatcher 777E5DC8 5 Bytes JMP 009F000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aedc.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#4 ItaloPride

  • Topic Starter

  • Members
  • 16 posts

Posted 22 May 2010 - 09:15 PM

About 15 minutes after running the programs and posting this, my browser crashed and my computer slowed down considerably. I had to restart my system entirely.

#5 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,178 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 May 2010 - 10:01 PM

Hello

Please do the following.


It may be helpful for you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


:run combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully

    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. Let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 ItaloPride

  • Topic Starter

  • Members
  • 16 posts

Posted 22 May 2010 - 11:21 PM

ComboFix 10-05-22.01 - Olimpia 05/22/2010 23:58:18.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.958.221 [GMT -4:00]
Running from: c:\users\Olimpia\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWB3SH.dll
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\programdata\pswi_preloaded.exe
c:\users\Public\RemoveSGP.exe
c:\windows\system32\0042.DLL
c:\windows\system32\10082.exe
c:\windows\system32\11741.exe
c:\windows\system32\11798.exe
c:\windows\system32\11942.exe
c:\windows\system32\11966.exe
c:\windows\system32\12419.exe
c:\windows\system32\13499.exe
c:\windows\system32\15116.exe
c:\windows\system32\1660442209.dat
c:\windows\system32\16827.exe
c:\windows\system32\17596.exe
c:\windows\system32\2013.exe
c:\windows\system32\20687.exe
c:\windows\system32\21819.exe
c:\windows\system32\23025.exe
c:\windows\system32\23281.exe
c:\windows\system32\23727.exe
c:\windows\system32\24464.exe
c:\windows\system32\28145.exe
c:\windows\system32\2957.exe
c:\windows\system32\2995.exe
c:\windows\system32\30294.exe
c:\windows\system32\31288.exe
c:\windows\system32\4597.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5234.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\9235.exe
c:\windows\system32\9903.exe
c:\windows\system32\9945.exe
c:\windows\system32\9961.exe

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-23 04:12 . 2010-05-23 04:13 -------- d-----w- c:\users\Olimpia\AppData\Local\temp
2010-05-23 04:12 . 2010-05-23 04:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-21 20:38 . 2010-05-21 20:38 -------- d-----w- c:\program files\Trend Micro
2010-05-21 03:42 . 2010-05-21 03:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-21 03:37 . 2010-05-21 21:03 -------- d-----w- c:\programdata\Lavasoft
2010-05-21 01:46 . 2010-05-21 01:46 0 ----a-w- c:\windows\nsreg.dat
2010-05-21 01:46 . 2010-05-21 01:46 -------- d-----w- c:\users\Olimpia\AppData\Local\Mozilla
2010-05-21 00:35 . 2010-05-21 00:37 -------- d-----w- c:\windows\system32\ca-ES
2010-05-21 00:35 . 2010-05-21 00:37 -------- d-----w- c:\windows\system32\eu-ES
2010-05-21 00:35 . 2010-05-21 00:37 -------- d-----w- c:\windows\system32\vi-VN
2010-05-20 21:56 . 2010-05-20 21:56 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Malwarebytes
2010-05-20 19:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 19:11 . 2010-05-20 19:11 -------- d-----w- c:\programdata\Malwarebytes
2010-05-20 19:11 . 2010-05-20 21:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 19:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 19:10 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-20 19:10 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-20 19:10 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-20 19:10 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-20 19:10 . 2010-05-06 20:34 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-20 19:10 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-20 19:10 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-20 19:10 . 2010-05-20 19:10 -------- d-----w- c:\programdata\Alwil Software
2010-05-20 19:10 . 2010-05-20 19:10 -------- d-----w- c:\program files\Alwil Software
2010-05-20 00:10 . 2010-05-20 00:10 74752 ------w- c:\windows\system32\aedc.sys
2010-05-17 15:35 . 2010-05-17 15:35 4224376 ---h--w- c:\programdata\PopCap Games\BejeweledBlitz\popcapgame1.exe
2010-05-17 07:26 . 2010-05-17 07:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-17 07:25 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-13 00:06 . 2010-05-13 00:06 -------- d-----w- C:\Poker Application
2010-05-12 23:51 . 2010-05-12 23:54 -------- d-----w- c:\users\Olimpia\AppData\Local\PokerStars.NET
2010-05-12 23:51 . 2010-05-20 23:55 -------- d-----w- c:\program files\PokerStars.NET
2010-05-11 14:02 . 2010-05-11 14:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-30 15:23 . 2010-05-01 12:40 10 ----a-w- c:\windows\popcinfo.dat
2010-04-30 15:06 . 2010-04-30 15:06 -------- d-----w- c:\programdata\Oberon Media
2010-04-27 10:57 . 2010-04-27 10:57 166400 ----a-w- c:\windows\system32\o.dat
2010-04-26 14:23 . 2010-05-05 18:20 0 ----a-w- c:\windows\system32\ACWb.sys
2010-04-24 23:04 . 2010-04-24 23:04 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 03:36 . 2008-01-21 02:21 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-05-21 21:31 . 2009-01-03 02:14 -------- d-----w- c:\program files\a-squared Free
2010-05-21 21:15 . 2009-03-11 11:11 -------- d-----w- c:\program files\Yahoo!
2010-05-21 21:15 . 2009-03-11 11:12 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Yahoo!
2010-05-21 00:38 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-05-21 00:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Journal
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-05-21 00:35 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-21 00:07 . 2009-12-28 20:40 -------- d-----w- c:\program files\Blingee Plus
2010-05-20 23:44 . 2009-12-21 13:11 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Skype
2010-05-20 23:40 . 2009-12-21 13:15 -------- d-----w- c:\users\Olimpia\AppData\Roaming\skypePM
2010-05-17 07:25 . 2009-01-03 05:00 -------- d-----w- c:\program files\Java
2010-05-16 02:00 . 2009-12-04 22:40 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-16 02:00 . 2009-12-04 22:39 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Corel
2010-04-30 15:05 . 2009-04-14 23:46 -------- d-----w- c:\program files\Oberon Media
2010-04-17 11:48 . 2010-04-17 09:57 86897 --sha-w- c:\windows\system32\apphelpe.sys
2010-04-17 08:41 . 2010-04-12 08:49 0 ----a-w- c:\windows\system32\algp.sys
2010-04-15 10:14 . 2009-01-03 02:27 -------- d-----w- c:\programdata\Microsoft Help
2010-04-08 19:39 . 2010-04-08 19:38 -------- d-----w- c:\programdata\PopCap Games
2010-04-08 19:38 . 2010-04-08 19:38 -------- d-----w- c:\program files\PopCap Games
2010-03-22 19:36 . 2010-02-11 11:37 50354 ----a-w- c:\users\Olimpia\AppData\Roaming\Facebook\uninstall.exe
2010-03-05 14:01 . 2010-04-14 08:55 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\users\Olimpia\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-25 11:18 . 2009-01-03 01:54 100432 ----a-w- c:\users\Olimpia\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-03 10:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 11:10 . 2010-04-14 08:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 08:56 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 08:55 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-31 09:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 09:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-31 09:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-31 09:21 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 16:10 . 2010-02-22 16:10 188928 ----a-w- c:\users\Olimpia\AppData\Roaming\Mozilla\Firefox\extensions\[email protected]\components\PlaySushiFF.dll
2009-12-04 22:40 . 2009-12-04 22:40 8 --sh--r- c:\windows\System32\7BF5025C67.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Trayp"="S3trayp.exe -chkautorun" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"S3Funkey"="S3Funkey.exe" [2008-03-05 102400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Corel Photo Downloader"="c:\program files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe" [2007-02-06 478800]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):22,66,46,de,7e,f8,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2041831136-1919538491-1583298144-1000]
"EnableNotificationsRef"=dword:00000001

R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R2 DnscacheDPS;DNS Client DnscacheDPS;c:\windows\system32\adsldpz.exe [x]
R2 gpsvcRpcSs;Group Policy Client gpsvcRpcSs;c:\windows\system32\accessibilitycplq.exe [x]
R2 hidservSLUINotify;Human Interface Device Access hidservSLUINotify;c:\windows\system32\appendo.exe [x]
R2 SDRSVCMMCSS;Windows Backup SDRSVCMMCSS;c:\windows\system32\ACCTRESc.exe [x]
R2 UmRdpServicedot3svc;Terminal Services UserMode Port Redirector UmRdpServicedot3svc;c:\windows\system32\apilogeng.exe [2008-01-21 82432]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-09 906504]
S1 aedc;aedc;c:\windows\system32\aedc.sys [2010-05-20 74752]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-09 693512]
S3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\DRIVERS\fetnd6v.sys [2008-12-04 43520]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 22:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-23 c:\windows\Tasks\User_Feed_Synchronization-{DEB90845-BDBE-434A-8AF2-C891777B748B}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: facebook.com\www
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{D1121FE0-0145-44C9-AA35-72071AC20A9B} - c:\program files\Blingee Plus\blingeetb.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D1121FE0-0145-44C9-AA35-72071AC20A9B} - c:\program files\Blingee Plus\blingeetb.dll
HKCU-Run-DW6 - (no file)
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 00:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-23 00:19:44
ComboFix-quarantined-files.txt 2010-05-23 04:19

Pre-Run: 72,108,478,464 bytes free
Post-Run: 72,724,287,488 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A30B4BA333AD0B01860560C0099C318A


#7 ItaloPride (Topic Starter)

Posted 22 May 2010 - 11:23 PM

I had to run it twice; the first time it was running, it made it to step 6 and the computer just shut down. I restarted it in "normal" and did the scan again.


Edited: the browser still redirects when clicking on links, mainly from Google.

Edited by ItaloPride, 22 May 2010 - 11:24 PM.


#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 22 May 2010 - 11:28 PM

Greetings


OK, let's do this next.

TDSSKiller:
  • Please download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy, then Paste it directly onto your Desktop.
  • Highlight and copy the text in the codebox below.
CODE
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02
  • To find the log, click Start, then Computer, then Vista (C:).
  • Please post the contents of that log in your next reply.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 ItaloPride (Topic Starter)

Posted 23 May 2010 - 12:03 AM

I had trouble finding the log; is this it?


00:38:53:883 3020 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
00:38:53:883 3020 ================================================================================
00:38:53:883 3020 SystemInfo:

00:38:53:883 3020 OS Version: 6.0.6002 ServicePack: 2.0
00:38:53:883 3020 Product type: Workstation
00:38:53:883 3020 ComputerName: OLIMPIA-PC
00:38:53:883 3020 UserName: Olimpia
00:38:53:883 3020 Windows directory: C:\Windows
00:38:53:883 3020 Processor architecture: Intel x86
00:38:53:883 3020 Number of processors: 2
00:38:53:883 3020 Page size: 0x1000
00:38:53:883 3020 Boot type: Normal boot
00:38:53:883 3020 ================================================================================
00:38:53:898 3020 UnloadDriverW: NtUnloadDriver error 2
00:38:53:898 3020 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
00:38:54:227 3020 wfopen_ex: Trying to open file C:\Windows\system32\config\system
00:38:54:227 3020 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:38:54:227 3020 wfopen_ex: Trying to KLMD file open
00:38:54:227 3020 wfopen_ex: File opened ok (Flags 2)
00:38:54:242 3020 wfopen_ex: Trying to open file C:\Windows\system32\config\software
00:38:54:242 3020 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:38:54:242 3020 wfopen_ex: Trying to KLMD file open
00:38:54:242 3020 wfopen_ex: File opened ok (Flags 2)
00:38:54:242 3020 KLAVA engine initialized
00:38:54:711 3020 Initialize success
00:38:54:711 3020
00:38:54:711 3020 Scanning Services ...
00:38:55:977 3020 Raw services enum returned 436 services
00:38:56:008 3020
00:38:56:008 3020 Scanning Drivers ...
00:38:56:727 3020 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
00:38:56:992 3020 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
00:38:57:164 3020 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
00:38:57:508 3020 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
00:38:57:836 3020 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
00:38:58:242 3020 aedc (86d1aace75ca954f0ac2d935b8930e40) C:\Windows\system32\aedc.sys
00:38:58:242 3020 Suspicious file (NoAccess): C:\Windows\system32\aedc.sys. md5: 86d1aace75ca954f0ac2d935b8930e40
00:38:58:742 3020 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
00:38:59:133 3020 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
00:38:59:195 3020 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
00:38:59:242 3020 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
00:38:59:336 3020 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
00:38:59:398 3020 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
00:38:59:461 3020 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
00:38:59:523 3020 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
00:38:59:634 3020 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
00:38:59:804 3020 aswMonFlt (58254e06b36b984e33ae314c0ea8f1a5) C:\Windows\system32\drivers\aswMonFlt.sys
00:38:59:867 3020 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\Windows\system32\drivers\aswRdr.sys
00:39:00:010 3020 aswSP (d78b644816db540e103d0b0766fd9967) C:\Windows\system32\drivers\aswSP.sys
00:39:00:257 3020 aswTdi (606d731008d98b6ef946730c597c1642) C:\Windows\system32\drivers\aswTdi.sys
00:39:00:444 3020 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
00:39:00:663 3020 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
00:39:01:038 3020 athr (44362605f5fff00c9b7696b47680a8c5) C:\Windows\system32\DRIVERS\athr.sys
00:39:01:366 3020 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
00:39:01:413 3020 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
00:39:01:866 3020 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
00:39:02:054 3020 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
00:39:02:272 3020 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
00:39:02:444 3020 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
00:39:02:663 3020 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
00:39:02:866 3020 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
00:39:02:913 3020 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
00:39:03:116 3020 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
00:39:03:554 3020 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
00:39:03:647 3020 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
00:39:03:772 3020 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
00:39:03:929 3020 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
00:39:04:257 3020 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
00:39:04:569 3020 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
00:39:04:757 3020 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
00:39:05:101 3020 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
00:39:05:226 3020 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
00:39:05:601 3020 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
00:39:05:757 3020 DefragFS (e08557f41650b505571d50c9247a1e03) C:\Windows\system32\drivers\DefragFS.sys
00:39:05:929 3020 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
00:39:06:022 3020 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
00:39:06:179 3020 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
00:39:06:507 3020 DXGKrnl (fb85f7f69e9b109820409243f578cc4d) C:\Windows\System32\drivers\dxgkrnl.sys
00:39:06:757 3020 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
00:39:07:054 3020 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
00:39:07:272 3020 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
00:39:07:491 3020 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
00:39:07:632 3020 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
00:39:07:835 3020 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
00:39:07:944 3020 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
00:39:08:147 3020 FETND6V (0020e12572006ebe529bcb0918677afd) C:\Windows\system32\DRIVERS\fetnd6v.sys
00:39:08:194 3020 FETNDIS (b2b2c38e916184ff8523c7439ddd417f) C:\Windows\system32\DRIVERS\fetnd5.sys
00:39:08:444 3020 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
00:39:08:757 3020 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
00:39:08:819 3020 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
00:39:09:054 3020 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
00:39:09:382 3020 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\Windows\system32\DRIVERS\fssfltr.sys
00:39:09:554 3020 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
00:39:09:866 3020 fvevol (fecf4c2e42440a8d132bf94eee3c3fc9) C:\Windows\system32\DRIVERS\fvevol.sys
00:39:10:194 3020 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
00:39:10:272 3020 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
00:39:10:601 3020 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
00:39:10:710 3020 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
00:39:10:929 3020 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
00:39:11:007 3020 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
00:39:11:101 3020 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
00:39:11:429 3020 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
00:39:11:616 3020 HSF_DPV (efed6bd9b9d5f407adca918bbe2d410d) C:\Windows\system32\DRIVERS\HSX_DPV.sys
00:39:11:913 3020 HSXHWAZL (c2eb8396c46e13f76037d70eae8820a9) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
00:39:12:054 3020 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
00:39:12:397 3020 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
00:39:12:476 3020 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
00:39:12:819 3020 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
00:39:12:866 3020 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
00:39:12:897 3020 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
00:39:13:022 3020 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
00:39:13:054 3020 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
00:39:13:366 3020 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
00:39:13:616 3020 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
00:39:13:694 3020 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
00:39:13:757 3020 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
00:39:13:944 3020 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
00:39:14:132 3020 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
00:39:14:538 3020 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
00:39:14:647 3020 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
00:39:14:851 3020 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
00:39:15:226 3020 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
00:39:15:601 3020 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
00:39:15:632 3020 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
00:39:15:663 3020 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
00:39:15:851 3020 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
00:39:15:913 3020 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
00:39:15:991 3020 LVUSBSta (9e9306063ecd8aa91b3fb76678d3cee2) C:\Windows\system32\drivers\LVUSBSta.sys
00:39:16:054 3020 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
00:39:16:413 3020 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
00:39:16:491 3020 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
00:39:16:726 3020 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
00:39:16:851 3020 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
00:39:17:382 3020 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
00:39:17:679 3020 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
00:39:17:772 3020 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
00:39:18:101 3020 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
00:39:18:132 3020 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
00:39:18:241 3020 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
00:39:18:522 3020 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
00:39:18:647 3020 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
00:39:18:866 3020 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
00:39:19:085 3020 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
00:39:19:382 3020 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
00:39:19:444 3020 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
00:39:19:835 3020 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
00:39:20:069 3020 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
00:39:20:147 3020 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
00:39:20:444 3020 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
00:39:20:491 3020 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
00:39:20:616 3020 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
00:39:20:694 3020 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
00:39:20:835 3020 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
00:39:20:976 3020 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
00:39:21:147 3020 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
00:39:21:397 3020 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
00:39:21:694 3020 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
00:39:21:757 3020 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
00:39:21:851 3020 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
00:39:22:194 3020 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
00:39:22:241 3020 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
00:39:22:741 3020 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
00:39:23:007 3020 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
00:39:23:069 3020 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
00:39:23:413 3020 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
00:39:23:647 3020 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
00:39:23:897 3020 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
00:39:24:116 3020 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
00:39:24:163 3020 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
00:39:24:257 3020 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
00:39:24:288 3020 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
00:39:24:382 3020 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
00:39:24:554 3020 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
00:39:24:819 3020 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
00:39:25:069 3020 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
00:39:25:288 3020 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
00:39:25:569 3020 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
00:39:25:726 3020 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
00:39:25:897 3020 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
00:39:26:163 3020 PID_PEPI (0da6c5e0c8da6cebe52daacfe7ae9de6) C:\Windows\system32\DRIVERS\LV302V32.SYS
00:39:26:366 3020 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
00:39:26:413 3020 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
00:39:26:522 3020 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
00:39:26:632 3020 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
00:39:26:851 3020 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
00:39:26:897 3020 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
00:39:26:944 3020 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
00:39:27:007 3020 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
00:39:27:069 3020 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
00:39:27:241 3020 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
00:39:27:351 3020 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
00:39:27:413 3020 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
00:39:27:491 3020 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
00:39:27:647 3020 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
00:39:27:726 3020 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
00:39:27:804 3020 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
00:39:27:960 3020 S3GIGP (8143a0e902c2adfb7b4903e231e348de) C:\Windows\system32\DRIVERS\VTGKModeDX32.sys
00:39:28:132 3020 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
00:39:28:194 3020 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
00:39:28:257 3020 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
00:39:28:319 3020 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
00:39:28:382 3020 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
00:39:28:522 3020 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
00:39:28:569 3020 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
00:39:28:632 3020 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
00:39:28:694 3020 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
00:39:28:741 3020 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
00:39:28:897 3020 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
00:39:28:991 3020 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
00:39:29:069 3020 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
00:39:29:241 3020 srv (0debafcc0e3591fca34f077cab62f7f7) C:\Windows\system32\DRIVERS\srv.sys
00:39:29:335 3020 srv2 (6b6f3658e0a58c6c50c5f7fbdf3df633) C:\Windows\system32\DRIVERS\srv2.sys
00:39:29:413 3020 srvnet (0c5ab1892ae0fa504218db094bf6d041) C:\Windows\system32\DRIVERS\srvnet.sys
00:39:29:569 3020 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
00:39:29:632 3020 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
00:39:29:679 3020 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
00:39:29:741 3020 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
00:39:29:960 3020 Tcpip (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\drivers\tcpip.sys
00:39:30:132 3020 Tcpip6 (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\DRIVERS\tcpip.sys
00:39:30:226 3020 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
00:39:30:288 3020 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
00:39:30:335 3020 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
00:39:30:413 3020 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
00:39:30:507 3020 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
00:39:30:632 3020 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
00:39:30:710 3020 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
00:39:30:757 3020 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
00:39:30:835 3020 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\Windows\system32\DRIVERS\TVICHW32.SYS
00:39:30:991 3020 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\DRIVERS\uagp35.sys
00:39:31:101 3020 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
00:39:31:179 3020 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
00:39:31:272 3020 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
00:39:31:397 3020 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
00:39:31:476 3020 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
00:39:31:538 3020 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
00:39:31:632 3020 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
00:39:31:772 3020 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
00:39:31:835 3020 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
00:39:31:897 3020 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
00:39:31:991 3020 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
00:39:32:116 3020 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
00:39:32:179 3020 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
00:39:32:226 3020 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
00:39:32:288 3020 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
00:39:32:366 3020 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
00:39:32:522 3020 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
00:39:32:632 3020 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
00:39:32:694 3020 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
00:39:32:757 3020 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
00:39:32:866 3020 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
00:39:32:929 3020 videX32 (f95c0fcfbcbda6d8f202d2df4052f88d) C:\Windows\system32\DRIVERS\videX32.sys
00:39:33:022 3020 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
00:39:33:132 3020 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
00:39:33:319 3020 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
00:39:33:429 3020 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
00:39:33:476 3020 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
00:39:33:585 3020 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
00:39:33:601 3020 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
00:39:33:694 3020 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
00:39:33:882 3020 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
00:39:34:054 3020 winachsf (d0116c473ef3c381a42bb55036a1adb1) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
00:39:34:179 3020 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
00:39:34:241 3020 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
00:39:34:382 3020 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
00:39:34:460 3020 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
00:39:34:554 3020 XAudio (22a08b9faecd6a306868f59b7f03f188) C:\Windows\system32\DRIVERS\XAudio32.sys
00:39:34:601 3020 xfilt (bec604cdc548a528ebd3d7aa1dd46a89) C:\Windows\system32\DRIVERS\xfilt.sys
00:39:34:601 3020
00:39:34:601 3020 Completed
00:39:34:601 3020
00:39:34:601 3020 Results:
00:39:34:601 3020 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:39:34:601 3020 File objects infected / cured / cured on reboot: 0 / 0 / 0
00:39:34:601 3020
00:39:34:601 3020 fclose_ex: Trying to close file C:\Windows\system32\config\system
00:39:34:601 3020 fclose_ex: Trying to close file C:\Windows\system32\config\software
00:39:34:616 3020 KLMD(ARK) unloaded successfully


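The TDSSKiller log above is long, and the parts that matter for triage are easy to miss: the one line the tool flagged ("Suspicious file (NoAccess)" for c:\windows\system32\aedc.sys, meaning it could not even open the file), the per-driver MD5s (the hash of i8042prt.sys is the file the next post targets with a TDL:: directive), and the final counters. The Python below is an added example, not part of this thread or of TDSSKiller; the helper names (parse_tdsskiller_log, outside_drivers_dir, shared_hash_groups) are this example's own. It parses the log's "timestamp PID service (md5) path" format and runs two cheap triage checks: drivers loaded from somewhere other than the drivers directory (a legitimate case such as CLFS.sys exists, so this is a prompt to look, not a verdict) and service names that share one image hash (Tcpip/Tcpip6 and Wanarp/Wanarpv6 legitimately do). The sample input is a constructed excerpt copied from the posted log, not the full file.

```python
"""Parse a TDSSKiller driver-scan log and pull out what a responder wants:
every driver's service name, MD5 and on-disk path, the lines the tool
flagged as suspicious, and the final result counters.
(Added example; helper names are hypothetical, not TDSSKiller's own API.)
"""
import re
from collections import defaultdict

# Constructed excerpt of the log posted above: same format, far fewer lines.
SAMPLE_LOG = """\
00:38:53:883 3020 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
00:38:56:008 3020 Scanning Drivers ...
00:38:56:727 3020 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\\Windows\\system32\\drivers\\acpi.sys
00:38:58:242 3020 aedc (86d1aace75ca954f0ac2d935b8930e40) C:\\Windows\\system32\\aedc.sys
00:38:58:242 3020 Suspicious file (NoAccess): C:\\Windows\\system32\\aedc.sys. md5: 86d1aace75ca954f0ac2d935b8930e40
00:39:12:476 3020 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\\Windows\\system32\\DRIVERS\\i8042prt.sys
00:39:29:960 3020 Tcpip (48cbe6d53632d0067c2d6b20f90d84ca) C:\\Windows\\system32\\drivers\\tcpip.sys
00:39:30:132 3020 Tcpip6 (48cbe6d53632d0067c2d6b20f90d84ca) C:\\Windows\\system32\\DRIVERS\\tcpip.sys
00:39:34:601 3020 Results:
00:39:34:601 3020 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:39:34:601 3020 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

TS = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"          # "HH:MM:SS:mmm PID "
DRIVER_RE = re.compile(TS + r"(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$")
SUSPICIOUS_RE = re.compile(TS + r"Suspicious file \((?P<reason>[^)]+)\):\s+(?P<path>.+?)\.\s+md5:\s+(?P<md5>[0-9a-f]{32})")
RESULT_RE = re.compile(TS + r"(?P<kind>Registry|File) objects infected / cured / cured on reboot:\s+(?P<i>\d+) / (?P<c>\d+) / (?P<r>\d+)")


def parse_tdsskiller_log(text):
    """Return drivers (service -> md5/path), flagged lines and result counters."""
    drivers, suspicious, results = {}, [], {}
    for line in text.splitlines():
        m = SUSPICIOUS_RE.match(line)
        if m:
            suspicious.append({"reason": m["reason"], "path": m["path"], "md5": m["md5"]})
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m["kind"]] = (int(m["i"]), int(m["c"]), int(m["r"]))
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["service"]] = {"md5": m["md5"], "path": m["path"]}
    return {"drivers": drivers, "suspicious": suspicious, "results": results}


def outside_drivers_dir(parsed):
    """Services whose image is not under a ...\\drivers\\ directory.
    Most boot/system drivers live there; a .sys sitting directly in system32
    (aedc.sys above, which TDSSKiller could not read) deserves a second look.
    Legitimate exceptions exist, so treat this as a prompt, not a verdict."""
    return sorted(svc for svc, d in parsed["drivers"].items()
                  if "\\drivers\\" not in d["path"].lower())


def shared_hash_groups(parsed):
    """Service names that point at byte-identical images (same MD5).
    Tcpip/Tcpip6 and Wanarp/Wanarpv6 legitimately share one file; an
    unrelated pair sharing a hash is worth explaining."""
    by_md5 = defaultdict(list)
    for svc, d in parsed["drivers"].items():
        by_md5[d["md5"]].append(svc)
    return {md5: sorted(svcs) for md5, svcs in by_md5.items() if len(svcs) > 1}


def infected_total(parsed):
    """Sum of the 'infected' counters across registry and file objects."""
    return sum(v[0] for v in parsed["results"].values())


if __name__ == "__main__":
    p = parse_tdsskiller_log(SAMPLE_LOG)
    print("drivers parsed:", len(p["drivers"]))
    print("flagged:", p["suspicious"])
    print("outside drivers dir:", outside_drivers_dir(p))
    print("shared hashes:", shared_hash_groups(p))
    print("infected objects:", infected_total(p))
```

Run it against the full log saved from the -l switch by replacing SAMPLE_LOG with the file's contents; the interesting output is the flagged list and anything in outside_drivers_dir that you cannot account for, since a zero result counter (as in this log) only says TDSSKiller's own signatures matched nothing, not that the redirect is unexplained.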
#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 May 2010 - 12:06 AM

Yes - are you still getting the redirects?


gringo

#11 ItaloPride (Topic Starter)

Posted 23 May 2010 - 12:23 AM

Yes I am...

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 May 2010 - 01:23 AM

Greetings

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
TDL::
c:\windows\system32\drivers\i8042prt.sys


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

Let me have this new report.

gringo

#13 ItaloPride

ItaloPride
  • Topic Starter

  • Members
  • 16 posts

Posted 23 May 2010 - 07:40 PM

ComboFix 10-05-22.01 - Olimpia 05/23/2010 20:15:21.3.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.958.205 [GMT -4:00]
Running from: c:\users\Olimpia\Desktop\ComboFix.exe
Command switches used :: c:\users\Olimpia\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1660442209.dat

.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-24 00:28 . 2010-05-24 00:28 -------- d-----w- c:\users\Olimpia\AppData\Local\temp
2010-05-24 00:28 . 2010-05-24 00:28 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-24 00:28 . 2010-05-24 00:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-21 20:38 . 2010-05-21 20:38 -------- d-----w- c:\program files\Trend Micro
2010-05-21 03:42 . 2010-05-21 03:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-21 03:37 . 2010-05-21 21:03 -------- d-----w- c:\programdata\Lavasoft
2010-05-21 01:46 . 2010-05-21 01:46 0 ----a-w- c:\windows\nsreg.dat
2010-05-21 01:46 . 2010-05-21 01:46 -------- d-----w- c:\users\Olimpia\AppData\Local\Mozilla
2010-05-21 00:35 . 2010-05-21 00:37 -------- d-----w- c:\windows\system32\ca-ES
2010-05-21 00:35 . 2010-05-21 00:37 -------- d-----w- c:\windows\system32\eu-ES
2010-05-21 00:35 . 2010-05-21 00:37 -------- d-----w- c:\windows\system32\vi-VN
2010-05-20 21:56 . 2010-05-20 21:56 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Malwarebytes
2010-05-20 19:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 19:11 . 2010-05-20 19:11 -------- d-----w- c:\programdata\Malwarebytes
2010-05-20 19:11 . 2010-05-20 21:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 19:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 19:10 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-20 19:10 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-20 19:10 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-20 19:10 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-20 19:10 . 2010-05-06 20:34 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-20 19:10 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-20 19:10 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-20 19:10 . 2010-05-20 19:10 -------- d-----w- c:\programdata\Alwil Software
2010-05-20 19:10 . 2010-05-20 19:10 -------- d-----w- c:\program files\Alwil Software
2010-05-20 00:10 . 2010-05-20 00:10 74752 ------w- c:\windows\system32\aedc.sys
2010-05-17 15:35 . 2010-05-17 15:35 4224376 ---h--w- c:\programdata\PopCap Games\BejeweledBlitz\popcapgame1.exe
2010-05-17 07:26 . 2010-05-17 07:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-17 07:25 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-13 00:06 . 2010-05-13 00:06 -------- d-----w- C:\Poker Application
2010-05-12 23:51 . 2010-05-12 23:54 -------- d-----w- c:\users\Olimpia\AppData\Local\PokerStars.NET
2010-05-12 23:51 . 2010-05-20 23:55 -------- d-----w- c:\program files\PokerStars.NET
2010-05-11 14:02 . 2010-05-11 14:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-30 15:23 . 2010-05-01 12:40 10 ----a-w- c:\windows\popcinfo.dat
2010-04-30 15:06 . 2010-04-30 15:06 -------- d-----w- c:\programdata\Oberon Media
2010-04-27 10:57 . 2010-04-27 10:57 166400 ----a-w- c:\windows\system32\o.dat
2010-04-26 14:23 . 2010-05-05 18:20 0 ----a-w- c:\windows\system32\ACWb.sys
2010-04-24 23:04 . 2010-04-24 23:04 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 03:36 . 2008-01-21 02:21 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-05-21 21:31 . 2009-01-03 02:14 -------- d-----w- c:\program files\a-squared Free
2010-05-21 21:15 . 2009-03-11 11:11 -------- d-----w- c:\program files\Yahoo!
2010-05-21 21:15 . 2009-03-11 11:12 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Yahoo!
2010-05-21 00:38 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-05-21 00:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Journal
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-21 00:37 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-05-21 00:35 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-21 00:07 . 2009-12-28 20:40 -------- d-----w- c:\program files\Blingee Plus
2010-05-20 23:44 . 2009-12-21 13:11 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Skype
2010-05-20 23:40 . 2009-12-21 13:15 -------- d-----w- c:\users\Olimpia\AppData\Roaming\skypePM
2010-05-17 07:25 . 2009-01-03 05:00 -------- d-----w- c:\program files\Java
2010-05-16 02:00 . 2009-12-04 22:40 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-16 02:00 . 2009-12-04 22:39 -------- d-----w- c:\users\Olimpia\AppData\Roaming\Corel
2010-04-30 15:05 . 2009-04-14 23:46 -------- d-----w- c:\program files\Oberon Media
2010-04-17 11:48 . 2010-04-17 09:57 86897 --sha-w- c:\windows\system32\apphelpe.sys
2010-04-17 08:41 . 2010-04-12 08:49 0 ----a-w- c:\windows\system32\algp.sys
2010-04-15 10:14 . 2009-01-03 02:27 -------- d-----w- c:\programdata\Microsoft Help
2010-04-08 19:39 . 2010-04-08 19:38 -------- d-----w- c:\programdata\PopCap Games
2010-04-08 19:38 . 2010-04-08 19:38 -------- d-----w- c:\program files\PopCap Games
2010-03-22 19:36 . 2010-02-11 11:37 50354 ----a-w- c:\users\Olimpia\AppData\Roaming\Facebook\uninstall.exe
2010-03-05 14:01 . 2010-04-14 08:55 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\users\Olimpia\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-25 11:18 . 2009-01-03 01:54 100432 ----a-w- c:\users\Olimpia\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-03 10:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 11:10 . 2010-04-14 08:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 08:56 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 08:55 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-31 09:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 09:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-31 09:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-31 09:21 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-04 22:40 . 2009-12-04 22:40 8 --sh--r- c:\windows\System32\7BF5025C67.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Trayp"="S3trayp.exe -chkautorun" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"S3Funkey"="S3Funkey.exe" [2008-03-05 102400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Corel Photo Downloader"="c:\program files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe" [2007-02-06 478800]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):22,66,46,de,7e,f8,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2041831136-1919538491-1583298144-1000]
"EnableNotificationsRef"=dword:00000001

R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R2 DnscacheDPS;DNS Client DnscacheDPS;c:\windows\system32\adsldpz.exe [x]
R2 gpsvcRpcSs;Group Policy Client gpsvcRpcSs;c:\windows\system32\accessibilitycplq.exe [x]
R2 hidservSLUINotify;Human Interface Device Access hidservSLUINotify;c:\windows\system32\appendo.exe [x]
R2 SDRSVCMMCSS;Windows Backup SDRSVCMMCSS;c:\windows\system32\ACCTRESc.exe [x]
R2 UmRdpServicedot3svc;Terminal Services UserMode Port Redirector UmRdpServicedot3svc;c:\windows\system32\apilogeng.exe [2008-01-21 82432]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-09 906504]
S1 aedc;aedc;c:\windows\system32\aedc.sys [2010-05-20 74752]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-09 693512]
S3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\DRIVERS\fetnd6v.sys [2008-12-04 43520]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 22:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\User_Feed_Synchronization-{DEB90845-BDBE-434A-8AF2-C891777B748B}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: facebook.com\www
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 20:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-23 20:38:45
ComboFix-quarantined-files.txt 2010-05-24 00:38
ComboFix2.txt 2010-05-23 04:19

Pre-Run: 72,099,512,320 bytes free
Post-Run: 71,865,008,128 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - DC25F306D2C132823B6A45EFA4D13EC3

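The ComboFix log above shows two patterns that a responder triaging such logs looks for: a long-installed Windows driver (i8042prt.sys, the file the CFScript targets) whose modification time is well over a year later than its creation time, and several services whose display names copy well-known Windows services ("DNS Client", "Group Policy Client", "Windows Backup", ...) while being registered under slightly different names and pointing at unfamiliar executables in system32. The following is an added example, written for this edit and not part of the thread or of ComboFix itself, that parses lines in the format ComboFix prints and flags both patterns. The sample lines are copied from the log above; the KNOWN_DISPLAY table and the 180-day threshold are assumptions chosen for the example, and both checks are heuristics that produce leads for hash comparison against known-good files, not verdicts.

```python
"""Heuristic triage of ComboFix log lines (added example, not part of the thread).

Two checks over lines in the format ComboFix prints:
  1. Find3M / Files Created entries: a file in the drivers directory whose
     modification time is far later than its creation time.
  2. Service entries: a display name taken from a well-known Windows service
     but registered under a different service name.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-05-23 03:36 . 2008-01-21 02:21 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-02-23 11:10 . 2010-04-14 08:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R2 DnscacheDPS;DNS Client DnscacheDPS;c:\windows\system32\adsldpz.exe [x]
R2 UmRdpServicedot3svc;Terminal Services UserMode Port Redirector UmRdpServicedot3svc;c:\windows\system32\apilogeng.exe [2008-01-21 82432]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-09 906504]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
"""

# "mtime . ctime size attrs path" as printed in the Find3M and Files Created sections
FIND3M_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>-+|\d+) (?P<attrs>\S+) (?P<path>.+)$"
)
# "R2 name;display name;binary [date size]" or "[x]" when the binary is missing
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<binary>.*?) \[(?P<info>[^\]]*)\]$"
)

# Assumption: a small hand-written table of Vista service display names and the
# service names they belong to. A real tool would load this from a trusted baseline.
KNOWN_DISPLAY = {
    "DNS Client": "Dnscache",
    "Group Policy Client": "gpsvc",
    "Human Interface Device Access": "hidserv",
    "Windows Backup": "SDRSVC",
    "Terminal Services UserMode Port Redirector": "UmRdpService",
}


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def suspicious_driver(line, min_gap=timedelta(days=180)):
    """Return the path if a driver was modified long after it was created, else None.

    A Windows Update replacement usually carries an mtime *older* than the ctime
    of the new copy, so only a large positive gap is treated as a lead.
    """
    m = FIND3M_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if "\\drivers\\" not in path.lower():
        return None
    gap = parse_time(m.group("mtime")) - parse_time(m.group("ctime"))
    return path if gap > min_gap else None


def impersonated_service(line):
    """Return (service_name, real_service_name) when the display name belongs to
    a different well-known service, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    name, display = m.group("name"), m.group("display")
    for known_display, known_name in KNOWN_DISPLAY.items():
        if display.startswith(known_display) and name.lower() != known_name.lower():
            return (name, known_name)
    return None


def triage(log_text):
    """Run both checks over every line and return a list of findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        driver = suspicious_driver(line)
        if driver:
            findings.append(("driver-modified", driver))
        svc = impersonated_service(line)
        if svc:
            findings.append(("service-impersonation", svc[0], svc[1]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, the driver check flags only i8042prt.sys (mrxsmb10.sys has an mtime earlier than its ctime, the normal signature of a patched system file), and the service check flags DnscacheDPS and UmRdpServicedot3svc while leaving the avast and PerfectDisk entries alone; the remaining system32 services in the log above (gpsvcRpcSs, hidservSLUINotify, SDRSVCMMCSS) match the same rule.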

#14 ItaloPride

ItaloPride
  • Topic Starter

  • Members
  • 16 posts

Posted 23 May 2010 - 07:42 PM

I was able to click on one link, literally, then the rest started redirecting me again.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,178 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 May 2010 - 07:56 PM

Hello

are you behind a router?

gringo