Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Google search redirects

Started by plaw , May 23 2012 05:57 PM

Next

This topic is locked

15 replies to this topic

#1 plaw

New Member

Members
11 posts

Posted 23 May 2012 - 05:57 PM

I am stumped on a problem that I am unable to resolve and need some assistance if possible. Client PC has a Google Search Redirect to various sites, but only intermittantly. The client had a rootkit a few weeks ago and also a mail bot that was sending SPAM. I believed the PC to be clean and have updated Malwarebytes today and found nothing other than tracking cookies. Please review the attached logs and advise if I am missing something obivous or which tools to use next to determine where the problem exists.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by debbie at 12:09:49 on 2012-05-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3017.1676 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Qwiklinx: {3e7c8b5a-96ab-438f-bf9b-782400655440} - c:\documents and settings\debbie\application data\qwiklinx\Qwiklinx.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 9.0\acrobat\AdobeCollabSync.exe"
uRun: [UniPrint] c:\program files\uniprint\client\SetDfltSettings.exe
uRun: [SPMTray] "c:\program files\pc speed maximizer\SPMTray.exe"
uRun: [Shop To Win] c:\program files\shop to win\ShopToWin.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [UniPrint] c:\program files\uniprint\client\SetDfltSettings.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aciaagent.com\www
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: amsservices.com
Trusted Zone: bing.com
Trusted Zone: callidusondemand.com\aaam-prd
Trusted Zone: chase.com
Trusted Zone: chase.com\chaseonline
Trusted Zone: chase.com\deposits
Trusted Zone: chase.com\mfasa
Trusted Zone: chase.com\payments
Trusted Zone: chase.com\www
Trusted Zone: cinfin.com\cinciapps
Trusted Zone: cinfin.com\cincilink
Trusted Zone: cinfin.com\diamond
Trusted Zone: cinfin.com\eclassapps
Trusted Zone: cinfin.com\umcincilink
Trusted Zone: cinfin.com\webapps
Trusted Zone: cinfin.com\www
Trusted Zone: cinfinc.om\cincicms
Trusted Zone: ec
Trusted Zone: epymtservice.com\epayment
Trusted Zone: firstcomp.com\agency
Trusted Zone: firstcomp.com\www
Trusted Zone: itms-online.com\www
Trusted Zone: msn.com
Trusted Zone: msn.com\www
Trusted Zone: naic.org\sbs-wv
Trusted Zone: prevailnetwork.com
Trusted Zone: tasconline.com\www1
Trusted Zone: travelers.com
Trusted Zone: travelers.com\logon
Trusted Zone: travelerspc.com
Trusted Zone: vertafore.com
Trusted Zone: westfield-bank.com\www
DPF: AuthenticBrowserEdition - hxxps://www.itms-online.com/WebClient//AuthenticBrowserEdition.CAB
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://cincilink.cinfin.com/common/ClientSideControls/Citrix/wficat.cab
DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} - hxxps://www.itms-online.com/crystalreportviewers11/ActiveXControls/PrintControl.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://tia1/ConnectComputer/nshelp.dll
DPF: {5CB26FF7-663A-471F-BDA2-15FE6CCA1B6F} - hxxp://173.10.228.17:85/admin/AproDx9.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264172128958
DPF: {72B8BEFE-967D-4C0C-8633-34D45F64A2EF} - hxxps://eclasapps.cinfin.com/eclasStartup/startEclasRelease.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://vertaforesupport.webex.com/client/wbs27-vzbprodcn/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.100
TCP: Interfaces\{1B5B3D42-F1E1-45DB-AB84-E8062F4DBDDD} : DhcpNameServer = 192.168.1.100
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-24 214024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-5-27 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-5-27 108456]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2011-5-27 1839888]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-12-24 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-12-24 149600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-6 106104]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-23 40776]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120509.002\NAVENG.SYS [2012-5-9 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120509.002\NAVEX15.SYS [2012-5-9 1576312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 257696]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-5-27 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-12-24 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-12-24 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-12-24 34248]
S3 RapportIaso;RapportIaso;\??\c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys --> c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys [?]
S3 ustp2;ustp2;c:\windows\system32\drivers\ustp2.sys [2010-12-15 19840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-23 15:37:33 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-22 16:42:30 -------- d-----w- c:\documents and settings\debbie\local settings\application data\Sun
2012-05-22 16:40:30 -------- d-----w- c:\program files\Oracle
2012-05-22 16:40:22 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-22 16:40:22 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-07 20:53:00 2134016 ----a-r- c:\windows\system32\cdintf300.dll
2012-05-07 20:52:58 -------- d-----w- c:\program files\AMS Services, Inc
2012-05-07 20:18:54 -------- d-----w- c:\documents and settings\debbie\local settings\application data\AMS Services, Inc
2012-05-07 20:13:11 -------- d-----w- c:\documents and settings\debbie\local settings\application data\assembly
2012-05-07 18:49:18 -------- d-----w- c:\documents and settings\debbie\local settings\application data\visi_coupon
2012-05-07 18:49:10 -------- d-----w- c:\documents and settings\debbie\application data\blekkotb_019
2012-05-07 18:49:05 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-05-07 18:48:26 -------- d-----w- c:\program files\Yahoo!
2012-05-07 18:43:45 -------- d-----w- c:\documents and settings\debbie\application data\.purple
2012-05-07 17:58:47 -------- d-----w- c:\program files\Chat Messenger
2012-05-07 17:58:42 -------- d-----w- c:\documents and settings\debbie\local settings\application data\Babylon
2012-05-07 17:58:41 -------- d-----w- c:\documents and settings\all users\application data\Babylon
2012-05-07 17:54:31 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2012-05-07 17:54:01 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars
2012-05-07 17:53:55 -------- d-----w- c:\program files\blekkotb_soc
2012-05-04 17:57:57 476672 ----a-w- c:\windows\system32\s1100u.dll
2012-05-04 17:57:57 3559424 ----a-w- c:\windows\system32\ippi5s1100.dll
2012-05-04 17:57:57 279552 ----a-w- c:\windows\system32\S1300u.dll
2012-05-04 17:57:57 264192 ----a-w- c:\windows\system32\s300u.dll
2012-05-04 17:57:57 24064 ----a-w- c:\windows\system32\Fjmcusb.dll
2012-05-04 17:57:57 2269184 ----a-w- c:\windows\system32\ijl5s1100.dll
2012-05-04 17:57:57 21504 ----a-w- c:\windows\system32\fj52usb.dll
2012-05-04 17:57:57 1990656 ----a-w- c:\windows\system32\ippi5s300.dll
2012-05-04 17:57:57 1990656 ----a-w- c:\windows\system32\ippi5s1300.dll
2012-05-04 17:57:57 1302528 ----a-w- c:\windows\system32\ijl5s300.dll
2012-05-04 17:57:57 1302528 ----a-w- c:\windows\system32\ijl5s1300.dll
2012-05-04 17:57:52 69632 ----a-w- c:\windows\system32\distortion.dll
2012-05-04 17:46:56 -------- d-----w- c:\documents and settings\debbie\application data\Logishrd
2012-05-04 16:30:14 -------- d-s---w- C:\Fixitup23532F
2012-05-04 15:12:51 -------- d-----w- C:\Fixitup
2012-05-04 15:07:01 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-05-04 13:54:44 -------- d-----w- C:\delete.me
2012-05-02 19:24:32 -------- d-----w- c:\program files\HitmanPro
2012-05-02 18:17:41 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
.
==================== Find3M ====================
.
2012-05-04 14:22:18 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 14:22:18 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-16 12:39:12 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 12:17:07.21 ===============

I also Ran GMER but it did not find anything so I didn't capture the log.

THANKS IN ADVANCE!
PLaw

Attached Files

attach.txt 20.24K 2 downloads

Back to top

BC Ads
BleepingComputer.com

#2 gringo_pr

Bleepin Gringo

Malware Response Team
120,677 posts

Gender:Male
Location:Puerto rico

Posted 24 May 2012 - 07:17 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Back to top

#3 plaw

New Member

Members
11 posts

Posted 25 May 2012 - 11:44 AM

Thanks for the help.

Security Check Log
****************************
Results of screen317's Security Check version 0.99.38
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes Anti-Malware version 1.61.0.1400
JavaFX 2.1.0
Java™ 7 Update 4
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Symantec AntiVirus Smc.exe
Symantec AntiVirus Rtvscan.exe
Symantec AntiVirus SmcGui.exe
``````````End of Log````````````
**************************

Ran combofix and it removed some items and then the PC locked up before the log was created. It sat for an hour with no activity or mouse response. I rebooted and ran cf again here is the log from the second process.

ComboFix 12-05-25.02 - debbie 05/25/2012 11:41:45.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3017.1973 [GMT -4:00]
Running from: c:\download\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\assembly\tmp
c:\documents and settings\All Users\Application Data\D0AFDC5F42.sys
c:\documents and settings\debbie\Local Settings\Application Data\assembly\tmp
c:\documents and settings\debbie\My Documents\ShopToWin
.
.
((((((((((((((((((((((((( Files Created from 2012-04-25 to 2012-05-25 )))))))))))))))))))))))))))))))
.
.
2012-05-23 16:58 . 2012-05-23 16:58 -------- d-----w- c:\documents and settings\debbie\Application Data\ElevatedDiagnostics
2012-05-22 16:42 . 2012-05-22 16:42 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\Sun
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\program files\Common Files\Java
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\program files\Oracle
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\documents and settings\debbie\Application Data\Oracle
2012-05-22 16:40 . 2012-04-04 22:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-22 16:40 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-07 21:30 . 2012-05-07 21:30 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\AMS Services, Inc
2012-05-07 21:30 . 2012-05-25 14:39 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\assembly
2012-05-07 21:24 . 2012-05-07 21:24 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\Fujitsu
2012-05-07 21:24 . 2012-05-07 21:24 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\PFU
2012-05-07 20:53 . 2011-09-16 12:15 2134016 ----a-r- c:\windows\system32\cdintf300.dll
2012-05-07 20:52 . 2012-05-07 20:52 -------- d-----w- c:\program files\AMS Services, Inc
2012-05-07 20:18 . 2012-05-07 20:18 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\AMS Services, Inc
2012-05-07 20:13 . 2012-05-25 14:39 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\assembly
2012-05-07 18:49 . 2012-05-07 18:53 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-05-07 18:48 . 2012-05-07 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-05-07 18:48 . 2012-05-07 18:58 -------- d-----w- c:\program files\Yahoo!
2012-05-07 17:58 . 2012-05-07 18:44 -------- d-----w- c:\program files\Chat Messenger
2012-05-07 17:58 . 2012-05-07 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-05-07 17:54 . 2012-05-07 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-05-07 17:54 . 2012-05-07 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\blekko toolbars
2012-05-07 17:53 . 2012-05-07 19:00 -------- d-----w- c:\program files\blekkotb_soc
2012-05-04 17:57 . 2010-08-03 22:59 476672 ----a-w- c:\windows\system32\s1100u.dll
2012-05-04 17:57 . 2010-07-23 16:50 2269184 ----a-w- c:\windows\system32\ijl5s1100.dll
2012-05-04 17:57 . 2010-07-12 20:55 3559424 ----a-w- c:\windows\system32\ippi5s1100.dll
2012-05-04 17:57 . 2009-09-19 02:03 279552 ----a-w- c:\windows\system32\S1300u.dll
2012-05-04 17:57 . 2009-04-24 00:29 1990656 ----a-w- c:\windows\system32\ippi5s1300.dll
2012-05-04 17:57 . 2009-04-24 00:29 1302528 ----a-w- c:\windows\system32\ijl5s1300.dll
2012-05-04 17:57 . 2008-04-03 12:06 21504 ----a-w- c:\windows\system32\fj52usb.dll
2012-05-04 17:57 . 2007-08-17 20:32 24064 ----a-w- c:\windows\system32\Fjmcusb.dll
2012-05-04 17:57 . 2007-07-27 02:48 264192 ----a-w- c:\windows\system32\s300u.dll
2012-05-04 17:57 . 2007-05-23 23:57 1990656 ----a-w- c:\windows\system32\ippi5s300.dll
2012-05-04 17:57 . 2007-05-23 23:57 1302528 ----a-w- c:\windows\system32\ijl5s300.dll
2012-05-04 17:57 . 2005-02-17 15:55 69632 ----a-w- c:\windows\system32\distortion.dll
2012-05-04 17:46 . 2012-05-04 17:46 -------- d-----w- c:\documents and settings\debbie\Application Data\Logitech
2012-05-04 17:46 . 2012-05-04 17:46 -------- d-----w- c:\documents and settings\debbie\Application Data\Logishrd
2012-05-04 15:12 . 2012-05-04 16:17 -------- d-----w- C:\Fixitup
2012-05-04 15:07 . 2012-05-04 15:07 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-05-04 13:54 . 2012-05-23 15:53 -------- d-----w- C:\delete.me
2012-05-02 19:53 . 2012-05-02 19:53 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\Malwarebytes
2012-05-02 19:24 . 2012-05-02 19:24 -------- d-----w- c:\program files\HitmanPro
2012-05-02 18:17 . 2012-05-03 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-05-02 18:14 . 2012-05-02 18:14 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\UniPrint
2012-05-02 18:13 . 2012-05-02 18:13 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\Adobe
2012-05-02 18:13 . 2012-05-02 19:28 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\SUDDENLINKTOOLBAR
2012-05-02 18:13 . 2012-05-02 18:13 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\Trusteer
2012-05-02 18:03 . 2012-05-02 18:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
2012-05-02 17:59 . 2012-05-02 17:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUDDENLINKTOOLBAR
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fujitsu
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\OA
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\PFU
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\UniPrint
2012-05-02 17:57 . 2012-05-02 17:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Trusteer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 14:22 . 2012-04-09 16:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 14:22 . 2011-05-21 19:43 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-16 12:39 . 2012-04-16 12:39 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-04 19:56 . 2010-07-14 19:53 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 11:01 . 2008-04-14 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 09:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-14 09:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 09:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 09:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 09:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe" [2012-03-26 550360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-05-27 115624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-01-17 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2012-5-4 1081344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/18/2007 12:09 AM 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [12/24/2009 1:36 PM 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [12/24/2009 2:25 PM 149600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2/6/2012 5:02 PM 106104]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 12:41 PM 257696]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/27/2011 12:55 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 RapportIaso;RapportIaso;\??\c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys --> c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys [?]
S3 ustp2;ustp2;c:\windows\system32\drivers\ustp2.sys [12/15/2010 3:58 PM 19840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 14:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
Trusted Zone: aciaagent.com\www
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: amsservices.com
Trusted Zone: bing.com
Trusted Zone: chase.com
Trusted Zone: chase.com\chaseonline
Trusted Zone: chase.com\deposits
Trusted Zone: chase.com\mfasa
Trusted Zone: chase.com\payments
Trusted Zone: chase.com\www
Trusted Zone: cinfin.com\cinciapps
Trusted Zone: cinfin.com\cincilink
Trusted Zone: cinfin.com\diamond
Trusted Zone: cinfin.com\eclassapps
Trusted Zone: cinfin.com\umcincilink
Trusted Zone: cinfin.com\webapps
Trusted Zone: cinfin.com\www
Trusted Zone: cinfinc.om\cincicms
Trusted Zone: epymtservice.com\epayment
Trusted Zone: firstcomp.com\agency
Trusted Zone: firstcomp.com\www
Trusted Zone: itms-online.com\www
Trusted Zone: msn.com
Trusted Zone: msn.com\www
Trusted Zone: naic.org\sbs-wv
Trusted Zone: prevailnetwork.com
Trusted Zone: tasconline.com\www1
Trusted Zone: travelers.com
Trusted Zone: travelers.com\logon
Trusted Zone: travelerspc.com
Trusted Zone: vertafore.com
Trusted Zone: westfield-bank.com\www
TCP: DhcpNameServer = 192.168.1.100
DPF: AuthenticBrowserEdition - hxxps://www.itms-online.com/WebClient//AuthenticBrowserEdition.CAB
DPF: {5CB26FF7-663A-471F-BDA2-15FE6CCA1B6F} - hxxp://173.10.228.17:85/admin/AproDx9.cab
DPF: {72B8BEFE-967D-4C0C-8633-34D45F64A2EF} - hxxps://eclasapps.cinfin.com/eclasStartup/startEclasRelease.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-25 12:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\Macromed\Flash\Flash32_11_2_202_235.ocx
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\Dxtrans.dll
c:\windows\system32\Dxtmsft.dll
.
Completion time: 2012-05-25 12:27:48
ComboFix-quarantined-files.txt 2012-05-25 16:27
ComboFix2.txt 2012-05-04 16:16
.
Pre-Run: 218,398,515,200 bytes free
Post-Run: 218,374,422,528 bytes free
.
- - End Of File - - 05F533DA4E5A2DFB87601A975D384B14

PC Seems to be running ok. But still have the same issue with Google searches, it completes the search and when the link is clicked it is redirected to various sites. 'get-answers-fast' is a popular one.

Another thing of note. Symantec firewall is blocking an incoming web traffic attach from a remote host at 37-59-198-61. I don't know if there is a bot on this station trying to get out or not.

Thanks in advance for your help.
PLaw

Back to top

#4 plaw

New Member

Members
11 posts

Posted 25 May 2012 - 11:44 AM

Thanks for the help.

Security Check Log
****************************
Results of screen317's Security Check version 0.99.38
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes Anti-Malware version 1.61.0.1400
JavaFX 2.1.0
Java™ 7 Update 4
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Symantec AntiVirus Smc.exe
Symantec AntiVirus Rtvscan.exe
Symantec AntiVirus SmcGui.exe
``````````End of Log````````````
**************************

Ran combofix and it removed some items and then the PC locked up before the log was created. It sat for an hour with no activity or mouse response. I rebooted and ran cf again here is the log from the second process.

ComboFix 12-05-25.02 - debbie 05/25/2012 11:41:45.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3017.1973 [GMT -4:00]
Running from: c:\download\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\assembly\tmp
c:\documents and settings\All Users\Application Data\D0AFDC5F42.sys
c:\documents and settings\debbie\Local Settings\Application Data\assembly\tmp
c:\documents and settings\debbie\My Documents\ShopToWin
.
.
((((((((((((((((((((((((( Files Created from 2012-04-25 to 2012-05-25 )))))))))))))))))))))))))))))))
.
.
2012-05-23 16:58 . 2012-05-23 16:58 -------- d-----w- c:\documents and settings\debbie\Application Data\ElevatedDiagnostics
2012-05-22 16:42 . 2012-05-22 16:42 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\Sun
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\program files\Common Files\Java
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\program files\Oracle
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\documents and settings\debbie\Application Data\Oracle
2012-05-22 16:40 . 2012-04-04 22:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-22 16:40 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-07 21:30 . 2012-05-07 21:30 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\AMS Services, Inc
2012-05-07 21:30 . 2012-05-25 14:39 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\assembly
2012-05-07 21:24 . 2012-05-07 21:24 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\Fujitsu
2012-05-07 21:24 . 2012-05-07 21:24 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\PFU
2012-05-07 20:53 . 2011-09-16 12:15 2134016 ----a-r- c:\windows\system32\cdintf300.dll
2012-05-07 20:52 . 2012-05-07 20:52 -------- d-----w- c:\program files\AMS Services, Inc
2012-05-07 20:18 . 2012-05-07 20:18 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\AMS Services, Inc
2012-05-07 20:13 . 2012-05-25 14:39 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\assembly
2012-05-07 18:49 . 2012-05-07 18:53 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-05-07 18:48 . 2012-05-07 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-05-07 18:48 . 2012-05-07 18:58 -------- d-----w- c:\program files\Yahoo!
2012-05-07 17:58 . 2012-05-07 18:44 -------- d-----w- c:\program files\Chat Messenger
2012-05-07 17:58 . 2012-05-07 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-05-07 17:54 . 2012-05-07 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-05-07 17:54 . 2012-05-07 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\blekko toolbars
2012-05-07 17:53 . 2012-05-07 19:00 -------- d-----w- c:\program files\blekkotb_soc
2012-05-04 17:57 . 2010-08-03 22:59 476672 ----a-w- c:\windows\system32\s1100u.dll
2012-05-04 17:57 . 2010-07-23 16:50 2269184 ----a-w- c:\windows\system32\ijl5s1100.dll
2012-05-04 17:57 . 2010-07-12 20:55 3559424 ----a-w- c:\windows\system32\ippi5s1100.dll
2012-05-04 17:57 . 2009-09-19 02:03 279552 ----a-w- c:\windows\system32\S1300u.dll
2012-05-04 17:57 . 2009-04-24 00:29 1990656 ----a-w- c:\windows\system32\ippi5s1300.dll
2012-05-04 17:57 . 2009-04-24 00:29 1302528 ----a-w- c:\windows\system32\ijl5s1300.dll
2012-05-04 17:57 . 2008-04-03 12:06 21504 ----a-w- c:\windows\system32\fj52usb.dll
2012-05-04 17:57 . 2007-08-17 20:32 24064 ----a-w- c:\windows\system32\Fjmcusb.dll
2012-05-04 17:57 . 2007-07-27 02:48 264192 ----a-w- c:\windows\system32\s300u.dll
2012-05-04 17:57 . 2007-05-23 23:57 1990656 ----a-w- c:\windows\system32\ippi5s300.dll
2012-05-04 17:57 . 2007-05-23 23:57 1302528 ----a-w- c:\windows\system32\ijl5s300.dll
2012-05-04 17:57 . 2005-02-17 15:55 69632 ----a-w- c:\windows\system32\distortion.dll
2012-05-04 17:46 . 2012-05-04 17:46 -------- d-----w- c:\documents and settings\debbie\Application Data\Logitech
2012-05-04 17:46 . 2012-05-04 17:46 -------- d-----w- c:\documents and settings\debbie\Application Data\Logishrd
2012-05-04 15:12 . 2012-05-04 16:17 -------- d-----w- C:\Fixitup
2012-05-04 15:07 . 2012-05-04 15:07 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-05-04 13:54 . 2012-05-23 15:53 -------- d-----w- C:\delete.me
2012-05-02 19:53 . 2012-05-02 19:53 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\Malwarebytes
2012-05-02 19:24 . 2012-05-02 19:24 -------- d-----w- c:\program files\HitmanPro
2012-05-02 18:17 . 2012-05-03 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-05-02 18:14 . 2012-05-02 18:14 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\UniPrint
2012-05-02 18:13 . 2012-05-02 18:13 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\Adobe
2012-05-02 18:13 . 2012-05-02 19:28 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\SUDDENLINKTOOLBAR
2012-05-02 18:13 . 2012-05-02 18:13 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\Trusteer
2012-05-02 18:03 . 2012-05-02 18:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
2012-05-02 17:59 . 2012-05-02 17:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUDDENLINKTOOLBAR
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fujitsu
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\OA
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\PFU
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\UniPrint
2012-05-02 17:57 . 2012-05-02 17:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Trusteer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 14:22 . 2012-04-09 16:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 14:22 . 2011-05-21 19:43 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-16 12:39 . 2012-04-16 12:39 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-04 19:56 . 2010-07-14 19:53 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 11:01 . 2008-04-14 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 09:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-14 09:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 09:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 09:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 09:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe" [2012-03-26 550360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-05-27 115624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-01-17 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2012-5-4 1081344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/18/2007 12:09 AM 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [12/24/2009 1:36 PM 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [12/24/2009 2:25 PM 149600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2/6/2012 5:02 PM 106104]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 12:41 PM 257696]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/27/2011 12:55 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 RapportIaso;RapportIaso;\??\c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys --> c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys [?]
S3 ustp2;ustp2;c:\windows\system32\drivers\ustp2.sys [12/15/2010 3:58 PM 19840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 14:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
Trusted Zone: aciaagent.com\www
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: amsservices.com
Trusted Zone: bing.com
Trusted Zone: chase.com
Trusted Zone: chase.com\chaseonline
Trusted Zone: chase.com\deposits
Trusted Zone: chase.com\mfasa
Trusted Zone: chase.com\payments
Trusted Zone: chase.com\www
Trusted Zone: cinfin.com\cinciapps
Trusted Zone: cinfin.com\cincilink
Trusted Zone: cinfin.com\diamond
Trusted Zone: cinfin.com\eclassapps
Trusted Zone: cinfin.com\umcincilink
Trusted Zone: cinfin.com\webapps
Trusted Zone: cinfin.com\www
Trusted Zone: cinfinc.om\cincicms
Trusted Zone: epymtservice.com\epayment
Trusted Zone: firstcomp.com\agency
Trusted Zone: firstcomp.com\www
Trusted Zone: itms-online.com\www
Trusted Zone: msn.com
Trusted Zone: msn.com\www
Trusted Zone: naic.org\sbs-wv
Trusted Zone: prevailnetwork.com
Trusted Zone: tasconline.com\www1
Trusted Zone: travelers.com
Trusted Zone: travelers.com\logon
Trusted Zone: travelerspc.com
Trusted Zone: vertafore.com
Trusted Zone: westfield-bank.com\www
TCP: DhcpNameServer = 192.168.1.100
DPF: AuthenticBrowserEdition - hxxps://www.itms-online.com/WebClient//AuthenticBrowserEdition.CAB
DPF: {5CB26FF7-663A-471F-BDA2-15FE6CCA1B6F} - hxxp://173.10.228.17:85/admin/AproDx9.cab
DPF: {72B8BEFE-967D-4C0C-8633-34D45F64A2EF} - hxxps://eclasapps.cinfin.com/eclasStartup/startEclasRelease.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-25 12:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\Macromed\Flash\Flash32_11_2_202_235.ocx
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\Dxtrans.dll
c:\windows\system32\Dxtmsft.dll
.
Completion time: 2012-05-25 12:27:48
ComboFix-quarantined-files.txt 2012-05-25 16:27
ComboFix2.txt 2012-05-04 16:16
.
Pre-Run: 218,398,515,200 bytes free
Post-Run: 218,374,422,528 bytes free
.
- - End Of File - - 05F533DA4E5A2DFB87601A975D384B14

PC Seems to be running ok. But still have the same issue with Google searches, it completes the search and when the link is clicked it is redirected to various sites. 'get-answers-fast' is a popular one.

Another thing of note. Symantec firewall is blocking an incoming web traffic attach from a remote host at 37-59-198-61. I don't know if there is a bot on this station trying to get out or not.

Thanks in advance for your help.
PLaw

Back to top

#5 gringo_pr

Bleepin Gringo

Malware Response Team
120,677 posts

Gender:Male
Location:Puerto rico

Posted 25 May 2012 - 12:17 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.

Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Back to top

#6 plaw

New Member

Members
11 posts

Posted 25 May 2012 - 04:17 PM

I have downloaded both tools. The TDSSKiller app doesn't appear to be running. I tried in normal mode and it never started. Have rebooted into safe mode and it doesn't seem to launch. Any suggestions?

Edited by plaw, 25 May 2012 - 04:18 PM.

Back to top

#7 gringo_pr

Bleepin Gringo

Malware Response Team
120,677 posts

Gender:Male
Location:Puerto rico

Posted 25 May 2012 - 04:21 PM

Hello

I would like you to run this tool for me - fixTDSS

download it to your desktop and start the program

Follow the prompts and Ok any security prompts

when it is complete it will say the infection was cleared or no infection was found - let me know what it says

after it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Back to top

#8 plaw

New Member

Members
11 posts

Posted 25 May 2012 - 05:07 PM

I downloaded and ran the FixTDSS tool and ran it. It required a reboot, found and fixed and infection. I did not see an option to save a log file.

I rebooted again and ran TDSSKiller. Here is the report from that tool.
***************
17:38:10.0343 1200 TDSS rootkit removing tool 2.7.37.0 May 23 2012 08:15:30
17:38:10.0359 1200 ============================================================
17:38:10.0359 1200 Current date / time: 2012/05/25 17:38:10.0359
17:38:10.0359 1200 SystemInfo:
17:38:10.0359 1200
17:38:10.0359 1200 OS Version: 5.1.2600 ServicePack: 3.0
17:38:10.0359 1200 Product type: Workstation
17:38:10.0359 1200 ComputerName: DEBBIEHP
17:38:10.0359 1200 UserName: debbie
17:38:10.0359 1200 Windows directory: C:\WINDOWS
17:38:10.0359 1200 System windows directory: C:\WINDOWS
17:38:10.0359 1200 Processor architecture: Intel x86
17:38:10.0359 1200 Number of processors: 2
17:38:10.0359 1200 Page size: 0x1000
17:38:10.0359 1200 Boot type: Normal boot
17:38:10.0359 1200 ============================================================
17:38:10.0765 1200 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
17:38:10.0765 1200 ============================================================
17:38:10.0765 1200 \Device\Harddisk0\DR0:
17:38:10.0765 1200 MBR partitions:
17:38:10.0765 1200 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x1D1BFEC0
17:38:10.0765 1200 ============================================================
17:38:10.0796 1200 C: <-> \Device\Harddisk0\DR0\Partition0
17:38:10.0796 1200 ============================================================
17:38:10.0796 1200 Initialize success
17:38:10.0796 1200 ============================================================
17:38:27.0671 1428 ============================================================
17:38:27.0671 1428 Scan started
17:38:27.0671 1428 Mode: Manual;
17:38:27.0671 1428 ============================================================
17:38:27.0843 1428 Abiosdsk - ok
17:38:27.0843 1428 abp480n5 - ok
17:38:27.0875 1428 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
17:38:27.0875 1428 ac97intc - ok
17:38:27.0953 1428 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:38:27.0953 1428 ACPI - ok
17:38:27.0953 1428 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:38:27.0953 1428 ACPIEC - ok
17:38:28.0015 1428 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
17:38:28.0015 1428 AdobeFlashPlayerUpdateSvc - ok
17:38:28.0031 1428 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:38:28.0031 1428 adpu160m - ok
17:38:28.0031 1428 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
17:38:28.0031 1428 adpu320 - ok
17:38:28.0046 1428 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:38:28.0046 1428 aec - ok
17:38:28.0093 1428 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
17:38:28.0109 1428 AFD - ok
17:38:28.0109 1428 Aha154x - ok
17:38:28.0109 1428 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
17:38:28.0109 1428 aic78u2 - ok
17:38:28.0109 1428 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
17:38:28.0109 1428 aic78xx - ok
17:38:28.0156 1428 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
17:38:28.0156 1428 Alerter - ok
17:38:28.0187 1428 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
17:38:28.0187 1428 ALG - ok
17:38:28.0187 1428 AliIde - ok
17:38:28.0187 1428 amsint - ok
17:38:28.0203 1428 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
17:38:28.0218 1428 AppMgmt - ok
17:38:28.0218 1428 asc - ok
17:38:28.0218 1428 asc3350p - ok
17:38:28.0218 1428 asc3550 - ok
17:38:28.0218 1428 Aspi32 - ok
17:38:28.0375 1428 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
17:38:28.0375 1428 aspnet_state - ok
17:38:28.0390 1428 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:38:28.0390 1428 AsyncMac - ok
17:38:28.0406 1428 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:38:28.0406 1428 atapi - ok
17:38:28.0406 1428 Atdisk - ok
17:38:28.0437 1428 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:38:28.0437 1428 Atmarpc - ok
17:38:28.0453 1428 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
17:38:28.0453 1428 AudioSrv - ok
17:38:28.0468 1428 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:38:28.0468 1428 audstub - ok
17:38:28.0468 1428 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:38:28.0468 1428 Beep - ok
17:38:28.0531 1428 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
17:38:28.0531 1428 BITS - ok
17:38:28.0593 1428 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
17:38:28.0593 1428 Browser - ok
17:38:28.0765 1428 catchme - ok
17:38:28.0781 1428 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:38:28.0781 1428 cbidf2k - ok
17:38:28.0890 1428 ccEvtMgr (399a7df138d2110a3eb9bd64d6327f62) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
17:38:28.0890 1428 ccEvtMgr - ok
17:38:28.0906 1428 ccSetMgr (399a7df138d2110a3eb9bd64d6327f62) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
17:38:28.0906 1428 ccSetMgr - ok
17:38:28.0906 1428 cd20xrnt - ok
17:38:28.0921 1428 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:38:28.0921 1428 Cdaudio - ok
17:38:28.0937 1428 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:38:28.0937 1428 Cdfs - ok
17:38:28.0953 1428 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:38:28.0953 1428 Cdrom - ok
17:38:28.0953 1428 Changer - ok
17:38:29.0000 1428 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
17:38:29.0000 1428 CiSvc - ok
17:38:29.0015 1428 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
17:38:29.0015 1428 ClipSrv - ok
17:38:29.0093 1428 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:38:29.0093 1428 clr_optimization_v2.0.50727_32 - ok
17:38:29.0156 1428 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
17:38:29.0171 1428 clr_optimization_v4.0.30319_32 - ok
17:38:29.0171 1428 CmdIde - ok
17:38:29.0203 1428 COH_Mon (4f2dedeed7c091fafc4dada5534f3d37) C:\WINDOWS\system32\Drivers\COH_Mon.sys
17:38:29.0203 1428 COH_Mon - ok
17:38:29.0203 1428 COMSysApp - ok
17:38:29.0203 1428 Cpqarray - ok
17:38:29.0265 1428 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
17:38:29.0265 1428 CryptSvc - ok
17:38:29.0265 1428 dac2w2k - ok
17:38:29.0265 1428 dac960nt - ok
17:38:29.0328 1428 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
17:38:29.0328 1428 DcomLaunch - ok
17:38:29.0375 1428 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
17:38:29.0375 1428 Dhcp - ok
17:38:29.0421 1428 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:38:29.0421 1428 Disk - ok
17:38:29.0437 1428 dmadmin - ok
17:38:29.0500 1428 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:38:29.0500 1428 dmboot - ok
17:38:29.0515 1428 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:38:29.0515 1428 dmio - ok
17:38:29.0515 1428 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:38:29.0515 1428 dmload - ok
17:38:29.0531 1428 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
17:38:29.0531 1428 dmserver - ok
17:38:29.0546 1428 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:38:29.0546 1428 DMusic - ok
17:38:29.0578 1428 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
17:38:29.0578 1428 Dnscache - ok
17:38:29.0609 1428 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
17:38:29.0609 1428 Dot3svc - ok
17:38:29.0609 1428 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
17:38:29.0609 1428 dpti2o - ok
17:38:29.0625 1428 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:38:29.0625 1428 drmkaud - ok
17:38:29.0640 1428 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
17:38:29.0640 1428 E100B - ok
17:38:29.0687 1428 e1kexpress (90700eb149c8ee9fd8f61821e7d4b8fe) C:\WINDOWS\system32\DRIVERS\e1k5132.sys
17:38:29.0687 1428 e1kexpress - ok
17:38:29.0734 1428 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
17:38:29.0734 1428 EapHost - ok
17:38:29.0875 1428 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
17:38:29.0890 1428 eeCtrl - ok
17:38:29.0921 1428 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
17:38:29.0921 1428 EraserUtilRebootDrv - ok
17:38:29.0953 1428 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
17:38:29.0953 1428 ERSvc - ok
17:38:30.0000 1428 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:38:30.0000 1428 Eventlog - ok
17:38:30.0062 1428 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
17:38:30.0062 1428 EventSystem - ok
17:38:30.0109 1428 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:38:30.0109 1428 Fastfat - ok
17:38:30.0156 1428 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:38:30.0156 1428 FastUserSwitchingCompatibility - ok
17:38:30.0171 1428 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
17:38:30.0171 1428 Fdc - ok
17:38:30.0187 1428 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:38:30.0187 1428 Fips - ok
17:38:30.0250 1428 FLEXnet Licensing Service (f76d04f7413b07daa029f6520b64b4e8) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
17:38:30.0250 1428 FLEXnet Licensing Service - ok
17:38:30.0265 1428 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
17:38:30.0265 1428 Flpydisk - ok
17:38:30.0328 1428 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
17:38:30.0328 1428 FltMgr - ok
17:38:30.0421 1428 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
17:38:30.0421 1428 FontCache3.0.0.0 - ok
17:38:30.0421 1428 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:38:30.0437 1428 Fs_Rec - ok
17:38:30.0437 1428 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:38:30.0437 1428 Ftdisk - ok
17:38:30.0484 1428 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:38:30.0484 1428 Gpc - ok
17:38:30.0484 1428 gupdate - ok
17:38:30.0484 1428 gupdatem - ok
17:38:30.0500 1428 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
17:38:30.0500 1428 HDAudBus - ok
17:38:30.0515 1428 HECI (88a67c34e37186665e916fd347b50d19) C:\WINDOWS\system32\DRIVERS\HECI.sys
17:38:30.0515 1428 HECI - ok
17:38:30.0609 1428 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:38:30.0609 1428 helpsvc - ok
17:38:30.0640 1428 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
17:38:30.0656 1428 HidServ - ok
17:38:30.0687 1428 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:38:30.0687 1428 HidUsb - ok
17:38:30.0734 1428 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
17:38:30.0734 1428 hkmsvc - ok
17:38:30.0750 1428 HPFXBULK (299683d4c8aaa3f6f5d5d226a1782a6e) C:\WINDOWS\system32\drivers\hpfxbulk.sys
17:38:30.0750 1428 HPFXBULK - ok
17:38:30.0750 1428 hpn - ok
17:38:30.0796 1428 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:38:30.0796 1428 HTTP - ok
17:38:30.0843 1428 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
17:38:30.0843 1428 HTTPFilter - ok
17:38:30.0843 1428 i2omgmt - ok
17:38:30.0843 1428 i2omp - ok
17:38:30.0906 1428 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:38:30.0906 1428 i8042prt - ok
17:38:30.0921 1428 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
17:38:30.0921 1428 i81x - ok
17:38:30.0984 1428 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
17:38:30.0984 1428 iAimFP0 - ok
17:38:30.0984 1428 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
17:38:30.0984 1428 iAimFP1 - ok
17:38:30.0984 1428 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
17:38:30.0984 1428 iAimFP2 - ok
17:38:30.0984 1428 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
17:38:30.0984 1428 iAimFP3 - ok
17:38:30.0984 1428 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
17:38:30.0984 1428 iAimFP4 - ok
17:38:31.0031 1428 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
17:38:31.0031 1428 iAimFP5 - ok
17:38:31.0031 1428 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
17:38:31.0031 1428 iAimFP6 - ok
17:38:31.0031 1428 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
17:38:31.0031 1428 iAimFP7 - ok
17:38:31.0031 1428 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
17:38:31.0031 1428 iAimTV0 - ok
17:38:31.0031 1428 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
17:38:31.0031 1428 iAimTV1 - ok
17:38:31.0046 1428 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
17:38:31.0046 1428 iAimTV3 - ok
17:38:31.0046 1428 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
17:38:31.0046 1428 iAimTV4 - ok
17:38:31.0046 1428 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
17:38:31.0046 1428 iAimTV5 - ok
17:38:31.0046 1428 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
17:38:31.0046 1428 iAimTV6 - ok
17:38:31.0390 1428 ialm (d0190bbb1b577589548aba94e66d6838) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
17:38:31.0421 1428 ialm - ok
17:38:31.0593 1428 iaStor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\DRIVERS\iaStor.sys
17:38:31.0593 1428 iaStor - ok
17:38:31.0718 1428 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
17:38:31.0718 1428 idsvc - ok
17:38:31.0765 1428 IFXTPM (91c5e9f49f32110ced27e2f902fad607) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
17:38:31.0765 1428 IFXTPM - ok
17:38:31.0812 1428 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:38:31.0812 1428 Imapi - ok
17:38:31.0859 1428 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
17:38:31.0859 1428 ImapiService - ok
17:38:31.0859 1428 ini910u - ok
17:38:32.0140 1428 IntcAzAudAddService (744a7507d7a69a2a54638b8e5b630c0b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
17:38:32.0156 1428 IntcAzAudAddService - ok
17:38:32.0312 1428 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
17:38:32.0312 1428 IntelIde - ok
17:38:32.0343 1428 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:38:32.0343 1428 intelppm - ok
17:38:32.0375 1428 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
17:38:32.0375 1428 Ip6Fw - ok
17:38:32.0375 1428 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:38:32.0375 1428 IpFilterDriver - ok
17:38:32.0390 1428 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:38:32.0390 1428 IpInIp - ok
17:38:32.0421 1428 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:38:32.0421 1428 IpNat - ok
17:38:32.0437 1428 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:38:32.0437 1428 IPSec - ok
17:38:32.0453 1428 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:38:32.0453 1428 IRENUM - ok
17:38:32.0484 1428 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:38:32.0484 1428 isapnp - ok
17:38:32.0531 1428 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
17:38:32.0531 1428 Iviaspi - ok
17:38:32.0640 1428 IviRegMgr (213822072085b5bbad9af30ab577d817) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
17:38:32.0640 1428 IviRegMgr - ok
17:38:32.0718 1428 JavaQuickStarterService (5472d771c0197355c1d347f20392b982) C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
17:38:32.0718 1428 JavaQuickStarterService - ok
17:38:32.0734 1428 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:38:32.0734 1428 Kbdclass - ok
17:38:32.0750 1428 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:38:32.0750 1428 kbdhid - ok
17:38:32.0796 1428 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:38:32.0796 1428 kmixer - ok
17:38:32.0843 1428 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:38:32.0843 1428 KSecDD - ok
17:38:32.0906 1428 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
17:38:32.0906 1428 LanmanServer - ok
17:38:32.0953 1428 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
17:38:32.0953 1428 lanmanworkstation - ok
17:38:32.0953 1428 lbrtfdc - ok
17:38:33.0203 1428 LiveUpdate (f3fe36dde7f59b7d4f9581c920670198) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
17:38:33.0203 1428 LiveUpdate - ok
17:38:33.0375 1428 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
17:38:33.0375 1428 LmHosts - ok
17:38:33.0484 1428 LMS (2763a02188ffb04287f5034ec5b6b451) C:\Program Files\Intel\AMT\LMS.exe
17:38:33.0484 1428 LMS - ok
17:38:33.0531 1428 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
17:38:33.0531 1428 Messenger - ok
17:38:33.0562 1428 MfeAVFK (64b96de8c492bd435372d9130a535f1d) C:\WINDOWS\system32\drivers\MfeAVFK.sys
17:38:33.0562 1428 MfeAVFK - ok
17:38:33.0578 1428 MfeBOPK (078e87a89d36cc3516f19d5fb518bddc) C:\WINDOWS\system32\drivers\MfeBOPK.sys
17:38:33.0578 1428 MfeBOPK - ok
17:38:33.0625 1428 mfehidk (168c565101fd5b9db694efdec91fafa9) C:\WINDOWS\system32\drivers\mfehidk.sys
17:38:33.0625 1428 mfehidk - ok
17:38:33.0656 1428 MfeRKDK (e0842f67dc9bc4d21d1e319610ebe9e5) C:\WINDOWS\system32\drivers\MfeRKDK.sys
17:38:33.0656 1428 MfeRKDK - ok
17:38:33.0671 1428 mfetdik (43a7acbbd70ecd62f0b63486c72089a3) C:\WINDOWS\system32\drivers\mfetdik.sys
17:38:33.0671 1428 mfetdik - ok
17:38:33.0718 1428 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:38:33.0718 1428 mnmdd - ok
17:38:33.0734 1428 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
17:38:33.0734 1428 mnmsrvc - ok
17:38:33.0750 1428 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:38:33.0750 1428 Modem - ok
17:38:33.0781 1428 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:38:33.0781 1428 Mouclass - ok
17:38:33.0828 1428 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:38:33.0828 1428 mouhid - ok
17:38:33.0843 1428 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:38:33.0843 1428 MountMgr - ok
17:38:33.0843 1428 mraid35x - ok
17:38:33.0859 1428 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:38:33.0859 1428 MRxDAV - ok
17:38:33.0906 1428 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:38:33.0906 1428 MRxSmb - ok
17:38:33.0921 1428 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
17:38:33.0921 1428 MSDTC - ok
17:38:33.0921 1428 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:38:33.0921 1428 Msfs - ok
17:38:33.0921 1428 MSIServer - ok
17:38:33.0953 1428 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:38:33.0953 1428 MSKSSRV - ok
17:38:33.0953 1428 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:38:33.0953 1428 MSPCLOCK - ok
17:38:33.0968 1428 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:38:33.0968 1428 MSPQM - ok
17:38:34.0000 1428 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:38:34.0000 1428 mssmbios - ok
17:38:34.0031 1428 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
17:38:34.0031 1428 Mup - ok
17:38:34.0062 1428 NAL (d02734423b59b3ac14cdfe91e9665ff0) C:\WINDOWS\system32\Drivers\iqvw32.sys
17:38:34.0062 1428 NAL - ok
17:38:34.0093 1428 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
17:38:34.0093 1428 napagent - ok
17:38:34.0296 1428 NAVENG (f11033730b38260b6892e837c457fb4b) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120525.004\NAVENG.SYS
17:38:34.0296 1428 NAVENG - ok
17:38:34.0390 1428 NAVEX15 (4e4e7c0259d3bb97de24a636c0e06aba) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120525.004\NAVEX15.SYS
17:38:34.0390 1428 NAVEX15 - ok
17:38:34.0562 1428 NDIS (8716356e49a665bdc7b114725b60a456) C:\WINDOWS\system32\drivers\NDIS.sys
17:38:34.0562 1428 NDIS - ok
17:38:34.0609 1428 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:38:34.0609 1428 NdisTapi - ok
17:38:34.0609 1428 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:38:34.0609 1428 Ndisuio - ok
17:38:34.0640 1428 NdisWan (5526cfebb619f7f763bd6a2e1b618078) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:38:34.0640 1428 NdisWan - ok
17:38:34.0703 1428 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
17:38:34.0703 1428 NDProxy - ok
17:38:34.0750 1428 Net Driver HPZ12 (a081cb6fb9a12668f233eb5414be3a0e) C:\WINDOWS\system32\HPZinw12.dll
17:38:34.0750 1428 Net Driver HPZ12 - ok
17:38:34.0812 1428 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:38:34.0812 1428 NetBIOS - ok
17:38:34.0828 1428 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:38:34.0828 1428 NetBT - ok
17:38:34.0875 1428 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:38:34.0875 1428 NetDDE - ok
17:38:34.0875 1428 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:38:34.0875 1428 NetDDEdsdm - ok
17:38:34.0921 1428 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:38:34.0921 1428 Netlogon - ok
17:38:34.0937 1428 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
17:38:34.0937 1428 Netman - ok
17:38:35.0062 1428 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
17:38:35.0078 1428 NetTcpPortSharing - ok
17:38:35.0109 1428 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
17:38:35.0109 1428 Nla - ok
17:38:35.0156 1428 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:38:35.0156 1428 Npfs - ok
17:38:35.0187 1428 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:38:35.0187 1428 Ntfs - ok
17:38:35.0187 1428 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:38:35.0187 1428 NtLmSsp - ok
17:38:35.0250 1428 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
17:38:35.0265 1428 NtmsSvc - ok
17:38:35.0265 1428 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:38:35.0265 1428 Null - ok
17:38:35.0296 1428 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:38:35.0296 1428 NwlnkFlt - ok
17:38:35.0296 1428 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:38:35.0296 1428 NwlnkFwd - ok
17:38:35.0406 1428 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
17:38:35.0406 1428 odserv - ok
17:38:35.0421 1428 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:38:35.0421 1428 ose - ok
17:38:35.0468 1428 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
17:38:35.0468 1428 P3 - ok
17:38:35.0468 1428 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:38:35.0484 1428 Parport - ok
17:38:35.0484 1428 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:38:35.0484 1428 PartMgr - ok
17:38:35.0484 1428 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:38:35.0484 1428 ParVdm - ok
17:38:35.0515 1428 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:38:35.0515 1428 PCI - ok
17:38:35.0515 1428 PCIDump - ok
17:38:35.0531 1428 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:38:35.0531 1428 PCIIde - ok
17:38:35.0546 1428 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:38:35.0546 1428 Pcmcia - ok
17:38:35.0562 1428 PDCOMP - ok
17:38:35.0562 1428 PDFRAME - ok
17:38:35.0562 1428 PDRELI - ok
17:38:35.0562 1428 PDRFRAME - ok
17:38:35.0562 1428 perc2 - ok
17:38:35.0562 1428 perc2hib - ok
17:38:35.0609 1428 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:38:35.0609 1428 PlugPlay - ok
17:38:35.0656 1428 Pml Driver HPZ12 (65bc271f337637731d3c71455ae1f476) C:\WINDOWS\system32\HPZipm12.dll
17:38:35.0656 1428 Pml Driver HPZ12 - ok
17:38:35.0671 1428 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:38:35.0671 1428 PolicyAgent - ok
17:38:35.0671 1428 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:38:35.0671 1428 PptpMiniport - ok
17:38:35.0671 1428 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:38:35.0671 1428 ProtectedStorage - ok
17:38:35.0703 1428 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:38:35.0703 1428 PSched - ok
17:38:35.0750 1428 PSI_SVC_2 (a6a7ad767bf5141665f5c675f671b3e1) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
17:38:35.0750 1428 PSI_SVC_2 - ok
17:38:35.0765 1428 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:38:35.0765 1428 Ptilink - ok
17:38:35.0765 1428 ql1080 - ok
17:38:35.0765 1428 Ql10wnt - ok
17:38:35.0765 1428 ql12160 - ok
17:38:35.0765 1428 ql1240 - ok
17:38:35.0765 1428 ql1280 - ok
17:38:35.0843 1428 RapportIaso - ok
17:38:35.0875 1428 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:38:35.0875 1428 RasAcd - ok
17:38:35.0937 1428 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
17:38:35.0937 1428 RasAuto - ok
17:38:35.0953 1428 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:38:35.0953 1428 Rasl2tp - ok
17:38:36.0000 1428 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
17:38:36.0000 1428 RasMan - ok
17:38:36.0015 1428 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:38:36.0015 1428 RasPppoe - ok
17:38:36.0015 1428 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:38:36.0015 1428 Raspti - ok
17:38:36.0062 1428 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:38:36.0062 1428 Rdbss - ok
17:38:36.0093 1428 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:38:36.0093 1428 RDPCDD - ok
17:38:36.0125 1428 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:38:36.0125 1428 rdpdr - ok
17:38:36.0156 1428 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
17:38:36.0156 1428 RDPWD - ok
17:38:36.0203 1428 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
17:38:36.0203 1428 RDSessMgr - ok
17:38:36.0234 1428 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:38:36.0234 1428 redbook - ok
17:38:36.0265 1428 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
17:38:36.0265 1428 regi - ok
17:38:36.0328 1428 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
17:38:36.0328 1428 RemoteAccess - ok
17:38:36.0375 1428 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
17:38:36.0375 1428 RemoteRegistry - ok
17:38:36.0421 1428 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
17:38:36.0421 1428 RpcLocator - ok
17:38:36.0484 1428 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
17:38:36.0484 1428 RpcSs - ok
17:38:36.0500 1428 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
17:38:36.0500 1428 RSVP - ok
17:38:36.0515 1428 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:38:36.0515 1428 SamSs - ok
17:38:36.0531 1428 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
17:38:36.0531 1428 SCardSvr - ok
17:38:36.0562 1428 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
17:38:36.0562 1428 Schedule - ok
17:38:36.0593 1428 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:38:36.0593 1428 Secdrv - ok
17:38:36.0625 1428 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
17:38:36.0625 1428 seclogon - ok
17:38:36.0625 1428 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
17:38:36.0640 1428 SENS - ok
17:38:36.0640 1428 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:38:36.0640 1428 serenum - ok
17:38:36.0656 1428 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:38:36.0656 1428 Serial - ok
17:38:36.0671 1428 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:38:36.0671 1428 Sfloppy - ok
17:38:36.0734 1428 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
17:38:36.0734 1428 SharedAccess - ok
17:38:36.0781 1428 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:38:36.0781 1428 ShellHWDetection - ok
17:38:36.0781 1428 Simbad - ok
17:38:37.0000 1428 SmcService (a58cfa1b9d223b1e13f756cfc3dd8f63) C:\Program Files\Symantec AntiVirus\Smc.exe
17:38:37.0000 1428 SmcService - ok
17:38:37.0093 1428 SNAC (5df21eeecc50a04faa2e771e6728543d) C:\Program Files\Symantec AntiVirus\SNAC.EXE
17:38:37.0093 1428 SNAC - ok
17:38:37.0203 1428 Sparrow - ok
17:38:37.0343 1428 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
17:38:37.0343 1428 SPBBCDrv - ok
17:38:37.0390 1428 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:38:37.0390 1428 splitter - ok
17:38:37.0437 1428 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
17:38:37.0437 1428 Spooler - ok
17:38:37.0484 1428 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:38:37.0484 1428 sr - ok
17:38:37.0531 1428 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
17:38:37.0531 1428 srservice - ok
17:38:37.0578 1428 SRTSP (14389e87d0d2e25b12bf2cc74cfaee07) C:\WINDOWS\system32\Drivers\SRTSP.SYS
17:38:37.0578 1428 SRTSP - ok
17:38:37.0640 1428 SRTSPL (aed0f68c185fe698a21cefcd76f0b8a4) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
17:38:37.0640 1428 SRTSPL - ok
17:38:37.0671 1428 SRTSPX (0e2ca6326726477fe29863808bbad413) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
17:38:37.0671 1428 SRTSPX - ok
17:38:37.0734 1428 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
17:38:37.0734 1428 Srv - ok
17:38:37.0765 1428 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
17:38:37.0765 1428 SSDPSRV - ok
17:38:37.0812 1428 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
17:38:37.0812 1428 stisvc - ok
17:38:37.0859 1428 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:38:37.0859 1428 swenum - ok
17:38:37.0875 1428 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:38:37.0875 1428 swmidi - ok
17:38:37.0875 1428 SwPrv - ok
17:38:38.0062 1428 Symantec AntiVirus (96900995907415fb4a8a18d97b3aa4a3) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
17:38:38.0062 1428 Symantec AntiVirus - ok
17:38:38.0250 1428 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
17:38:38.0250 1428 symc810 - ok
17:38:38.0250 1428 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
17:38:38.0250 1428 symc8xx - ok
17:38:38.0281 1428 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
17:38:38.0281 1428 SymEvent - ok
17:38:38.0296 1428 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
17:38:38.0296 1428 Symmpi - ok
17:38:38.0343 1428 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
17:38:38.0343 1428 SYMREDRV - ok
17:38:38.0359 1428 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
17:38:38.0359 1428 SYMTDI - ok
17:38:38.0359 1428 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
17:38:38.0359 1428 sym_hi - ok
17:38:38.0375 1428 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
17:38:38.0375 1428 sym_u3 - ok
17:38:38.0390 1428 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:38:38.0390 1428 sysaudio - ok
17:38:38.0421 1428 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
17:38:38.0421 1428 SysmonLog - ok
17:38:38.0453 1428 SysPlant (83fba2ce9843db015c381cf24b8e620c) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
17:38:38.0453 1428 SysPlant - ok
17:38:38.0500 1428 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
17:38:38.0500 1428 TapiSrv - ok
17:38:38.0546 1428 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:38:38.0546 1428 Tcpip - ok
17:38:38.0578 1428 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:38:38.0578 1428 TDPIPE - ok
17:38:38.0609 1428 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:38:38.0609 1428 TDTCP - ok
17:38:38.0625 1428 Teefer2 (75346634d815c9fda103ae5fada072b3) C:\WINDOWS\system32\DRIVERS\teefer2.sys
17:38:38.0625 1428 Teefer2 - ok
17:38:38.0640 1428 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:38:38.0640 1428 TermDD - ok
17:38:38.0671 1428 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
17:38:38.0671 1428 TermService - ok
17:38:38.0718 1428 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:38:38.0734 1428 Themes - ok
17:38:38.0750 1428 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
17:38:38.0750 1428 TlntSvr - ok
17:38:38.0750 1428 TosIde - ok
17:38:38.0765 1428 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
17:38:38.0765 1428 TrkWks - ok
17:38:38.0781 1428 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:38:38.0781 1428 Udfs - ok
17:38:38.0781 1428 ultra - ok
17:38:39.0015 1428 UNS (d47e82866a6ff02dae9cedf127c4bee0) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
17:38:39.0031 1428 UNS - ok
17:38:39.0125 1428 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
17:38:39.0125 1428 upnphost - ok
17:38:39.0140 1428 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
17:38:39.0140 1428 UPS - ok
17:38:39.0203 1428 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:38:39.0203 1428 usbccgp - ok
17:38:39.0234 1428 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:38:39.0234 1428 usbehci - ok
17:38:39.0265 1428 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:38:39.0265 1428 usbhub - ok
17:38:39.0312 1428 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:38:39.0312 1428 usbprint - ok
17:38:39.0312 1428 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:38:39.0312 1428 usbscan - ok
17:38:39.0343 1428 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:38:39.0343 1428 USBSTOR - ok
17:38:39.0375 1428 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:38:39.0375 1428 usbuhci - ok
17:38:39.0406 1428 ustp2 (5f5b9f95647a26547c163c7b4f9e4b7a) C:\WINDOWS\system32\Drivers\ustp2.sys
17:38:39.0406 1428 ustp2 - ok
17:38:39.0421 1428 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:38:39.0421 1428 VgaSave - ok
17:38:39.0421 1428 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
17:38:39.0421 1428 ViaIde - ok
17:38:39.0453 1428 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:38:39.0453 1428 VolSnap - ok
17:38:39.0515 1428 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
17:38:39.0515 1428 VSS - ok
17:38:39.0546 1428 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
17:38:39.0546 1428 W32Time - ok
17:38:39.0562 1428 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:38:39.0562 1428 Wanarp - ok
17:38:39.0562 1428 WDICA - ok
17:38:39.0578 1428 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:38:39.0578 1428 wdmaud - ok
17:38:39.0625 1428 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
17:38:39.0625 1428 WebClient - ok
17:38:39.0687 1428 WinDriver6 (e2ef0e2a004944e6647826a0f415d668) C:\WINDOWS\system32\DRIVERS\Windrvr6.sys
17:38:39.0687 1428 WinDriver6 - ok
17:38:39.0750 1428 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
17:38:39.0750 1428 winmgmt - ok
17:38:39.0953 1428 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
17:38:39.0968 1428 wlidsvc - ok
17:38:40.0140 1428 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
17:38:40.0140 1428 WmdmPmSN - ok
17:38:40.0218 1428 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
17:38:40.0218 1428 Wmi - ok
17:38:40.0265 1428 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
17:38:40.0265 1428 WmiAcpi - ok
17:38:40.0312 1428 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
17:38:40.0312 1428 WmiApSrv - ok
17:38:40.0437 1428 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
17:38:40.0437 1428 WMPNetworkSvc - ok
17:38:40.0640 1428 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
17:38:40.0640 1428 WPFFontCache_v0400 - ok
17:38:40.0812 1428 WPS (a021167a699cf9ab6e5fe2a60c6afc70) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
17:38:40.0812 1428 WPS - ok
17:38:40.0843 1428 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
17:38:40.0843 1428 WpsHelper - ok
17:38:40.0875 1428 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:38:40.0875 1428 WS2IFSL - ok
17:38:40.0937 1428 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
17:38:40.0937 1428 wscsvc - ok
17:38:40.0937 1428 WSearch - ok
17:38:40.0937 1428 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
17:38:40.0953 1428 wuauserv - ok
17:38:41.0000 1428 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:38:41.0000 1428 WudfPf - ok
17:38:41.0000 1428 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:38:41.0000 1428 WudfRd - ok
17:38:41.0015 1428 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
17:38:41.0015 1428 WudfSvc - ok
17:38:41.0046 1428 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
17:38:41.0046 1428 WZCSVC - ok
17:38:41.0062 1428 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
17:38:41.0062 1428 xmlprov - ok
17:38:41.0093 1428 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:38:41.0406 1428 \Device\Harddisk0\DR0 - ok
17:38:41.0406 1428 Boot (0x1200) (903cf007363359e0c08897f09b38fda3) \Device\Harddisk0\DR0\Partition0
17:38:41.0406 1428 \Device\Harddisk0\DR0\Partition0 - ok
17:38:41.0406 1428 ============================================================
17:38:41.0406 1428 Scan finished
17:38:41.0406 1428 ============================================================
17:38:41.0406 1404 Detected object count: 0
17:38:41.0406 1404 Actual detected object count: 0
**********************

I ran aswMBR next & I did not disable the Symantec AV before starting that tool. While the Avast tool was running the SEP autoprotect found boot.tidserv in the temp folder for the user profile. Here is the log for the aswMBR tool.
**********
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-25 17:39:51
-----------------------------
17:39:51.578 OS Version: Windows 5.1.2600 Service Pack 3
17:39:51.578 Number of processors: 2 586 0x170A
17:39:51.578 ComputerName: DEBBIEHP UserName: debbie
17:39:52.312 Initialize success
17:41:45.375 AVAST engine defs: 12052500
17:42:08.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:42:08.125 Disk 0 Vendor: SAMSUNG_ 1AC0 Size: 238475MB BusType: 3
17:42:08.156 Disk 0 MBR read successfully
17:42:08.156 Disk 0 MBR scan
17:42:08.171 Disk 0 Windows XP default MBR code
17:42:08.187 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238463 MB offset 2048
17:42:08.187 Disk 0 scanning sectors +488376000
17:42:08.265 Disk 0 scanning C:\WINDOWS\system32\drivers
17:42:15.859 Service scanning
17:42:28.859 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
17:42:29.015 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
17:42:31.515 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
17:42:32.078 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
17:42:33.484 Modules scanning
17:42:39.218 Disk 0 trace - called modules:
17:42:39.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
17:42:39.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac2b030]
17:42:39.250 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000077[0x8ac8d840]
17:42:39.250 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8ac67028]
17:42:39.859 AVAST engine scan C:\WINDOWS
17:42:46.343 AVAST engine scan C:\WINDOWS\system32
17:45:23.625 AVAST engine scan C:\WINDOWS\system32\drivers
17:45:37.312 AVAST engine scan C:\Documents and Settings\debbie
17:50:56.843 AVAST engine scan C:\Documents and Settings\All Users
17:52:21.500 Scan finished successfully
17:55:55.531 Disk 0 MBR has been saved successfully to "C:\Download\MBR.dat"
17:55:55.531 The log file has been saved successfully to "C:\Download\aswMBR.txt"

****************

Thanks for your help. Should I run more tools or test the Google search problems?

THANKS!
PLaw

Back to top

#9 gringo_pr

Bleepin Gringo

Malware Response Team
120,677 posts

Gender:Male
Location:Puerto rico

Posted 25 May 2012 - 05:46 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Back to top

#10 plaw

New Member

Members
11 posts

Posted 25 May 2012 - 06:45 PM

I ran the script and here is the report from CF.

******************
ComboFix 12-05-25.02 - debbie 05/25/2012 19:14:59.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3017.2310 [GMT -4:00]
Running from: c:\download\ComboFix.exe
Command switches used :: c:\download\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\debbie\Local Settings\Application Data\assembly\tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-25 to 2012-05-25 )))))))))))))))))))))))))))))))
.
.
2012-05-23 16:58 . 2012-05-23 16:58 -------- d-----w- c:\documents and settings\debbie\Application Data\ElevatedDiagnostics
2012-05-22 16:42 . 2012-05-22 16:42 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\Sun
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\program files\Common Files\Java
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\program files\Oracle
2012-05-22 16:40 . 2012-05-22 16:40 -------- d-----w- c:\documents and settings\debbie\Application Data\Oracle
2012-05-22 16:40 . 2012-04-04 22:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-22 16:40 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-07 21:30 . 2012-05-07 21:30 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\AMS Services, Inc
2012-05-07 21:30 . 2012-05-25 14:39 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\assembly
2012-05-07 21:24 . 2012-05-07 21:24 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\Fujitsu
2012-05-07 21:24 . 2012-05-07 21:24 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\PFU
2012-05-07 20:53 . 2011-09-16 12:15 2134016 ----a-r- c:\windows\system32\cdintf300.dll
2012-05-07 20:52 . 2012-05-07 20:52 -------- d-----w- c:\program files\AMS Services, Inc
2012-05-07 20:18 . 2012-05-07 20:18 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\AMS Services, Inc
2012-05-07 20:13 . 2012-05-25 23:19 -------- d-----w- c:\documents and settings\debbie\Local Settings\Application Data\assembly
2012-05-07 18:49 . 2012-05-07 18:53 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-05-07 18:48 . 2012-05-07 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-05-07 18:48 . 2012-05-07 18:58 -------- d-----w- c:\program files\Yahoo!
2012-05-07 17:58 . 2012-05-07 18:44 -------- d-----w- c:\program files\Chat Messenger
2012-05-07 17:58 . 2012-05-07 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-05-07 17:54 . 2012-05-07 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-05-07 17:54 . 2012-05-07 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\blekko toolbars
2012-05-07 17:53 . 2012-05-07 19:00 -------- d-----w- c:\program files\blekkotb_soc
2012-05-04 17:57 . 2010-08-03 22:59 476672 ----a-w- c:\windows\system32\s1100u.dll
2012-05-04 17:57 . 2010-07-23 16:50 2269184 ----a-w- c:\windows\system32\ijl5s1100.dll
2012-05-04 17:57 . 2010-07-12 20:55 3559424 ----a-w- c:\windows\system32\ippi5s1100.dll
2012-05-04 17:57 . 2009-09-19 02:03 279552 ----a-w- c:\windows\system32\S1300u.dll
2012-05-04 17:57 . 2009-04-24 00:29 1990656 ----a-w- c:\windows\system32\ippi5s1300.dll
2012-05-04 17:57 . 2009-04-24 00:29 1302528 ----a-w- c:\windows\system32\ijl5s1300.dll
2012-05-04 17:57 . 2008-04-03 12:06 21504 ----a-w- c:\windows\system32\fj52usb.dll
2012-05-04 17:57 . 2007-08-17 20:32 24064 ----a-w- c:\windows\system32\Fjmcusb.dll
2012-05-04 17:57 . 2007-07-27 02:48 264192 ----a-w- c:\windows\system32\s300u.dll
2012-05-04 17:57 . 2007-05-23 23:57 1990656 ----a-w- c:\windows\system32\ippi5s300.dll
2012-05-04 17:57 . 2007-05-23 23:57 1302528 ----a-w- c:\windows\system32\ijl5s300.dll
2012-05-04 17:57 . 2005-02-17 15:55 69632 ----a-w- c:\windows\system32\distortion.dll
2012-05-04 17:46 . 2012-05-04 17:46 -------- d-----w- c:\documents and settings\debbie\Application Data\Logitech
2012-05-04 17:46 . 2012-05-04 17:46 -------- d-----w- c:\documents and settings\debbie\Application Data\Logishrd
2012-05-04 15:12 . 2012-05-04 16:17 -------- d-----w- C:\Fixitup
2012-05-04 15:07 . 2012-05-04 15:07 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-05-04 13:54 . 2012-05-23 15:53 -------- d-----w- C:\delete.me
2012-05-02 19:53 . 2012-05-02 19:53 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\Malwarebytes
2012-05-02 19:24 . 2012-05-02 19:24 -------- d-----w- c:\program files\HitmanPro
2012-05-02 18:17 . 2012-05-03 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-05-02 18:14 . 2012-05-02 18:14 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\UniPrint
2012-05-02 18:13 . 2012-05-02 18:13 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\Adobe
2012-05-02 18:13 . 2012-05-02 19:28 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Application Data\SUDDENLINKTOOLBAR
2012-05-02 18:13 . 2012-05-02 18:13 -------- d-----w- c:\documents and settings\administrator.THORNBURGAGENCY\Local Settings\Application Data\Trusteer
2012-05-02 18:03 . 2012-05-02 18:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
2012-05-02 17:59 . 2012-05-02 17:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUDDENLINKTOOLBAR
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fujitsu
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\OA
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\PFU
2012-05-02 17:58 . 2012-05-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\UniPrint
2012-05-02 17:57 . 2012-05-02 17:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Trusteer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 14:22 . 2012-04-09 16:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 14:22 . 2011-05-21 19:43 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-16 12:39 . 2012-04-16 12:39 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-04 19:56 . 2010-07-14 19:53 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 11:01 . 2008-04-14 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 09:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-14 09:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 09:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 09:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 09:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-25_16.14.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-25 21:58 . 2012-05-25 21:58 16384 c:\windows\temp\Perflib_Perfdata_10c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe" [2012-03-26 550360]
"UniPrint"="c:\program files\UniPrint\Client\SetDfltSettings.exe" [2010-12-16 199008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-05-27 115624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-01-17 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2012-5-4 1081344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/18/2007 12:09 AM 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [12/24/2009 1:36 PM 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [12/24/2009 2:25 PM 149600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2/6/2012 5:02 PM 106104]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 12:41 PM 257696]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/27/2011 12:55 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 RapportIaso;RapportIaso;\??\c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys --> c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys [?]
S3 ustp2;ustp2;c:\windows\system32\drivers\ustp2.sys [12/15/2010 3:58 PM 19840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 14:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
Trusted Zone: aciaagent.com\www
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: amsservices.com
Trusted Zone: bing.com
Trusted Zone: chase.com
Trusted Zone: chase.com\chaseonline
Trusted Zone: chase.com\deposits
Trusted Zone: chase.com\mfasa
Trusted Zone: chase.com\payments
Trusted Zone: chase.com\www
Trusted Zone: cinfin.com\cinciapps
Trusted Zone: cinfin.com\cincilink
Trusted Zone: cinfin.com\diamond
Trusted Zone: cinfin.com\eclassapps
Trusted Zone: cinfin.com\umcincilink
Trusted Zone: cinfin.com\webapps
Trusted Zone: cinfin.com\www
Trusted Zone: cinfinc.om\cincicms
Trusted Zone: epymtservice.com\epayment
Trusted Zone: firstcomp.com\agency
Trusted Zone: firstcomp.com\www
Trusted Zone: itms-online.com\www
Trusted Zone: msn.com
Trusted Zone: msn.com\www
Trusted Zone: naic.org\sbs-wv
Trusted Zone: prevailnetwork.com
Trusted Zone: tasconline.com\www1
Trusted Zone: travelers.com
Trusted Zone: travelers.com\logon
Trusted Zone: travelerspc.com
Trusted Zone: vertafore.com
Trusted Zone: westfield-bank.com\www
DPF: AuthenticBrowserEdition - hxxps://www.itms-online.com/WebClient//AuthenticBrowserEdition.CAB
DPF: {5CB26FF7-663A-471F-BDA2-15FE6CCA1B6F} - hxxp://173.10.228.17:85/admin/AproDx9.cab
DPF: {72B8BEFE-967D-4C0C-8633-34D45F64A2EF} - hxxps://eclasapps.cinfin.com/eclasStartup/startEclasRelease.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-25 19:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-05-25 19:20:38
ComboFix-quarantined-files.txt 2012-05-25 23:20
ComboFix2.txt 2012-05-25 16:28
ComboFix3.txt 2012-05-04 16:16
.
Pre-Run: 218,464,792,576 bytes free
Post-Run: 218,566,483,968 bytes free
.
- - End Of File - - 9E5CD41026CF1C73BE27CD56139EFD63
******************

The Google searches appear to work now. I have tried several different searches and all seem to go to the proper site.

Immediately after rebooting from the last run of CF I got the following messages in Symantec when launching IE to test the Google searches.

[SID: 24089] Web Attack: Malicious Toolkit Website 9 detected.
Traffic has been blocked from this application:

Traffic from IP address 173.236.50.237 is blocked from 5/25/2012 7:26:17 PM to 5/25/2012 7:36:17 PM.

I am assuming there is still something on here trying to contect a malicious site and download more malware. Do you agree? Are there additional tools to run?

Thanks for all your time and help.
PLaw

Back to top

#11 gringo_pr

Bleepin Gringo

Malware Response Team
120,677 posts

Gender:Male
Location:Puerto rico

Posted 26 May 2012 - 01:07 PM

Clean Out Temp Files

This small application you may want to keep and use once a week to keep the computer clean.

Download CCleaner from here http://www.ccleaner.com/
Run the installer to install the application.
When it gives you the option to install Yahoo toolbar uncheck the box next to it.
Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
Click Run Cleaner.
Close CCleaner.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM
Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Back to top

#12 plaw

New Member

Members
11 posts

Posted 28 May 2012 - 09:47 AM

Thanks again for the help.

- I downloaded and ran the CCleaner app.

*******************
- Updated and Ran MBAM, here is the log.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.28.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
debbie :: DEBBIEHP [administrator]

5/28/2012 9:49:22 AM
mbam-log-2012-05-28 (09-49-22).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 351337
Time elapsed: 43 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

***************************************************

- Downloaded and ran Hijackthis, here is the report.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:34:50 AM, on 5/28/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/HPCOM/1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Adobe Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe"
O4 - HKCU\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
O4 - Global Startup: ScanSnap Manager.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.ams-benefits.com
O15 - Trusted Zone: *.ams-services.com
O15 - Trusted Zone: *.ams-support.com
O15 - Trusted Zone: *.ams360.com
O15 - Trusted Zone: *.amsservices.com
O15 - Trusted Zone: http://*.bing.com
O15 - Trusted Zone: http://*.chase.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://*.msn.com
O15 - Trusted Zone: *.prevailnetwork.com
O15 - Trusted Zone: http://*.travelers.com
O15 - Trusted Zone: http://*.travelerspc.com
O15 - Trusted Zone: *.vertafore.com
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: AuthenticBrowserEdition - https://www.itms-online.com/WebClient//AuthenticBrowserEdition.CAB
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://cincilink.cinfin.com/common/ClientSideControls/Citrix/wficat.cab
O16 - DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} (Crystal Reports Print Control 11.0) - https://www.itms-online.com/crystalreportviewers11/ActiveXControls/PrintControl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://tia1/ConnectComputer/nshelp.dll
O16 - DPF: {5CB26FF7-663A-471F-BDA2-15FE6CCA1B6F} (CTDx9 Control) - http://173.10.228.17:85/admin/AproDx9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264172128958
O16 - DPF: {72B8BEFE-967D-4C0C-8633-34D45F64A2EF} (CeClasSetup2 Object) - https://eclasapps.cinfin.com/eclasStartup/startEclasRelease.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vertaforesupport.webex.com/client/wbs27-vzbprodcn/support/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thornburgagency.local
O17 - HKLM\Software\..\Telephony: DomainName = thornburgagency.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thornburgagency.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/debbie/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

--
End of file - 10809 bytes

***********************************************************************

I have left the computer unplugged from the Internet most of the time since my last update. It has been connected for a couple hours this morning while downloading these tools and running scans. So far I haven't noted any problems or Internet based malicious attacks. The Google searching appears to be working normally as well.

Please advise if there are additional steps to be completed.

Thanks,
PLaw

Back to top

#13 gringo_pr

Bleepin Gringo

Malware Response Team
120,677 posts

Gender:Male
Location:Puerto rico

Posted 28 May 2012 - 10:48 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
- O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
  O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
  O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
  O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
  O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  O4 - HKCU\..\Run: [Adobe Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe"
  O4 - HKCU\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
  O4 - Global Startup: ScanSnap Manager.lnk = ?
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the ActiveX control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Back to top

#14 plaw

New Member

Members
11 posts

Posted 28 May 2012 - 11:57 AM

Ran Hijack this and made many of the requested changes. Some were left as they apply to applications that are important for the end user operation.

Ran the ESET Online scanner, here is the results log.

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Program Files\Bandoo\InstallerHelper.dll a variant of Win32/Adware.Bandoo.AA application
C:\Program Files\Bandoo\Plugins\OE\OEPlugin.dll a variant of Win32/Adware.Bandoo.AA application
C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP7\A0001553.dll a variant of Win32/Adware.Gamevance.CB application
C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP7\A0001556.dll a variant of Win32/Adware.Gamevance.BV application
C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP7\A0001575.dll a variant of Win32/Adware.Yontoo.A application
C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP7\A0001577.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP7\A0001600.exe a variant of Win32/Adware.Gamevance.CC application

Plese advise how to proceed.

THANKS!
PLaw

Back to top

#15 gringo_pr

Bleepin Gringo

Malware Response Team
120,677 posts

Gender:Male
Location:Puerto rico

Posted 28 May 2012 - 12:59 PM

Hello

There are some minor things in your online scan that should be removed.

delete files

Copy all text in the quote box (below)...to Notepad.

@echo off
del /f /s /q "C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll"
del /f /s /q "C:\Program Files\Bandoo\InstallerHelper.dll"
del /f /s /q "C:\Program Files\Bandoo\Plugins\OE\OEPlugin.dll"
del %0
Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
It should look like this: <--XP<--vista
Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK.

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

turn off all active protection software
push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box ComboFix /Uninstall and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleges

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.