TDSS / Google Redirect

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

TDSS / Google Redirect Cannot remove an incredibly persistent new variant...

#1 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 22 May 2011 - 02:18 PM

I seem to have been infected with an incredibly persistent variant of the TDSS / Google redirect rootkit. Symptoms include:

Windows Security Center is disabled and cannot be restarted
Windows Security Essentials is disabled
Google (and other) searches redirect incorrectly

I have pretty much tried every documented removal strategy/tool with no success. Please find attached the requested documentation. Note that GMER did not allow me to select/deselect the options you require (another symptom of the rootkit?)

Appreciate any help you can provide.
Cheers
/Ph.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Phil.Geyskens at 9:31:01 on 2011-05-22
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3958.2047 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe
C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe
C:\Program Files (x86)\LANDesk\LDClient\LocalSch.EXE
C:\Windows\SysWOW64\CBA\pds.exe
C:\PROGRA~2\LANDesk\LDClient\issuser.exe
C:\Program Files (x86)\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files (x86)\LANDesk\LDClient\collector.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\LANDesk\LDClient\softmon.exe
C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~2\LANDesk\LDClient\rcgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoHelper_en.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\phil.geyskens\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\phil.geyskens\Desktop\gmer.exe
C:\Windows\system32\DllHost.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\Desktop\dds.scr
C:\Windows\SysWOW64\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
mWinlogon: Userinit=userinit.exe,
BHO: {00C6482D-C502-44C8-8409-FCE54AD9C208} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [PlaxoUpdate] C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoHelper_en.exe -a
uRun: [PlaxoSysTray] C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoSysTray.exe
uRun: [Google Update] "C:\Users\phil.geyskens\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [DellBtrEvent] C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\PHIL~1.GEY\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\phil.geyskens\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\PHIL~1.GEY\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAGIT~1.LNK - C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDDMST~1.LNK - C:\Program Files (x86)\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: HideShutdownScripts = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 600 (0x258)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: hhcc.com\vpn
DPF: {08496B45-6BB1-4F92-A8E6-B9E7978634CB} - hxxps://vpn.hhcc.com/nortel_cacheable/TrustSite.cab
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://vpn.hhcc.com/nortel_cacheable/NetDirect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://vpn.hhcc.com/nortel_cacheable/iewiper.cab
DPF: {ACDB1787-986D-434D-9857-2172CDB2108D} - hxxps://vpn.hhcc.com/nortel_cacheable/punblock.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://cpvpn.hhcc.com/SNX/CSHELL/extender.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files (x86)\QlikView\QvProtocol\qvp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: {00C6482D-C502-44C8-8409-FCE54AD9C208} - No File
BHO-X64: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHOX64.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
mRun-x64: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe
mRun-x64: [Apoint] C:\Program Files\DellTPad\Apoint.exe
AppInit_DLLs-X64: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdcfltn.sys --> C:\Windows\system32\DRIVERS\stdcfltn.sys [?]
R1 DVMIO;DVMIO;C:\Program Files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-5-4 20624]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SAVOnAccess;SAVOnAccess;C:\Windows\system32\DRIVERS\savonaccess.sys --> C:\Windows\system32\DRIVERS\savonaccess.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-4-20 89600]
R2 CBA8;LANDesk® Management Agent;C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe [2009-11-4 147456]
R2 CISMBIOS;CISMBIOS;\??\C:\Windows\system32\drivers\cismbios.sys --> C:\Windows\system32\drivers\cismbios.sys [?]
R2 cpextender;Check Point SSL Network Extender;C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe [2010-11-28 353800]
R2 DvmMDES;DeviceVM Meta Data Export Service;C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-5-4 327680]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files (x86)\LANDesk\LDClient\policy.client.invoker.exe [2011-4-20 195072]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe [2011-4-20 182272]
R2 QDLService2kDell_CTC;Qualcomm Gobi 2000 Download Service (Dell_CTC);C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe [2010-5-17 331512]
R2 risdpcie;risdpcie;C:\Windows\system32\DRIVERS\risdpe64.sys --> C:\Windows\system32\DRIVERS\risdpe64.sys [?]
R2 SAVAdminService;Sophos Anti-Virus status reporter;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-4-20 163056]
R2 SAVService;Sophos Anti-Virus;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2011-4-20 97520]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files (x86)\LANDesk\LDClient\softmon.exe [2011-4-20 385024]
R2 Sophos Agent;Sophos Agent;C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [2011-4-20 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [2011-4-20 806912]
R2 swi_service;Sophos Web Intelligence Service;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2011-4-20 1541360]
R2 WDDMService;WDDMService;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-3-9 288768]
R2 WDFME;WD File Management Engine;C:\Program Files (x86)\Western Digital\WD Smartware\Front Parlor\WDFME\WDFME.exe [2011-3-9 1066896]
R2 WDSC;WD File Management Shadow Engine;C:\Program Files (x86)\Western Digital\WD Smartware\Front Parlor\WDSC.exe [2011-3-9 491920]
R2 WMCoreService;Mobile Broadband Service;C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode --> C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [?]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 ldmirror;ldmirror;C:\Windows\system32\DRIVERS\ldmirror.sys --> C:\Windows\system32\DRIVERS\ldmirror.sys [?]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\Windows\system32\DRIVERS\mirrorflt.sys --> C:\Windows\system32\DRIVERS\mirrorflt.sys [?]
R3 VNA;Check Point Virtual Network Adapter;C:\Windows\system32\DRIVERS\vna.sys --> C:\Windows\system32\DRIVERS\vna.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot\SDWinSec.exe [2011-5-10 1153368]
S3 ldblank;Screen Blanking driver for Remote Control;C:\Windows\system32\DRIVERS\ldblank.sys --> C:\Windows\system32\DRIVERS\ldblank.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\20BA.tmp --> C:\Windows\system32\20BA.tmp [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 sdcfilter;sdcfilter;C:\Windows\system32\DRIVERS\sdcfilter.sys --> C:\Windows\system32\DRIVERS\sdcfilter.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S4 ProcTrigger;LANDesk® Process Trigger Service;C:\Program Files (x86)\LANDesk\LDClient\ProcTriggerSvc.exe [2011-4-20 73216]
S4 SophosBootDriver;SophosBootDriver;C:\Windows\system32\DRIVERS\SophosBootDriver.sys --> C:\Windows\system32\DRIVERS\SophosBootDriver.sys [?]
S4 tracksvc;LANDesk® Power Management Track Service;C:\Program Files (x86)\LANDesk\LDClient\tracksvc.exe [2011-4-20 66048]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-05-20 14:14:36 72080 ----a-w- C:\Users\phil.geyskens\g2mdlhlpx.exe
2011-05-17 19:17:25 -------- d-----w- C:\Windows\5BCC634A58AD42F9B3C62EA52F81CF85.TMP
2011-05-16 09:23:17 388096 ----a-r- C:\Users\phil.geyskens\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-15 23:18:31 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2D87.tmp
2011-05-15 23:18:31 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2D67.tmp
2011-05-15 23:18:31 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2CF9.tmp
2011-05-15 19:35:54 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\56E9.tmp
2011-05-15 19:35:54 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\56B9.tmp
2011-05-15 19:35:54 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\5699.tmp
2011-05-15 18:30:22 65736 ----a-w- C:\Windows\System32\drivers\pxrts.sys
2011-05-13 13:37:47 -------- d-----w- C:\Program Files\Speccy
2011-05-13 13:37:21 -------- d-----w- C:\Program Files\Defraggler
2011-05-12 17:57:16 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-05-12 09:40:34 20040 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-05-12 09:40:05 -------- d-----w- C:\ProgramData\Hitman Pro
2011-05-11 22:29:23 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2011-05-10 17:56:04 -------- d-----w- C:\ProgramData\PrevxCSI
2011-05-10 17:40:41 6144 ------w- C:\Windows\System32\20BA.tmp
2011-05-10 17:39:19 6144 ------w- C:\Windows\System32\DF65.tmp
2011-05-10 16:29:59 6144 ------w- C:\Windows\System32\3ABF.tmp
2011-05-10 16:28:36 6144 ------w- C:\Windows\System32\F99A.tmp
2011-05-10 15:25:25 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-05-10 15:20:46 -------- d-----w- C:\Windows\pss
2011-05-10 13:36:40 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\{D6908907-8732-4EF9-AF9E-44F43EED5366}
2011-05-10 13:36:25 -------- d-----w- C:\Users\phil.geyskens\Tracing
2011-05-10 13:28:15 -------- d-----w- C:\Windows\en
2011-05-10 13:22:33 69464 ----a-w- C:\Windows\SysWow64\XAPOFX1_3.dll
2011-05-10 13:22:33 523088 ----a-w- C:\Windows\System32\d3dx10_42.dll
2011-05-10 13:22:33 515416 ----a-w- C:\Windows\SysWow64\XAudio2_5.dll
2011-05-10 13:22:33 453456 ----a-w- C:\Windows\SysWow64\d3dx10_42.dll
2011-05-10 13:22:28 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-05-10 13:22:28 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-05-10 13:22:12 1164800 ----a-w- C:\Windows\SysWow64\UIRibbonRes.dll
2011-05-10 13:22:11 3860992 ----a-w- C:\Windows\System32\UIRibbon.dll
2011-05-10 13:22:11 2983424 ----a-w- C:\Windows\SysWow64\UIRibbon.dll
2011-05-10 13:22:11 1164800 ----a-w- C:\Windows\System32\UIRibbonRes.dll
2011-05-10 13:19:00 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d359f80a1cc0f1419\MeshBetaRemover.exe
2011-05-10 13:18:56 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d08960781cc0f1418\DSETUP.dll
2011-05-10 13:18:56 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d08960781cc0f1418\DXSETUP.exe
2011-05-10 13:18:56 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d08960781cc0f1418\dsetup32.dll
2011-05-10 13:18:52 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cd7e56771cc0f1417\DSETUP.dll
2011-05-10 13:18:52 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cd7e56771cc0f1417\DXSETUP.exe
2011-05-10 13:18:52 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cd7e56771cc0f1417\dsetup32.dll
2011-05-10 13:16:37 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Windows Live
2011-05-10 13:16:36 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-05-10 12:04:49 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-05-10 12:04:49 -------- d-----w- C:\Program Files (x86)\Spybot
2011-05-09 06:53:33 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\117F.tmp
2011-05-09 06:53:33 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\116E.tmp
2011-05-09 06:53:33 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\115E.tmp
2011-05-09 04:00:44 -------- d-----w- C:\Program Files (x86)\LinkedIn
2011-05-09 03:58:49 -------- d-----w- C:\Program Files (x86)\MSECache
2011-05-09 03:57:47 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\1E18.tmp
2011-05-09 03:57:47 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\1E17.tmp
2011-05-09 03:57:47 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\1E16.tmp
2011-05-08 06:49:08 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-08 06:49:07 -------- d-----w- C:\ProgramData\Malwarebytes
2011-05-07 15:26:54 178688 --sha-r- C:\Windows\SysWow64\wsecedit7.dll
2011-05-06 20:18:01 8802128 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{19E57FCD-375D-4B7D-A6F7-4CF68E2A905D}\mpengine.dll
2011-05-06 11:07:08 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\KeePass
2011-05-06 10:56:55 -------- d-----w- C:\Program Files (x86)\KeePass Password Safe 2
2011-05-03 23:49:58 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\B211.tmp
2011-05-03 23:49:58 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\B174.tmp
2011-05-03 23:49:58 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\B173.tmp
2011-05-03 03:03:45 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2717.tmp
2011-05-03 03:03:45 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2716.tmp
2011-05-03 03:03:45 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2705.tmp
2011-04-28 21:26:10 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\ElevatedDiagnostics
2011-04-28 19:47:57 -------- d-----w- C:\Program Files\Kyocera
2011-04-28 10:59:56 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\7CDE.tmp
2011-04-28 10:59:56 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\7C41.tmp
2011-04-28 10:59:55 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\7C31.tmp
2011-04-27 15:17:08 -------- d-----w- C:\Program Files (x86)\CheckPoint
2011-04-27 15:03:03 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\webex
2011-04-27 14:12:24 -------- d-----w- C:\ProgramData\WebEx
2011-04-27 13:00:22 -------- d-----w- C:\Program Files (x86)\Citrix
2011-04-27 12:07:53 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Apple Computer
2011-04-27 01:08:23 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Plaxo
2011-04-26 12:12:58 -------- d-----w- C:\Program Files\Common Files\Intel
2011-04-26 12:12:57 -------- d-----w- C:\Program Files (x86)\Common Files\Intel
2011-04-25 04:31:11 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\PrimoPDF
2011-04-23 15:12:58 -------- d-----w- C:\Program Files\Western Digital
2011-04-23 15:05:36 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Western_Digital
2011-04-23 15:04:16 -------- d-----w- C:\ProgramData\Western Digital
2011-04-23 15:03:34 -------- d-----w- C:\Program Files (x86)\Western Digital
2011-04-23 14:59:49 -------- d-----w- C:\Program Files\WDCSAM
2011-04-23 14:55:11 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Western Digital
2011-04-23 01:16:27 8802128 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-22 20:37:38 -------- d--h--w- C:\Users\phil.geyskens\AppData\Local\dvmexp
2011-04-22 20:29:08 -------- d-----w- C:\Program Files\QlikView
2011-04-22 20:29:06 -------- d-----w- C:\Program Files (x86)\QlikView
2011-04-22 20:29:05 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\QlikTech
2011-04-22 20:28:10 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\JAM Software
2011-04-22 20:28:01 -------- d-----w- C:\Program Files (x86)\JAM Software
2011-04-22 20:25:50 -------- d-----w- C:\Program Files\R
2011-04-22 20:21:37 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Downloaded Installations
2011-04-22 20:05:39 -------- d-----w- C:\Program Files (x86)\Auslogics
2011-04-22 19:53:56 -------- d-----w- C:\Program Files (x86)\2BrightSparks
2011-04-22 19:43:51 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Research In Motion
2011-04-22 19:43:49 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\Research In Motion
2011-04-22 19:42:40 31744 ----a-w- C:\Windows\System32\drivers\RimSerial_AMD64.sys
2011-04-22 19:42:10 -------- d-----w- C:\ProgramData\Research In Motion
2011-04-22 19:41:43 -------- d-----w- C:\Program Files (x86)\Research In Motion
2011-04-22 19:41:43 -------- d-----w- C:\Program Files (x86)\Common Files\Research In Motion
2011-04-22 18:23:51 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Microsoft Help
2011-04-22 18:18:33 -------- d-----w- C:\ProgramData\{D499C757-18A6-4CC3-9B9E-7EC7DDB5E414}
2011-04-22 18:17:29 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Apple
2011-04-22 17:02:40 95008 ----a-w- C:\Windows\System32\Primomonnt.dll
2011-04-22 17:02:38 -------- d-----w- C:\Program Files (x86)\Nitro PDF
2011-04-22 17:00:09 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\HandBrake
2011-04-22 17:00:09 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\HandBrake
2011-04-22 17:00:02 -------- d-----w- C:\Program Files (x86)\Handbrake
2011-04-22 16:59:36 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\Canneverbe Limited
2011-04-22 16:59:36 -------- d-----w- C:\ProgramData\Canneverbe Limited
.
==================== Find3M ====================
.
2011-04-20 19:36:27 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-04-20 16:23:27 25592 ----a-w- C:\Windows\System32\drivers\sdcfilter.sys
2011-04-20 16:23:20 35568 ----a-w- C:\Windows\System32\SophosBootTasks.exe
2011-04-20 16:23:19 142328 ----a-w- C:\Windows\System32\drivers\savonaccess.sys
2011-04-20 16:23:07 183024 ----a-w- C:\Windows\System32\sdccoinstaller.dll
2011-04-20 16:23:04 25608 ----a-w- C:\Windows\System32\drivers\SophosBootDriver.sys
2011-04-20 14:46:48 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2011-04-20 14:46:47 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-04-20 14:46:47 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-04-12 17:31:32 507904 ----a-r- C:\Windows\SysWow64\btwapi.dll
2011-04-06 20:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll
2011-04-06 20:26:58 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-04-06 20:26:58 237856 ----a-w- C:\Windows\System32\dnssdX.dll
2011-04-06 20:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2011-04-06 20:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
.
============= FINISH: 9:31:48.53 ===============

Attached File(s)

Attach.txt (11.47K)
Number of downloads: 1
gmer.log (393bytes)
Number of downloads: 0

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 28 May 2011 - 03:05 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

.logs from DDS
log from RKUnHooker
let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 31 May 2011 - 01:20 PM

Defogger: did not run, error message "You must be an administrator to use Defogger" (I have admin rights on the laptop)
DDS logs attached below.
RKUnhookerLE did not run, error message:

Exception code : 0xC0000005
Instruction address : 0x00402EAA
Attempt to read at address : 0xFFFFFFFF

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Phil.Geyskens at 14:06:54 on 2011-05-31
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3958.1182 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe
C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe
C:\Program Files (x86)\LANDesk\LDClient\LocalSch.EXE
C:\Windows\SysWOW64\CBA\pds.exe
C:\PROGRA~2\LANDesk\LDClient\issuser.exe
C:\Program Files (x86)\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files (x86)\LANDesk\LDClient\collector.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\LANDesk\LDClient\softmon.exe
C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\PROGRA~2\LANDesk\LDClient\rcgui.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoHelper_en.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Users\phil.geyskens\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Dell\Reader 2.1\html2jpg.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\phil.geyskens\Desktop\dds.scr
C:\Windows\SysWOW64\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
mWinlogon: Userinit=userinit.exe,
BHO: {00C6482D-C502-44C8-8409-FCE54AD9C208} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [PlaxoUpdate] C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoHelper_en.exe -a
uRun: [PlaxoSysTray] C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoSysTray.exe
uRun: [Google Update] "C:\Users\phil.geyskens\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [DellBtrEvent] C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\PHIL~1.GEY\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\phil.geyskens\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\PHIL~1.GEY\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDDMST~1.LNK - C:\Program Files (x86)\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: HideShutdownScripts = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 600 (0x258)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: hhcc.com\vpn
DPF: {08496B45-6BB1-4F92-A8E6-B9E7978634CB} - hxxps://vpn.hhcc.com/nortel_cacheable/TrustSite.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://vpn.hhcc.com/nortel_cacheable/NetDirect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://vpn.hhcc.com/nortel_cacheable/iewiper.cab
DPF: {ACDB1787-986D-434D-9857-2172CDB2108D} - hxxps://vpn.hhcc.com/nortel_cacheable/punblock.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://cpvpn.hhcc.com/SNX/CSHELL/extender.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files (x86)\QlikView\QvProtocol\qvp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: {00C6482D-C502-44C8-8409-FCE54AD9C208} - No File
BHO-X64: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHOX64.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
mRun-x64: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe
mRun-x64: [Apoint] C:\Program Files\DellTPad\Apoint.exe
AppInit_DLLs-X64: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdcfltn.sys --> C:\Windows\system32\DRIVERS\stdcfltn.sys [?]
R1 DVMIO;DVMIO;C:\Program Files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-5-4 20624]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SAVOnAccess;SAVOnAccess;C:\Windows\system32\DRIVERS\savonaccess.sys --> C:\Windows\system32\DRIVERS\savonaccess.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-4-20 89600]
R2 CBA8;LANDesk® Management Agent;C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe [2009-11-4 147456]
R2 CISMBIOS;CISMBIOS;\??\C:\Windows\system32\drivers\cismbios.sys --> C:\Windows\system32\drivers\cismbios.sys [?]
R2 cpextender;Check Point SSL Network Extender;C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe [2010-11-28 353800]
R2 DvmMDES;DeviceVM Meta Data Export Service;C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-5-4 327680]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files (x86)\LANDesk\LDClient\policy.client.invoker.exe [2011-4-20 195072]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe [2011-4-20 182272]
R2 QDLService2kDell_CTC;Qualcomm Gobi 2000 Download Service (Dell_CTC);C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe [2010-5-17 331512]
R2 risdpcie;risdpcie;C:\Windows\system32\DRIVERS\risdpe64.sys --> C:\Windows\system32\DRIVERS\risdpe64.sys [?]
R2 SAVAdminService;Sophos Anti-Virus status reporter;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-4-20 163056]
R2 SAVService;Sophos Anti-Virus;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2011-4-20 97520]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files (x86)\LANDesk\LDClient\softmon.exe [2011-4-20 385024]
R2 Sophos Agent;Sophos Agent;C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [2011-4-20 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [2011-4-20 806912]
R2 swi_service;Sophos Web Intelligence Service;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2011-4-20 1541360]
R2 WDDMService;WDDMService;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-3-9 288768]
R2 WDSC;WD File Management Shadow Engine;C:\Program Files (x86)\Western Digital\WD Smartware\Front Parlor\WDSC.exe [2011-3-9 491920]
R2 WMCoreService;Mobile Broadband Service;C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode --> C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [?]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 ldmirror;ldmirror;C:\Windows\system32\DRIVERS\ldmirror.sys --> C:\Windows\system32\DRIVERS\ldmirror.sys [?]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\Windows\system32\DRIVERS\mirrorflt.sys --> C:\Windows\system32\DRIVERS\mirrorflt.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 VNA;Check Point Virtual Network Adapter;C:\Windows\system32\DRIVERS\vna.sys --> C:\Windows\system32\DRIVERS\vna.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot\SDWinSec.exe [2011-5-10 1153368]
S2 WDFME;WD File Management Engine;C:\Program Files (x86)\Western Digital\WD Smartware\Front Parlor\WDFME\WDFME.exe [2011-3-9 1066896]
S3 ldblank;Screen Blanking driver for Remote Control;C:\Windows\system32\DRIVERS\ldblank.sys --> C:\Windows\system32\DRIVERS\ldblank.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\20BA.tmp --> C:\Windows\system32\20BA.tmp [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
S3 sdcfilter;sdcfilter;C:\Windows\system32\DRIVERS\sdcfilter.sys --> C:\Windows\system32\DRIVERS\sdcfilter.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S4 ProcTrigger;LANDesk® Process Trigger Service;C:\Program Files (x86)\LANDesk\LDClient\ProcTriggerSvc.exe [2011-4-20 73216]
S4 SophosBootDriver;SophosBootDriver;C:\Windows\system32\DRIVERS\SophosBootDriver.sys --> C:\Windows\system32\DRIVERS\SophosBootDriver.sys [?]
S4 tracksvc;LANDesk® Power Management Track Service;C:\Program Files (x86)\LANDesk\LDClient\tracksvc.exe [2011-4-20 66048]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-05-27 18:39:51 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\C997.tmp
2011-05-27 18:39:51 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\C976.tmp
2011-05-27 18:39:51 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\C966.tmp
2011-05-27 02:33:17 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2943.tmp
2011-05-27 02:33:17 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2942.tmp
2011-05-27 02:33:17 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2932.tmp
2011-05-24 13:26:43 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\Xerox
2011-05-23 12:41:08 -------- d-----w- C:\Program Files (x86)\ESET
2011-05-22 20:01:49 -------- d-----w- C:\Program Files (x86)\Inkscape
2011-05-17 19:17:25 -------- d-----w- C:\Windows\5BCC634A58AD42F9B3C62EA52F81CF85.TMP
2011-05-16 09:23:17 388096 ----a-r- C:\Users\phil.geyskens\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-15 23:18:31 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2D87.tmp
2011-05-15 23:18:31 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2D67.tmp
2011-05-15 23:18:31 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2CF9.tmp
2011-05-15 19:35:54 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\56E9.tmp
2011-05-15 19:35:54 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\56B9.tmp
2011-05-15 19:35:54 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\5699.tmp
2011-05-15 18:30:22 65736 ----a-w- C:\Windows\System32\drivers\pxrts.sys
2011-05-13 13:37:47 -------- d-----w- C:\Program Files\Speccy
2011-05-13 13:37:21 -------- d-----w- C:\Program Files\Defraggler
2011-05-12 17:57:16 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-05-12 09:40:34 20040 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-05-12 09:40:05 -------- d-----w- C:\ProgramData\Hitman Pro
2011-05-11 22:29:23 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2011-05-10 17:56:04 -------- d-----w- C:\ProgramData\PrevxCSI
2011-05-10 17:40:41 6144 ------w- C:\Windows\System32\20BA.tmp
2011-05-10 17:39:19 6144 ------w- C:\Windows\System32\DF65.tmp
2011-05-10 16:29:59 6144 ------w- C:\Windows\System32\3ABF.tmp
2011-05-10 16:28:36 6144 ------w- C:\Windows\System32\F99A.tmp
2011-05-10 15:25:25 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-05-10 15:20:46 -------- d-----w- C:\Windows\pss
2011-05-10 13:36:40 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\{D6908907-8732-4EF9-AF9E-44F43EED5366}
2011-05-10 13:36:25 -------- d-----w- C:\Users\phil.geyskens\Tracing
2011-05-10 13:28:15 -------- d-----w- C:\Windows\en
2011-05-10 13:22:33 69464 ----a-w- C:\Windows\SysWow64\XAPOFX1_3.dll
2011-05-10 13:22:33 523088 ----a-w- C:\Windows\System32\d3dx10_42.dll
2011-05-10 13:22:33 515416 ----a-w- C:\Windows\SysWow64\XAudio2_5.dll
2011-05-10 13:22:33 453456 ----a-w- C:\Windows\SysWow64\d3dx10_42.dll
2011-05-10 13:22:28 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-05-10 13:22:28 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-05-10 13:22:12 1164800 ----a-w- C:\Windows\SysWow64\UIRibbonRes.dll
2011-05-10 13:22:11 3860992 ----a-w- C:\Windows\System32\UIRibbon.dll
2011-05-10 13:22:11 2983424 ----a-w- C:\Windows\SysWow64\UIRibbon.dll
2011-05-10 13:22:11 1164800 ----a-w- C:\Windows\System32\UIRibbonRes.dll
2011-05-10 13:19:00 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d359f80a1cc0f1419\MeshBetaRemover.exe
2011-05-10 13:18:56 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d08960781cc0f1418\DSETUP.dll
2011-05-10 13:18:56 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d08960781cc0f1418\DXSETUP.exe
2011-05-10 13:18:56 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d08960781cc0f1418\dsetup32.dll
2011-05-10 13:18:52 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cd7e56771cc0f1417\DSETUP.dll
2011-05-10 13:18:52 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cd7e56771cc0f1417\DXSETUP.exe
2011-05-10 13:18:52 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cd7e56771cc0f1417\dsetup32.dll
2011-05-10 13:16:37 -------- d-----w- C:\Users\phil.geyskens\AppData\Local\Windows Live
2011-05-10 13:16:36 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-05-10 12:04:49 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-05-10 12:04:49 -------- d-----w- C:\Program Files (x86)\Spybot
2011-05-09 06:53:33 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\117F.tmp
2011-05-09 06:53:33 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\116E.tmp
2011-05-09 06:53:33 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\115E.tmp
2011-05-09 04:00:44 -------- d-----w- C:\Program Files (x86)\LinkedIn
2011-05-09 03:58:49 -------- d-----w- C:\Program Files (x86)\MSECache
2011-05-09 03:57:47 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\1E18.tmp
2011-05-09 03:57:47 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\1E17.tmp
2011-05-09 03:57:47 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\1E16.tmp
2011-05-08 06:49:08 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-08 06:49:07 -------- d-----w- C:\ProgramData\Malwarebytes
2011-05-07 15:26:54 178688 --sha-r- C:\Windows\SysWow64\wsecedit7.dll
2011-05-06 20:18:01 8802128 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{19E57FCD-375D-4B7D-A6F7-4CF68E2A905D}\mpengine.dll
2011-05-06 11:07:08 -------- d-----w- C:\Users\phil.geyskens\AppData\Roaming\KeePass
2011-05-06 10:56:55 -------- d-----w- C:\Program Files (x86)\KeePass Password Safe 2
2011-05-03 23:49:58 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\B211.tmp
2011-05-03 23:49:58 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\B174.tmp
2011-05-03 23:49:58 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\B173.tmp
2011-05-03 03:03:45 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2717.tmp
2011-05-03 03:03:45 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2716.tmp
2011-05-03 03:03:45 0 ----a-w- C:\Users\phil.geyskens\AppData\Local\2705.tmp
.
==================== Find3M ====================
.
2011-04-20 19:36:27 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-04-20 16:23:27 25592 ----a-w- C:\Windows\System32\drivers\sdcfilter.sys
2011-04-20 16:23:20 35568 ----a-w- C:\Windows\System32\SophosBootTasks.exe
2011-04-20 16:23:19 142328 ----a-w- C:\Windows\System32\drivers\savonaccess.sys
2011-04-20 16:23:07 183024 ----a-w- C:\Windows\System32\sdccoinstaller.dll
2011-04-20 16:23:04 25608 ----a-w- C:\Windows\System32\drivers\SophosBootDriver.sys
2011-04-20 14:46:48 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2011-04-20 14:46:47 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-04-20 14:46:47 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-04-12 17:31:32 507904 ----a-r- C:\Windows\SysWow64\btwapi.dll
2011-04-06 20:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll
2011-04-06 20:26:58 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-04-06 20:26:58 237856 ----a-w- C:\Windows\System32\dnssdX.dll
2011-04-06 20:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2011-04-06 20:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
.
============= FINISH: 14:07:46.41 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/20/2011 10:44:27 AM
System Uptime: 5/31/2011 11:01:59 AM (3 hours ago)
.
Motherboard: Dell Inc. | | 04HKYP
Processor: Intel® Core™ i7 CPU M 620 @ 2.67GHz | CPU 1 | 2640/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 196.864 GiB free.
D: is CDROM ()
K: is NetworkDisk (NTFS) - 20480 GiB total, 2575.077 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Broadcom USH
Device ID: USB\VID_0A5C&PID_5800&MI_00\7&66DE6C9&0&0000
Manufacturer:
Name: Broadcom USH
PNP Device ID: USB\VID_0A5C&PID_5800&MI_00\7&66DE6C9&0&0000
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Apple Application Support
Apple Software Update
Auslogics Duplicate File Finder
BlackBerry Desktop Software 6.0.2
Check Point Deployment Shell
Check Point SSL Network Extender Service
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
D3DX10
Dell Driver Download Manager
Dell Wireless HSPA Mini-Card Drivers
Dropbox
ESET Online Scanner v3
Evernote v. 4.3.1
FileHippo.com Update Checker
Google Chrome
GoToMeeting 4.5.0.457
HandBrake 0.9.5
HiJackThis
IDT Audio
Inkscape 0.48.1
Intel® Graphics Media Accelerator Driver
Java Auto Updater
Java™ 6 Update 24
KeePass Password Safe 2.15
LANDesk Advance Agent
LANDesk® Common Base Agent 8
LinkedIn Outlook Connector
Malwarebytes' Anti-Malware
Mesh Runtime
Messenger Companion
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Outlook Social Connector Provider for Facebook 32-bit
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSVCRT
Plaxo Toolbar for Windows
PrimoPDF -- brought to you by Nitro PDF Software
Qualcomm Gobi 2000 Package for Dell
QuickTime
Reader 2.1
Security Update for Microsoft PowerPoint 2010 (KB2519975)
Skype™ 5.3
Snagit 10
Sophos Anti-Virus
Sophos AutoUpdate
Sophos Remote Management System
Spybot - Search & Destroy
SyncBack
Times Reader
TreeSize Free V2.5
TweetDeck
Update for Microsoft Outlook Social Connector (KB2289116)
VLC media player 1.1.9
WebEx
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Yammer
.
==== Event Viewer Messages From Past Week ========
.
5/31/2011 8:35:57 AM, Error: Service Control Manager [7034] - The WD File Management Engine service terminated unexpectedly. It has done this 1 time(s).
5/31/2011 8:33:59 AM, Error: Microsoft-Windows-GroupPolicy [1058] - The processing of Group Policy failed. Windows attempted to read the file \\hillholliday.enterprise.int\sysvol\hillholliday.enterprise.int\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller.

File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
5/31/2011 7:25:42 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
5/31/2011 7:23:11 AM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
5/31/2011 7:23:02 AM, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
5/31/2011 7:22:57 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller.

Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
5/31/2011 7:22:56 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain HILLHOLLIDAY due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
5/30/2011 2:48:17 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
5/28/2011 10:43:27 AM, Error: Service Control Manager [7031] - The Check Point SSL Network Extender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 500 milliseconds: Restart the service.
5/24/2011 9:18:46 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {69B37063-2BB6-43B5-A109-60E69A77840F} and APPID {CD11FAB6-1C0E-45E1-BA31-5C6008EF2607} to the user HILLHOLLIDAY\Phil.Geyskens SID (S-1-5-21-725345543-1606980848-839522115-17574) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
.
==== End Of File ===========================

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 31 May 2011 - 02:18 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

:multiple Anti Virus programs:

AV: Microsoft Security Essentials
AV: Sophos Anti-Virus

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#5 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 02 June 2011 - 07:27 AM

Removed Microsoft Security Essentials
Disabled all Sophos processes
Downloaded and ran Combofix.exe - the code installs into the C:\3* directory, but does not run afterwards

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 June 2011 - 01:02 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#7 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 02 June 2011 - 03:52 PM

Ran TDSKiller - no infections found...

2011/06/02 16:50:37.0204 4448 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/06/02 16:50:37.0440 4448 ================================================================================
2011/06/02 16:50:37.0440 4448 SystemInfo:
2011/06/02 16:50:37.0440 4448
2011/06/02 16:50:37.0441 4448 OS Version: 6.1.7600 ServicePack: 0.0
2011/06/02 16:50:37.0441 4448 Product type: Workstation
2011/06/02 16:50:37.0441 4448 ComputerName: BW-PHILGEYSKENS
2011/06/02 16:50:37.0441 4448 UserName: Phil.Geyskens
2011/06/02 16:50:37.0441 4448 Windows directory: C:\Windows
2011/06/02 16:50:37.0441 4448 System windows directory: C:\Windows
2011/06/02 16:50:37.0441 4448 Running under WOW64
2011/06/02 16:50:37.0441 4448 Processor architecture: Intel x64
2011/06/02 16:50:37.0441 4448 Number of processors: 4
2011/06/02 16:50:37.0441 4448 Page size: 0x1000
2011/06/02 16:50:37.0441 4448 Boot type: Normal boot
2011/06/02 16:50:37.0441 4448 ================================================================================
2011/06/02 16:50:39.0190 4448 Initialize success
2011/06/02 16:50:42.0468 6740 ================================================================================
2011/06/02 16:50:42.0468 6740 Scan started
2011/06/02 16:50:42.0468 6740 Mode: Manual;
2011/06/02 16:50:42.0468 6740 ================================================================================
2011/06/02 16:50:44.0213 6740 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/06/02 16:50:44.0294 6740 Acceler (e0065cbf1a25c015c218457d2cd522b9) C:\Windows\system32\DRIVERS\Accelern.sys
2011/06/02 16:50:44.0337 6740 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2011/06/02 16:50:44.0372 6740 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2011/06/02 16:50:44.0436 6740 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/06/02 16:50:44.0494 6740 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2011/06/02 16:50:44.0534 6740 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2011/06/02 16:50:44.0609 6740 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2011/06/02 16:50:44.0660 6740 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2011/06/02 16:50:44.0717 6740 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2011/06/02 16:50:44.0779 6740 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2011/06/02 16:50:44.0831 6740 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2011/06/02 16:50:44.0872 6740 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2011/06/02 16:50:44.0920 6740 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2011/06/02 16:50:44.0980 6740 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/06/02 16:50:45.0033 6740 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2011/06/02 16:50:45.0112 6740 ApfiltrService (8655a2983a86d6675135b1ff6892055d) C:\Windows\system32\DRIVERS\Apfiltr.sys
2011/06/02 16:50:45.0172 6740 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2011/06/02 16:50:45.0258 6740 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2011/06/02 16:50:45.0314 6740 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2011/06/02 16:50:45.0363 6740 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/06/02 16:50:45.0445 6740 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2011/06/02 16:50:45.0552 6740 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2011/06/02 16:50:45.0657 6740 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2011/06/02 16:50:45.0742 6740 BCM42RLY (ac4e2d84de54cd3a013aeff0cc56095c) C:\Windows\system32\drivers\BCM42RLY.sys
2011/06/02 16:50:45.0868 6740 BCM43XX (8b5d16d20774fc3727f44e161be2c0ac) C:\Windows\system32\DRIVERS\bcmwl664.sys
2011/06/02 16:50:45.0951 6740 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2011/06/02 16:50:46.0145 6740 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/06/02 16:50:46.0202 6740 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2011/06/02 16:50:46.0241 6740 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/06/02 16:50:46.0271 6740 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/06/02 16:50:46.0317 6740 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2011/06/02 16:50:46.0356 6740 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/06/02 16:50:46.0386 6740 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/06/02 16:50:46.0414 6740 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/06/02 16:50:46.0507 6740 BthEnum (cf98190a94f62e405c8cb255018b2315) C:\Windows\system32\DRIVERS\BthEnum.sys
2011/06/02 16:50:46.0545 6740 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/06/02 16:50:46.0587 6740 BthPan (02dd601b708dd0667e1331fa8518e9ff) C:\Windows\system32\DRIVERS\bthpan.sys
2011/06/02 16:50:46.0623 6740 BTHPORT (a51fa9d0e85d5adabef72e67f386309c) C:\Windows\system32\Drivers\BTHport.sys
2011/06/02 16:50:46.0715 6740 BTHUSB (f740b9a16b2c06700f2130e19986bf3b) C:\Windows\system32\Drivers\BTHUSB.sys
2011/06/02 16:50:46.0831 6740 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/06/02 16:50:46.0879 6740 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2011/06/02 16:50:46.0927 6740 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2011/06/02 16:50:46.0978 6740 CISMBIOS (51e5e8b0f4bc030dc6e554a4b48e5705) C:\Windows\system32\drivers\cismbios.sys
2011/06/02 16:50:47.0036 6740 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2011/06/02 16:50:47.0085 6740 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/06/02 16:50:47.0126 6740 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2011/06/02 16:50:47.0254 6740 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2011/06/02 16:50:47.0304 6740 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2011/06/02 16:50:47.0349 6740 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/06/02 16:50:47.0499 6740 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/06/02 16:50:47.0574 6740 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
2011/06/02 16:50:47.0678 6740 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2011/06/02 16:50:47.0755 6740 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2011/06/02 16:50:47.0786 6740 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2011/06/02 16:50:47.0862 6740 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2011/06/02 16:50:48.0017 6740 DVMIO (ad00375d9aba8db72d0e38129af0277a) C:\Program Files (x86)\Dell\Reader 2.1\dvmio_x64.sys
2011/06/02 16:50:48.0110 6740 DXGKrnl (1633b9abf52784a1331476397a48cbef) C:\Windows\System32\drivers\dxgkrnl.sys
2011/06/02 16:50:48.0178 6740 e1kexpress (60c5b36e07be8b3af3911c3d10303cfe) C:\Windows\system32\DRIVERS\e1k62x64.sys
2011/06/02 16:50:48.0305 6740 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2011/06/02 16:50:48.0466 6740 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2011/06/02 16:50:48.0526 6740 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2011/06/02 16:50:48.0606 6740 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2011/06/02 16:50:48.0659 6740 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2011/06/02 16:50:48.0722 6740 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2011/06/02 16:50:48.0770 6740 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2011/06/02 16:50:48.0806 6740 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2011/06/02 16:50:48.0856 6740 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/06/02 16:50:48.0911 6740 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2011/06/02 16:50:48.0946 6740 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2011/06/02 16:50:48.0987 6740 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2011/06/02 16:50:49.0024 6740 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
2011/06/02 16:50:49.0063 6740 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/06/02 16:50:49.0110 6740 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/06/02 16:50:49.0168 6740 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2011/06/02 16:50:49.0237 6740 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2011/06/02 16:50:49.0298 6740 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/06/02 16:50:49.0314 6740 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/06/02 16:50:49.0355 6740 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2011/06/02 16:50:49.0391 6740 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2011/06/02 16:50:49.0467 6740 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2011/06/02 16:50:49.0555 6740 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2011/06/02 16:50:49.0621 6740 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2011/06/02 16:50:49.0657 6740 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2011/06/02 16:50:49.0689 6740 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/06/02 16:50:49.0789 6740 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2011/06/02 16:50:50.0049 6740 igfx (c02b4a9988a5be86348c74d6f8cc7e81) C:\Windows\system32\DRIVERS\igdkmd64.sys
2011/06/02 16:50:50.0331 6740 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2011/06/02 16:50:50.0409 6740 Impcd (dd587a55390ed2295bce6d36ad567da9) C:\Windows\system32\DRIVERS\Impcd.sys
2011/06/02 16:50:50.0493 6740 IntcDAud (4429b91b0fe91f9be8e24e93cc960368) C:\Windows\system32\DRIVERS\IntcDAud.sys
2011/06/02 16:50:50.0627 6740 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2011/06/02 16:50:50.0697 6740 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2011/06/02 16:50:50.0743 6740 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/06/02 16:50:50.0812 6740 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2011/06/02 16:50:50.0856 6740 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2011/06/02 16:50:50.0926 6740 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2011/06/02 16:50:50.0984 6740 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2011/06/02 16:50:51.0043 6740 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/06/02 16:50:51.0148 6740 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/06/02 16:50:51.0229 6740 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/06/02 16:50:51.0309 6740 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2011/06/02 16:50:51.0372 6740 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
2011/06/02 16:50:51.0421 6740 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2011/06/02 16:50:51.0619 6740 ldblank (07aee92fd10bd36f48b01fc8c609e78b) C:\Windows\system32\DRIVERS\ldblank.sys
2011/06/02 16:50:51.0727 6740 ldmirror (af7ee29e43dc2909b855ead8747e24a9) C:\Windows\system32\DRIVERS\ldmirror.sys
2011/06/02 16:50:51.0857 6740 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2011/06/02 16:50:51.0959 6740 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/06/02 16:50:52.0010 6740 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/06/02 16:50:52.0077 6740 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/06/02 16:50:52.0116 6740 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/06/02 16:50:52.0190 6740 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2011/06/02 16:50:52.0263 6740 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2011/06/02 16:50:52.0359 6740 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/06/02 16:50:52.0639 6740 MEMSWEEP2 (d70476ad02d6fd75282b196d3b58831d) C:\Windows\system32\20BA.tmp
2011/06/02 16:50:52.0722 6740 mirrorflt (541a10534da3d78414674d1be164b2aa) C:\Windows\system32\DRIVERS\mirrorflt.sys
2011/06/02 16:50:52.0839 6740 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2011/06/02 16:50:52.0922 6740 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2011/06/02 16:50:52.0964 6740 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2011/06/02 16:50:53.0059 6740 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2011/06/02 16:50:53.0119 6740 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2011/06/02 16:50:53.0139 6740 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2011/06/02 16:50:53.0188 6740 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2011/06/02 16:50:53.0241 6740 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2011/06/02 16:50:53.0308 6740 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/06/02 16:50:53.0396 6740 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/06/02 16:50:53.0441 6740 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/06/02 16:50:53.0482 6740 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2011/06/02 16:50:53.0583 6740 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2011/06/02 16:50:53.0670 6740 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2011/06/02 16:50:53.0717 6740 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2011/06/02 16:50:53.0802 6740 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/06/02 16:50:53.0900 6740 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2011/06/02 16:50:53.0976 6740 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/06/02 16:50:54.0025 6740 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2011/06/02 16:50:54.0139 6740 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2011/06/02 16:50:54.0187 6740 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/06/02 16:50:54.0256 6740 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2011/06/02 16:50:54.0325 6740 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/06/02 16:50:54.0402 6740 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2011/06/02 16:50:54.0497 6740 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2011/06/02 16:50:54.0627 6740 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2011/06/02 16:50:54.0689 6740 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/06/02 16:50:54.0756 6740 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/06/02 16:50:54.0823 6740 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/06/02 16:50:54.0876 6740 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/06/02 16:50:54.0928 6740 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2011/06/02 16:50:55.0031 6740 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2011/06/02 16:50:55.0094 6740 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2011/06/02 16:50:55.0210 6740 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/06/02 16:50:55.0435 6740 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2011/06/02 16:50:55.0518 6740 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2011/06/02 16:50:55.0734 6740 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2011/06/02 16:50:55.0786 6740 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2011/06/02 16:50:55.0846 6740 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2011/06/02 16:50:55.0903 6740 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2011/06/02 16:50:55.0980 6740 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2011/06/02 16:50:56.0035 6740 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/06/02 16:50:56.0159 6740 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2011/06/02 16:50:56.0212 6740 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2011/06/02 16:50:56.0291 6740 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2011/06/02 16:50:56.0321 6740 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2011/06/02 16:50:56.0396 6740 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/06/02 16:50:56.0451 6740 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2011/06/02 16:50:56.0523 6740 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2011/06/02 16:50:56.0883 6740 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2011/06/02 16:50:56.0962 6740 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2011/06/02 16:50:57.0075 6740 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2011/06/02 16:50:57.0260 6740 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2011/06/02 16:50:57.0343 6740 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/06/02 16:50:57.0436 6740 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2011/06/02 16:50:57.0496 6740 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2011/06/02 16:50:57.0629 6740 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/06/02 16:50:57.0721 6740 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/06/02 16:50:57.0787 6740 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/06/02 16:50:57.0900 6740 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2011/06/02 16:50:57.0971 6740 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2011/06/02 16:50:58.0055 6740 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/06/02 16:50:58.0132 6740 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/06/02 16:50:58.0263 6740 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
2011/06/02 16:50:58.0354 6740 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2011/06/02 16:50:58.0439 6740 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2011/06/02 16:50:58.0522 6740 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2011/06/02 16:50:58.0582 6740 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2011/06/02 16:50:58.0678 6740 RFCOMM (3dd798846e2c28102b922c56e71b7932) C:\Windows\system32\DRIVERS\rfcomm.sys
2011/06/02 16:50:58.0828 6740 RimVSerPort (c903d49655b4aae46673f0aaa6be0f58) C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys
2011/06/02 16:50:59.0023 6740 risdpcie (91c2ae052652e7abd88155f11d667ed2) C:\Windows\system32\DRIVERS\risdpe64.sys
2011/06/02 16:50:59.0167 6740 ROOTMODEM (388d3dd1a6457280f3badba9f3acd6b1) C:\Windows\system32\Drivers\RootMdm.sys
2011/06/02 16:50:59.0289 6740 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2011/06/02 16:50:59.0363 6740 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
2011/06/02 16:50:59.0587 6740 SAVOnAccess (d9057e8ca97628e275979a09ea66b34b) C:\Windows\system32\DRIVERS\savonaccess.sys
2011/06/02 16:50:59.0693 6740 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2011/06/02 16:51:00.0119 6740 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2011/06/02 16:51:00.0369 6740 sdbus (2c8d162efaf73abd36d8bcbb6340cae7) C:\Windows\system32\DRIVERS\sdbus.sys
2011/06/02 16:51:00.0442 6740 sdcfilter (894bfbec492e9e838d9e4406a90a3edb) C:\Windows\system32\DRIVERS\sdcfilter.sys
2011/06/02 16:51:00.0555 6740 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/06/02 16:51:00.0629 6740 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2011/06/02 16:51:00.0695 6740 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2011/06/02 16:51:00.0739 6740 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2011/06/02 16:51:00.0844 6740 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/06/02 16:51:00.0890 6740 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2011/06/02 16:51:00.0936 6740 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/06/02 16:51:01.0032 6740 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/06/02 16:51:01.0089 6740 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/06/02 16:51:01.0141 6740 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/06/02 16:51:01.0263 6740 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2011/06/02 16:51:01.0480 6740 SophosBootDriver (69fbe35a8165adbc313aa7f64b868ca1) C:\Windows\system32\DRIVERS\SophosBootDriver.sys
2011/06/02 16:51:01.0530 6740 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2011/06/02 16:51:01.0617 6740 srv (de6f5658da951c4bc8e498570b5b0d5f) C:\Windows\system32\DRIVERS\srv.sys
2011/06/02 16:51:01.0755 6740 srv2 (4d33d59c0b930c523d29f9bd40cda9d2) C:\Windows\system32\DRIVERS\srv2.sys
2011/06/02 16:51:01.0926 6740 srvnet (5a663fd67049267bc5c3f3279e631ffb) C:\Windows\system32\DRIVERS\srvnet.sys
2011/06/02 16:51:02.0036 6740 stdcfltn (92e7f6666633d2dd91d527503daa7be0) C:\Windows\system32\DRIVERS\stdcfltn.sys
2011/06/02 16:51:02.0129 6740 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2011/06/02 16:51:02.0234 6740 STHDA (da40d9c9ccb9836d6abd1706935a2277) C:\Windows\system32\DRIVERS\stwrt64.sys
2011/06/02 16:51:02.0385 6740 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
2011/06/02 16:51:02.0519 6740 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
2011/06/02 16:51:02.0590 6740 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2011/06/02 16:51:02.0930 6740 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
2011/06/02 16:51:03.0013 6740 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
2011/06/02 16:51:03.0140 6740 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/06/02 16:51:03.0186 6740 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2011/06/02 16:51:03.0300 6740 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2011/06/02 16:51:03.0340 6740 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2011/06/02 16:51:03.0425 6740 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2011/06/02 16:51:03.0574 6740 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/06/02 16:51:03.0681 6740 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2011/06/02 16:51:03.0753 6740 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2011/06/02 16:51:03.0813 6740 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2011/06/02 16:51:03.0937 6740 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2011/06/02 16:51:04.0012 6740 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2011/06/02 16:51:04.0054 6740 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2011/06/02 16:51:04.0128 6740 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/06/02 16:51:04.0201 6740 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2011/06/02 16:51:04.0271 6740 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2011/06/02 16:51:04.0334 6740 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
2011/06/02 16:51:04.0402 6740 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2011/06/02 16:51:04.0451 6740 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2011/06/02 16:51:04.0493 6740 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/06/02 16:51:04.0538 6740 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/06/02 16:51:04.0638 6740 usbvideo (7cb8c573c6e4a2714402cc0a36eab4fe) C:\Windows\System32\Drivers\usbvideo.sys
2011/06/02 16:51:04.0753 6740 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
2011/06/02 16:51:04.0789 6740 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/06/02 16:51:04.0847 6740 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2011/06/02 16:51:04.0903 6740 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
2011/06/02 16:51:04.0978 6740 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
2011/06/02 16:51:05.0108 6740 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
2011/06/02 16:51:05.0199 6740 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
2011/06/02 16:51:05.0319 6740 VNA (a96afa32f73c065b9ae9d1554cdd00fc) C:\Windows\system32\DRIVERS\vna.sys
2011/06/02 16:51:05.0406 6740 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
2011/06/02 16:51:05.0521 6740 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
2011/06/02 16:51:05.0829 6740 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
2011/06/02 16:51:05.0861 6740 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/06/02 16:51:05.0946 6740 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
2011/06/02 16:51:06.0016 6740 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
2011/06/02 16:51:06.0088 6740 vwifimp (6a638fc4bfddc4d9b186c28c91bd1a01) C:\Windows\system32\DRIVERS\vwifimp.sys
2011/06/02 16:51:06.0150 6740 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2011/06/02 16:51:06.0246 6740 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/02 16:51:06.0302 6740 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/02 16:51:06.0474 6740 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2011/06/02 16:51:06.0767 6740 WDC_SAM (a3d04ebf5227886029b4532f20d026f7) C:\Windows\system32\DRIVERS\wdcsam64.sys
2011/06/02 16:51:06.0949 6740 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/06/02 16:51:07.0683 6740 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/06/02 16:51:07.0736 6740 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2011/06/02 16:51:07.0913 6740 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUSB.sys
2011/06/02 16:51:08.0162 6740 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/06/02 16:51:08.0259 6740 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2011/06/02 16:51:08.0350 6740 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2011/06/02 16:51:08.0391 6740 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/06/02 16:51:08.0527 6740 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/06/02 16:51:08.0547 6740 ================================================================================
2011/06/02 16:51:08.0547 6740 Scan finished
2011/06/02 16:51:08.0547 6740 ================================================================================
2011/06/02 16:51:08.0562 1780 Detected object count: 0
2011/06/02 16:51:08.0562 1780 Actual detected object count: 0

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 June 2011 - 04:49 PM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo

<-- Don't worry every little bit helps.

#9 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 02 June 2011 - 05:28 PM

Ran without a glitch... Log file below...

ComboFix 11-06-02.02 - Phil.Geyskens 06/02/2011 18:10:44.2.4 - x64 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3958.3167 [GMT -4:00]
Running from: c:\users\phil.geyskens\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\156D.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\156E.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\156F.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\1E5B.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\1E5C.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\1E5D.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\2763.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\2764.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\2765.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\34C5.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\34C6.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\34C7.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\3530.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\3531.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\3532.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\3600.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\3601.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\3602.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\450D.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\451E.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\451F.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\9637.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\9638.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\9639.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\BDB5.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\BDB6.tmp
c:\users\phil.geyskens\AppData\Local\Microsoft\Windows\Temporary Internet Files\BDB7.tmp
.
----- BITS: Possible infected sites -----
.
hxxp://update.hillholliday.enterprise.int
.
((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
.
.
2011-06-02 22:14 . 2011-06-02 22:14 -------- d-----w- c:\users\SuperUser\AppData\Local\temp
2011-06-02 22:14 . 2011-06-02 22:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-02 22:14 . 2011-06-02 22:14 -------- d-----w- c:\users\Administrator.BW-PhilGeyskens\AppData\Local\temp
2011-06-02 20:48 . 2011-06-02 20:48 -------- d-----w- c:\program files (x86)\uTorrent
2011-06-02 20:47 . 2011-06-02 21:55 -------- d-----w- c:\users\phil.geyskens\AppData\Roaming\uTorrent
2011-05-31 18:10 . 2011-05-31 18:14 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
2011-05-27 18:39 . 2011-05-27 18:39 0 ----a-w- c:\users\phil.geyskens\AppData\Local\C997.tmp
2011-05-27 18:39 . 2011-05-27 18:39 0 ----a-w- c:\users\phil.geyskens\AppData\Local\C976.tmp
2011-05-27 18:39 . 2011-05-27 18:39 0 ----a-w- c:\users\phil.geyskens\AppData\Local\C966.tmp
2011-05-27 02:33 . 2011-05-27 02:33 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2943.tmp
2011-05-27 02:33 . 2011-05-27 02:33 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2942.tmp
2011-05-27 02:33 . 2011-05-27 02:33 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2932.tmp
2011-05-24 13:26 . 2011-05-24 13:26 -------- d-----w- c:\users\phil.geyskens\AppData\Roaming\Xerox
2011-05-22 20:01 . 2011-05-22 20:05 -------- d-----w- c:\program files (x86)\Inkscape
2011-05-17 19:17 . 2011-05-17 19:17 -------- d-----w- c:\windows\5BCC634A58AD42F9B3C62EA52F81CF85.TMP
2011-05-16 09:23 . 2011-05-16 09:23 388096 ----a-r- c:\users\phil.geyskens\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-15 23:18 . 2011-05-15 23:18 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2D87.tmp
2011-05-15 23:18 . 2011-05-15 23:18 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2D67.tmp
2011-05-15 23:18 . 2011-05-15 23:18 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2CF9.tmp
2011-05-15 19:35 . 2011-05-15 19:35 0 ----a-w- c:\users\phil.geyskens\AppData\Local\56E9.tmp
2011-05-15 19:35 . 2011-05-15 19:35 0 ----a-w- c:\users\phil.geyskens\AppData\Local\56B9.tmp
2011-05-15 19:35 . 2011-05-15 19:35 0 ----a-w- c:\users\phil.geyskens\AppData\Local\5699.tmp
2011-05-15 18:30 . 2011-05-15 18:30 65736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-05-13 13:37 . 2011-05-13 13:37 -------- d-----w- c:\program files\Speccy
2011-05-13 13:37 . 2011-05-13 13:37 -------- d-----w- c:\program files\Defraggler
2011-05-12 17:57 . 2011-05-12 17:57 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-12 09:40 . 2011-05-20 21:04 20040 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-12 09:40 . 2011-05-12 09:40 -------- d-----w- c:\programdata\Hitman Pro
2011-05-11 22:29 . 2011-05-11 22:31 34560 ----a-w- c:\windows\SysWow64\drivers\Normandy.sys
2011-05-10 17:56 . 2011-05-15 18:30 -------- d-----w- c:\programdata\PrevxCSI
2011-05-10 17:40 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\20BA.tmp
2011-05-10 17:39 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\DF65.tmp
2011-05-10 16:29 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\3ABF.tmp
2011-05-10 16:28 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\F99A.tmp
2011-05-10 15:25 . 2011-05-10 15:25 -------- d-----w- c:\program files (x86)\Trend Micro
2011-05-10 13:36 . 2011-05-10 13:36 -------- d-----w- c:\users\phil.geyskens\AppData\Local\{D6908907-8732-4EF9-AF9E-44F43EED5366}
2011-05-10 13:36 . 2011-05-17 18:11 -------- d-----w- c:\users\phil.geyskens\Tracing
2011-05-10 13:28 . 2011-05-10 13:28 -------- d-----w- c:\windows\en
2011-05-10 13:23 . 2011-05-10 13:28 -------- d-----w- c:\program files (x86)\Windows Live
2011-05-10 13:22 . 2011-05-10 13:22 -------- d-----w- c:\program files\Windows Live
2011-05-10 13:22 . 2009-09-04 21:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll
2011-05-10 13:22 . 2009-09-04 21:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll
2011-05-10 13:22 . 2009-09-04 21:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll
2011-05-10 13:22 . 2009-09-04 21:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-05-10 13:22 . 2006-11-29 17:06 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll
2011-05-10 13:22 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\SysWow64\d3dx9_32.dll
2011-05-10 13:22 . 2010-08-11 04:35 1164800 ----a-w- c:\windows\SysWow64\UIRibbonRes.dll
2011-05-10 13:22 . 2010-08-11 05:19 3860992 ----a-w- c:\windows\system32\UIRibbon.dll
2011-05-10 13:22 . 2010-08-11 05:13 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-05-10 13:22 . 2010-08-11 04:44 2983424 ----a-w- c:\windows\SysWow64\UIRibbon.dll
2011-05-10 13:16 . 2011-05-10 15:14 -------- d-----w- c:\users\phil.geyskens\AppData\Local\Windows Live
2011-05-10 13:16 . 2011-05-10 13:16 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
2011-05-10 12:04 . 2011-05-21 15:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-05-10 12:04 . 2011-05-10 12:11 -------- d-----w- c:\program files (x86)\Spybot
2011-05-09 06:53 . 2011-05-09 06:53 0 ----a-w- c:\users\phil.geyskens\AppData\Local\117F.tmp
2011-05-09 06:53 . 2011-05-09 06:53 0 ----a-w- c:\users\phil.geyskens\AppData\Local\116E.tmp
2011-05-09 06:53 . 2011-05-09 06:53 0 ----a-w- c:\users\phil.geyskens\AppData\Local\115E.tmp
2011-05-09 04:00 . 2011-05-09 04:00 -------- d-----w- c:\program files (x86)\LinkedIn
2011-05-09 03:58 . 2011-05-09 03:58 -------- d-----w- c:\program files (x86)\MSECache
2011-05-09 03:57 . 2011-05-09 03:57 0 ----a-w- c:\users\phil.geyskens\AppData\Local\1E18.tmp
2011-05-09 03:57 . 2011-05-09 03:57 0 ----a-w- c:\users\phil.geyskens\AppData\Local\1E17.tmp
2011-05-09 03:57 . 2011-05-09 03:57 0 ----a-w- c:\users\phil.geyskens\AppData\Local\1E16.tmp
2011-05-08 06:49 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-08 06:49 . 2011-05-08 06:49 -------- d-----w- c:\programdata\Malwarebytes
2011-05-07 15:26 . 2011-05-07 15:26 178688 --sha-r- c:\windows\SysWow64\wsecedit7.dll
2011-05-06 11:07 . 2011-05-08 05:39 -------- d-----w- c:\users\phil.geyskens\AppData\Roaming\KeePass
2011-05-06 10:56 . 2011-05-06 10:56 -------- d-----w- c:\program files (x86)\KeePass Password Safe 2
2011-05-03 23:49 . 2011-05-03 23:49 0 ----a-w- c:\users\phil.geyskens\AppData\Local\B211.tmp
2011-05-03 23:49 . 2011-05-03 23:49 0 ----a-w- c:\users\phil.geyskens\AppData\Local\B174.tmp
2011-05-03 23:49 . 2011-05-03 23:49 0 ----a-w- c:\users\phil.geyskens\AppData\Local\B173.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 13:22 . 2010-06-24 15:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-03 03:03 . 2011-05-03 03:03 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2717.tmp
2011-05-03 03:03 . 2011-05-03 03:03 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2716.tmp
2011-05-03 03:03 . 2011-05-03 03:03 0 ----a-w- c:\users\phil.geyskens\AppData\Local\2705.tmp
2011-04-28 10:59 . 2011-04-28 10:59 0 ----a-w- c:\users\phil.geyskens\AppData\Local\7CDE.tmp
2011-04-28 10:59 . 2011-04-28 10:59 0 ----a-w- c:\users\phil.geyskens\AppData\Local\7C41.tmp
2011-04-28 10:59 . 2011-04-28 10:59 0 ----a-w- c:\users\phil.geyskens\AppData\Local\7C31.tmp
2011-04-20 19:36 . 2011-04-20 19:36 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-04-20 16:23 . 2011-04-20 16:23 25592 ----a-w- c:\windows\system32\drivers\sdcfilter.sys
2011-04-20 16:23 . 2011-04-20 16:23 35568 ----a-w- c:\windows\system32\SophosBootTasks.exe
2011-04-20 16:23 . 2011-04-20 16:23 142328 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2011-04-20 16:23 . 2011-04-20 16:24 183024 ----a-w- c:\windows\system32\sdccoinstaller.dll
2011-04-20 16:23 . 2011-04-20 16:23 25608 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2011-04-20 14:46 . 2011-04-20 14:47 29480 ----a-w- c:\windows\SysWow64\msxml3a.dll
2011-04-20 14:46 . 2011-04-20 14:47 505128 ----a-w- c:\windows\SysWow64\msvcp71.dll
2011-04-20 14:46 . 2011-04-20 14:47 353576 ----a-w- c:\windows\SysWow64\msvcr71.dll
2011-04-18 13:15 . 2011-04-20 16:06 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{512DACA0-0703-4EB1-8E37-F7DAEE0912A2}\mpengine.dll
2011-04-12 17:31 . 2011-04-12 17:31 507904 ----a-r- c:\windows\SysWow64\btwapi.dll
2011-04-06 20:26 . 2011-04-06 20:26 96544 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:26 . 2011-04-06 20:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:26 . 2011-04-06 20:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:26 . 2011-04-06 20:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-03-08 06:14 . 2011-04-20 21:38 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-08 05:38 . 2011-04-20 21:38 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"PlaxoUpdate"="c:\users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoHelper_en.exe" [2011-04-29 834952]
"PlaxoSysTray"="c:\users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoSysTray.exe" [2011-04-29 15752]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2011-06-02 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2011-04-10 1733120]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"DellBtrEvent"="c:\program files (x86)\Dell\Reader 2.1\DellBtrEvent.exe" [2010-05-13 160768]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\users\phil.geyskens\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-4-27 973824]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 4236288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"HideShutdownScripts"= 1 (0x1)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-725345543-1606980848-839522115-17574\Scripts\Logoff\0\0]
"Script"=macro.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-725345543-1606980848-839522115-17574\Scripts\Logon\0\0]
"Script"=AllBoston.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-725345543-1606980848-839522115-17574\Scripts\Logon\1\0]
"Script"=HHCC.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 DVMIO;DVMIO;c:\program files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-05-04 20624]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [x]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
R2 CBA8;LANDesk® Management Agent;c:\program files (x86)\LANDesk\Shared Files\residentagent.exe [2009-11-04 147456]
R2 CISMBIOS;CISMBIOS;c:\windows\system32\drivers\cismbios.sys [x]
R2 cpextender;Check Point SSL Network Extender;c:\program files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe [2010-11-28 353800]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\program files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-05-04 327680]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files (x86)\LANDesk\LDClient\policy.client.invoker.exe [2010-04-27 195072]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files (x86)\LANDesk\LDClient\tmcsvc.exe [2010-03-30 182272]
R2 QDLService2kDell_CTC;Qualcomm Gobi 2000 Download Service (Dell_CTC);c:\program files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe [2010-05-17 331512]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-04-20 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2011-04-20 97520]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot\SDWinSec.exe [2009-01-26 1153368]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files (x86)\LANDesk\LDClient\softmon.exe [2010-10-21 385024]
R2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2011-04-20 1541360]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-03-09 288768]
R2 WDFME;WD File Management Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2011-03-09 1066896]
R2 WDSC;WD File Management Shadow Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2011-03-09 491920]
R2 WMCoreService;Mobile Broadband Service;c:\program files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [x]
R3 BlackBox;BlackBox SR2; [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [x]
R3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\20BA.tmp [x]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [x]
R3 Normandy;Normandy SR2; [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R4 ProcTrigger;LANDesk® Process Trigger Service;c:\program files (x86)\LANDesk\LDClient\ProcTriggerSvc.exe [2010-03-23 73216]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [x]
R4 tracksvc;LANDesk® Power Management Track Service;c:\program files (x86)\LANDesk\LDClient\tracksvc.exe [2010-01-28 66048]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\DRIVERS\vna.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1606980848-839522115-17574Core.job
- c:\users\phil.geyskens\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-21 19:37]
.
2011-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1606980848-839522115-17574UA.job
- c:\users\phil.geyskens\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-21 19:37]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\phil.geyskens\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-07-22 487424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-31 417304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-31 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-31 386584]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-26 5712896]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 392048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
Trusted Zone: hhcc.com\vpn
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces: DhcpNameServer = 0.0.0.0
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files (x86)\QlikView\QvProtocol\qvp.dll
DPF: {08496B45-6BB1-4F92-A8E6-B9E7978634CB} - hxxps://vpn.hhcc.com/nortel_cacheable/TrustSite.cab
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://vpn.hhcc.com/nortel_cacheable/NetDirect.cab
DPF: {ACDB1787-986D-434D-9857-2172CDB2108D} - hxxps://vpn.hhcc.com/nortel_cacheable/punblock.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\20BA.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-02 18:15:50
ComboFix-quarantined-files.txt 2011-06-02 22:15
.
Pre-Run: 209,700,642,816 bytes free
Post-Run: 209,757,286,400 bytes free
.
- - End Of File - - 3DD022CEAB656BCD08F7B0CC195A2B1C

#10 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 02 June 2011 - 06:04 PM

Update...
Windows Security Center warning is gone
Have not been redirected in a while
Looks like a successful clean
Will be running Malwarebytes to remove any incremental infections.
Let me know what else I should do to make sure my laptop is (truly) clean.
Truly appreciate the help!
Cheers,
/Ph.

#11 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 June 2011 - 06:15 PM

Clear your Java Cache

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#12 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 02 June 2011 - 07:52 PM

Malwarebytes and Hijackthis ran without a hitch - logs below
But, I spoke to soon: Windows Security Center is still disabled and cannot be restarted.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6756

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/2/2011 8:48:00 PM
mbam-log-2011-06-02 (20-48-00).txt

Scan type: Quick scan
Objects scanned: 192299
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:49:51 PM, on 6/2/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoHelper_en.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
C:\Users\phil.geyskens\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\phil.geyskens\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellBtrEvent] C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Users\phil.geyskens\AppData\Local\Plaxo\3.26.0.13\PlaxoSysTray.exe
O4 - Startup: Dropbox.lnk = C:\Users\phil.geyskens\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: EvernoteClipper.lnk = C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {08496B45-6BB1-4F92-A8E6-B9E7978634CB} (Trustsite Control) - https://vpn.hhcc.com/nortel_cacheable/TrustSite.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://vpn.hhcc.com/nortel_cacheable/NetDirect.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://vpn.hhcc.com/nortel_cacheable/iewiper.cab
O16 - DPF: {ACDB1787-986D-434D-9857-2172CDB2108D} (popupunblk Class) - https://vpn.hhcc.com/nortel_cacheable/punblock.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://cpvpn.hhcc.com/SNX/CSHELL/extender.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hillholliday.enterprise.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hillholliday.enterprise.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hillholliday.enterprise.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hillholliday.enterprise.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hillholliday.enterprise.int
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hillholliday.enterprise.int
O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files (x86)\QlikView\QvProtocol\qvp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\sophos_detoured.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\AESTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk® Management Agent (CBA8) - Avocent Corporation - C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel Local Scheduler Service - Avocent Corporation - C:\Program Files (x86)\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\Windows\system32\CBA\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - Avocent Corporation - C:\PROGRA~2\LANDesk\LDClient\issuser.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LANDesk Policy Invoker - Avocent Corporation - C:\Program Files (x86)\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LANDesk Targeted Multicast - Avocent Corporation - C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Qualcomm Gobi 2000 Download Service (Dell_CTC) (QDLService2kDell_CTC) - QUALCOMM, Inc. - C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Inc. and its affiliates. - C:\Program Files (x86)\LANDesk\LDClient\softmon.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Plc - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WDDMService - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD File Management Engine (WDFME) - Unknown owner - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
O23 - Service: WD File Management Shadow Engine (WDSC) - Unknown owner - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
O23 - Service: DW WLAN Tray Service (wltrysvc) - Dell Inc. - C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
O23 - Service: Mobile Broadband Service (WMCoreService) - Ericsson AB - C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 14572 bytes

#13 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 June 2011 - 08:34 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brakets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the activex control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Click Scan
Wait for the scan to finish
Click on copy to clipboard and paste the results here in this topic
you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

<-- Don't worry every little bit helps.

#14 pgeyskens

Member

Group: Members
Posts: 19
Joined: 21-May 11

Posted 03 June 2011 - 07:25 AM

ESET ran without detecting any problems, even if ALL SYMPTOMS ARE BACK, i.e., both Windows Security Center is disable AND Google redirects. Whatever relief I experienced after running ComboFix was of temporary nature and my laptop is back into it's infected state...

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=c8801617348e32498ddba78cd569adb5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-03 02:55:40
# local_time=2011-06-02 10:55:40 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 1103526 1103526 0 0
# compatibility_mode=5893 16776574 100 94 2829074 58609701 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=8449 16775165 50 99 0 2828069 0 0
# scanned=111648
# found=0
# cleaned=0
# scan_time=3489
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=c8801617348e32498ddba78cd569adb5
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-03 04:49:37
# local_time=2011-06-03 12:49:37 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 1107951 1107951 0 0
# compatibility_mode=5893 16776574 100 94 2833499 58614126 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=8449 16775165 50 99 0 2832494 0 0
# scanned=111784
# found=0
# cleaned=0
# scan_time=5901