Unknown virus, svchost.exe error code

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

4 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

Unknown virus, svchost.exe error code

#1 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 10 September 2011 - 06:20 PM

I originally posted this issue here. http://www.bleepingcomputer.com/forums/topic418366.html The problems with this computer began with an infection with the Security Protection virus. Malwarebytes, Spybot, and Ad-Aware were run to try to rid the machine of the problem. Now Malwarebytes will not run - it starts and then disappears. After that, trying to launch gives the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." During preparation for this post, I was also unable to get GMER to generate a log. It would run and then the window would simply disappear. I was able to generate the needed DDS logs. They are attached as requested.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Run by Jennifer E. Olson at 17:55:26 on 2011-09-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.483 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\2426613655:1758485615.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
C:\Program Files\Lenovo\Lenovo Mouse Suite\Pelmiced.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jennifer E. Olson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jennifer E. Olson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\jennifer e. olson\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Daemon for Mouse Suite] c:\program files\lenovo\lenovo mouse suite\ICO.EXE
mRun: [SKDaemon.exe] c:\program files\lenovo\productivity keyboard\SKDaemon.exe
mRun: [volmgr] %APPDATA%\volmgr.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\jennif~1.ols\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{4738A7CD-80F4-4086-A79F-E5D477F146F2} : DhcpNameServer = 68.94.156.1 68.94.157.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Hosts: 95.64.61.141 www.google.com
Hosts: 95.64.61.142 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-13 64512]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-12-13 14336]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-6-24 12560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-7 24652]
R3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\PelPs2m.sys [2010-7-12 19818]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-10 41272]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-21 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-21 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-09-10 21:12:04 -------- d-----w- c:\program files\Runtime Software
2011-09-10 20:23:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-10 20:23:38 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-10 20:23:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-10 18:54:16 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-09-10 18:46:07 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-09-10 18:46:07 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-09-10 18:46:07 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-09-10 18:46:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-09-10 18:45:41 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-09-10 18:33:45 -------- d-----w- c:\windows\system32\PreInstall
2011-09-10 18:33:44 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-09-10 18:33:43 -------- d--h--w- c:\windows\$hf_mig$
2011-09-10 11:47:26 -------- d-----w- c:\program files\Lavasoft
2011-09-10 11:39:35 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-09-09 15:42:52 26624 ----a-w- c:\windows\system32\dll.dll
2011-09-09 15:40:31 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-09-09 15:40:30 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-09-09 15:40:30 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-09-09 15:40:30 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-09-09 15:23:51 -------- d-----w- c:\documents and settings\jennifer e. olson\application data\Poeceq
2011-09-09 15:23:50 -------- d-----w- c:\documents and settings\jennifer e. olson\application data\Oqdeyg
2011-09-09 15:23:45 -------- d-----w- c:\documents and settings\jennifer e. olson\application data\Gyat
2011-09-07 20:53:59 -------- d-----w- c:\documents and settings\jennifer e. olson\application data\Vataba
2011-09-07 20:53:59 -------- d-----w- c:\documents and settings\jennifer e. olson\application data\Hiityw
2011-09-07 17:16:06 295042 ----a-w- c:\windows\system32\shimg.dll
2011-09-07 03:03:32 -------- d-s---w- C:\ComboFix
2011-09-07 01:53:57 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-06 22:16:30 -------- d-sha-r- C:\cmdcons
2011-09-05 20:15:55 -------- d-----w- c:\program files\Spybot
2011-09-05 19:06:42 -------- d-----w- C:\System Recovery
2011-08-27 22:53:31 -------- d-----w- C:\Adobe
.
==================== Find3M ====================
.
2011-08-18 20:25:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-30 01:35:57 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST980825A___________________39T2564_LEN rev.3.07 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x865FB790]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8676EAB8]
3 CLASSPNP[0xF7650FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8672CB88]
\Driver\00000312[0x8665C4F8] -> IRP_MJ_CREATE -> 0x865FB790
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8666F2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:56:32.96 ===============

attach.txt (12.27K)
Number of downloads: 1

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,518
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 September 2011 - 01:40 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 12 September 2011 - 06:19 AM

Thank you for your reply and the beginning of your assistance. Combofix will download but it will not run. The error message is as follows:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,518
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 September 2011 - 07:53 AM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#5 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 12 September 2011 - 08:07 AM

I have run TDSSKiller. To follow is the log. I await further instruction. Thanks so much.

2011/09/12 07:58:41.0187 3460 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05
2011/09/12 07:58:41.0671 3460 ================================================================================
2011/09/12 07:58:41.0671 3460 SystemInfo:
2011/09/12 07:58:41.0671 3460
2011/09/12 07:58:41.0671 3460 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/12 07:58:41.0671 3460 Product type: Workstation
2011/09/12 07:58:41.0671 3460 ComputerName: JENNIFER
2011/09/12 07:58:41.0671 3460 UserName: Jennifer E. Olson
2011/09/12 07:58:41.0671 3460 Windows directory: C:\WINDOWS
2011/09/12 07:58:41.0671 3460 System windows directory: C:\WINDOWS
2011/09/12 07:58:41.0671 3460 Processor architecture: Intel x86
2011/09/12 07:58:41.0671 3460 Number of processors: 1
2011/09/12 07:58:41.0671 3460 Page size: 0x1000
2011/09/12 07:58:41.0671 3460 Boot type: Normal boot
2011/09/12 07:58:41.0671 3460 ================================================================================
2011/09/12 07:58:42.0265 3460 Initialize success
2011/09/12 07:58:49.0000 0500 ================================================================================
2011/09/12 07:58:49.0000 0500 Scan started
2011/09/12 07:58:49.0000 0500 Mode: Manual;
2011/09/12 07:58:49.0000 0500 ================================================================================
2011/09/12 07:58:49.0703 0500 972fa390 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2426613655:1758485615.exe
2011/09/12 07:58:50.0218 0500 Suspicious file (Hidden): C:\WINDOWS\2426613655:1758485615.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/09/12 07:58:50.0218 0500 972fa390 - detected HiddenFile.Multi.Generic (1)
2011/09/12 07:58:51.0140 0500 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/12 07:58:51.0468 0500 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/09/12 07:58:52.0109 0500 aeaudio (cde1f62fe63631b932ace2249fb11da0) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/09/12 07:58:52.0453 0500 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/12 07:58:52.0765 0500 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/12 07:58:54.0515 0500 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
2011/09/12 07:58:55.0718 0500 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/12 07:58:56.0078 0500 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/12 07:58:56.0781 0500 ati2mtag (d7cd23138e85b73caa6d41b8a103924a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/09/12 07:58:57.0265 0500 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/12 07:58:57.0593 0500 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/12 07:58:57.0937 0500 b57w2k (66dd574749c38153c6067ebba929befc) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/09/12 07:58:58.0296 0500 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/12 07:58:58.0625 0500 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/09/12 07:58:58.0937 0500 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/09/12 07:58:59.0281 0500 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/09/12 07:58:59.0593 0500 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/09/12 07:58:59.0968 0500 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/12 07:59:00.0296 0500 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/12 07:59:00.0906 0500 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/12 07:59:01.0250 0500 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/12 07:59:01.0578 0500 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/12 07:59:02.0218 0500 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/09/12 07:59:02.0546 0500 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/09/12 07:59:02.0875 0500 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/09/12 07:59:04.0078 0500 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/12 07:59:04.0437 0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/12 07:59:04.0765 0500 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/12 07:59:05.0078 0500 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/12 07:59:05.0421 0500 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/12 07:59:06.0031 0500 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/12 07:59:06.0375 0500 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/12 07:59:06.0703 0500 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/12 07:59:07.0015 0500 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/12 07:59:07.0375 0500 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/12 07:59:07.0718 0500 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/12 07:59:08.0031 0500 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/12 07:59:08.0375 0500 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/12 07:59:08.0703 0500 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/09/12 07:59:09.0015 0500 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/12 07:59:09.0406 0500 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/12 07:59:10.0015 0500 HSFHWICH (5bf94348801cddf7b2f3855830f93569) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2011/09/12 07:59:10.0390 0500 HSF_DPV (c9f4e7da78a02623abf78a4a34ce79b1) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/09/12 07:59:10.0765 0500 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/12 07:59:11.0656 0500 i8042prt (b1c437b7628cbe740a1d69baebde4207) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/12 07:59:11.0656 0500 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: b1c437b7628cbe740a1d69baebde4207, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
2011/09/12 07:59:11.0671 0500 i8042prt - detected Rootkit.Win32.ZAccess.e (0)
2011/09/12 07:59:12.0000 0500 IBMPMDRV (ff2dbf3b183516eec87dad241ec50e7a) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
2011/09/12 07:59:12.0312 0500 IBMTPCHK (3a7dbe81ec5edb96a0a61c7d4af3198d) C:\WINDOWS\system32\Drivers\IBMBLDID.sys
2011/09/12 07:59:12.0640 0500 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/12 07:59:13.0250 0500 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/12 07:59:13.0609 0500 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/12 07:59:14.0015 0500 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/12 07:59:14.0312 0500 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/12 07:59:14.0625 0500 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/12 07:59:14.0937 0500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/12 07:59:15.0281 0500 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/12 07:59:15.0625 0500 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/09/12 07:59:15.0953 0500 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/12 07:59:16.0296 0500 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/12 07:59:16.0656 0500 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/12 07:59:16.0968 0500 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/12 07:59:17.0296 0500 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/12 07:59:17.0640 0500 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/12 07:59:17.0781 0500 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/09/12 07:59:18.0093 0500 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/09/12 07:59:18.0703 0500 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/09/12 07:59:19.0046 0500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/12 07:59:19.0375 0500 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/12 07:59:19.0718 0500 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/12 07:59:20.0031 0500 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/12 07:59:20.0343 0500 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/12 07:59:20.0984 0500 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/12 07:59:21.0312 0500 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/12 07:59:21.0656 0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/12 07:59:21.0984 0500 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/12 07:59:22.0296 0500 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/12 07:59:22.0640 0500 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/12 07:59:22.0968 0500 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/12 07:59:23.0296 0500 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/12 07:59:23.0593 0500 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/12 07:59:23.0906 0500 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/12 07:59:24.0234 0500 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/12 07:59:24.0562 0500 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/12 07:59:24.0875 0500 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/12 07:59:25.0187 0500 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/12 07:59:25.0515 0500 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/12 07:59:25.0843 0500 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/12 07:59:26.0171 0500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/12 07:59:26.0515 0500 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/12 07:59:26.0906 0500 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/12 07:59:27.0234 0500 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
2011/09/12 07:59:27.0562 0500 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/12 07:59:27.0937 0500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/12 07:59:28.0265 0500 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/12 07:59:28.0578 0500 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/12 07:59:28.0890 0500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/12 07:59:29.0250 0500 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/12 07:59:29.0562 0500 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/12 07:59:29.0906 0500 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/12 07:59:30.0531 0500 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/09/12 07:59:30.0875 0500 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/09/12 07:59:32.0328 0500 pelmouse (b4d92797d295807d6739637538d01ccb) C:\WINDOWS\system32\DRIVERS\pelmouse.sys
2011/09/12 07:59:32.0625 0500 pelps2m (859b4b99dc669340434366a7351606a0) C:\WINDOWS\system32\DRIVERS\pelps2m.sys
2011/09/12 07:59:33.0515 0500 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
2011/09/12 07:59:33.0843 0500 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/12 07:59:34.0187 0500 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/12 07:59:34.0578 0500 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/12 07:59:34.0968 0500 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/12 07:59:36.0750 0500 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/12 07:59:37.0109 0500 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/09/12 07:59:37.0437 0500 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/12 07:59:37.0765 0500 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/12 07:59:38.0093 0500 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/12 07:59:38.0421 0500 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/12 07:59:38.0750 0500 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/12 07:59:39.0093 0500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/12 07:59:39.0421 0500 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/12 07:59:39.0750 0500 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/12 07:59:40.0093 0500 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/09/12 07:59:40.0437 0500 s24trans (1f950f97dbf5e0ba4fbbfaf074d3b47c) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/09/12 07:59:40.0765 0500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/12 07:59:41.0109 0500 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/12 07:59:41.0453 0500 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/12 07:59:41.0781 0500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/12 07:59:42.0437 0500 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/12 07:59:42.0593 0500 smihlp (fcc8edd602b50247c3e75bd23d4face6) C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
2011/09/12 07:59:42.0921 0500 smwdm (b09f23bf6e451b7a492b4a3d5eacfb24) C:\WINDOWS\system32\drivers\smwdm.sys
2011/09/12 07:59:43.0828 0500 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/12 07:59:44.0171 0500 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/12 07:59:44.0531 0500 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/12 07:59:44.0859 0500 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/12 07:59:45.0187 0500 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/12 07:59:45.0531 0500 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/12 07:59:47.0062 0500 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/12 07:59:47.0406 0500 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/12 07:59:47.0734 0500 TcUsb (72b9e77565da5fa564581976e000d29b) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/09/12 07:59:48.0046 0500 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/12 07:59:48.0390 0500 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/12 07:59:48.0703 0500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/12 07:59:49.0343 0500 TPM (317b746b6069a10d635fdbdf48723845) C:\WINDOWS\system32\DRIVERS\tpm.sys
2011/09/12 07:59:49.0671 0500 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/12 07:59:50.0625 0500 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/12 07:59:50.0968 0500 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/12 07:59:51.0312 0500 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/12 07:59:51.0625 0500 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/12 07:59:51.0953 0500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/12 07:59:52.0281 0500 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/12 07:59:52.0578 0500 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/12 07:59:52.0890 0500 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/12 07:59:53.0203 0500 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/12 07:59:53.0562 0500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/12 07:59:54.0171 0500 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/12 07:59:54.0609 0500 w29n51 (f0608f3b5b6d16f4870e867f9d069b6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2011/09/12 07:59:55.0046 0500 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/12 07:59:55.0671 0500 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/12 07:59:56.0031 0500 winachsf (c1d5cbd8aa0d674da1ba1bb189696396) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/09/12 07:59:56.0421 0500 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/12 07:59:56.0468 0500 MBR (0x1B8) (48e4fb73037ed2932d5e6bde31e6ee60) \Device\Harddisk0\DR0
2011/09/12 07:59:56.0468 0500 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
2011/09/12 07:59:56.0484 0500 Boot (0x1200) (4903555f97d12805a0002cb6a240ab60) \Device\Harddisk0\DR0\Partition0
2011/09/12 07:59:56.0484 0500 ================================================================================
2011/09/12 07:59:56.0484 0500 Scan finished
2011/09/12 07:59:56.0484 0500 ================================================================================
2011/09/12 07:59:56.0515 3688 Detected object count: 3
2011/09/12 07:59:56.0515 3688 Actual detected object count: 3
2011/09/12 08:00:28.0671 3688 HiddenFile.Multi.Generic(972fa390) - User select action: Skip
2011/09/12 08:00:29.0046 3688 i8042prt (b1c437b7628cbe740a1d69baebde4207) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/12 08:00:29.0046 3688 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: b1c437b7628cbe740a1d69baebde4207, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
2011/09/12 08:00:29.0281 3688 Backup copy found, using it..
2011/09/12 08:00:29.0281 3688 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
2011/09/12 08:00:29.0281 3688 Rootkit.Win32.ZAccess.e(i8042prt) - User select action: Cure
2011/09/12 08:00:29.0328 3688 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot
2011/09/12 08:00:29.0328 3688 \Device\Harddisk0\DR0 - ok
2011/09/12 08:00:29.0328 3688 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/12 08:00:40.0859 0856 Deinitialize success

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,518
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 September 2011 - 08:19 AM

Hello

very good - now rerun combofix for me

gringo

<-- Don't worry every little bit helps.

#7 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 12 September 2011 - 08:30 AM

I am still getting the same error message and combofix will not launch.

#8 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 12 September 2011 - 08:39 AM

I tried a different download for ComboFix and received this error when trying to download. "Error opening file for writing c:/32788R22FWJFW/iexplore.exe Click to abort to stop installation, retry to try again, or ignore to skip this file." On the bottom of the intall attempt was "Can't write c:/32788R22FWJFW/

#9 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,518
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 September 2011 - 12:13 PM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo

<-- Don't worry every little bit helps.

#10 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 12 September 2011 - 01:32 PM

I was able to run ComboFix in safe mode. After it launched and began to run it stopped and gave me the following:

"You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particulary difficult infection."

It went on further but it blipped up two more rapid screens that I was unable to read and then stated that it needed to reboot. I was able to get it back into safe mode for it to finish the scan. It then rebooted again before giving me a log. I was unable to catch it and it rebooted in regular mode. The log appeared and it listed below. The only problem I'm encountering so far is that ComboFix seems to have wiped out my wireless internet access. I am directly plugged in now to be able to get online, otherwise I have no means to access the internet. We have an encrypted router and I do not know how to get back into it. This is a Lenovo machine and used ThinkVantage Access Connections and that protocol is gone from the machine.

Here is the ComboFix log.

ComboFix 11-09-12.02 - Jennifer E. Olson 09/12/2011 12:38:58.2.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.826 [GMT -5:00]
Running from: c:\documents and settings\Jennifer E. Olson\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleCrashHandler.exe
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleUpdate.exe
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleUpdateBroker.exe
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleUpdateOnDemand.exe
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdate.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_am.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ar.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_bg.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_bn.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ca.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_cs.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_da.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_de.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_el.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_en-GB.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_en.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_es-419.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_es.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_et.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fa.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fi.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fil.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fr.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_gu.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_hi.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_hr.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_hu.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_id.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_is.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_it.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_iw.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ja.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_kn.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ko.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_lt.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_lv.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ml.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_mr.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ms.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_nl.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_no.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_pl.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_pt-BR.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_pt-PT.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ro.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ru.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sk.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sl.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sr.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sv.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sw.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ta.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_te.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_th.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_tr.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_uk.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ur.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_vi.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_zh-CN.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_zh-TW.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\npGoogleUpdate3.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\psmachine.dll
c:\docume~1\JENNIF~1.OLS\LOCALS~1\Temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\psuser.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\gaobib.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\imnaxy.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\tiito.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\ceriev.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\fewe.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\tiito.exe
c:\documents and settings\Family\Application Data\Agcyky
c:\documents and settings\Family\Application Data\Agcyky\qiumm.sug
c:\documents and settings\Family\Application Data\Albys
c:\documents and settings\Family\Application Data\Albys\pyduz.tmp
c:\documents and settings\Family\Application Data\Kokydo
c:\documents and settings\Family\Application Data\Kokydo\elydo.exe
c:\documents and settings\Jennifer E. Olson\Application Data\Oqdeyg
c:\documents and settings\Jennifer E. Olson\Application Data\Oqdeyg\ehpou.exe
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleCrashHandler.exe
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleUpdate.exe
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleUpdateBroker.exe
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\GoogleUpdateOnDemand.exe
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdate.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_am.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ar.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_bg.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_bn.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ca.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_cs.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_da.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_de.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_el.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_en-GB.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_en.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_es-419.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_es.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_et.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fa.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fi.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fil.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_fr.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_gu.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_hi.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_hr.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_hu.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_id.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_is.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_it.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_iw.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ja.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_kn.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ko.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_lt.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_lv.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ml.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_mr.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ms.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_nl.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_no.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_pl.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_pt-BR.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_pt-PT.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ro.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ru.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sk.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sl.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sr.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sv.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_sw.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ta.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_te.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_th.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_tr.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_uk.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_ur.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_vi.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_zh-CN.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\goopdateres_zh-TW.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\npGoogleUpdate3.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\psmachine.dll
c:\documents and settings\Jennifer E. Olson\Local Settings\temp\{51F1AB80-D82C-4548-B248-BB8CC1B00C33}\psuser.dll
c:\windows\$NtUninstallKB52032$\1534778459
c:\windows\2426613655
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\Dll.dll
c:\windows\system32\shimg.dll
c:\windows\$NtUninstallKB52032$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe . . . is infected!!
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe . . . is infected!!
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\Ati2evxx.exe . . . is infected!!
c:\windows\system32\Ati2evxx.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Bonjour\mDNSResponder.exe . . . is infected!!
c:\program files\Bonjour\mDNSResponder.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Intel\WiFi\bin\EvtEng.exe . . . is infected!!
c:\program files\Intel\WiFi\bin\EvtEng.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\ibmpmsvc.exe . . . is infected!!
c:\windows\system32\ibmpmsvc.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE . . . is infected!!
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe . . . is infected!!
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe . . . is infected!!
c:\program files\Intel\WiFi\bin\S24EvMon.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Analog Devices\SoundMAX\SMAgent.exe . . . is infected!!
c:\program files\Analog Devices\SoundMAX\SMAgent.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Viewpoint\Common\ViewpointService.exe . . . is infected!!
c:\program files\Viewpoint\Common\ViewpointService.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_972fa390
.
.
((((((((((((((((((((((((( Files Created from 2011-08-12 to 2011-09-12 )))))))))))))))))))))))))))))))
.
.
2011-09-12 17:20 . 2011-09-12 17:20 -------- d-----w- C:\d039f2ec59f35d1d02
2011-09-12 17:17 . 2011-09-12 17:17 -------- d-----w- C:\5594995e1f7ac02457c2261d00b0
2011-09-12 17:17 . 2011-09-12 17:17 -------- d-----w- C:\d0934c2aa034db2ae4
2011-09-12 13:32 . 2011-09-12 13:32 -------- d--h--w- c:\windows\PIF
2011-09-12 13:02 . 2011-09-12 17:27 50112 --sha-w- c:\windows\system32\c_07600.nl_
2011-09-10 21:12 . 2011-09-10 21:12 -------- d-----w- c:\program files\Runtime Software
2011-09-10 20:23 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-10 20:23 . 2011-09-10 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-10 20:23 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-10 18:54 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-09-10 18:46 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-09-10 18:46 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-09-10 18:46 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-09-10 18:46 . 2010-12-09 13:07 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-09-10 18:45 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-09-10 18:33 . 2007-11-30 11:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-09-10 18:33 . 2011-09-12 10:59 -------- d--h--w- c:\windows\$hf_mig$
2011-09-10 11:47 . 2011-09-10 11:47 -------- d-----w- c:\program files\Lavasoft
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-09-09 15:23 . 2011-09-09 15:23 -------- d-----w- c:\documents and settings\Jennifer E. Olson\Application Data\Poeceq
2011-09-09 15:23 . 2011-09-09 16:23 -------- d-----w- c:\documents and settings\Jennifer E. Olson\Application Data\Gyat
2011-09-09 15:18 . 2011-09-09 22:45 -------- d-----w- c:\documents and settings\Family\Application Data\Ebolo
2011-09-09 15:18 . 2011-09-09 16:23 -------- d-----w- c:\documents and settings\Family\Application Data\Upygxe
2011-09-07 21:15 . 2011-09-07 21:15 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-09-07 20:53 . 2011-09-07 21:24 -------- d-----w- c:\documents and settings\Jennifer E. Olson\Application Data\Vataba
2011-09-07 20:53 . 2011-09-07 21:14 -------- d-----w- c:\documents and settings\Jennifer E. Olson\Application Data\Hiityw
2011-09-07 01:53 . 2011-09-07 01:53 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-06 13:35 . 2011-09-06 13:35 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2011-09-05 20:15 . 2011-09-05 20:18 -------- d-----w- c:\program files\Spybot
2011-09-05 19:06 . 2011-09-05 19:06 -------- d-----w- C:\System Recovery
2011-09-03 19:14 . 2011-09-07 20:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-27 22:53 . 2011-08-27 22:53 -------- d-----w- C:\Adobe
2011-08-27 21:01 . 2011-08-27 21:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-12 13:01 . 2008-04-14 00:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-03 10:17 . 2008-12-13 15:47 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-18 20:25 . 2009-05-13 23:43 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-15 13:29 . 2008-12-13 15:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-12-13 15:47 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-30 01:35 . 2010-10-14 01:26 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10 . 2008-12-13 16:58 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2008-12-13 15:47 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2008-12-13 15:47 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 18:18 . 2008-12-13 15:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 12:58 . 2008-12-13 15:47 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-12-13 15:47 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-11-21 3289088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2008-06-25 49928]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-16 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-16 143360]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"Daemon for Mouse Suite"="c:\program files\Lenovo\Lenovo Mouse Suite\ICO.EXE" [2009-11-06 98304]
"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2006-12-05 262144]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Family\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Jennifer E. Olson\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-25 01:31 95496 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Jennifer E. Olson\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/13/2009 6:43 PM 64512]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [12/13/2008 10:47 AM 14336]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [6/24/2008 8:07 PM 12560]
R3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\PelPs2m.sys [7/12/2010 10:19 PM 19818]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2011 9:44 PM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/18/2011 3:25 PM 2151640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2011 9:44 PM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/18/2011 3:25 PM 15232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 20:25]
.
2011-06-06 c:\windows\Tasks\AdobeAAMUpdater-1.0-JENNIFER-Jennifer E. Olson.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-05-12 08:44]
.
2011-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 02:44]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 02:44]
.
2011-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2053719858-2472827367-994003569-1004Core.job
- c:\documents and settings\Jennifer E. Olson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-10 21:59]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2053719858-2472827367-994003569-1004UA.job
- c:\documents and settings\Jennifer E. Olson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-10 21:59]
.
2011-09-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-09-10 03:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-volmgr - c:\documents and settings\Jennifer E. Olson\Application Data\volmgr.exe
SafeBoot-05468349.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 12:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.imapi]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
.
- - - - - - - > 'explorer.exe'(2516)
c:\program files\Lenovo\Lenovo Mouse Suite\pelscrll.dll
c:\program files\Lenovo\Lenovo Mouse Suite\PELCOMM.dll
c:\program files\Lenovo\Lenovo Mouse Suite\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
c:\program files\Lenovo\Lenovo Mouse Suite\Pelmiced.exe
.
**************************************************************************
.
Completion time: 2011-09-12 12:59:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-12 17:59
ComboFix2.txt 2011-09-06 23:27
.
Pre-Run: 49,045,671,936 bytes free
Post-Run: 47,981,862,912 bytes free
.
- - End Of File - - 6ABA3477941E7108FC9AF5D9FD718203

#11 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,518
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 September 2011 - 04:07 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\c_07600.nl_

Folder::
C:\d039f2ec59f35d1d02
C:\5594995e1f7ac02457c2261d00b0
C:\d0934c2aa034db2ae4
c:\documents and settings\Jennifer E. Olson\Application Data\Poeceq
c:\documents and settings\Jennifer E. Olson\Application Data\Gyat
c:\documents and settings\Family\Application Data\Ebolo
c:\documents and settings\Family\Application Data\Upygxe
c:\documents and settings\Jennifer E. Olson\Application Data\Vataba
c:\documents and settings\Jennifer E. Olson\Application Data\Hiityw

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#12 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 12 September 2011 - 05:34 PM

I'm not sure if this ran correctly or not. I saved and copied the script as instructed. When ComboFix launched, it gave me a dialog box stating there was a new version of ComboFix and did I want to get it. Not knowing which was correct, I checked yes. ComboFix ran. Here is the log. No reboot was required and the scan was significantly faster than the last.

ComboFix 11-09-12.03 - Jennifer E. Olson 09/12/2011 17:21:20.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.663 [GMT -5:00]
Running from: c:\documents and settings\Jennifer E. Olson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jennifer E. Olson\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\c_07600.nl_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\5594995e1f7ac02457c2261d00b0
c:\5594995e1f7ac02457c2261d00b0\baseline.dat
c:\5594995e1f7ac02457c2261d00b0\deffactory.dat
c:\5594995e1f7ac02457c2261d00b0\DeleteTemp.exe
c:\5594995e1f7ac02457c2261d00b0\dlmgr.dll
c:\5594995e1f7ac02457c2261d00b0\DW20.EXE
c:\5594995e1f7ac02457c2261d00b0\DWINTL20.DLL
c:\5594995e1f7ac02457c2261d00b0\eula.1025.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1028.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1029.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1030.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1031.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1032.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1033.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1035.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1036.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1037.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1038.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1040.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1041.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1042.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1043.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1044.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1045.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1046.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1049.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1053.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.1055.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.2052.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.2070.rtf
c:\5594995e1f7ac02457c2261d00b0\eula.3082.rtf
c:\5594995e1f7ac02457c2261d00b0\gencomp.dll
c:\5594995e1f7ac02457c2261d00b0\HtmlLite.dll
c:\5594995e1f7ac02457c2261d00b0\locdata.1025.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1028.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1029.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1030.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1031.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1032.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1035.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1036.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1037.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1038.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1040.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1041.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1042.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1043.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1044.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1045.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1046.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1049.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1053.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.1055.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.2052.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.2070.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.3082.ini
c:\5594995e1f7ac02457c2261d00b0\locdata.ini
c:\5594995e1f7ac02457c2261d00b0\logo.bmp
c:\5594995e1f7ac02457c2261d00b0\setup.exe
c:\5594995e1f7ac02457c2261d00b0\setup.sdb
c:\5594995e1f7ac02457c2261d00b0\setupres.1025.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1028.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1029.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1030.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1031.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1032.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1035.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1036.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1037.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1038.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1040.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1041.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1042.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1043.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1044.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1045.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1046.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1049.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1053.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.1055.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.2052.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.2070.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.3082.dll
c:\5594995e1f7ac02457c2261d00b0\setupres.dll
c:\5594995e1f7ac02457c2261d00b0\SITSetup.dll
c:\5594995e1f7ac02457c2261d00b0\vs_setup.dll
c:\5594995e1f7ac02457c2261d00b0\vs_setup.MS_
c:\5594995e1f7ac02457c2261d00b0\vs_setup.pdi
c:\5594995e1f7ac02457c2261d00b0\vs70uimgr.dll
c:\5594995e1f7ac02457c2261d00b0\vsbasereqs.dll
c:\5594995e1f7ac02457c2261d00b0\vsscenario.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1025.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1028.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1029.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1030.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1031.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1032.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1035.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1036.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1037.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1038.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1040.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1041.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1042.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1043.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1044.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1045.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1046.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1049.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1053.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.1055.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.2052.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.2070.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.3082.dll
c:\5594995e1f7ac02457c2261d00b0\WapRes.dll
c:\5594995e1f7ac02457c2261d00b0\WapUI.dll
C:\d039f2ec59f35d1d02
c:\d039f2ec59f35d1d02\filterpipelineprintproc.amd64.dll
c:\d039f2ec59f35d1d02\filterpipelineprintproc.dll
c:\d039f2ec59f35d1d02\msxpsdrv.amd64.cat
c:\d039f2ec59f35d1d02\msxpsdrv.amd64.inf
c:\d039f2ec59f35d1d02\msxpsdrv.cat
c:\d039f2ec59f35d1d02\msxpsdrv.inf
c:\d039f2ec59f35d1d02\msxpsinc.amd64.gpd
c:\d039f2ec59f35d1d02\msxpsinc.amd64.ppd
c:\d039f2ec59f35d1d02\msxpsinc.gpd
c:\d039f2ec59f35d1d02\msxpsinc.ppd
c:\d039f2ec59f35d1d02\mxdwdrv.amd64.dll
c:\d039f2ec59f35d1d02\mxdwdrv.dll
c:\d039f2ec59f35d1d02\mxdwdui.dll
c:\d039f2ec59f35d1d02\mxdwdui.gpd
c:\d039f2ec59f35d1d02\mxdwdui.ini
c:\d039f2ec59f35d1d02\printfilterpipelinesvc.exe
c:\d039f2ec59f35d1d02\prntvpt.dll
c:\d039f2ec59f35d1d02\spmsg.dll
c:\d039f2ec59f35d1d02\spuninst.exe
c:\d039f2ec59f35d1d02\spupdsvc.exe
c:\d039f2ec59f35d1d02\stddtype.gdl
c:\d039f2ec59f35d1d02\stdnames.gpd
c:\d039f2ec59f35d1d02\stdschem.gdl
c:\d039f2ec59f35d1d02\stdschmx.gdl
c:\d039f2ec59f35d1d02\unidrv.dll
c:\d039f2ec59f35d1d02\unidrv.hlp
c:\d039f2ec59f35d1d02\unidrvui.dll
c:\d039f2ec59f35d1d02\unires.dll
c:\d039f2ec59f35d1d02\update\eula.txt
c:\d039f2ec59f35d1d02\update\KB954550-v5.CAT
c:\d039f2ec59f35d1d02\update\spcustom.dll
c:\d039f2ec59f35d1d02\update\update.exe
c:\d039f2ec59f35d1d02\update\update.inf
c:\d039f2ec59f35d1d02\update\update.ver
c:\d039f2ec59f35d1d02\update\updspapi.dll
c:\d039f2ec59f35d1d02\xpsshhdr.dll
c:\d039f2ec59f35d1d02\xpssvcs.amd64.dll
c:\d039f2ec59f35d1d02\xpssvcs.dll
C:\d0934c2aa034db2ae4
c:\d0934c2aa034db2ae4\$shtdwn$.req
c:\d0934c2aa034db2ae4\dotnetfx20\aspnet.msp
c:\d0934c2aa034db2ae4\dotnetfx20\clr.msp
c:\d0934c2aa034db2ae4\dotnetfx20\crt.msp
c:\d0934c2aa034db2ae4\dotnetfx20\dw.msp
c:\d0934c2aa034db2ae4\dotnetfx20\netfx_ca.msp
c:\d0934c2aa034db2ae4\dotnetfx20\netfx_core.msp
c:\d0934c2aa034db2ae4\dotnetfx20\netfx_other.msp
c:\d0934c2aa034db2ae4\dotnetfx20\netfx20a_x86.msi
c:\d0934c2aa034db2ae4\dotnetfx20\prexp.msp
c:\d0934c2aa034db2ae4\dotnetfx20\winforms.msp
c:\d0934c2aa034db2ae4\dotnetfx30\netfx30a_x86.msi
c:\d0934c2aa034db2ae4\dotnetfx30\rgb9rast_x86.msi
c:\d0934c2aa034db2ae4\dotnetfx30\wcf.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wcs.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wf.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wf_32.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wic_x86_enu.exe
c:\d0934c2aa034db2ae4\dotnetfx30\wpf_other.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wpf_other_32.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wpf1.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wpf2.msp
c:\d0934c2aa034db2ae4\dotnetfx30\wpf2_32.msp
c:\d0934c2aa034db2ae4\dotnetfx30\x86\msxml6.msi
c:\d0934c2aa034db2ae4\dotnetfx30\xps.msp
c:\d0934c2aa034db2ae4\dotnetfx30\xpsepsc-x86-en-us.exe
c:\d0934c2aa034db2ae4\dotnetfx35\x86\netfx35_x86.exe
c:\d0934c2aa034db2ae4\dotnetfx35setup.exe
c:\d0934c2aa034db2ae4\tools\clwireg.exe
c:\documents and settings\Family\Application Data\Ebolo
c:\documents and settings\Family\Application Data\Upygxe
c:\documents and settings\Family\Application Data\Upygxe\osdyi.puo
c:\documents and settings\Jennifer E. Olson\Application Data\Gyat
c:\documents and settings\Jennifer E. Olson\Application Data\Gyat\etux.tmp
c:\documents and settings\Jennifer E. Olson\Application Data\Hiityw
c:\documents and settings\Jennifer E. Olson\Application Data\Poeceq
c:\documents and settings\Jennifer E. Olson\Application Data\Poeceq\isiv.xur
c:\documents and settings\Jennifer E. Olson\Application Data\Vataba
c:\windows\system32\c_07600.nl_
.
.
((((((((((((((((((((((((( Files Created from 2011-08-12 to 2011-09-12 )))))))))))))))))))))))))))))))
.
.
2011-09-12 13:32 . 2011-09-12 13:32 -------- d--h--w- c:\windows\PIF
2011-09-10 21:12 . 2011-09-10 21:12 -------- d-----w- c:\program files\Runtime Software
2011-09-10 20:23 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-10 20:23 . 2011-09-10 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-10 20:23 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-10 18:54 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-09-10 18:46 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-09-10 18:46 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-09-10 18:46 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-09-10 18:46 . 2010-12-09 13:07 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-09-10 18:45 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-09-10 18:33 . 2007-11-30 11:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-09-10 18:33 . 2011-09-12 10:59 -------- d--h--w- c:\windows\$hf_mig$
2011-09-10 11:47 . 2011-09-10 11:47 -------- d-----w- c:\program files\Lavasoft
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-09-09 15:40 . 2011-09-09 15:40 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-09-07 21:15 . 2011-09-07 21:15 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-09-07 01:53 . 2011-09-07 01:53 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-06 13:35 . 2011-09-06 13:35 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2011-09-05 20:15 . 2011-09-05 20:18 -------- d-----w- c:\program files\Spybot
2011-09-05 19:06 . 2011-09-05 19:06 -------- d-----w- C:\System Recovery
2011-09-03 19:14 . 2011-09-07 20:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-27 22:53 . 2011-08-27 22:53 -------- d-----w- C:\Adobe
2011-08-27 21:01 . 2011-08-27 21:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-12 13:01 . 2008-04-14 00:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-03 10:17 . 2008-12-13 15:47 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-18 20:25 . 2009-05-13 23:43 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-15 13:29 . 2008-12-13 15:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-12-13 15:47 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-30 01:35 . 2010-10-14 01:26 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10 . 2008-12-13 16:58 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2008-12-13 15:47 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2008-12-13 15:47 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 18:18 . 2008-12-13 15:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 12:58 . 2008-12-13 15:47 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-12-13 15:47 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-12_17.54.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-12 18:10 . 2011-09-12 18:10 16384 c:\windows\temp\Perflib_Perfdata_7b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-11-21 3289088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2008-06-25 49928]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-16 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-16 143360]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"Daemon for Mouse Suite"="c:\program files\Lenovo\Lenovo Mouse Suite\ICO.EXE" [2009-11-06 98304]
"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2006-12-05 262144]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Family\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Jennifer E. Olson\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-25 01:31 95496 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Jennifer E. Olson\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/13/2009 6:43 PM 64512]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [12/13/2008 10:47 AM 14336]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [6/24/2008 8:07 PM 12560]
R3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\PelPs2m.sys [7/12/2010 10:19 PM 19818]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2011 9:44 PM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/18/2011 3:25 PM 2151640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2011 9:44 PM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/18/2011 3:25 PM 15232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 20:25]
.
2011-06-06 c:\windows\Tasks\AdobeAAMUpdater-1.0-JENNIFER-Jennifer E. Olson.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-05-12 08:44]
.
2011-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 02:44]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 02:44]
.
2011-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2053719858-2472827367-994003569-1004Core.job
- c:\documents and settings\Jennifer E. Olson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-10 21:59]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2053719858-2472827367-994003569-1004UA.job
- c:\documents and settings\Jennifer E. Olson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-10 21:59]
.
2011-09-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-09-10 03:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 17:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.imapi]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
.
Completion time: 2011-09-12 17:30:03
ComboFix-quarantined-files.txt 2011-09-12 22:30
ComboFix2.txt 2011-09-12 17:59
ComboFix3.txt 2011-09-06 23:27
.
Pre-Run: 47,950,409,728 bytes free
Post-Run: 47,960,481,792 bytes free
.
- - End Of File - - 12EF06771E5EB7E498C286B1B099342A

#13 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,518
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 September 2011 - 07:10 PM

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

start

settings

control panel

add/remove programs

Adobe Reader 9.1

remove

Update Adobe Reader

http://www.adobe.com/products/acrobat/readstep2.html

Adobe Reader

here

Note:

AskBar

Your Java is out of date.

It can be updated by the Java control panel

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
An update should begin;
follow the prompts

Clear your Java Cache

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#14 Lonetar555

Member

Group: Members
Posts: 47
Joined: 10-September 11

Posted 12 September 2011 - 08:10 PM

Things are running better and better. Malwarebytes found nothing on quick scan. The log for it and HijackThis are attached. Also, I just realized that the original nasty little "secrets" error is no longer coming up on booting. As we go along, please recommend what I should uninstall from this system. This is my daughter's computer, and I do not want her to run any of these programs accidentally or without supervision.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:06:10 PM, on 9/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\Pelmiced.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jennifer E. Olson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jennifer E. Olson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jennifer E. Olson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Daemon for Mouse Suite] C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE
O4 - HKLM\..\Run: [SKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')
O4 - Startup: CCC.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (file missing)
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (file missing)
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 8974 bytes

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7706

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

9/12/2011 8:02:24 PM
mbam-log-2011-09-12 (20-02-24).txt

Scan type: Quick scan
Objects scanned: 189062
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,518
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 September 2011 - 09:05 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brakets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

If you have any problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the activex control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Click Scan
Wait for the scan to finish
Click on copy to clipboard and paste the results here in this topic
you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt