Infected, killed it... am I clean?

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
←
1
2

You cannot start a new topic
This topic is locked

Infected, killed it... am I clean? Had infection, cleaned it up, want to make sure.

#16 JR2_Alaska

Member

Group: Members
Posts: 24
Joined: 24-February 11

Posted 14 January 2012 - 02:11 AM

The computer still does not like to start up very well. I had to run MBAM in Safemode as the computer became unresponsive when I tried to open MBAM. Seems like booting into safe mode one time and then rebooting into normal mode makes the computer boot better.

MBAM is all good, here is the log:

Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.14.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.11
rathert :: RATHERT-DM [administrator]

Protection: Disabled

1/13/2012 9:49:14 PM
mbam-log-2012-01-13 (21-49-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218453
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Here is the Hijack this log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:08:09 PM, on 1/13/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\lxeacoms.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\SlipStream\NetSwitch\WDisW.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://gateway.slb.com/dana-na/auth/url_default/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - d:\Java6-30\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111202150332.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - d:\Java6-30\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - d:\Java6-30\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O15 - Trusted Zone: *.alpinemud.com
O15 - Trusted Zone: *.atbalance.com
O15 - Trusted Zone: *.boydsrental.com
O15 - Trusted Zone: *.coiltubingservices.com
O15 - Trusted Zone: *.deeptec.com.br
O15 - Trusted Zone: *.drillmotors.com
O15 - Trusted Zone: *.dutchco.com
O15 - Trusted Zone: *.dyna-drill.com
O15 - Trusted Zone: *.dynadrill.com
O15 - Trusted Zone: *.ecutec.eu
O15 - Trusted Zone: *.emhobbs.com
O15 - Trusted Zone: *.employcareers.com
O15 - Trusted Zone: *.enertech-ws.com
O15 - Trusted Zone: *.geodiamond.com
O15 - Trusted Zone: *.geoservices.com
O15 - Trusted Zone: *.iwilson.com
O15 - Trusted Zone: http://web.miswaco.com
O15 - Trusted Zone: *.miswaco.com
O15 - Trusted Zone: *.omniseals.com
O15 - Trusted Zone: *.pathfinder-int.com
O15 - Trusted Zone: *.pathfinder-ltd.co.uk
O15 - Trusted Zone: *.pathfinderlwd.com
O15 - Trusted Zone: *.perfolog.com
O15 - Trusted Zone: *.siismithservices.com
O15 - Trusted Zone: http://*.smartforce.com
O15 - Trusted Zone: *.smith-innerarmor.com
O15 - Trusted Zone: *.smith-intl.com
O15 - Trusted Zone: http://smithlink.smith.com
O15 - Trusted Zone: *.smith.com
O15 - Trusted Zone: *.smithbits.com
O15 - Trusted Zone: *.smithborehole.com
O15 - Trusted Zone: *.smithdrilling.com
O15 - Trusted Zone: *.sweco.com
O15 - Trusted Zone: *.thomastools.com
O15 - Trusted Zone: *.unitedwire.com
O15 - Trusted Zone: *.weirhouston.com
O15 - Trusted Zone: *.whdrillingsolutions.com
O15 - Trusted Zone: *.whes.com
O15 - Trusted Zone: http://www.wilsonconfidential.com
O15 - Trusted Zone: *.wilsonconfidential.com
O15 - Trusted Zone: *.wilsononline.com
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP1-11759/webex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://gateway.slb.com/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = nam.slb.com
O20 - Winlogon Notify: CMGShieldNP - CmgShieldNP.dll (file missing)
O20 - Winlogon Notify: slbScCertProp - C:\WINDOWS\system32\ScCertProp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CMG Shield (CMGShield) - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINDOWS\etlisrv.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - d:\Java6-30\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
O23 - Service: lxea_device - - C:\WINDOWS\system32\lxeacoms.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleOraHome817Agent - Unknown owner - C:\Oracle\Ora817\bin\dbsnmp.exe (file missing)
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\Oracle\Ora817\BIN\ONRSD.EXE (file missing)
O23 - Service: OracleOraHome817DataGatherer - Unknown owner - C:\Oracle\Ora817\bin\vppdc.exe (file missing)
O23 - Service: OracleOraHome817HTTPServer - Unknown owner - C:\Oracle\Ora817\Apache\Apache\Apache.exe (file missing)
O23 - Service: OracleOraHome817PagingServer - Unknown owner - C:\Oracle\Ora817/bin/pagntsrv.exe (file missing)
O23 - Service: OracleOraHome817TNSListener - Unknown owner - C:\Oracle\Ora817\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServicegfpc8 - Unknown owner - c:\oracle\ora817\bin\ORACLE.EXE (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe

--
End of file - 15484 bytes

#17 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 14 January 2012 - 02:22 AM

Hello

see if this helps with the bootup

I want you to reset the DMA you can do this by this script here - Reset DMA

If you have problems when you click on the link try to right click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop right click on the file and select "Run"

If you still can't run it then you can go here "Reset DMA" to see what I want to do

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#18 JR2_Alaska

Member

Group: Members
Posts: 24
Joined: 24-February 11

Posted 14 January 2012 - 02:53 AM

I did it (again as we did it earlier as well) and there is still something wrong. The machine boots up fine and everything appears to run fine but when I try to run a program it becomes unresponsive. It seems like the computer is still working but the screen locks. I got the task manager running and was watching the processes and CPU load. The computer was basically done doing anything (system idle process was #1 on cpu load) yet the little green box in start menu showed the cpu at 100%. Weird stuff.

I booted into safe mode to send this. I am going to bed for the night, I will reboot into normal mode and just let it run without touching anything.

#19 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 14 January 2012 - 03:03 AM

I would like you to run this again

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#20 JR2_Alaska

Member

Group: Members
Posts: 24
Joined: 24-February 11

Posted 14 January 2012 - 01:26 PM

Left the computer run all night and its working perfect. Ran TDSSKIller, found nothing. Here is the log.

09:23:00.0625 2384 TDSS rootkit removing tool 2.7.1.0 Jan 13 2012 15:24:05
09:23:01.0250 2384 ============================================================
09:23:01.0250 2384 Current date / time: 2012/01/14 09:23:01.0250
09:23:01.0250 2384 SystemInfo:
09:23:01.0250 2384
09:23:01.0250 2384 OS Version: 5.1.2600 ServicePack: 3.0
09:23:01.0250 2384 Product type: Workstation
09:23:01.0250 2384 ComputerName: RATHERT-DM
09:23:01.0250 2384 UserName: rathert
09:23:01.0250 2384 Windows directory: C:\WINDOWS
09:23:01.0250 2384 System windows directory: C:\WINDOWS
09:23:01.0250 2384 Processor architecture: Intel x86
09:23:01.0250 2384 Number of processors: 2
09:23:01.0250 2384 Page size: 0x1000
09:23:01.0250 2384 Boot type: Normal boot
09:23:01.0250 2384 ============================================================
09:23:03.0656 2384 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000, SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
09:23:03.0890 2384 Initialize success
09:23:37.0171 3752 ============================================================
09:23:37.0171 3752 Scan started
09:23:37.0171 3752 Mode: Manual;
09:23:37.0171 3752 ============================================================
09:23:38.0218 3752 Abiosdsk - ok
09:23:38.0234 3752 abp480n5 - ok
09:23:38.0265 3752 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:23:38.0265 3752 ACPI - ok
09:23:38.0296 3752 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:23:38.0312 3752 ACPIEC - ok
09:23:38.0312 3752 adpu160m - ok
09:23:38.0343 3752 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:23:38.0343 3752 aec - ok
09:23:38.0375 3752 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:23:38.0375 3752 AFD - ok
09:23:38.0390 3752 Aha154x - ok
09:23:38.0390 3752 aic78u2 - ok
09:23:38.0406 3752 aic78xx - ok
09:23:38.0421 3752 AliIde - ok
09:23:38.0421 3752 amsint - ok
09:23:38.0468 3752 ApfiltrService (350f19eb5fe4ec37a2414df56cde1aa8) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
09:23:38.0515 3752 ApfiltrService - ok
09:23:38.0562 3752 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
09:23:38.0562 3752 Arp1394 - ok
09:23:38.0578 3752 asc - ok
09:23:38.0578 3752 asc3350p - ok
09:23:38.0593 3752 asc3550 - ok
09:23:38.0625 3752 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
09:23:38.0625 3752 Aspi32 - ok
09:23:38.0656 3752 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:23:38.0656 3752 AsyncMac - ok
09:23:38.0671 3752 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
09:23:38.0671 3752 atapi - ok
09:23:38.0671 3752 Atdisk - ok
09:23:38.0687 3752 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:23:38.0703 3752 Atmarpc - ok
09:23:38.0796 3752 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:23:38.0812 3752 audstub - ok
09:23:38.0859 3752 b57w2k (71509c9db1a4b2c05141563fbe3e18a0) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
09:23:38.0906 3752 b57w2k - ok
09:23:39.0015 3752 BCM43XX (e9ea635b8432d68f0005b3f6cebab837) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
09:23:39.0171 3752 BCM43XX - ok
09:23:39.0265 3752 BCMTPM (09a41ba9dc48f2f52ade4a42fe945d98) C:\WINDOWS\system32\DRIVERS\btpmw32.sys
09:23:39.0281 3752 BCMTPM - ok
09:23:39.0296 3752 BCMWLNPF (8c31c9db77ed6143ad09dc5fd2c9d9cc) C:\WINDOWS\system32\drivers\bcmwlnpf.sys
09:23:39.0312 3752 BCMWLNPF - ok
09:23:39.0328 3752 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:23:39.0343 3752 Beep - ok
09:23:39.0609 3752 catchme - ok
09:23:39.0640 3752 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:23:39.0640 3752 cbidf2k - ok
09:23:39.0734 3752 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
09:23:39.0750 3752 CCDECODE - ok
09:23:39.0765 3752 cd20xrnt - ok
09:23:39.0812 3752 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:23:39.0843 3752 Cdaudio - ok
09:23:39.0875 3752 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:23:39.0906 3752 Cdfs - ok
09:23:39.0921 3752 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:23:39.0968 3752 Cdrom - ok
09:23:40.0062 3752 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
09:23:40.0062 3752 CmBatt - ok
09:23:40.0062 3752 CmdIde - ok
09:23:40.0093 3752 CmgShieldCEF (1580aa985d638457debbf5446bd466b8) C:\WINDOWS\system32\DRIVERS\CMGShCEF.sys
09:23:40.0109 3752 CmgShieldCEF - ok
09:23:40.0125 3752 CmgShieldNP (3ef90e381814acadfff27afbede48f9d) C:\WINDOWS\system32\CmgShieldNP.dll
09:23:40.0140 3752 CmgShieldNP - ok
09:23:40.0156 3752 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
09:23:40.0156 3752 Compbatt - ok
09:23:40.0187 3752 Cpqarray - ok
09:23:40.0218 3752 CSRBC (8e1945984e147562f9f08e1d344a69cc) C:\WINDOWS\system32\Drivers\csrbcxp.sys
09:23:40.0312 3752 CSRBC - ok
09:23:40.0328 3752 dac2w2k - ok
09:23:40.0328 3752 dac960nt - ok
09:23:40.0343 3752 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:23:40.0359 3752 Disk - ok
09:23:40.0390 3752 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:23:40.0421 3752 dmboot - ok
09:23:40.0515 3752 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:23:40.0531 3752 dmio - ok
09:23:40.0562 3752 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:23:40.0578 3752 dmload - ok
09:23:40.0593 3752 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:23:40.0593 3752 DMusic - ok
09:23:40.0609 3752 dpti2o - ok
09:23:40.0625 3752 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:23:40.0625 3752 drmkaud - ok
09:23:40.0656 3752 dsNcAdpt (b2c3f71b86e25c3df78339ddb40a7562) C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
09:23:40.0703 3752 dsNcAdpt - ok
09:23:40.0734 3752 Egatebus (4924195a308f41dde7dfe2f17791e175) C:\WINDOWS\system32\drivers\egatebus.sys
09:23:40.0781 3752 Egatebus - ok
09:23:40.0796 3752 Egaterdr (5985c08604a12255d1939d688b0cb5a2) C:\WINDOWS\system32\drivers\egaterdr.sys
09:23:40.0843 3752 Egaterdr - ok
09:23:40.0859 3752 EL3C589 (782802aa0e9389457664076fdef509cf) C:\WINDOWS\system32\DRIVERS\el589nd5.sys
09:23:40.0906 3752 EL3C589 - ok
09:23:40.0953 3752 ETFSDNT (dc4f6a3c3d40b344efab59f1fc714d7e) C:\WINDOWS\system32\etfsdrv.sys
09:23:41.0031 3752 ETFSDNT - ok
09:23:41.0109 3752 fanio (0dd24dabb0b8c4ac0d8f2ebf0492276a) C:\WINDOWS\system32\drivers\fanio.sys
09:23:41.0203 3752 fanio - ok
09:23:41.0218 3752 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:23:41.0218 3752 Fastfat - ok
09:23:41.0234 3752 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
09:23:41.0250 3752 Fdc - ok
09:23:41.0250 3752 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:23:41.0265 3752 Fips - ok
09:23:41.0265 3752 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:23:41.0281 3752 Flpydisk - ok
09:23:41.0296 3752 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
09:23:41.0296 3752 FltMgr - ok
09:23:41.0328 3752 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:23:41.0328 3752 Fs_Rec - ok
09:23:41.0343 3752 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:23:41.0359 3752 Ftdisk - ok
09:23:41.0375 3752 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
09:23:41.0421 3752 GEARAspiWDM - ok
09:23:41.0437 3752 GKUPRO2D (d5eccc6df4aa18a1e31fd71f6c15c8ec) C:\WINDOWS\system32\Drivers\GKUPRO2D.sys
09:23:41.0484 3752 GKUPRO2D - ok
09:23:41.0500 3752 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:23:41.0531 3752 Gpc - ok
09:23:41.0546 3752 guardian2 (7031a936832967a93b0e5d5f1c76745a) C:\WINDOWS\system32\Drivers\oz776.sys
09:23:41.0640 3752 guardian2 - ok
09:23:41.0671 3752 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:23:41.0671 3752 HDAudBus - ok
09:23:41.0687 3752 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:23:41.0687 3752 HidUsb - ok
09:23:41.0703 3752 hpn - ok
09:23:41.0734 3752 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
09:23:41.0781 3752 HSFHWAZL - ok
09:23:41.0890 3752 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
09:23:41.0953 3752 HSF_DPV - ok
09:23:41.0984 3752 HTCAND32 (cbd09ed9cf6822177ee85aea4d8816a2) C:\WINDOWS\system32\Drivers\ANDROIDUSB.sys
09:23:42.0031 3752 HTCAND32 - ok
09:23:42.0062 3752 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:23:42.0062 3752 HTTP - ok
09:23:42.0078 3752 i2omp - ok
09:23:42.0109 3752 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:23:42.0125 3752 i8042prt - ok
09:23:42.0140 3752 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:23:42.0140 3752 Imapi - ok
09:23:42.0156 3752 ini910u - ok
09:23:42.0156 3752 IntelIde - ok
09:23:42.0187 3752 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:23:42.0187 3752 intelppm - ok
09:23:42.0281 3752 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
09:23:42.0281 3752 Ip6Fw - ok
09:23:42.0328 3752 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:23:42.0328 3752 IpFilterDriver - ok
09:23:42.0343 3752 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:23:42.0359 3752 IpInIp - ok
09:23:42.0375 3752 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:23:42.0390 3752 IpNat - ok
09:23:42.0390 3752 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:23:42.0406 3752 IPSec - ok
09:23:42.0421 3752 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:23:42.0421 3752 IRENUM - ok
09:23:42.0453 3752 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:23:42.0453 3752 isapnp - ok
09:23:42.0453 3752 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:23:42.0468 3752 Kbdclass - ok
09:23:42.0468 3752 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:23:42.0484 3752 kbdhid - ok
09:23:42.0515 3752 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:23:42.0515 3752 kmixer - ok
09:23:42.0546 3752 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:23:42.0546 3752 KSecDD - ok
09:23:42.0593 3752 LVRS (7521c0c58ee91be90b6cc33e792d10c7) C:\WINDOWS\system32\DRIVERS\lvrs.sys
09:23:42.0703 3752 LVRS - ok
09:23:42.0812 3752 LVUVC (37e57c48af530df01cdd4e8a2ad77b51) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
09:23:42.0937 3752 LVUVC - ok
09:23:43.0046 3752 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
09:23:43.0140 3752 MBAMProtector - ok
09:23:43.0187 3752 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
09:23:43.0187 3752 mdmxsdk - ok
09:23:43.0218 3752 mfeapfk (c0d975d64c1af8057f2d75b1297a6979) C:\WINDOWS\system32\drivers\mfeapfk.sys
09:23:43.0218 3752 mfeapfk - ok
09:23:43.0250 3752 mfeavfk (c169326049a8a03d5f905b34f5a65f8c) C:\WINDOWS\system32\drivers\mfeavfk.sys
09:23:43.0296 3752 mfeavfk - ok
09:23:43.0296 3752 mfeavfk01 - ok
09:23:43.0328 3752 mfebopk (50b0253b2484a306a20d8695c5ae5858) C:\WINDOWS\system32\drivers\mfebopk.sys
09:23:43.0328 3752 mfebopk - ok
09:23:43.0359 3752 mfehidk (188b40866db2ab8ef262febc65291687) C:\WINDOWS\system32\drivers\mfehidk.sys
09:23:43.0453 3752 mfehidk - ok
09:23:43.0484 3752 mferkdet (c1b30af2e18e69bf8ceb39b33f32d3c1) C:\WINDOWS\system32\drivers\mferkdet.sys
09:23:43.0531 3752 mferkdet - ok
09:23:43.0546 3752 mfetdi2k (97ef4ca122ddda4781ff557e65dfb262) C:\WINDOWS\system32\drivers\mfetdi2k.sys
09:23:43.0593 3752 mfetdi2k - ok
09:23:43.0625 3752 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:23:43.0625 3752 mnmdd - ok
09:23:43.0718 3752 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:23:43.0718 3752 Modem - ok
09:23:43.0750 3752 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
09:23:43.0781 3752 motccgp - ok
09:23:43.0812 3752 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
09:23:43.0843 3752 motccgpfl - ok
09:23:43.0890 3752 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
09:23:43.0921 3752 motmodem - ok
09:23:43.0953 3752 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motport.sys
09:23:44.0000 3752 motport - ok
09:23:44.0000 3752 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:23:44.0015 3752 Mouclass - ok
09:23:44.0046 3752 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:23:44.0062 3752 mouhid - ok
09:23:44.0062 3752 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:23:44.0078 3752 MountMgr - ok
09:23:44.0078 3752 mraid35x - ok
09:23:44.0093 3752 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:23:44.0093 3752 MRxDAV - ok
09:23:44.0140 3752 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:23:44.0140 3752 MRxSmb - ok
09:23:44.0234 3752 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:23:44.0234 3752 Msfs - ok
09:23:44.0265 3752 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:23:44.0281 3752 MSKSSRV - ok
09:23:44.0281 3752 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:23:44.0296 3752 MSPCLOCK - ok
09:23:44.0312 3752 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:23:44.0312 3752 MSPQM - ok
09:23:44.0328 3752 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:23:44.0343 3752 mssmbios - ok
09:23:44.0375 3752 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
09:23:44.0375 3752 MSTEE - ok
09:23:44.0406 3752 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:23:44.0406 3752 Mup - ok
09:23:44.0437 3752 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
09:23:44.0437 3752 NABTSFEC - ok
09:23:44.0453 3752 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:23:44.0468 3752 NDIS - ok
09:23:44.0484 3752 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
09:23:44.0500 3752 NdisIP - ok
09:23:44.0531 3752 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:23:44.0531 3752 NdisTapi - ok
09:23:44.0546 3752 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:23:44.0562 3752 Ndisuio - ok
09:23:44.0593 3752 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:23:44.0593 3752 NdisWan - ok
09:23:44.0625 3752 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:23:44.0687 3752 NDProxy - ok
09:23:44.0703 3752 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:23:44.0703 3752 NetBIOS - ok
09:23:44.0812 3752 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:23:44.0843 3752 NetBT - ok
09:23:44.0906 3752 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
09:23:44.0937 3752 NIC1394 - ok
09:23:44.0953 3752 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:23:44.0968 3752 Npfs - ok
09:23:45.0000 3752 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:23:45.0015 3752 Ntfs - ok
09:23:45.0031 3752 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:23:45.0046 3752 Null - ok
09:23:45.0234 3752 nv (77f427e51479c66c09f967d15b639b37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
09:23:45.0375 3752 nv - ok
09:23:45.0468 3752 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:23:45.0468 3752 NwlnkFlt - ok
09:23:45.0484 3752 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:23:45.0484 3752 NwlnkFwd - ok
09:23:45.0515 3752 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
09:23:45.0515 3752 ohci1394 - ok
09:23:45.0562 3752 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:23:45.0578 3752 Parport - ok
09:23:45.0578 3752 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:23:45.0578 3752 PartMgr - ok
09:23:45.0609 3752 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:23:45.0609 3752 ParVdm - ok
09:23:45.0640 3752 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:23:45.0640 3752 PCI - ok
09:23:45.0640 3752 PCIDump - ok
09:23:45.0687 3752 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:23:45.0687 3752 PCIIde - ok
09:23:45.0703 3752 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
09:23:45.0703 3752 Pcmcia - ok
09:23:45.0718 3752 PDCOMP - ok
09:23:45.0718 3752 PDFRAME - ok
09:23:45.0734 3752 PDRELI - ok
09:23:45.0734 3752 PDRFRAME - ok
09:23:45.0750 3752 perc2 - ok
09:23:45.0750 3752 perc2hib - ok
09:23:45.0796 3752 pnetmdm (da19e3401f39c10df193be029c7e7bba) C:\WINDOWS\system32\DRIVERS\pnetmdm.sys
09:23:45.0843 3752 pnetmdm - ok
09:23:45.0859 3752 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:23:45.0859 3752 PptpMiniport - ok
09:23:45.0984 3752 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\WINDOWS\system32\CCM\prepdrv.sys
09:23:46.0125 3752 prepdrvr - ok
09:23:46.0218 3752 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:23:46.0234 3752 PSched - ok
09:23:46.0265 3752 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:23:46.0265 3752 Ptilink - ok
09:23:46.0281 3752 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
09:23:46.0296 3752 PxHelp20 - ok
09:23:46.0296 3752 ql1080 - ok
09:23:46.0312 3752 Ql10wnt - ok
09:23:46.0312 3752 ql12160 - ok
09:23:46.0328 3752 ql1240 - ok
09:23:46.0343 3752 ql1280 - ok
09:23:46.0343 3752 R72V2NT4 - ok
09:23:46.0359 3752 R72_NT4 - ok
09:23:46.0375 3752 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:23:46.0390 3752 RasAcd - ok
09:23:46.0406 3752 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:23:46.0406 3752 Rasl2tp - ok
09:23:46.0421 3752 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:23:46.0421 3752 RasPppoe - ok
09:23:46.0437 3752 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:23:46.0437 3752 Raspti - ok
09:23:46.0453 3752 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:23:46.0468 3752 Rdbss - ok
09:23:46.0468 3752 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:23:46.0484 3752 RDPCDD - ok
09:23:46.0515 3752 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:23:46.0515 3752 rdpdr - ok
09:23:46.0546 3752 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:23:46.0546 3752 RDPWD - ok
09:23:46.0562 3752 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:23:46.0562 3752 redbook - ok
09:23:46.0593 3752 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
09:23:46.0593 3752 ROOTMODEM - ok
09:23:46.0703 3752 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:23:46.0703 3752 Secdrv - ok
09:23:46.0734 3752 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:23:46.0734 3752 Serenum - ok
09:23:46.0750 3752 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:23:46.0750 3752 Serial - ok
09:23:46.0765 3752 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:23:46.0781 3752 Sfloppy - ok
09:23:46.0906 3752 Simbad - ok
09:23:47.0000 3752 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
09:23:47.0000 3752 SLIP - ok
09:23:47.0031 3752 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINDOWS\system32\DRIVERS\smsmdm.sys
09:23:47.0078 3752 smsmdd - ok
09:23:47.0093 3752 Sparrow - ok
09:23:47.0125 3752 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:23:47.0125 3752 splitter - ok
09:23:47.0140 3752 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:23:47.0140 3752 sr - ok
09:23:47.0171 3752 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:23:47.0187 3752 Srv - ok
09:23:47.0250 3752 STHDA (58f855684e163466a5c565adf0865536) C:\WINDOWS\system32\drivers\sthda.sys
09:23:47.0296 3752 STHDA - ok
09:23:47.0406 3752 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
09:23:47.0406 3752 streamip - ok
09:23:47.0421 3752 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:23:47.0421 3752 swenum - ok
09:23:47.0453 3752 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:23:47.0453 3752 swmidi - ok
09:23:47.0468 3752 symc810 - ok
09:23:47.0468 3752 symc8xx - ok
09:23:47.0515 3752 symsnap (4b016fa3594b04506b9246d8e3eb0b66) C:\WINDOWS\system32\DRIVERS\symsnap.sys
09:23:47.0609 3752 symsnap - ok
09:23:47.0625 3752 sym_hi - ok
09:23:47.0625 3752 sym_u3 - ok
09:23:47.0656 3752 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:23:47.0656 3752 sysaudio - ok
09:23:47.0656 3752 Tb2Device - ok
09:23:47.0656 3752 Tb2MirrorSys - ok
09:23:47.0703 3752 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:23:47.0703 3752 Tcpip - ok
09:23:47.0750 3752 TcUsb (125f5adc14839b4afd31cc581629d2b3) C:\WINDOWS\system32\Drivers\tcusb.sys
09:23:47.0750 3752 TcUsb - ok
09:23:47.0781 3752 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:23:47.0781 3752 TDPIPE - ok
09:23:47.0796 3752 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:23:47.0812 3752 TDTCP - ok
09:23:47.0828 3752 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:23:47.0828 3752 TermDD - ok
09:23:47.0906 3752 TosIde - ok
09:23:47.0921 3752 tosporte (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\WINDOWS\system32\DRIVERS\tosporte.sys
09:23:47.0984 3752 tosporte - ok
09:23:48.0015 3752 tosrfbd (8c3bfaf3fca90502e6fa35503b8e979e) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
09:23:48.0062 3752 tosrfbd - ok
09:23:48.0078 3752 tosrfbnp (90c8525bc578aaffe87c2d0ed4379e9e) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
09:23:48.0125 3752 tosrfbnp - ok
09:23:48.0171 3752 Tosrfcom (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\WINDOWS\system32\Drivers\tosrfcom.sys
09:23:48.0171 3752 Tosrfcom - ok
09:23:48.0203 3752 Tosrfhid (7c807ba9660e2995cc0217a14a24094c) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
09:23:48.0234 3752 Tosrfhid - ok
09:23:48.0250 3752 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
09:23:48.0265 3752 tosrfnds - ok
09:23:48.0296 3752 TosRfSnd (a4ce9572bc4ac8d329455059b43c5bea) C:\WINDOWS\system32\drivers\tosrfsnd.sys
09:23:48.0328 3752 TosRfSnd - ok
09:23:48.0375 3752 tosrfusb (01c90086cd37e7e8d9a827e24167fcb7) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
09:23:48.0406 3752 tosrfusb - ok
09:23:48.0437 3752 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:23:48.0437 3752 Udfs - ok
09:23:48.0453 3752 ultra - ok
09:23:48.0468 3752 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:23:48.0500 3752 Update - ok
09:23:48.0593 3752 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
09:23:48.0687 3752 USBAAPL - ok
09:23:48.0703 3752 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
09:23:48.0703 3752 usbaudio - ok
09:23:48.0734 3752 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:23:48.0734 3752 usbccgp - ok
09:23:48.0765 3752 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
09:23:48.0843 3752 USBCCID - ok
09:23:48.0875 3752 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:23:48.0875 3752 usbehci - ok
09:23:48.0890 3752 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:23:48.0906 3752 usbhub - ok
09:23:48.0921 3752 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:23:48.0921 3752 usbprint - ok
09:23:48.0968 3752 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:23:48.0968 3752 usbscan - ok
09:23:48.0984 3752 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:23:49.0000 3752 USBSTOR - ok
09:23:49.0015 3752 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:23:49.0031 3752 usbuhci - ok
09:23:49.0046 3752 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
09:23:49.0046 3752 usbvideo - ok
09:23:49.0062 3752 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
09:23:49.0078 3752 usb_rndisx - ok
09:23:49.0171 3752 v2imount (16662738e1ab857fb91ed2d4065440b0) C:\WINDOWS\system32\DRIVERS\v2imount.sys
09:23:49.0281 3752 v2imount - ok
09:23:49.0296 3752 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:23:49.0312 3752 VgaSave - ok
09:23:49.0312 3752 ViaIde - ok
09:23:49.0343 3752 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:23:49.0343 3752 VolSnap - ok
09:23:49.0375 3752 VProEventMonitor (e14b7ae35be1e97830d42ec191d0dea2) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
09:23:49.0500 3752 VProEventMonitor - ok
09:23:49.0515 3752 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:23:49.0531 3752 Wanarp - ok
09:23:49.0562 3752 Wdf01000 (4769596d7cc0f5fa447d2babc239672a) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
09:23:49.0750 3752 Wdf01000 - ok
09:23:49.0765 3752 WDICA - ok
09:23:49.0812 3752 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:23:49.0828 3752 wdmaud - ok
09:23:49.0906 3752 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
09:23:49.0921 3752 WimFltr - ok
09:23:49.0984 3752 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
09:23:50.0046 3752 winachsf - ok
09:23:50.0093 3752 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
09:23:50.0156 3752 WinUSB - ok
09:23:50.0171 3752 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
09:23:50.0187 3752 WmiAcpi - ok
09:23:50.0218 3752 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:23:50.0218 3752 WS2IFSL - ok
09:23:50.0265 3752 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
09:23:50.0296 3752 WSTCODEC - ok
09:23:50.0328 3752 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:23:50.0328 3752 WudfPf - ok
09:23:50.0406 3752 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:23:50.0421 3752 WudfRd - ok
09:23:50.0468 3752 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
09:23:50.0515 3752 \Device\Harddisk0\DR0 - ok
09:23:50.0515 3752 Boot (0x1200) (bb05c6d90aa644de88e787d2ea34af92) \Device\Harddisk0\DR0\Partition0
09:23:50.0515 3752 \Device\Harddisk0\DR0\Partition0 - ok
09:23:50.0531 3752 Boot (0x1200) (e4fc33fb170944d9174965511819d284) \Device\Harddisk0\DR0\Partition1
09:23:50.0531 3752 \Device\Harddisk0\DR0\Partition1 - ok
09:23:50.0531 3752 ============================================================
09:23:50.0531 3752 Scan finished
09:23:50.0531 3752 ============================================================
09:23:50.0546 2640 Detected object count: 0
09:23:50.0546 2640 Actual detected object count: 0
09:24:05.0296 2392 Deinitialize success

#21 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 14 January 2012 - 10:46 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the ActiveX control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Click Scan
Wait for the scan to finish
Click on copy to clipboard and paste the results here in this topic
you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

<-- Don't worry every little bit helps.

#22 JR2_Alaska

Member

Group: Members
Posts: 24
Joined: 24-February 11

Posted 15 January 2012 - 02:50 AM

Ran ESET, it did not give me a report but it did find one item and I copied the location:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XGSRMLQF\movie-infos_biz[1].htm HTML/Iframe.B.Gen virus

I don't know that is still there after running TFC a few steps back. Strange, I suppose the next step is to run TFC again? I will not do anything until you say.

#23 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 15 January 2012 - 03:36 AM

Hello

There are some minor things in your online scan that should be removed.

delete files

Copy all text in the quote box (below)...to Notepad.

Quote
@echo off
del /f /s /q "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XGSRMLQF\movie-infos_biz[1].htm"
del %0
Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
It should look like this: <--XP<--vista
Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

DeFogger

The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

:Uninstall ComboFix:

turn off all active protection software
push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box ComboFix /Uninstall and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:Make your Internet Explorer more secure:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

How to Secure Firefox

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector

:Turn On Automatic Updates:

Start

Run,

sysdm.cpl

ENTER

Automatic Updates

Automatic (recommended)

http://www.windowsupdate.com

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need?

Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online

Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

Gringo

<-- Don't worry every little bit helps.

#24 JR2_Alaska

Member

Group: Members
Posts: 24
Joined: 24-February 11

Posted 15 January 2012 - 09:21 PM

Thanks Gringo. I ran the script file to delete that infected temp file with no problems. The command to uninstall combofix does not seem to work. No big deal. I ran the rest of the stuff and life appears to be good. Thanks so much for your help. Small donation coming your way.

John

#25 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 15 January 2012 - 10:10 PM

Hello thank you very much that was nice of you and you are more than welcome

go ahead and run this to make sure combofix and its folders are removed

http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE

gringo

<-- Don't worry every little bit helps.

#26 JR2_Alaska

Member

Group: Members
Posts: 24
Joined: 24-February 11

Posted 15 January 2012 - 11:26 PM

Thanks again, this is the second time this year that you have saved me from just giving up and reloading software. Keep up the good work.

John

#27 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 15 January 2012 - 11:44 PM

You are more than welcome and glad I was able to help

come back anytime

gringo

<-- Don't worry every little bit helps.

#28 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 January 2012 - 01:03 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.