Don't know what's wrong

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

7 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

Don't know what's wrong

#1 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 28 January 2012 - 11:10 PM

I had a corrupted DNS long ago, although at first I thought it was my computer itself. Then I started getting a squiggly sort of sound whenever I opened a new web page which I later found out was ad blocker making noises to tell me it's working. Then I started getting a hour glass every now and then for no reason, along with some screen problems. Also when I type in my searches the letters don't show up after I've typed a few.

After running DDS (I had to run both programs as admin. DDS I actually had to go into my admin account to run because a run as option didn't appear. For some reason after moving the files from the admin account to the limited account I could not access them at first. Now I can. I would get access denied when I clicked on them in the limited account. Also, the first time I ran GMER I got a blue screen of death a little way through it. The second time I opened it, unchecked the appropriate boxes and hit scan. Then I fell asleep, woke up and it had stopped scanning although I got nothing on screen saying that.)

Let me know if you need the attach file.

Attached File(s)

log 1-28.log (3.04K)
Number of downloads: 1
dds1-28-2.txt (8.93K)
Number of downloads: 2

#2 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 30 January 2012 - 08:28 PM

Also, my browser tends to freeze up for no apparent reason.

#3 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,525
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 31 January 2012 - 01:01 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#4 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 31 January 2012 - 12:22 PM

I ran it. It told me to do the recovery console thing but I didn't as I'm not going to hook my pc to the net with my firewall down. I will be doing that now. (actually, how do you download the recovery console?)

It ran still, though. It deleted three files then restarted.

I had turned off all my security, but on reboot it was all restarted. Combo then started putting these crazy boxes all over my screen and I was unable to turn off my antivirus as I could not even type with the crazy boxes on my screen.

So, I forced my computer to shut down, and then restarted. I saw a combo box pop up and hit the x to shut it down.

I will try this again.

But tell me, how does a virus get on a computer when only a limited account is used to connect to the net?

This post has been edited by printerandink: 31 January 2012 - 12:30 PM

#5 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 31 January 2012 - 01:25 PM

Okay, so I tried putting the recovery console on my pc via the xp disc. That worked but combo didn't recognize it.

So, I ran combo, then turned my antivirus back on, then downloaded it like it asked me to via the combo prompt.

Then I shut off my pc and restarted it.

The I ran combo as asked.

Even though I had all of my antivirus off, for some reason I kept getting boxes asking me what I want to do with C:/combofix/REGT.3XE

After a few of these I said it was trusted. This happened at about stage 50.

Here is the log. What does it mean? Should I rerun this program?

Oh yeah, and my antivir tried to update during this while I wasn't connected to the net.

ComboFix 12-01-30.02 - f 01/31/2012 12:08:32.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2880 [GMT -6:00]
Running from: c:\documents and settings\j\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: FireWall *Disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 17:08 . 2008-04-14 05:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-01-31 17:08 . 2008-04-14 05:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-08 23:23 . 2012-01-08 23:23 -------- d-----w- c:\documents and settings\f\Application Data\SUPERAntiSpyware.com
2012-01-08 23:11 . 2012-01-08 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-06-22 04:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 01:04 . 2011-10-11 22:01 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-02-28 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-22 03:44 . 2010-06-15 18:08 884736 ----a-w- c:\windows\system32\ati2cqag.dll
2011-11-22 03:43 . 2011-01-24 18:48 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-11-22 03:42 . 2011-01-24 18:48 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-11-22 03:42 . 2010-06-15 18:08 3953664 ----a-w- c:\windows\system32\ati3duag.dll
2011-11-22 03:38 . 2011-01-24 18:48 806912 ----a-w- c:\windows\system32\atikvmag.dll
2011-11-22 03:38 . 2011-01-24 18:48 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-11-22 03:36 . 2011-01-24 18:48 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-11-22 03:36 . 2010-06-15 18:08 3278848 ----a-w- c:\windows\system32\ativvaxx.dll
2011-11-22 03:34 . 2011-01-24 18:48 221184 ----a-w- c:\windows\system32\atiadlxx.dll
2011-11-22 03:34 . 2011-01-24 18:48 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-11-22 03:34 . 2010-06-15 18:08 304128 ----a-w- c:\windows\system32\ati2dvag.dll
2011-11-18 12:35 . 2006-02-28 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-02-28 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-02-28 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-02-28 12:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-02-28 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-26 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sega classics\\SEGAGenesisClassics.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bastion demo\\Bastion.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\front mission evolved\\FrontMissionEvolved.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
.
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [10/11/2011 4:01 PM 111160]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/11/2011 4:01 PM 36000]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [10/11/2011 4:01 PM 616400]
R2 AntiVirMailService;Avira Mail Protection;c:\program files\Avira\AntiVir Desktop\avmailc.exe [10/11/2011 4:01 PM 342480]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/11/2011 4:01 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [10/11/2011 4:01 PM 463824]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [10/11/2011 4:01 PM 91096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys --> c:\windows\system32\drivers\AtihdXP3.sys [?]
S3 AtiIrRcvr;ATI Remote Receiver Service;c:\windows\system32\DRIVERS\aticir.sys --> c:\windows\system32\DRIVERS\aticir.sys [?]
S3 CXFALCON;AVerMedia AVerTV Video Capture (Falcon);c:\windows\system32\drivers\AF2VCap.sys [12/4/2011 1:29 PM 220544]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys --> c:\windows\system32\drivers\Envy24HF.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-06-16 03:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.5.98
TCP: Interfaces\{0AFA378E-2C2D-4B74-9685-C627C8FA813F}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\f\Application Data\Mozilla\Firefox\Profiles\adtt6yem.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\documents and settings\j\Local Settings\Application Data\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{Stalker Complete 2009 v1.4.4}}_is1 - c:\documents and settings\All Users\Documents\STALKER-SHOC\Stalker Complete 2009\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 12:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-854245398-1275210071-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-854245398-1275210071-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(728)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-31 12:18:01
ComboFix-quarantined-files.txt 2012-01-31 18:17
.
Pre-Run: 326,818,983,936 bytes free
Post-Run: 326,772,379,648 bytes free
.
- - End Of File - - E5CC417D7F50DCE50D94D4C4FC43AAC5

This post has been edited by printerandink: 31 January 2012 - 01:26 PM

#6 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 31 January 2012 - 01:37 PM

I reran combo just to make sure of things. This time, even though avira was off it still asked me to approve the the program, but this time it was near the start up of combo and the first time (on this run of combo) I did not really look at the file I had to ad as trusted as it had combofix in it. But the second pop up had me approve of C:/combofix/sed.exe

for some reason.

Here's the new log.

ComboFix 12-01-30.02 - f 01/31/2012 12:28:42.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2844 [GMT -6:00]
Running from: c:\documents and settings\j\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: FireWall *Disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 17:08 . 2008-04-14 05:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-01-31 17:08 . 2008-04-14 05:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-08 23:23 . 2012-01-08 23:23 -------- d-----w- c:\documents and settings\f\Application Data\SUPERAntiSpyware.com
2012-01-08 23:11 . 2012-01-08 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-06-22 04:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 01:04 . 2011-10-11 22:01 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-02-28 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-22 03:44 . 2010-06-15 18:08 884736 ----a-w- c:\windows\system32\ati2cqag.dll
2011-11-22 03:43 . 2011-01-24 18:48 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-11-22 03:42 . 2011-01-24 18:48 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-11-22 03:42 . 2010-06-15 18:08 3953664 ----a-w- c:\windows\system32\ati3duag.dll
2011-11-22 03:38 . 2011-01-24 18:48 806912 ----a-w- c:\windows\system32\atikvmag.dll
2011-11-22 03:38 . 2011-01-24 18:48 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-11-22 03:36 . 2011-01-24 18:48 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-11-22 03:36 . 2010-06-15 18:08 3278848 ----a-w- c:\windows\system32\ativvaxx.dll
2011-11-22 03:34 . 2011-01-24 18:48 221184 ----a-w- c:\windows\system32\atiadlxx.dll
2011-11-22 03:34 . 2011-01-24 18:48 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-11-22 03:34 . 2010-06-15 18:08 304128 ----a-w- c:\windows\system32\ati2dvag.dll
2011-11-18 12:35 . 2006-02-28 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-02-28 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-02-28 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-02-28 12:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-02-28 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-31_18.16.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-31 18:22 . 2012-01-31 18:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-15 17:57 . 2012-01-31 18:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-06-15 17:57 . 2012-01-31 17:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-31 18:22 . 2012-01-31 18:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-06-15 17:57 . 2012-01-31 17:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-26 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sega classics\\SEGAGenesisClassics.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bastion demo\\Bastion.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\front mission evolved\\FrontMissionEvolved.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
.
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [10/11/2011 4:01 PM 111160]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/11/2011 4:01 PM 36000]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [10/11/2011 4:01 PM 616400]
R2 AntiVirMailService;Avira Mail Protection;c:\program files\Avira\AntiVir Desktop\avmailc.exe [10/11/2011 4:01 PM 342480]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/11/2011 4:01 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [10/11/2011 4:01 PM 463824]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [10/11/2011 4:01 PM 91096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys --> c:\windows\system32\drivers\AtihdXP3.sys [?]
S3 AtiIrRcvr;ATI Remote Receiver Service;c:\windows\system32\DRIVERS\aticir.sys --> c:\windows\system32\DRIVERS\aticir.sys [?]
S3 CXFALCON;AVerMedia AVerTV Video Capture (Falcon);c:\windows\system32\drivers\AF2VCap.sys [12/4/2011 1:29 PM 220544]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys --> c:\windows\system32\drivers\Envy24HF.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-06-16 03:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: Interfaces\{0AFA378E-2C2D-4B74-9685-C627C8FA813F}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\f\Application Data\Mozilla\Firefox\Profiles\adtt6yem.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\documents and settings\j\Local Settings\Application Data\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 12:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-854245398-1275210071-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-854245398-1275210071-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(728)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(928)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-31 12:32:53
ComboFix-quarantined-files.txt 2012-01-31 18:32
ComboFix2.txt 2012-01-31 18:18
.
Pre-Run: 326,778,830,848 bytes free
Post-Run: 326,765,154,304 bytes free
.
- - End Of File - - 748F9EE96EED3DDEE53A1A591DF6E90B

This post has been edited by printerandink: 31 January 2012 - 02:12 PM

#7 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,525
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 31 January 2012 - 05:32 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#8 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 31 January 2012 - 10:05 PM

21:02:30.0859 2484 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
21:02:30.0890 2484 ============================================================
21:02:30.0890 2484 Current date / time: 2012/01/31 21:02:30.0890
21:02:30.0890 2484 SystemInfo:
21:02:30.0890 2484
21:02:30.0890 2484 OS Version: 5.1.2600 ServicePack: 3.0
21:02:30.0890 2484 Product type: Workstation
21:02:30.0890 2484 ComputerName: V
21:02:30.0890 2484 UserName: f
21:02:30.0890 2484 Windows directory: C:\WINDOWS
21:02:30.0890 2484 System windows directory: C:\WINDOWS
21:02:30.0890 2484 Processor architecture: Intel x86
21:02:30.0890 2484 Number of processors: 2
21:02:30.0890 2484 Page size: 0x1000
21:02:30.0890 2484 Boot type: Normal boot
21:02:30.0890 2484 ============================================================
21:02:32.0468 2484 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
21:02:32.0468 2484 \Device\Harddisk0\DR0:
21:02:32.0468 2484 MBR used
21:02:32.0468 2484 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
21:02:32.0484 2484 Initialize success
21:02:32.0484 2484 ============================================================
21:02:41.0171 2672 ============================================================
21:02:41.0171 2672 Scan started
21:02:41.0171 2672 Mode: Manual;
21:02:41.0171 2672 ============================================================
21:02:41.0453 2672 Abiosdsk - ok
21:02:41.0468 2672 abp480n5 - ok
21:02:41.0515 2672 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:02:41.0515 2672 ACPI - ok
21:02:41.0546 2672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:02:41.0546 2672 ACPIEC - ok
21:02:41.0546 2672 adpu160m - ok
21:02:41.0593 2672 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:02:41.0593 2672 aec - ok
21:02:41.0640 2672 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
21:02:41.0640 2672 Afc - ok
21:02:41.0687 2672 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:02:41.0687 2672 AFD - ok
21:02:41.0687 2672 Aha154x - ok
21:02:41.0687 2672 aic78u2 - ok
21:02:41.0703 2672 aic78xx - ok
21:02:41.0703 2672 AliIde - ok
21:02:41.0718 2672 amsint - ok
21:02:41.0734 2672 asc - ok
21:02:41.0734 2672 asc3350p - ok
21:02:41.0750 2672 asc3550 - ok
21:02:41.0796 2672 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:02:41.0796 2672 AsyncMac - ok
21:02:41.0796 2672 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:02:41.0796 2672 atapi - ok
21:02:41.0812 2672 Atdisk - ok
21:02:42.0000 2672 ati2mtag (f27a0b0d1373d36d866f29b434b7aa92) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:02:42.0031 2672 ati2mtag - ok
21:02:42.0046 2672 ATIAVPCI - ok
21:02:42.0046 2672 AtiHDAudioService - ok
21:02:42.0062 2672 AtiIrRcvr - ok
21:02:42.0109 2672 atksgt (3c4b9850a2631c2263507400d029057b) C:\WINDOWS\system32\DRIVERS\atksgt.sys
21:02:42.0109 2672 atksgt - ok
21:02:42.0125 2672 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:02:42.0140 2672 Atmarpc - ok
21:02:42.0156 2672 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:02:42.0156 2672 audstub - ok
21:02:42.0171 2672 avfwim (83d71e1911f235e9c0d2f53d54df3129) C:\WINDOWS\system32\DRIVERS\avfwim.sys
21:02:42.0171 2672 avfwim - ok
21:02:42.0203 2672 avfwot (ae0c5d218e815af8f38670a8c5773e6e) C:\WINDOWS\system32\DRIVERS\avfwot.sys
21:02:42.0203 2672 avfwot - ok
21:02:42.0203 2672 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
21:02:42.0203 2672 avgntflt - ok
21:02:42.0218 2672 avipbb (475fbb85956534720858ae72010c0a43) C:\WINDOWS\system32\DRIVERS\avipbb.sys
21:02:42.0218 2672 avipbb - ok
21:02:42.0218 2672 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
21:02:42.0218 2672 avkmgr - ok
21:02:42.0234 2672 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:02:42.0234 2672 Beep - ok
21:02:42.0312 2672 catchme - ok
21:02:42.0328 2672 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:02:42.0328 2672 cbidf2k - ok
21:02:42.0343 2672 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:02:42.0343 2672 CCDECODE - ok
21:02:42.0359 2672 cd20xrnt - ok
21:02:42.0359 2672 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:02:42.0359 2672 Cdaudio - ok
21:02:42.0375 2672 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:02:42.0375 2672 Cdfs - ok
21:02:42.0390 2672 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:02:42.0390 2672 Cdrom - ok
21:02:42.0390 2672 Changer - ok
21:02:42.0406 2672 CmdIde - ok
21:02:42.0421 2672 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:02:42.0421 2672 Compbatt - ok
21:02:42.0437 2672 Cpqarray - ok
21:02:42.0468 2672 CXFALCON (a54b388c7549bf04eeff1fc82ed8e186) C:\WINDOWS\system32\drivers\AF2VCap.sys
21:02:42.0468 2672 CXFALCON - ok
21:02:42.0484 2672 dac2w2k - ok
21:02:42.0484 2672 dac960nt - ok
21:02:42.0500 2672 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:02:42.0500 2672 Disk - ok
21:02:42.0531 2672 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:02:42.0546 2672 dmboot - ok
21:02:42.0578 2672 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:02:42.0578 2672 dmio - ok
21:02:42.0593 2672 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:02:42.0593 2672 dmload - ok
21:02:42.0625 2672 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:02:42.0640 2672 DMusic - ok
21:02:42.0640 2672 dpti2o - ok
21:02:42.0656 2672 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:02:42.0656 2672 drmkaud - ok
21:02:42.0671 2672 Envy24HFS - ok
21:02:42.0687 2672 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:02:42.0703 2672 Fastfat - ok
21:02:42.0703 2672 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:02:42.0703 2672 Fdc - ok
21:02:42.0718 2672 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:02:42.0718 2672 Fips - ok
21:02:42.0718 2672 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:02:42.0718 2672 Flpydisk - ok
21:02:42.0734 2672 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:02:42.0734 2672 FltMgr - ok
21:02:42.0750 2672 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:02:42.0750 2672 Fs_Rec - ok
21:02:42.0750 2672 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:02:42.0750 2672 Ftdisk - ok
21:02:42.0765 2672 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:02:42.0765 2672 Gpc - ok
21:02:42.0796 2672 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:02:42.0796 2672 HDAudBus - ok
21:02:42.0812 2672 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
21:02:42.0812 2672 HidBatt - ok
21:02:42.0859 2672 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:02:42.0859 2672 hidusb - ok
21:02:42.0859 2672 hpn - ok
21:02:42.0906 2672 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:02:42.0906 2672 HTTP - ok
21:02:42.0921 2672 i2omgmt - ok
21:02:42.0921 2672 i2omp - ok
21:02:42.0937 2672 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:02:42.0937 2672 Imapi - ok
21:02:42.0937 2672 ini910u - ok
21:02:42.0953 2672 IntelIde - ok
21:02:42.0984 2672 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:02:42.0984 2672 Ip6Fw - ok
21:02:43.0015 2672 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:02:43.0015 2672 IpFilterDriver - ok
21:02:43.0031 2672 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:02:43.0031 2672 IpInIp - ok
21:02:43.0062 2672 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:02:43.0062 2672 IpNat - ok
21:02:43.0062 2672 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:02:43.0062 2672 IPSec - ok
21:02:43.0093 2672 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:02:43.0093 2672 IRENUM - ok
21:02:43.0109 2672 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:02:43.0109 2672 isapnp - ok
21:02:43.0109 2672 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:02:43.0109 2672 Kbdclass - ok
21:02:43.0109 2672 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:02:43.0109 2672 kbdhid - ok
21:02:43.0125 2672 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:02:43.0140 2672 kmixer - ok
21:02:43.0140 2672 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:02:43.0140 2672 KSecDD - ok
21:02:43.0156 2672 lbrtfdc - ok
21:02:43.0187 2672 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
21:02:43.0187 2672 lirsgt - ok
21:02:43.0218 2672 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:02:43.0218 2672 mnmdd - ok
21:02:43.0234 2672 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:02:43.0234 2672 Modem - ok
21:02:43.0250 2672 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:02:43.0250 2672 Mouclass - ok
21:02:43.0265 2672 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:02:43.0265 2672 mouhid - ok
21:02:43.0265 2672 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:02:43.0265 2672 MountMgr - ok
21:02:43.0296 2672 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
21:02:43.0296 2672 MPE - ok
21:02:43.0296 2672 mraid35x - ok
21:02:43.0312 2672 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:02:43.0328 2672 MRxDAV - ok
21:02:43.0375 2672 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:02:43.0375 2672 MRxSmb - ok
21:02:43.0390 2672 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:02:43.0390 2672 Msfs - ok
21:02:43.0406 2672 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:02:43.0406 2672 MSKSSRV - ok
21:02:43.0421 2672 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:02:43.0421 2672 MSPCLOCK - ok
21:02:43.0421 2672 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:02:43.0437 2672 MSPQM - ok
21:02:43.0453 2672 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:02:43.0453 2672 mssmbios - ok
21:02:43.0484 2672 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
21:02:43.0484 2672 MSTEE - ok
21:02:43.0500 2672 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:02:43.0500 2672 Mup - ok
21:02:43.0515 2672 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:02:43.0531 2672 NABTSFEC - ok
21:02:43.0531 2672 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:02:43.0531 2672 NDIS - ok
21:02:43.0562 2672 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:02:43.0562 2672 NdisIP - ok
21:02:43.0578 2672 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:02:43.0578 2672 NdisTapi - ok
21:02:43.0609 2672 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:02:43.0609 2672 Ndisuio - ok
21:02:43.0609 2672 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:02:43.0609 2672 NdisWan - ok
21:02:43.0640 2672 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:02:43.0640 2672 NDProxy - ok
21:02:43.0640 2672 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:02:43.0640 2672 NetBIOS - ok
21:02:43.0671 2672 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:02:43.0671 2672 NetBT - ok
21:02:43.0687 2672 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:02:43.0687 2672 Npfs - ok
21:02:43.0718 2672 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:02:43.0718 2672 Ntfs - ok
21:02:43.0750 2672 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:02:43.0750 2672 Null - ok
21:02:43.0765 2672 NVENETFD (85f2ffe9aa05487c7e48503b0c336d70) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
21:02:43.0765 2672 NVENETFD - ok
21:02:43.0781 2672 nvgts (619d8943725402d1179941fd58574cc8) C:\WINDOWS\system32\DRIVERS\nvgts.sys
21:02:43.0781 2672 nvgts - ok
21:02:43.0796 2672 nvnetbus (683ed64f70cb63c8ea84657e45a66974) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
21:02:43.0796 2672 nvnetbus - ok
21:02:43.0828 2672 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:02:43.0828 2672 NwlnkFlt - ok
21:02:43.0859 2672 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:02:43.0859 2672 NwlnkFwd - ok
21:02:43.0875 2672 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
21:02:43.0875 2672 Parport - ok
21:02:43.0875 2672 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:02:43.0875 2672 PartMgr - ok
21:02:43.0890 2672 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:02:43.0890 2672 ParVdm - ok
21:02:43.0906 2672 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:02:43.0906 2672 PCI - ok
21:02:43.0906 2672 PCIDump - ok
21:02:43.0937 2672 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:02:43.0937 2672 PCIIde - ok
21:02:43.0953 2672 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:02:43.0968 2672 Pcmcia - ok
21:02:43.0968 2672 PDCOMP - ok
21:02:43.0968 2672 PDFRAME - ok
21:02:43.0984 2672 PDRELI - ok
21:02:43.0984 2672 PDRFRAME - ok
21:02:44.0000 2672 perc2 - ok
21:02:44.0000 2672 perc2hib - ok
21:02:44.0031 2672 Point32 (896d916de06f5502d301e8c4dc442ae8) C:\WINDOWS\system32\DRIVERS\point32.sys
21:02:44.0046 2672 Point32 - ok
21:02:44.0046 2672 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:02:44.0046 2672 PptpMiniport - ok
21:02:44.0062 2672 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
21:02:44.0062 2672 Processor - ok
21:02:44.0062 2672 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:02:44.0062 2672 PSched - ok
21:02:44.0078 2672 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:02:44.0078 2672 Ptilink - ok
21:02:44.0078 2672 ql1080 - ok
21:02:44.0093 2672 Ql10wnt - ok
21:02:44.0093 2672 ql12160 - ok
21:02:44.0093 2672 ql1240 - ok
21:02:44.0109 2672 ql1280 - ok
21:02:44.0109 2672 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:02:44.0109 2672 RasAcd - ok
21:02:44.0125 2672 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:02:44.0125 2672 Rasl2tp - ok
21:02:44.0125 2672 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:02:44.0125 2672 RasPppoe - ok
21:02:44.0140 2672 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:02:44.0140 2672 Raspti - ok
21:02:44.0140 2672 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:02:44.0140 2672 Rdbss - ok
21:02:44.0156 2672 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:02:44.0156 2672 RDPCDD - ok
21:02:44.0156 2672 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:02:44.0156 2672 rdpdr - ok
21:02:44.0203 2672 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:02:44.0203 2672 RDPWD - ok
21:02:44.0218 2672 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:02:44.0218 2672 redbook - ok
21:02:44.0250 2672 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:02:44.0250 2672 Secdrv - ok
21:02:44.0265 2672 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:02:44.0265 2672 serenum - ok
21:02:44.0265 2672 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
21:02:44.0265 2672 Serial - ok
21:02:44.0328 2672 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:02:44.0328 2672 Sfloppy - ok
21:02:44.0359 2672 SilverLink (392834adb35deb199b03ae6a6caab23a) C:\WINDOWS\system32\Drivers\SilvrLnk.sys
21:02:44.0359 2672 SilverLink - ok
21:02:44.0359 2672 Simbad - ok
21:02:44.0390 2672 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:02:44.0390 2672 SLIP - ok
21:02:44.0406 2672 Sparrow - ok
21:02:44.0437 2672 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:02:44.0437 2672 splitter - ok
21:02:44.0453 2672 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:02:44.0453 2672 sr - ok
21:02:44.0500 2672 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
21:02:44.0500 2672 ssmdrv - ok
21:02:44.0515 2672 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:02:44.0515 2672 streamip - ok
21:02:44.0531 2672 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:02:44.0531 2672 swenum - ok
21:02:44.0546 2672 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:02:44.0562 2672 swmidi - ok
21:02:44.0562 2672 symc810 - ok
21:02:44.0578 2672 symc8xx - ok
21:02:44.0578 2672 sym_hi - ok
21:02:44.0578 2672 sym_u3 - ok
21:02:44.0609 2672 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:02:44.0609 2672 sysaudio - ok
21:02:44.0671 2672 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:02:44.0671 2672 Tcpip - ok
21:02:44.0703 2672 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:02:44.0703 2672 TDPIPE - ok
21:02:44.0718 2672 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:02:44.0718 2672 TDTCP - ok
21:02:44.0734 2672 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:02:44.0734 2672 TermDD - ok
21:02:44.0750 2672 TosIde - ok
21:02:44.0765 2672 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:02:44.0781 2672 Udfs - ok
21:02:44.0781 2672 ultra - ok
21:02:44.0812 2672 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:02:44.0812 2672 Update - ok
21:02:44.0843 2672 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
21:02:44.0843 2672 usbaudio - ok
21:02:44.0890 2672 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:02:44.0890 2672 usbccgp - ok
21:02:44.0890 2672 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:02:44.0890 2672 usbehci - ok
21:02:44.0906 2672 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:02:44.0906 2672 usbhub - ok
21:02:44.0906 2672 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:02:44.0906 2672 usbohci - ok
21:02:44.0937 2672 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:02:44.0937 2672 usbprint - ok
21:02:44.0984 2672 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:02:44.0984 2672 usbscan - ok
21:02:45.0015 2672 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:02:45.0015 2672 USBSTOR - ok
21:02:45.0015 2672 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:02:45.0015 2672 VgaSave - ok
21:02:45.0031 2672 ViaIde - ok
21:02:45.0031 2672 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:02:45.0031 2672 VolSnap - ok
21:02:45.0062 2672 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:02:45.0062 2672 Wanarp - ok
21:02:45.0109 2672 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
21:02:45.0109 2672 Wdf01000 - ok
21:02:45.0109 2672 WDICA - ok
21:02:45.0140 2672 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:02:45.0140 2672 wdmaud - ok
21:02:45.0171 2672 WmBEnum (5d410936831f7fb58eff941eac3f6d3d) C:\WINDOWS\system32\drivers\WmBEnum.sys
21:02:45.0171 2672 WmBEnum - ok
21:02:45.0187 2672 WmFilter (7a13cfde92956ca61a0927d766c5ad4f) C:\WINDOWS\system32\drivers\WmFilter.sys
21:02:45.0203 2672 WmFilter - ok
21:02:45.0218 2672 WmVirHid (6f04646bc690f8bbfc344be32a60796d) C:\WINDOWS\system32\drivers\WmVirHid.sys
21:02:45.0218 2672 WmVirHid - ok
21:02:45.0234 2672 WmXlCore (1d6ca43d562333f4dfb40bcef2453f3a) C:\WINDOWS\system32\drivers\WmXlCore.sys
21:02:45.0234 2672 WmXlCore - ok
21:02:45.0250 2672 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:02:45.0250 2672 WS2IFSL - ok
21:02:45.0281 2672 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:02:45.0296 2672 WSTCODEC - ok
21:02:45.0312 2672 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:02:45.0328 2672 WudfPf - ok
21:02:45.0343 2672 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:02:45.0343 2672 WudfRd - ok
21:02:45.0359 2672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:02:45.0484 2672 \Device\Harddisk0\DR0 - ok
21:02:45.0484 2672 Boot (0x1200) (0fbe19ac656f9cf8e0d46719d7b62434) \Device\Harddisk0\DR0\Partition0
21:02:45.0484 2672 \Device\Harddisk0\DR0\Partition0 - ok
21:02:45.0484 2672 ============================================================
21:02:45.0484 2672 Scan finished
21:02:45.0484 2672 ============================================================
21:02:45.0500 2464 Detected object count: 0
21:02:45.0500 2464 Actual detected object count: 0

#9 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,525
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 31 January 2012 - 10:22 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.

Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

<-- Don't worry every little bit helps.

#10 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 31 January 2012 - 10:39 PM

Should I run these as admin or just straight from my limited account? (I really don't use the admin account much and never on the net.)

This post has been edited by printerandink: 31 January 2012 - 10:40 PM

#11 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 01 February 2012 - 01:51 AM

I tried it in limited mode and got this.

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-31 21:40:08
-----------------------------
21:40:08.000 OS Version: Windows 5.1.2600 Service Pack 3
21:40:08.000 Number of processors: 2 586 0x4303
21:40:08.000
21:40:08.015 Initialze error C0000061 - driver not loaded
21:45:06.906 AVAST engine defs: 12013100
21:45:34.546 Service scanning
21:45:35.375 Modules scanning
21:45:35.375 Disk 0 trace - called modules:
21:45:35.375
21:45:35.375 AVAST engine scan C:\
21:45:35.375 Scan finished successfully
21:45:55.796 The log file has been saved successfully to "C:\Documents and Settings\j\Desktop\aswMBR # 1.txt"

Running as admin I got this.

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-31 21:46:28
-----------------------------
21:46:28.750 OS Version: Windows 5.1.2600 Service Pack 3
21:46:28.750 Number of processors: 2 586 0x4303
21:46:28.750
21:46:29.812 Initialize success
21:58:11.093 AVAST engine defs: 12012600
22:00:36.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0
22:00:36.218 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
22:00:36.218 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b7ecb40e
22:00:36.234 Disk 0 MBR read successfully
22:00:36.234 Disk 0 MBR scan
22:00:36.281 Disk 0 Windows XP default MBR code
22:00:36.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
22:00:36.281 Disk 0 scanning sectors +976752000
22:00:36.343 Disk 0 scanning C:\WINDOWS\system32\drivers
22:00:44.937 Service scanning
22:00:45.812 Modules scanning
22:00:48.703 Disk 0 trace - called modules:
22:00:48.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
22:00:49.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7d1ab8]
22:00:49.062 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8a712700]
22:00:49.062 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port2Path1Target1Lun0[0x8a754030]
22:00:50.015 AVAST engine scan C:\
00:08:50.531 Scan finished successfully
00:17:37.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\j\Desktop\MBR.dat"
00:17:37.906 The log file has been saved successfully to "C:\Documents and Settings\j\Desktop\aswMBR # 2.txt"

TR/Crypt.XPACK.Gen was found repeatedly by avira while I ran this.

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,525
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 01 February 2012 - 08:31 AM

Hello

Quote

TR/Crypt.XPACK.Gen was found repeatedly by avira while I ran this.

can you give me the location that it is finding it at?

gringo

<-- Don't worry every little bit helps.

#13 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 01 February 2012 - 02:26 PM

in order from first to last

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp261753251.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp254726804.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp79237763.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp415960.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp194727694.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp235146969.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp212441417.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp42649405.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp139972390.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp139972390.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp139972390.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp139972390.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp139972390.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp142173991.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp142173991.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp142173991.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp142173991.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp142173991.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp160625839.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp160625839.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp160625839.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp160625839.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp160625839.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp250518898.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp250518898.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp250518898.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp250518898.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp250518898.tmp.
Action performed: Deny access

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp142173991.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '4d52676a.qua'.

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp160625839.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '4d526201.qua'.

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp250518898.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '4d526768.qua'.

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp125102435.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp125102435.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp125102435.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp125102435.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp125102435.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp115288535.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp115288535.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp115288535.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp115288535.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp115288535.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp60183127.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp60183127.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp60183127.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp60183127.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp60183127.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp245942632.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp245942632.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp245942632.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp245942632.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp245942632.tmp.
Action performed: Deny access

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp115288535.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '61ad59bf.qua'.

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp125102435.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '079a167d.qua'.

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp60183127.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '4d526332.qua'.

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp245942632.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '55c54c95.qua'.

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp139972390.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '4d5266b8.qua'.

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp228573195.tmp.
Action performed: Transfer to Scanner

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp228573195.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp228573195.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp228573195.tmp.
Action performed: Deny access

The file 'C:\Documents and Settings\f\Local Settings\temp\_avast4_\unp228573195.tmp'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '4d527634.qua'.

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,525
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 01 February 2012 - 02:57 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Folder::
'C:\Documents and Settings\f\Local Settings\temp\_avast4_

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#15 printerandink

Forum Regular

Group: Members
Posts: 190
Joined: 03-January 12

Posted 01 February 2012 - 09:26 PM

Something was detected when I started this up. I'll have to go back into my other account and get it.

I could not run as and had to use my admin account directly. My limited account was left running although I was not logged into it.

ComboFix 12-01-30.02 - f 02/01/2012 19:52:19.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2731 [GMT -6:00]
Running from: c:\documents and settings\All Users\Documents\ComboFix.exe
Command switches used :: c:\documents and settings\f\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: FireWall *Disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-02-02 01:50 . 2012-02-02 01:51 -------- d-----w- C:\32788R22FWJFW
2012-01-31 17:08 . 2008-04-14 05:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-01-31 17:08 . 2008-04-14 05:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-08 23:23 . 2012-01-08 23:23 -------- d-----w- c:\documents and settings\f\Application Data\SUPERAntiSpyware.com
2012-01-08 23:11 . 2012-01-08 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-06-22 04:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 01:04 . 2011-10-11 22:01 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-25 21:57 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-02-28 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-22 03:44 . 2010-06-15 18:08 884736 ----a-w- c:\windows\system32\ati2cqag.dll
2011-11-22 03:43 . 2011-01-24 18:48 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-11-22 03:42 . 2011-01-24 18:48 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-11-22 03:42 . 2010-06-15 18:08 3953664 ----a-w- c:\windows\system32\ati3duag.dll
2011-11-22 03:38 . 2011-01-24 18:48 806912 ----a-w- c:\windows\system32\atikvmag.dll
2011-11-22 03:38 . 2011-01-24 18:48 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-11-22 03:36 . 2011-01-24 18:48 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-11-22 03:36 . 2010-06-15 18:08 3278848 ----a-w- c:\windows\system32\ativvaxx.dll
2011-11-22 03:34 . 2011-01-24 18:48 221184 ----a-w- c:\windows\system32\atiadlxx.dll
2011-11-22 03:34 . 2011-01-24 18:48 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-11-22 03:34 . 2010-06-15 18:08 304128 ----a-w- c:\windows\system32\ati2dvag.dll
2011-11-18 12:35 . 2006-02-28 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-02-28 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-02-28 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-31_18.16.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-31 18:22 . 2012-02-01 19:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-15 17:57 . 2012-02-01 19:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-06-15 17:57 . 2012-01-31 17:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-31 18:22 . 2012-02-01 19:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-06-15 17:57 . 2012-01-31 17:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-26 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sega classics\\SEGAGenesisClassics.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bastion demo\\Bastion.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\front mission evolved\\FrontMissionEvolved.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
.
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [10/11/2011 4:01 PM 111160]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/11/2011 4:01 PM 36000]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [10/11/2011 4:01 PM 616400]
R2 AntiVirMailService;Avira Mail Protection;c:\program files\Avira\AntiVir Desktop\avmailc.exe [10/11/2011 4:01 PM 342480]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/11/2011 4:01 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [10/11/2011 4:01 PM 463824]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [10/11/2011 4:01 PM 91096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys --> c:\windows\system32\drivers\AtihdXP3.sys [?]
S3 AtiIrRcvr;ATI Remote Receiver Service;c:\windows\system32\DRIVERS\aticir.sys --> c:\windows\system32\DRIVERS\aticir.sys [?]
S3 CXFALCON;AVerMedia AVerTV Video Capture (Falcon);c:\windows\system32\drivers\AF2VCap.sys [12/4/2011 1:29 PM 220544]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys --> c:\windows\system32\drivers\Envy24HF.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-06-16 03:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: Interfaces\{0AFA378E-2C2D-4B74-9685-C627C8FA813F}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\f\Application Data\Mozilla\Firefox\Profiles\adtt6yem.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\documents and settings\j\Local Settings\Application Data\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-01 19:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-854245398-1275210071-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-854245398-1275210071-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'winlogon.exe'(1424)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(728)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-01 20:00:22
ComboFix-quarantined-files.txt 2012-02-02 02:00
ComboFix2.txt 2012-01-31 18:32
ComboFix3.txt 2012-01-31 18:18
.
Pre-Run: 326,113,787,904 bytes free
Post-Run: 326,309,756,928 bytes free
.
- - End Of File - - 92BC5215B6D0299E39C9034AFF395AF0