Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Svchost and google redirect vireu


  • This topic is locked This topic is locked
45 replies to this topic

#1 macker1965

macker1965

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 28 April 2011 - 03:01 PM

Hello,

This is my first post to this site and can I in advance thank anybody who may be able to help me. You guys and gals are terrific in helping us clueless victims of these malware sh1ts

I believe I have picked up the google redirect virus and some sort of svchost bug. The google redirects are from firefox and explorer though not in safe mode. I ran malwarebytes which picked up some stuff which i removed but virus remains. I have also run hitmanpro which didnt pick up anything. My machine has crashed a number of times with a blue screen of death and always crashes when I close down the pc. ?I have AVG free and Avast running which have been constantly flagging up threats. Avast gives threat detected messages every 10 mins naming svchost.exe

I have run DDS as suggested in the prep stuff and attach the log below. Anay help appreciated and thank you again in advance.

Kevin


.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Main User at 20:50:03.55 on 28/04/2011
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1788.1078 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Main User\Downloads\Defogger.exe
C:\Users\Main User\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=wbbmiMpBFGuUCAKbUzAyRQ
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TouchPadHotKey] c:\program files\fsc\touchpad hotkey utility\TouchPad_HotKey.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Skytel] Skytel.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\fsc\wireless utility\WirelessSelector.exe
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mainus~1\appdata\roaming\mozilla\firefox\profiles\86iuu073.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/macker1965
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc887a0&v=6.103.018.001&i=23&tp=ab&iy=b&ychte=uk&lng=en-GB&q=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\main user\appdata\roaming\mozilla\firefox\profiles\86iuu073.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\main user\appdata\roaming\mozilla\firefox\profiles\86iuu073.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\main user\appdata\roaming\mozilla\firefox\profiles\86iuu073.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=6.103.018.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-10 64160]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-5-2 48128]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-21 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-21 307288]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-21 19544]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-4-21 53592]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-21 42184]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-27 517448]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\aldi photo service\common\database\bin\fbserver.exe [2009-7-8 1527900]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2007-6-19 81832]
S3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2008-1-16 456056]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-25 19:24:26 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-25 19:22:56 -------- d-----w- c:\progra~2\Hitman Pro
2011-04-22 19:57:57 -------- d-----w- c:\users\mainus~1\appdata\roaming\Malwarebytes
2011-04-22 19:57:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 19:57:32 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-22 19:57:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 19:57:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 20:23:14 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-21 20:23:13 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-21 20:22:18 40112 ----a-w- c:\windows\avastSS.scr
2011-04-21 20:21:38 -------- d-----w- c:\program files\AVAST Software
2011-04-21 20:21:38 -------- d-----w- c:\progra~2\AVAST Software
2011-04-21 19:12:49 -------- d-----w- c:\progra~2\STOPzilla!
2011-04-20 19:39:43 -------- d-----w- c:\users\mainus~1\appdata\roaming\xacszajonnnu2jlc3gfqpqhujqnkjllx2
2011-04-20 19:38:38 -------- d-----w- c:\users\mainus~1\appdata\roaming\Ubqaw
2011-04-20 19:38:38 -------- d-----w- c:\users\mainus~1\appdata\roaming\Qenid
2011-04-20 19:11:52 -------- d-----w- c:\users\mainus~1\appdata\roaming\qfpgf1zgcqjmvpttjadfqjcos3xnj332
2011-04-14 20:50:18 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-14 20:50:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-14 20:48:28 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 20:48:26 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 20:48:11 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 20:48:07 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 20:47:59 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-14 20:47:58 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-14 20:47:26 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-14 20:47:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-14 20:47:23 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-14 20:45:53 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-14 20:45:53 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-14 20:44:42 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 20:44:11 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 20:43:39 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-14 20:36:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-02-22 06:21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 20:52:29.51 ===============

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:01 PM

Posted 30 April 2011 - 11:09 PM

Hi,

Please do the following:

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 05 May 2011 - 10:46 AM

Thanks for the reply .... aswMBR scanlog attached below
Cheers, macker1965


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-05 16:42:39
-----------------------------
16:42:39.723 OS Version: Windows 6.0.6001 Service Pack 1
16:42:39.723 Number of processors: 1 586 0x1601
16:42:39.725 ComputerName: BROADCALLLAPTOP UserName: Main User
16:42:46.992 Initialize success
16:42:52.362 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
16:42:52.366 Disk 0 Vendor: Hitachi_HTS543216L9A300 FB2OC40C Size: 152627MB BusType: 3
16:42:54.370 Disk 0 MBR read successfully
16:42:54.374 Disk 0 MBR scan
16:42:54.388 Disk 0 TDL4@MBR code has been found
16:42:54.391 Disk 0 MBR hidden
16:42:54.395 Disk 0 MBR [TDL4] **ROOTKIT**
16:42:54.404 Disk 0 trace - called modules:
16:42:54.409 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x862534f0]<<
16:42:54.413 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85bb7888]
16:42:54.424 3 CLASSPNP.SYS[879c2745] -> nt!IofCallDriver -> [0x85409918]
16:42:54.429 5 acpi.sys[826946a0] -> nt!IofCallDriver -> [0x8541c538]
16:42:54.439 \Driver\atapi[0x86239e48] -> IRP_MJ_CREATE -> 0x862534f0
16:42:54.444 Scan finished successfully
16:43:31.155 Disk 0 MBR has been saved successfully to "C:\Users\Main User\Documents\MBR.dat"
16:43:31.161 The log file has been saved successfully to "C:\Users\Main User\Documents\aswMBR.txt"

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:01 PM

Posted 05 May 2011 - 03:58 PM

Hi,

Please do the following

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 10 May 2011 - 07:36 AM

Hi Catbyte

Thank you for your assistance again and apologies for the delay in replying. I was in Ireland at the weekend. I have run the combofix as instructed. It ran then popped up that a rootkit had been foud and it needed to reboot the computer. When closing down my PC crashed with a bluescreen error. the message stated that it was an I/O error. This has happened every time I shut down since the malware infection. I restarted and looked for a combofix log but could not find anything. I then restarted Combofix and it ran as previously popping up the same message about rootkit and saying it needed to restart. It again closed down the laptop and again crashed with an oi/o error however I cannot now restart as it goes into boot up repaiir mode and asks me to insert a Cindows Vists disk which I have lost.

This does not sound good. What do you recommend?

Kevin

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:01 PM

Posted 10 May 2011 - 11:25 AM

Hi

Please do the following:


Verify that you can access the Recovery Environment

To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.

If the option Repair your computer is available, select it.

Select a language, a keyboard or an input method, and then click Next

It will ask for a password > if you have one > enter it now, or just hit OK if you don't have one.

(If Recovery Environment is not preinstalled, you will need to insert your installation DVD and restart, then press any key when prompted to boot from the CD. If you cannot locate your CD, try and borrow one, we just need it to access the Recovery Environment

At the Install Windows screen, select Repair your computer )


In the System Recovery Options dialog box, click Command Prompt

Type bootrec /fixmbr and then press ENTER

You should see "The operation completed successfully"

Type EXIT at the command prompt, then select the RESTART button to reboot your system normally.

Edited by CatByte, 10 May 2011 - 11:26 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 13 May 2011 - 04:24 PM

Hi Catbyte

Thanks for the instructions above. It has gotten me back online again (in Safe Mode only) When I try to restart normally Windows starts but then reboots before fully loaded. I can only complete boot process in safe mode.

In safe mode I have managed to run combofix again. It deleted some files and produced a log which I attach below. I await your further advices. Thanks again, Kevin

ComboFix 11-05-06.05 - Main User 13/05/2011 14:14:52.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1788.1375 [GMT 1:00]
Running from: c:\users\Main User\Desktop\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Main User\AppData\Roaming\igfxtray.dat
c:\users\Main User\AppData\Roaming\igxpdv32.dat
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
.
.
2011-05-13 13:17 . 2011-05-13 13:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-13 13:17 . 2011-05-13 13:18 -------- d-----w- c:\users\Main User\AppData\Local\temp
2011-04-25 19:24 . 2011-04-25 19:24 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-25 19:22 . 2011-04-25 19:22 -------- d-----w- c:\programdata\Hitman Pro
2011-04-22 19:57 . 2011-04-22 19:57 -------- d-----w- c:\users\Main User\AppData\Roaming\Malwarebytes
2011-04-22 19:57 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 19:57 . 2011-04-22 19:57 -------- d-----w- c:\programdata\Malwarebytes
2011-04-22 19:57 . 2011-04-25 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 19:57 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 20:23 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-21 20:23 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-21 20:23 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-21 20:23 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-21 20:23 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-21 20:23 . 2011-04-18 17:13 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-21 20:22 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-21 20:22 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-21 20:21 . 2011-04-21 20:21 -------- d-----w- c:\programdata\AVAST Software
2011-04-21 20:21 . 2011-04-21 20:21 -------- d-----w- c:\program files\AVAST Software
2011-04-21 19:12 . 2011-04-22 06:34 -------- d-----w- c:\programdata\STOPzilla!
2011-04-20 19:39 . 2011-04-20 20:03 -------- d-----w- c:\users\Main User\AppData\Roaming\xacszajonnnu2jlc3gfqpqhujqnkjllx2
2011-04-20 19:38 . 2011-04-20 20:02 -------- d-----w- c:\users\Main User\AppData\Roaming\Qenid
2011-04-20 19:38 . 2011-04-20 19:38 -------- d-----w- c:\users\Main User\AppData\Roaming\Ubqaw
2011-04-20 19:11 . 2011-04-20 20:02 -------- d-----w- c:\users\Main User\AppData\Roaming\qfpgf1zgcqjmvpttjadfqjcos3xnj332
2011-04-14 20:50 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-14 20:50 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-14 20:48 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 20:48 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 20:48 . 2011-02-22 12:52 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 20:48 . 2011-02-22 12:52 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 20:47 . 2011-02-22 12:51 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-14 20:47 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-14 20:47 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-14 20:47 . 2011-02-18 13:31 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-14 20:47 . 2011-02-18 13:31 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-14 20:45 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-14 20:45 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-14 20:44 . 2011-03-03 12:53 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 20:44 . 2011-03-03 15:00 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 20:43 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-14 20:36 . 2011-03-03 10:49 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 21:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 4493312]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-26 185632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WirelessSelector.lnk - c:\program files\FSC\Wireless Utility\WirelessSelector.exe [2007-10-26 650752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-01 20:29 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Photo Service]
2007-09-12 14:30 1171456 ----a-w- c:\program files\ALDI Photo Service\ALDI_Photo_Service\FotoSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-21 23:28 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDtoiPodConverter_upgrade]
2009-12-29 11:16 924672 ----a-w- c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 20:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 17:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2010-02-05 13:45 385856 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-06-15 16:45 1826816 ----a-w- c:\windows\SkyTel.exe
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-04-18 53592]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 136176]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\ALDI Photo Service\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 136176]
R3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\DRIVERS\s816bus.sys [2007-06-19 81832]
R3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-07-02 456056]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2008-05-02 48128]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-08-10 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-01 1029456]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4747be28-c427-11dc-9e72-806e6f6e6963}]
\shell\AutoRun\command - D:\start.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1dd5402-83d4-11dc-b31f-f7c3b438f854}]
\shell\AutoRun\command - e:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:29]
.
2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 07:02]
.
2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 07:02]
.
2011-05-07 c:\windows\Tasks\User_Feed_Synchronization-{77B4EFA6-1904-46E3-8538-7CA884C0836F}.job
- c:\windows\system32\msfeedssync.exe [2011-04-14 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=wbbmiMpBFGuUCAKbUzAyRQ
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\Main User\AppData\Roaming\Mozilla\Firefox\Profiles\86iuu073.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/macker1965
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc887a0&v=6.103.018.001&i=23&tp=ab&iy=b&ychte=uk&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-13 14:18
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PEVSystemStart]
"ImagePath"="\"c:\combofix\PEV.cfxxe\" EXEC /i \"c:\combofix\HIDEC.exe\" \"c:\combofix\SWREG.EXE\" ACL \"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep\" /RESET /Q"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1344)
c:\program files\SmartFTP Client\sfShellTools.dll
.
Completion time: 2011-05-13 14:21:10
ComboFix-quarantined-files.txt 2011-05-13 13:20
.
Pre-Run: 34,443,067,392 bytes free
Post-Run: 35,294,445,568 bytes free
.
- - End Of File - - 30AB4AD70CBE5CE3C0BF6A2399428A60

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:01 PM

Posted 13 May 2011 - 04:39 PM

Hi,

Continue working in safe mode with networking till the machine stabilizes

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

Folder::
c:\users\Main User\AppData\Roaming\xacszajonnnu2jlc3gfqpqhujqnkjllx2
c:\users\Main User\AppData\Roaming\Qenid
c:\users\Main User\AppData\Roaming\Ubqaw
c:\users\Main User\AppData\Roaming\qfpgf1zgcqjmvpttjadfqjcos3xnj332

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4747be28-c427-11dc-9e72-806e6f6e6963}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1dd5402-83d4-11dc-b31f-f7c3b438f854}]

DDS::
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=wbbmiMpBFGuUCAKbUzAyRQ

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


now boot into normal mode and see if it is OK

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 15 May 2011 - 10:37 AM

Hi Catbyte

I completed your instructions with the text file and reran Combofix. It ran and deleted some files and directories. It then rebooted. However I could not find any logfile. I then downloaded TSSkiller and ran it. It found no threats.

Log from TDSSKiller

2011/05/15 16:32:18.0243 0420 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/15 16:32:18.0726 0420 ================================================================================
2011/05/15 16:32:18.0726 0420 SystemInfo:
2011/05/15 16:32:18.0726 0420
2011/05/15 16:32:18.0726 0420 OS Version: 6.0.6001 ServicePack: 1.0
2011/05/15 16:32:18.0726 0420 Product type: Workstation
2011/05/15 16:32:18.0726 0420 ComputerName: BROADCALLLAPTOP
2011/05/15 16:32:18.0726 0420 UserName: Main User
2011/05/15 16:32:18.0726 0420 Windows directory: C:\Windows
2011/05/15 16:32:18.0726 0420 System windows directory: C:\Windows
2011/05/15 16:32:18.0726 0420 Processor architecture: Intel x86
2011/05/15 16:32:18.0726 0420 Number of processors: 1
2011/05/15 16:32:18.0726 0420 Page size: 0x1000
2011/05/15 16:32:18.0726 0420 Boot type: Safe boot with network
2011/05/15 16:32:18.0726 0420 ================================================================================
2011/05/15 16:32:18.0976 0420 Initialize success
2011/05/15 16:32:24.0061 1552 ================================================================================
2011/05/15 16:32:24.0061 1552 Scan started
2011/05/15 16:32:24.0077 1552 Mode: Manual;
2011/05/15 16:32:24.0077 1552 ================================================================================
2011/05/15 16:32:24.0701 1552 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2011/05/15 16:32:24.0857 1552 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/05/15 16:32:25.0060 1552 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/05/15 16:32:25.0216 1552 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/05/15 16:32:25.0309 1552 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/05/15 16:32:25.0590 1552 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
2011/05/15 16:32:25.0793 1552 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/05/15 16:32:25.0887 1552 aliide (5c42a992e68724d2cd3ddb4fc3b0409f) C:\Windows\system32\drivers\aliide.sys
2011/05/15 16:32:26.0027 1552 amdagp (848f27e5b27c1c253f6cefdc1a5d8f21) C:\Windows\system32\drivers\amdagp.sys
2011/05/15 16:32:26.0121 1552 amdide (849dfacdde533da5d1810f0caf84eb19) C:\Windows\system32\drivers\amdide.sys
2011/05/15 16:32:26.0292 1552 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/05/15 16:32:26.0370 1552 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/05/15 16:32:26.0635 1552 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/05/15 16:32:26.0745 1552 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/05/15 16:32:26.0869 1552 aswFsBlk (9bdb29e81abceb883556df44649696c4) C:\Windows\system32\drivers\aswFsBlk.sys
2011/05/15 16:32:27.0057 1552 aswMonFlt (a80fb17ce4ed7af4a5f24aaa753e4168) C:\Windows\system32\drivers\aswMonFlt.sys
2011/05/15 16:32:27.0228 1552 aswRdr (a90cf680ca7a323913ca3a0810c8e02d) C:\Windows\system32\drivers\aswRdr.sys
2011/05/15 16:32:27.0415 1552 aswSnx (f7969934cca2e566e95df17380a3cb11) C:\Windows\system32\drivers\aswSnx.sys
2011/05/15 16:32:27.0899 1552 aswSP (478d6a0e0630c31bf4a7f5eb0a05b92c) C:\Windows\system32\drivers\aswSP.sys
2011/05/15 16:32:28.0071 1552 aswTdi (e52e45743e27fd6184c55618a10b81ab) C:\Windows\system32\drivers\aswTdi.sys
2011/05/15 16:32:28.0242 1552 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/15 16:32:28.0320 1552 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2011/05/15 16:32:28.0523 1552 athr (dcdfc3a5a8b239055aab6bd975ada889) C:\Windows\system32\DRIVERS\athr.sys
2011/05/15 16:32:28.0773 1552 b57nd60x (8e287eb3a52fd30c999482c576f4a61b) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/05/15 16:32:28.0975 1552 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/05/15 16:32:29.0303 1552 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/15 16:32:29.0443 1552 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/05/15 16:32:29.0521 1552 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/05/15 16:32:29.0599 1552 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/05/15 16:32:29.0724 1552 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/05/15 16:32:29.0818 1552 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/05/15 16:32:29.0880 1552 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/05/15 16:32:30.0021 1552 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/05/15 16:32:30.0114 1552 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/15 16:32:30.0317 1552 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/15 16:32:30.0457 1552 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/05/15 16:32:30.0551 1552 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2011/05/15 16:32:30.0769 1552 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/05/15 16:32:30.0863 1552 cmdide (de11a06e187756ecb86cfa82dac40ff7) C:\Windows\system32\drivers\cmdide.sys
2011/05/15 16:32:31.0019 1552 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/05/15 16:32:31.0159 1552 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/05/15 16:32:31.0315 1552 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/05/15 16:32:31.0503 1552 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
2011/05/15 16:32:31.0752 1552 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2011/05/15 16:32:31.0924 1552 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2011/05/15 16:32:32.0049 1552 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2011/05/15 16:32:32.0080 1552 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2011/05/15 16:32:32.0283 1552 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/05/15 16:32:32.0376 1552 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/15 16:32:32.0563 1552 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/05/15 16:32:32.0735 1552 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2011/05/15 16:32:32.0922 1552 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/05/15 16:32:33.0109 1552 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2011/05/15 16:32:33.0250 1552 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2011/05/15 16:32:33.0406 1552 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/15 16:32:33.0609 1552 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/05/15 16:32:33.0749 1552 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/05/15 16:32:33.0889 1552 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/15 16:32:34.0061 1552 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2011/05/15 16:32:34.0264 1552 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/15 16:32:34.0357 1552 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/05/15 16:32:34.0498 1552 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/05/15 16:32:34.0747 1552 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/05/15 16:32:34.0950 1552 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/05/15 16:32:35.0044 1552 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/05/15 16:32:35.0169 1552 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/05/15 16:32:35.0262 1552 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/15 16:32:35.0434 1552 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/05/15 16:32:35.0574 1552 HTTP (33b02459e86d0a2b86a6b9fe19139390) C:\Windows\system32\drivers\HTTP.sys
2011/05/15 16:32:35.0777 1552 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/05/15 16:32:35.0995 1552 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/05/15 16:32:36.0120 1552 ialm (496db78e6a0c4c44023d9a92b4a7ac31) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/05/15 16:32:36.0323 1552 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/05/15 16:32:36.0463 1552 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/05/15 16:32:36.0635 1552 IntcAzAudAddService (75334eceef6f39eec569f2f445254eda) C:\Windows\system32\drivers\RTKVHDA.sys
2011/05/15 16:32:36.0838 1552 intelide (1b16626beae3a52e611fc681cd796f86) C:\Windows\system32\drivers\intelide.sys
2011/05/15 16:32:36.0931 1552 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/15 16:32:37.0087 1552 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/15 16:32:37.0243 1552 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/05/15 16:32:37.0368 1552 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/05/15 16:32:37.0509 1552 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/05/15 16:32:37.0649 1552 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys
2011/05/15 16:32:37.0758 1552 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/05/15 16:32:37.0852 1552 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/05/15 16:32:38.0008 1552 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/05/15 16:32:38.0133 1552 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/05/15 16:32:38.0289 1552 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/05/15 16:32:38.0491 1552 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/15 16:32:38.0757 1552 Lbd (419590ebe7855215bb157ea0cf0d0531) C:\Windows\system32\DRIVERS\Lbd.sys
2011/05/15 16:32:38.0959 1552 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/15 16:32:39.0162 1552 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/05/15 16:32:39.0271 1552 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/05/15 16:32:39.0427 1552 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/05/15 16:32:39.0537 1552 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/05/15 16:32:39.0724 1552 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/05/15 16:32:39.0817 1552 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/05/15 16:32:39.0973 1552 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/15 16:32:40.0083 1552 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motmodem.sys
2011/05/15 16:32:40.0270 1552 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/15 16:32:40.0410 1552 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/15 16:32:40.0551 1552 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/05/15 16:32:40.0707 1552 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/05/15 16:32:40.0800 1552 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/15 16:32:40.0925 1552 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/05/15 16:32:41.0034 1552 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
2011/05/15 16:32:41.0190 1552 mrxsmb (cc752d233ef39875ca6885d9415ba869) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/15 16:32:41.0299 1552 mrxsmb10 (9049dddd4bd27d43d82f5968f1da76e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/15 16:32:41.0471 1552 mrxsmb20 (91dc069b6831ef564e7d8c97eaf0343e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/15 16:32:41.0580 1552 msahci (0d1c042188ffe61a702a9df5944de5ba) C:\Windows\system32\drivers\msahci.sys
2011/05/15 16:32:41.0736 1552 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/05/15 16:32:41.0908 1552 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/05/15 16:32:42.0111 1552 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/05/15 16:32:42.0267 1552 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/15 16:32:42.0407 1552 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/15 16:32:42.0438 1552 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/05/15 16:32:42.0516 1552 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
2011/05/15 16:32:42.0672 1552 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/05/15 16:32:42.0750 1552 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/05/15 16:32:42.0828 1552 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
2011/05/15 16:32:43.0031 1552 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/15 16:32:43.0203 1552 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
2011/05/15 16:32:43.0343 1552 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/15 16:32:43.0421 1552 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/15 16:32:43.0561 1552 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/15 16:32:43.0655 1552 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/05/15 16:32:43.0827 1552 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/15 16:32:44.0014 1552 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/15 16:32:44.0232 1552 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/05/15 16:32:44.0341 1552 nmwcd (28e36e677849174c910faaead3e60e9e) C:\Windows\system32\drivers\ccdcmb.sys
2011/05/15 16:32:44.0497 1552 nmwcdc (3823deb17f9f6775de0187a98fa0536d) C:\Windows\system32\drivers\ccdcmbo.sys
2011/05/15 16:32:44.0653 1552 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
2011/05/15 16:32:44.0809 1552 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/15 16:32:44.0997 1552 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
2011/05/15 16:32:45.0168 1552 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/05/15 16:32:45.0262 1552 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/05/15 16:32:45.0402 1552 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/05/15 16:32:45.0683 1552 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/05/15 16:32:46.0104 1552 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys
2011/05/15 16:32:47.0103 1552 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2011/05/15 16:32:47.0508 1552 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\DRIVERS\parport.sys
2011/05/15 16:32:47.0649 1552 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
2011/05/15 16:32:47.0805 1552 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\DRIVERS\parvdm.sys
2011/05/15 16:32:47.0929 1552 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\Windows\system32\DRIVERS\pccsmcfd.sys
2011/05/15 16:32:48.0179 1552 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
2011/05/15 16:32:48.0413 1552 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/05/15 16:32:48.0522 1552 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/05/15 16:32:48.0787 1552 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/05/15 16:32:49.0099 1552 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/15 16:32:49.0224 1552 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/05/15 16:32:49.0489 1552 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/15 16:32:49.0645 1552 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
2011/05/15 16:32:49.0864 1552 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/05/15 16:32:50.0051 1552 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/05/15 16:32:50.0207 1552 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/15 16:32:50.0347 1552 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/15 16:32:50.0488 1552 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/15 16:32:50.0644 1552 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/15 16:32:50.0722 1552 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/15 16:32:50.0878 1552 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/15 16:32:51.0034 1552 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/15 16:32:51.0174 1552 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\drivers\rdpdr.sys
2011/05/15 16:32:51.0299 1552 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/15 16:32:51.0408 1552 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
2011/05/15 16:32:51.0673 1552 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/15 16:32:51.0829 1552 s816bus (8c156e6b568aa927eb5deadeb870bdd2) C:\Windows\system32\DRIVERS\s816bus.sys
2011/05/15 16:32:51.0970 1552 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/05/15 16:32:52.0188 1552 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/15 16:32:52.0297 1552 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
2011/05/15 16:32:52.0453 1552 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\DRIVERS\serial.sys
2011/05/15 16:32:52.0563 1552 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/05/15 16:32:52.0765 1552 sffdisk (51cf56aa8bcc241f134b420b8f850406) C:\Windows\system32\drivers\sffdisk.sys
2011/05/15 16:32:52.0875 1552 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/15 16:32:52.0921 1552 sffp_sd (8b08cab1267b2c377883fc9e56981f90) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/15 16:32:53.0062 1552 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/05/15 16:32:53.0202 1552 SiS6350 (1ba6c0518b2b5b53e7d9ad93553669f7) C:\Windows\system32\DRIVERS\SISGRKMD.sys
2011/05/15 16:32:53.0499 1552 SISAGP (df1af7f5f1ec7800b3ac398acc06c754) C:\Windows\system32\DRIVERS\SISAGPX.sys
2011/05/15 16:32:53.0670 1552 SiSGbeLH (f7da61bd62a16510227656c3477e2b52) C:\Windows\system32\DRIVERS\SiSGB6.sys
2011/05/15 16:32:53.0779 1552 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/05/15 16:32:53.0935 1552 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/05/15 16:32:54.0091 1552 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
2011/05/15 16:32:54.0294 1552 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/05/15 16:32:54.0450 1552 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
2011/05/15 16:32:54.0606 1552 srv2 (96512f4a30b741e7d33a7936b9abbc20) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/15 16:32:54.0684 1552 srvnet (1c69e33e0e23626da5a34ca5ba0dd990) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/15 16:32:54.0809 1552 ss_bus (5a1d0ca8a5f1e7b4ec50b9d76c001f0e) C:\Windows\system32\DRIVERS\ss_bus.sys
2011/05/15 16:32:54.0949 1552 ss_mdfl (f0a85580e36a3a85059037d39a9cf079) C:\Windows\system32\DRIVERS\ss_mdfl.sys
2011/05/15 16:32:55.0012 1552 ss_mdm (84c3dbfd1bfa4adc0a950b3d5506cb00) C:\Windows\system32\DRIVERS\ss_mdm.sys
2011/05/15 16:32:55.0168 1552 StarOpen (306521935042fc0a6988d528643619b3) C:\Windows\system32\drivers\StarOpen.sys
2011/05/15 16:32:55.0277 1552 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/05/15 16:32:55.0464 1552 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/05/15 16:32:55.0511 1552 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/05/15 16:32:55.0651 1552 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/05/15 16:32:55.0729 1552 SynTP (9131b8ab722629a33649d6deee4fbfbe) C:\Windows\system32\DRIVERS\SynTP.sys
2011/05/15 16:32:56.0026 1552 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
2011/05/15 16:32:56.0322 1552 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/15 16:32:56.0525 1552 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/15 16:32:56.0665 1552 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/05/15 16:32:56.0743 1552 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/05/15 16:32:56.0946 1552 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/15 16:32:57.0133 1552 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
2011/05/15 16:32:57.0399 1552 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/15 16:32:57.0539 1552 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/05/15 16:32:57.0633 1552 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/15 16:32:57.0726 1552 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\DRIVERS\uagp35.sys
2011/05/15 16:32:57.0913 1552 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/15 16:32:58.0069 1552 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/15 16:32:58.0225 1552 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/05/15 16:32:58.0381 1552 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/05/15 16:32:58.0459 1552 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/05/15 16:32:58.0537 1552 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/05/15 16:32:58.0756 1552 upperdev (b1b8bee26227dad9835019201552cb05) C:\Windows\system32\DRIVERS\usbser_lowerflt.sys
2011/05/15 16:32:58.0881 1552 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/05/15 16:32:59.0005 1552 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/05/15 16:32:59.0130 1552 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/15 16:32:59.0302 1552 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
2011/05/15 16:32:59.0380 1552 usbohci (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
2011/05/15 16:32:59.0520 1552 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/15 16:32:59.0598 1552 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/05/15 16:32:59.0707 1552 usbser (a96191470581a7091420d25ecd444502) C:\Windows\system32\DRIVERS\usbser.sys
2011/05/15 16:32:59.0848 1552 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/15 16:32:59.0973 1552 usbuhci (4013315fed70a2d293b998cbba4022ee) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/15 16:33:00.0113 1552 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/15 16:33:00.0269 1552 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/05/15 16:33:00.0363 1552 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys
2011/05/15 16:33:00.0519 1552 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/05/15 16:33:00.0612 1552 viaide (c0ace9d0f5a5ee0b00f58345947a57fc) C:\Windows\system32\drivers\viaide.sys
2011/05/15 16:33:00.0737 1552 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/05/15 16:33:00.0987 1552 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
2011/05/15 16:33:01.0252 1552 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
2011/05/15 16:33:01.0423 1552 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/05/15 16:33:01.0564 1552 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/05/15 16:33:01.0704 1552 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/15 16:33:01.0735 1552 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/15 16:33:01.0954 1552 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/05/15 16:33:02.0141 1552 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/15 16:33:02.0469 1552 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2011/05/15 16:33:02.0656 1552 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/05/15 16:33:02.0812 1552 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/15 16:33:02.0968 1552 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/15 16:33:03.0155 1552 zntport (bdfa6a3a7ce1d083889b316a484a356a) C:\Windows\system32\drivers\zntport.sys
2011/05/15 16:33:03.0373 1552 ================================================================================
2011/05/15 16:33:03.0373 1552 Scan finished
2011/05/15 16:33:03.0373 1552 ================================================================================

#10 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 15 May 2011 - 11:31 AM

Further update. Windows still constantly reboots itself when started in mormal mode.

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:01 PM

Posted 15 May 2011 - 05:23 PM

you should be able to find the combofix log at C:\combofix.txt if you could post the log


You may have a driver issue

can you access Device Manager and see if you have any warning triangles beside any drivers

to access device manager > Press the WinKey + R to open a run box, copy/paste the following into the open run box > press enter

devmgmt.msc

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 16 May 2011 - 02:10 PM

Here is the second combofix log

ComboFix 11-05-06.05 - Main User 13/05/2011 14:14:52.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1788.1375 [GMT 1:00]
Running from: c:\users\Main User\Desktop\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Main User\AppData\Roaming\igfxtray.dat
c:\users\Main User\AppData\Roaming\igxpdv32.dat
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
.
.
2011-05-13 13:17 . 2011-05-13 13:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-13 13:17 . 2011-05-13 13:18 -------- d-----w- c:\users\Main User\AppData\Local\temp
2011-04-25 19:24 . 2011-04-25 19:24 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-25 19:22 . 2011-04-25 19:22 -------- d-----w- c:\programdata\Hitman Pro
2011-04-22 19:57 . 2011-04-22 19:57 -------- d-----w- c:\users\Main User\AppData\Roaming\Malwarebytes
2011-04-22 19:57 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 19:57 . 2011-04-22 19:57 -------- d-----w- c:\programdata\Malwarebytes
2011-04-22 19:57 . 2011-04-25 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 19:57 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 20:23 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-21 20:23 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-21 20:23 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-21 20:23 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-21 20:23 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-21 20:23 . 2011-04-18 17:13 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-21 20:22 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-21 20:22 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-21 20:21 . 2011-04-21 20:21 -------- d-----w- c:\programdata\AVAST Software
2011-04-21 20:21 . 2011-04-21 20:21 -------- d-----w- c:\program files\AVAST Software
2011-04-21 19:12 . 2011-04-22 06:34 -------- d-----w- c:\programdata\STOPzilla!
2011-04-20 19:39 . 2011-04-20 20:03 -------- d-----w- c:\users\Main User\AppData\Roaming\xacszajonnnu2jlc3gfqpqhujqnkjllx2
2011-04-20 19:38 . 2011-04-20 20:02 -------- d-----w- c:\users\Main User\AppData\Roaming\Qenid
2011-04-20 19:38 . 2011-04-20 19:38 -------- d-----w- c:\users\Main User\AppData\Roaming\Ubqaw
2011-04-20 19:11 . 2011-04-20 20:02 -------- d-----w- c:\users\Main User\AppData\Roaming\qfpgf1zgcqjmvpttjadfqjcos3xnj332
2011-04-14 20:50 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-14 20:50 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-14 20:48 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 20:48 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 20:48 . 2011-02-22 12:52 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 20:48 . 2011-02-22 12:52 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 20:47 . 2011-02-22 12:51 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-14 20:47 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-14 20:47 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-14 20:47 . 2011-02-18 13:31 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-14 20:47 . 2011-02-18 13:31 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-14 20:45 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-14 20:45 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-14 20:44 . 2011-03-03 12:53 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 20:44 . 2011-03-03 15:00 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 20:43 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-14 20:36 . 2011-03-03 10:49 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 21:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 4493312]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-26 185632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WirelessSelector.lnk - c:\program files\FSC\Wireless Utility\WirelessSelector.exe [2007-10-26 650752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-01 20:29 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Photo Service]
2007-09-12 14:30 1171456 ----a-w- c:\program files\ALDI Photo Service\ALDI_Photo_Service\FotoSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-21 23:28 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDtoiPodConverter_upgrade]
2009-12-29 11:16 924672 ----a-w- c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 20:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 17:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2010-02-05 13:45 385856 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-06-15 16:45 1826816 ----a-w- c:\windows\SkyTel.exe
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-04-18 53592]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 136176]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\ALDI Photo Service\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 136176]
R3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\DRIVERS\s816bus.sys [2007-06-19 81832]
R3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-07-02 456056]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2008-05-02 48128]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-08-10 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-01 1029456]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4747be28-c427-11dc-9e72-806e6f6e6963}]
\shell\AutoRun\command - D:\start.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1dd5402-83d4-11dc-b31f-f7c3b438f854}]
\shell\AutoRun\command - e:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:29]
.
2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 07:02]
.
2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 07:02]
.
2011-05-07 c:\windows\Tasks\User_Feed_Synchronization-{77B4EFA6-1904-46E3-8538-7CA884C0836F}.job
- c:\windows\system32\msfeedssync.exe [2011-04-14 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=wbbmiMpBFGuUCAKbUzAyRQ
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\Main User\AppData\Roaming\Mozilla\Firefox\Profiles\86iuu073.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/macker1965
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc887a0&v=6.103.018.001&i=23&tp=ab&iy=b&ychte=uk&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-13 14:18
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PEVSystemStart]
"ImagePath"="\"c:\combofix\PEV.cfxxe\" EXEC /i \"c:\combofix\HIDEC.exe\" \"c:\combofix\SWREG.EXE\" ACL \"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep\" /RESET /Q"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1344)
c:\program files\SmartFTP Client\sfShellTools.dll
.
Completion time: 2011-05-13 14:21:10
ComboFix-quarantined-files.txt 2011-05-13 13:20
.
Pre-Run: 34,443,067,392 bytes free
Post-Run: 35,294,445,568 bytes free
.
- - End Of File - - 30AB4AD70CBE5CE3C0BF6A2399428A60

#13 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 16 May 2011 - 02:13 PM

No triangles / warnings on the device list

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:01 PM

Posted 16 May 2011 - 06:37 PM

OK

Let's give the ComboFix Script another try, that was the first log, so the 2nd attempt may not have worked:

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

Folder::
c:\users\Main User\AppData\Roaming\xacszajonnnu2jlc3gfqpqhujqnkjllx2
c:\users\Main User\AppData\Roaming\Qenid
c:\users\Main User\AppData\Roaming\Ubqaw
c:\users\Main User\AppData\Roaming\qfpgf1zgcqjmvpttjadfqjcos3xnj332

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4747be28-c427-11dc-9e72-806e6f6e6963}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1dd5402-83d4-11dc-b31f-f7c3b438f854}]

DDS::
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=wbbmiMpBFGuUCAKbUzAyRQ


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 macker1965

macker1965
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 17 May 2011 - 03:20 PM

I ran the Combofix script as advised. It sets a system restore point then starts. a series of messages saying completed task numbers show on the screen to about no30 then suddenly the machine reboots. When I restart there is no combofix log and the CFScript has been deleted ( seems like it has gone back to restore point)

Any advice.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users