Trojans have resurfaced.


This topic is locked
40 replies to this topic

#1 Kjolin

  • Members
  • 32 posts

Posted 22 June 2011 - 01:28 PM

... I know it's been less than a day since I said that everything was running as it should be, but honestly, it was. I scanned with a few different tools daily for a few days, restarted the computer a couple of times, had no problems, and now... It's back. I've done little to nothing on the internet with this computer for the past couple days, so I didn't just pick it up again. And so begins the process anew. Still, the previous topic did get some issues cleared up, so it was still helpful. I can only assume that there is some odd underlying problem that reinstalls these at will.

If it'll help the process, I can do a bit of manual registry cleaning. I know enough to navigate, identify some of what I'm looking at, and I will ~not~ go overboard and start carpet-bombing it, unless I am absolutely certain of what I'm looking at.

This time 'round, I'm getting notifications from one of my firewalls that uxtheme32.exe and wmploc32.exe are attempting to access the internet; in addition, authfwcfg32.exe is back, as well as the Google redirections. So, here's my DDS log, and a small report from Malwarebytes. (I saved the Malwarebytes log before I removed them, so even though it says "No action taken.", there was.)

.
DDS (Ver_2011-06-12.02) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_16
Run by Kajiri at 14:09:12 on 2011-06-22
AV: Windows Live OneCare *Enabled/Outdated* {2E6C4BAB-3371-CD46-62DC-0E0A86B42619}
SP: Windows Live OneCare *Enabled/Outdated* {950DAA4F-154B-C2C8-586C-3578FD336CA4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Windows Live OneCare *Enabled* {1657CA8E-791E-CC1E-4983-A73F78676162}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\RtkAudioService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\uxtheme32.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\ProgramData\KBDCA32.exe
C:\Windows\SysWOW64\wmploc32.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Care\collsvc.exe
C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe
C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe
C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\winss.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESGfxMgr.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\iashost.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\programdata\authfwcfg32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\conime.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
BHO: {01c9a903-8373-4e8f-a8f5-fd122f252784} - C:\Windows\SysWow64\authfwcfg32.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [OneCareUI] "C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
TCP: Interfaces\{1FE8ECA8-DAFB-4B72-8D92-34E85F00792B} : DhcpNameServer = 192.168.58.1
TCP: Interfaces\{82ED6B58-DF83-493E-BE0E-0ADD52F2EE0B} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
Notify: VESWinlogon - VESWinlogon.dll
C:\Windows\SysWow64\authfwcfg32.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO-X64: Ask Toolbar BHO - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [OneCareUI] "C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kajiri\AppData\Roaming\Mozilla\Firefox\Profiles\zzln0dxn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Users\Kajiri\AppData\Roaming\Mozilla\Firefox\Profiles\zzln0dxn.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: XUL Cache: {6ec8cd3c-051f-40c4-9316-924a79e60c56} - %profile%\extensions\{6ec8cd3c-051f-40c4-9316-924a79e60c56}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 CertPropSvc32;Certificate Propagation ;C:\Windows\System32\uxtheme32.exe [2011-6-22 561664]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-5-25 2275720]
R2 MpsSvc32;Windows Firewall ;C:\Windows\System32\wmploc32.exe [2011-6-22 561664]
R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files (x86)\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-7-9 26104]
R2 RtkAudioService;Realtek Audio Service;C:\Windows\RTKAUDIOSERVICE.EXE [2008-11-13 134656]
R2 SampleCollector;Intel® Sample Collector;C:\Program Files\Sony\VAIO Care\collsvc.exe [2008-12-11 167424]
R2 SOHCImp;VAIO Media plus Content Importer;C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe [2008-12-11 103712]
R2 SOHDms;VAIO Media plus Digital Media Server;C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe [2008-12-11 353568]
R2 SOHDs;VAIO Media plus Device Searcher;C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe [2008-12-11 62752]
R2 Themes32;Themes ;C:\ProgramData\authfwcfg32.exe [2011-6-22 561664]
R2 uCamMonitor;CamMonitor;C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-12-11 104960]
R2 VAIO Power Management;VAIO Power Management;C:\Program Files\Sony\VAIO Power Management\SPMService.exe [2008-11-13 407392]
R2 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2008-9-3 446464]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-12-11 369952]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [2009-7-9 24652]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys --> C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys --> C:\Windows\system32\DRIVERS\SFEP.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 hidserv32;Human Interface Device Access ;c:\windows\system32\mstext4032.exe --> c:\windows\system32\mstext4032.exe [?]
S2 WerSvc32;Windows Error Reporting Service ;c:\windows\system32\wmvcore32.exe --> c:\windows\system32\wmvcore32.exe [?]
S2 WPFFontCache_v040032;Windows Presentation Foundation Font Cache 4.0.0.0 ;c:\windows\system32\x3daudio1_232.exe --> c:\windows\system32\x3daudio1_232.exe [?]
S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2009-12-18 17864]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2008-12-11 108832]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-22 17:43:17 561664 ----a-w- C:\ProgramData\authfwcfg32.exe
2011-06-22 16:54:34 561664 ----a-w- C:\ProgramData\KBDCA32.exe
2011-06-22 16:54:24 561664 ----a-w- C:\Windows\SysWow64\wmploc32.exe
2011-06-22 16:54:21 561664 ----a-w- C:\Windows\SysWow64\uxtheme32.exe
2011-06-22 16:54:18 351232 ----a-w- C:\Windows\SysWow64\authfwcfg32.dll
2011-06-22 06:25:00 161792 ----a-w- C:\Windows\SysWow64\msls31.dll
2011-06-22 06:25:00 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-06-20 06:35:56 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-06-20 06:34:54 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
2011-06-20 06:34:54 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
2011-06-20 06:34:53 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
2011-06-20 06:34:52 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
2011-06-20 06:29:42 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FE755DED-51B2-4FF4-B44C-39C248B43F46}\mpengine.dll
2011-06-20 05:52:24 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-06-20 01:36:51 -------- d-----w- C:\Users\Kajiri\AppData\Roaming\f-secure
2011-06-20 01:36:38 -------- d-----w- C:\ProgramData\F-Secure
2011-06-20 00:49:17 -------- d-----w- C:\Program Files (x86)\ESET
2011-06-20 00:10:51 388096 ----a-r- C:\Users\Kajiri\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-19 22:18:07 -------- d-----w- C:\Users\Kajiri\AppData\Local\temp
2011-06-19 22:08:27 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-19 19:04:14 -------- d-----w- C:\comfix
2011-06-19 17:29:23 -------- d-----w- C:\Program Files\CCleaner
2011-06-16 21:08:57 33856 ---ha-w- C:\Windows\System32\hamachi.sys
2011-06-16 21:08:09 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2011-06-11 04:43:25 -------- d-----w- C:\Program Files (x86)\Astral
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-24 23:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-21 15:29:11 43520 ----a-w- C:\Windows\SysWow64\CmdLineExt03.dll
2011-05-18 13:56:59 2762752 ----a-w- C:\Windows\System32\win32k.sys
2011-05-02 17:16:14 739328 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-05-02 17:13:21 975360 ----a-w- C:\Windows\System32\inetcomm.dll
2011-04-29 13:40:56 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-29 13:39:34 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-29 13:39:34 135680 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-29 13:39:31 107008 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-21 14:20:24 405504 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-04-14 15:14:19 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys
.
============= FINISH: 14:10:07.70 ===============


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6897

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/22/2011 1:38:13 PM
mbam-log-2011-06-22 (13-38-05).txt

Scan type: Quick scan
Objects scanned: 164957
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Kajiri\0.16480740354756562.exe (Trojan.Agent.Gen) -> No action taken.
c:\Users\Kajiri\0.8002314686130673.exe (Trojan.Agent.Gen) -> No action taken.

Edited by Budapest, 26 June 2011 - 06:12 PM.
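The SERVICES / DRIVERS section of the DDS log above shows the pattern a responder looks for before touching anything: service names that copy a real Windows service name with "32" tacked on (CertPropSvc32, MpsSvc32, Themes32, hidserv32, WerSvc32, WPFFontCache_v040032), display names with a stray trailing space, binaries living in C:\ProgramData or named after system DLLs, and every one of those binaries having the identical size 561664 and the same creation day. The script below is an added example, not part of Kjolin's post and not a DDS or Malwarebytes feature; it parses DDS-style service lines (the sample is copied from the first log in this post) and scores each entry against those indicators. The list of built-in Windows service names is a small hand-picked subset and is an assumption, not an authoritative catalogue.

```python
"""Flag look-alike service registrations in a DDS 'SERVICES / DRIVERS' section.

Added example (not part of the forum post, DDS, or Malwarebytes). The sample
lines are copied from the first DDS log in this thread; WINDOWS_SERVICES is a
hand-picked subset of built-in Vista/7 service names (an assumption).
"""
import re
from collections import defaultdict

# Assumption: a small set of genuine built-in service short names. Extend it from
# a clean reference machine before relying on it.
WINDOWS_SERVICES = {"CertPropSvc", "MpsSvc", "Themes", "hidserv", "WerSvc",
                    "EventSystem", "idsvc", "MSDTC", "WPDBusEnum", "WPCSvc"}

# One DDS line: "<state> <name>;<display>;<image>[ --> <image>] [<date> <size>|?]"
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?:\s-->\s.+?)?\s\[(?P<meta>[^\]]*)\]\s*$"
)

# Copied from the DDS log posted above (legitimate and suspect lines mixed).
SAMPLE_DDS_SERVICES = r"""
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 CertPropSvc32;Certificate Propagation ;C:\Windows\System32\uxtheme32.exe [2011-6-22 561664]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-5-25 2275720]
R2 MpsSvc32;Windows Firewall ;C:\Windows\System32\wmploc32.exe [2011-6-22 561664]
R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files (x86)\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-7-9 26104]
R2 Themes32;Themes ;C:\ProgramData\authfwcfg32.exe [2011-6-22 561664]
S2 hidserv32;Human Interface Device Access ;c:\windows\system32\mstext4032.exe --> c:\windows\system32\mstext4032.exe [?]
S2 WerSvc32;Windows Error Reporting Service ;c:\windows\system32\wmvcore32.exe --> c:\windows\system32\wmvcore32.exe [?]
S2 WPFFontCache_v040032;Windows Presentation Foundation Font Cache 4.0.0.0 ;c:\windows\system32\x3daudio1_232.exe --> c:\windows\system32\x3daudio1_232.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
"""


def parse_services(log_text):
    """Return one dict per recognised service line; unrelated lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        meta = m.group("meta").split()          # ["2011-6-22", "561664"] or ["?"]
        size = int(meta[1]) if len(meta) == 2 and meta[1].isdigit() else None
        entries.append({"state": m.group("state"), "name": m.group("name"),
                        "display": m.group("display"), "image": m.group("image"),
                        "size": size})
    return entries


def shadowed_name(name, known):
    """Return the known service name that `name` copies with a numeric suffix, if any."""
    for cand in known:
        if cand != name and name.startswith(cand) and name[len(cand):].isdigit():
            return cand
    return None


def triage(entries, min_cluster=3):
    """Map suspicious service names to the list of indicators that fired."""
    known = WINDOWS_SERVICES | {e["name"] for e in entries}
    # Same file size behind several different image paths: one payload, many names.
    paths_by_size = defaultdict(set)
    for e in entries:
        if e["size"] is not None:
            paths_by_size[e["size"]].add(e["image"].lower())
    clustered = {s for s, p in paths_by_size.items() if len(p) >= min_cluster}

    findings = {}
    for e in entries:
        reasons = []
        twin = shadowed_name(e["name"], known)
        if twin:
            reasons.append(f"name copies existing service '{twin}' plus a numeric suffix")
        if "\\programdata\\" in e["image"].lower():
            reasons.append("service binary lives under ProgramData")
        if e["size"] in clustered:
            reasons.append(f"size {e['size']} shared by {len(paths_by_size[e['size']])} different binaries")
        if e["display"] != e["display"].rstrip():
            reasons.append("display name has a stray trailing space")
        if reasons:
            findings[e["name"]] = reasons
    return findings


def triage_log(log_text):
    return triage(parse_services(log_text))


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_DDS_SERVICES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the sample, it flags exactly the six "32" services and leaves PxHlpa64, FontCache, Hamachi2Svc, OcHealthMon and the genuine WPFFontCache_v0400 alone. The name-shadowing check deliberately uses the other names in the same log as well as the fixed list, which is what catches WPFFontCache_v040032 even though its base name is not in WINDOWS_SERVICES; the size-cluster check is what ties the System32 copies to the ProgramData one as the same dropped file.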


#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 July 2011 - 08:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Kjolin

  • Topic Starter

  • Members
  • 32 posts

Posted 03 July 2011 - 11:49 AM

Alright, so first things first, the logs may have changed a bit since I posted the last one, so I'll include new ones in this post, and in addition, my latest Malwarebytes log. (Had to keep running scans before to keep it at bay, but I'll refrain from launching any further scans or fixes unless requested to do so. Many thanks in advance for the assistance!)

Problems that I am certain of with all of this include Tracur, an XUL Cache add-on for Firefox, and some other underlying program reinstalling them.

.
DDS (Ver_2011-06-12.02) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_16
Run by Kajiri at 12:35:17 on 2011-07-03
AV: Windows Live OneCare *Enabled/Outdated* {2E6C4BAB-3371-CD46-62DC-0E0A86B42619}
SP: Windows Live OneCare *Enabled/Outdated* {950DAA4F-154B-C2C8-586C-3578FD336CA4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Windows Live OneCare *Enabled* {1657CA8E-791E-CC1E-4983-A73F78676162}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\RtkAudioService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\uxtheme32.exe
c:\programdata\kbdbulg32.exe
C:\ProgramData\KBDCA32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\programdata\xaudio2_032.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\SysWOW64\wmploc32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe
c:\programdata\authfwcfg32.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Sony\VAIO Care\collsvc.exe
C:\Program Files\Sony\VAIO Care\listener.exe
c:\programdata\xaudio2_432.exe
C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe
C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe
C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\programdata\authfwcfg32.exe
C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESGfxMgr.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
c:\programdata\kbdcan32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\winss.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\iashost.exe
c:\programdata\sdl_net32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\conime.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [OneCareUI] "C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1FE8ECA8-DAFB-4B72-8D92-34E85F00792B} : DhcpNameServer = 192.168.58.1
TCP: Interfaces\{82ED6B58-DF83-493E-BE0E-0ADD52F2EE0B} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
Notify: VESWinlogon - VESWinlogon.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [OneCareUI] "C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kajiri\AppData\Roaming\Mozilla\Firefox\Profiles\zzln0dxn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Users\Kajiri\AppData\Roaming\Mozilla\Firefox\Profiles\zzln0dxn.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 CertPropSvc32;Certificate Propagation ;C:\Windows\System32\uxtheme32.exe [2011-6-22 561664]
R2 EventSystem32;COM+ Event System ;C:\ProgramData\KBDBULG32.exe [2011-6-25 561664]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 idsvc32;Windows CardSpace ;C:\ProgramData\XAudio2_032.exe [2011-6-30 561664]
R2 MpsSvc32;Windows Firewall ;C:\Windows\System32\wmploc32.exe [2011-6-22 561664]
R2 MSDTC32;Distributed Transaction Coordinator ;C:\ProgramData\authfwcfg32.exe [2011-6-29 561664]
R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files (x86)\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-7-9 26104]
R2 RtkAudioService;Realtek Audio Service;C:\Windows\RTKAUDIOSERVICE.EXE [2008-11-13 134656]
R2 SampleCollector;Intel® Sample Collector;C:\Program Files\Sony\VAIO Care\collsvc.exe [2008-12-11 167424]
R2 SampleCollector32;Intel® Sample Collector ;C:\ProgramData\XAudio2_432.exe [2011-6-30 561664]
R2 SOHCImp;VAIO Media plus Content Importer;C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe [2008-12-11 103712]
R2 SOHDms;VAIO Media plus Digital Media Server;C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe [2008-12-11 353568]
R2 SOHDs;VAIO Media plus Device Searcher;C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe [2008-12-11 62752]
R2 Themes32;Themes ;C:\ProgramData\authfwcfg32.exe [2011-6-29 561664]
R2 uCamMonitor;CamMonitor;C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-12-11 104960]
R2 VAIO Power Management;VAIO Power Management;C:\Program Files\Sony\VAIO Power Management\SPMService.exe [2008-11-13 407392]
R2 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2008-9-3 446464]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-12-11 369952]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [2009-7-9 24652]
R2 WerSvc3232;Windows Error Reporting Service ;C:\ProgramData\KBDCAN32.exe [2011-6-29 561664]
R2 WPDBusEnum32;Portable Device Enumerator Service ;C:\ProgramData\SDL_net32.exe [2011-7-3 561664]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys --> C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys --> C:\Windows\system32\DRIVERS\SFEP.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 VcmXmlIfHelper32;VAIO Content Metadata XML Interface ;C:\ProgramData\fdWNet32.exe [2011-6-30 561664]
S2 WPCSvc32;Parental Controls ;C:\ProgramData\feclient32.exe [2011-6-30 561664]
S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2009-12-18 17864]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2008-12-11 108832]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-07-03 16:30:36 561664 ----a-w- C:\ProgramData\SDL_net32.exe
2011-06-30 19:12:56 -------- d-----w- C:\Program Files (x86)\SimCity 2000
2011-06-30 16:25:36 561664 ----a-w- C:\ProgramData\feclient32.exe
2011-06-30 16:03:08 561664 ----a-w- C:\ProgramData\fdWNet32.exe
2011-06-30 15:08:23 561664 ----a-w- C:\ProgramData\XAudio2_432.exe
2011-06-30 08:02:08 561664 ----a-w- C:\ProgramData\XAudio2_032.exe
2011-06-29 05:07:29 344576 ----a-w- C:\Windows\System32\schannel.dll
2011-06-29 05:07:29 276992 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-06-29 04:52:37 561664 ----a-w- C:\ProgramData\KBDCAN32.exe
2011-06-29 04:26:21 561664 ----a-w- C:\ProgramData\authfwcfg32.exe
2011-06-28 02:41:55 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-06-25 17:30:45 561664 ----a-w- C:\ProgramData\KBDBULG32.exe
2011-06-23 06:10:03 -------- d-----w- C:\Users\Kajiri\AppData\Local\Sony Corporation
2011-06-22 16:54:34 561664 ----a-w- C:\ProgramData\KBDCA32.exe
2011-06-22 16:54:24 561664 ----a-w- C:\Windows\SysWow64\wmploc32.exe
2011-06-22 16:54:21 561664 ----a-w- C:\Windows\SysWow64\uxtheme32.exe
2011-06-22 06:25:00 161792 ----a-w- C:\Windows\SysWow64\msls31.dll
2011-06-22 06:25:00 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-06-20 06:35:56 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-06-20 06:34:54 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
2011-06-20 06:34:54 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
2011-06-20 06:34:53 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
2011-06-20 06:34:52 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
2011-06-20 06:29:42 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FE755DED-51B2-4FF4-B44C-39C248B43F46}\mpengine.dll
2011-06-20 05:52:24 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-06-20 01:36:51 -------- d-----w- C:\Users\Kajiri\AppData\Roaming\f-secure
2011-06-20 01:36:38 -------- d-----w- C:\ProgramData\F-Secure
2011-06-20 00:49:17 -------- d-----w- C:\Program Files (x86)\ESET
2011-06-20 00:10:51 388096 ----a-r- C:\Users\Kajiri\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-19 22:18:07 -------- d-----w- C:\Users\Kajiri\AppData\Local\temp
2011-06-19 22:08:27 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-19 19:04:14 -------- d-----w- C:\comfix
2011-06-19 17:29:23 -------- d-----w- C:\Program Files\CCleaner
2011-06-16 21:08:57 33856 ---ha-w- C:\Windows\System32\hamachi.sys
2011-06-11 04:43:25 -------- d-----w- C:\Program Files (x86)\Astral
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-24 23:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-21 15:29:11 43520 ----a-w- C:\Windows\SysWow64\CmdLineExt03.dll
2011-05-18 13:56:59 2762752 ----a-w- C:\Windows\System32\win32k.sys
2011-05-02 17:16:14 739328 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-05-02 17:13:21 975360 ----a-w- C:\Windows\System32\inetcomm.dll
2011-04-29 13:40:56 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-29 13:39:34 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-29 13:39:34 135680 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-29 13:39:31 107008 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-21 14:20:24 405504 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-04-14 15:14:19 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys
.
============= FINISH: 12:37:58.85 ===============


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7011

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/3/2011 12:19:48 PM
mbam-log-2011-07-03 (12-19-48).txt

Scan type: Quick scan
Objects scanned: 167710
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
c:\Users\Kajiri\AppData\Local\temp\0.21719191237992452.exe (Exploit.Drop.2) -> 5348 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{01C9A903-8373-4E8F-A8F5-FD122F252784} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01C9A903-8373-4E8F-A8F5-FD122F252784} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\SysWOW64\authfwcfg32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
c:\Windows\System32\authfwcfg32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
c:\Users\Kajiri\AppData\Local\temp\0.3578615507343901.exe (Trojan.Tracur.Wow) -> Quarantined and deleted successfully.
c:\Users\Kajiri\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Kajiri\AppData\Local\temp\0.21719191237992452.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Kajiri\AppData\Local\temp\0.9381001338827001.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 July 2011 - 06:10 PM

Let's go in and have a look at what Tracur has got to offer here.

Please download ComboFix from one of these locations. IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 Kjolin

Kjolin
  • Topic Starter

  • Members
  • 32 posts

Posted 03 July 2011 - 07:31 PM

Got a few errors while running ComboFix: PV.cfxxe, pev.cfxxe, grep.cfxxe, sed.cfxxe, and Find String (QGREP) Utility had to close.

ComboFix 11-07-03.01 - Kajiri 3/2011 Sun 19:26:21.5.2 - x64
Running from: c:\users\Kajiri\Desktop\comfix.exe
AV: Windows Live OneCare *Disabled/Outdated* {2E6C4BAB-3371-CD46-62DC-0E0A86B42619}
FW: Windows Live OneCare *Disabled* {1657CA8E-791E-CC1E-4983-A73F78676162}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Live OneCare *Disabled/Outdated* {950DAA4F-154B-C2C8-586C-3578FD336CA4}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\authfwcfg32.exe
c:\programdata\fdWNet32.exe
c:\programdata\feclient32.exe
c:\programdata\KBDBULG32.exe
c:\programdata\KBDCA32.exe
c:\programdata\KBDCAN32.exe
c:\programdata\SDL_net32.exe
c:\programdata\XAudio2_032.exe
c:\programdata\XAudio2_432.exe
c:\users\Kajiri\Documents\cc_20110629_011103.reg
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_EventSystem32
-------\Service_idsvc32
-------\Service_MSDTC32
-------\Service_SampleCollector32
-------\Service_Themes32
-------\Service_VcmXmlIfHelper32
-------\Service_WerSvc3232
-------\Service_WPCSvc32
-------\Service_WPDBusEnum32
.
.
((((((((((((((((((((((((( Files Created from 2011-06-04 to 2011-07-04 )))))))))))))))))))))))))))))))
.
.
2011-07-04 00:01 . 2011-07-04 00:01 351232 ----a-w- c:\windows\SysWow64\authfwcfg32.dll
2011-07-03 23:22 . 2011-07-03 23:23 -------- d-----w- C:\32788R22FWJFW
2011-06-30 19:12 . 2011-06-30 19:43 -------- d-----w- c:\program files (x86)\SimCity 2000
2011-06-29 05:07 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-29 05:07 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-28 02:41 . 2011-06-28 02:41 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-28 02:41 . 2011-06-28 02:41 -------- d-----w- c:\program files\Java
2011-06-22 16:54 . 2011-06-22 16:54 561664 ----a-w- c:\windows\SysWow64\wmploc32.exe
2011-06-22 16:54 . 2011-06-22 16:54 561664 ----a-w- c:\windows\SysWow64\uxtheme32.exe
2011-06-22 06:25 . 2011-06-22 06:25 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-06-22 06:25 . 2011-06-22 06:25 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-06-20 06:35 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-20 06:34 . 2011-03-03 15:59 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-06-20 06:34 . 2011-03-03 15:40 28672 ----a-w- c:\windows\SysWow64\Apphlpdm.dll
2011-06-20 06:34 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\SysWow64\GameUXLegacyGDFs.dll
2011-06-20 06:34 . 2011-03-03 14:00 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-06-20 06:29 . 2011-05-24 23:12 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FE755DED-51B2-4FF4-B44C-39C248B43F46}\mpengine.dll
2011-06-20 05:52 . 2011-06-28 23:21 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-06-20 00:49 . 2011-06-20 00:49 -------- d-----w- c:\program files (x86)\ESET
2011-06-20 00:10 . 2011-06-20 00:10 388096 ----a-r- c:\users\Kajiri\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-19 19:04 . 2011-06-19 19:45 -------- d-----w- C:\comfix
2011-06-19 17:29 . 2011-06-19 17:29 -------- d-----w- c:\program files\CCleaner
2011-06-16 21:08 . 2009-03-18 21:35 33856 ---ha-w- c:\windows\system32\hamachi.sys
2011-06-11 04:43 . 2011-07-03 18:52 -------- d-----w- c:\program files (x86)\Astral
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-02-03 23:23 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-02-03 23:23 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 23:14 . 2009-11-19 06:33 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-21 15:29 . 2011-05-14 15:16 43520 ----a-w- c:\windows\SysWow64\CmdLineExt03.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="c:\program files (x86)\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-10-18 02:19 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [2009-12-18 17864]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\comfix1302c\CF1542.cfxxe" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-30 15880224]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-30 82464]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-06 11057768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-26 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-26 209432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-26 182808]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Kajiri\AppData\Roaming\Mozilla\Firefox\Profiles\zzln0dxn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-igfxcui - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~2\UNWISE.EXE
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\X6va002]
"ImagePath"="\??\c:\users\Kajiri\AppData\Local\Temp\002F01F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{01D8DAD4-3497-4833-BE44-DF8172232C2D}"=hex:51,66,7a,6c,4c,1d,38,12,ba,d9,cb,
05,a5,7a,5d,0d,c1,52,9c,c1,77,7d,68,39
.
[HKEY_USERS\S-1-5-21-3580577667-9133317-3317146486-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q0・n0S・*年-*]
@Allowed: (Read) (RestrictedCode)
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\uxtheme32.exe
c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\programdata\KBDCA32.exe
c:\windows\SysWOW64\wmploc32.exe
c:\program files (x86)\Microsoft Windows OneCare Live\OcHealthMon.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\Sony\VAIO Media plus\SOHCImp.exe
c:\program files (x86)\Sony\VAIO Media plus\SOHDms.exe
c:\program files (x86)\Sony\VAIO Media plus\SOHDs.exe
c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
c:\program files (x86)\Sony\VAIO Event Service\VESMgr.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
c:\program files (x86)\Viewpoint\Common\ViewpointService.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files (x86)\Microsoft Windows OneCare Live\winss.exe
c:\program files\Sony\VAIO Care\listener.exe
c:\program files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\programdata\authfwcfg32.exe
.
**************************************************************************
.
Completion time: 2011-07-03 20:25:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-04 00:25
.
Pre-Run: 109,810,880,512 bytes free
Post-Run: 109,041,565,696 bytes free
.
- - End Of File - - 1E43569D1EABDC50DD7019C9D4444F78

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 July 2011 - 07:36 PM

Please now run MBAM and SAS.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then SAS


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#7 Kjolin

Kjolin
  • Topic Starter

  • Members
  • 32 posts

Posted 03 July 2011 - 11:43 PM

After SAS finished scanning, it asked to reboot, and as it was doing so, I got a BlueScreen crash; after restarting the computer, I got ~another~ BlueScreen crash. Hopefully those were one-time effects? Also, after ComboFix finished running (from a couple posts back), it created an Internet Explorer application on my desktop which was named "The Internet". It's most likely nothing; it just seems strange that it was created under that name.

Something else to note: authfwcfg32 comes back immediately after removal, and I'm nearly certain that others such as XAudio2_432.exe, KBDCA32.exe, KBDCAN32.exe, wmploc32.exe and uxtheme32.exe are malware as well, but they have so far gone unnoticed by anything.

(Sorry if there are any needless details, but I figure that more info is better than less.)

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7014

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/3/2011 10:15:01 PM
mbam-log-2011-07-03 (22-15-01).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 436036
Time elapsed: 1 hour(s), 18 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\authfwcfg32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\authfwcfg32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/04/2011 at 00:23 AM

Application Version : 4.55.1000

Core Rules Database Version : 7369
Trace Rules Database Version: 5181

Scan type : Complete Scan
Total Scan Time : 01:45:28

Memory items scanned : 630
Memory threats detected : 0
Registry items scanned : 14728
Registry threats detected : 0
File items scanned : 55487
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Kajiri\AppData\Roaming\Microsoft\Windows\Cookies\kajiri@ar.atwola[2].txt
C:\Users\Kajiri\AppData\Roaming\Microsoft\Windows\Cookies\kajiri@atwola[2].txt
C:\Users\Kajiri\AppData\Roaming\Microsoft\Windows\Cookies\kajiri@cdn.at.atwola[1].txt
C:\Users\Kajiri\AppData\Roaming\Microsoft\Windows\Cookies\kajiri@at.atwola[1].txt
C:\Users\Kajiri\AppData\Roaming\Microsoft\Windows\Cookies\kajiri@tacoda.at.atwola[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@2o7[1].txt

Edited by Kjolin, 04 July 2011 - 04:38 PM.
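Kjolin's suspicion above, that the other "<name>32.exe" files are copies of the same dropper, follows from what the DDS log already shows: identical byte sizes, a system-component name with "32.exe" appended, and placement in ProgramData or SysWOW64. The following is an added example (mine, not code from this thread or from DDS, ComboFix or MBAM) that turns that reasoning into a triage check over lines in the DDS "Created Last 30" format; the sample input is constructed from the log posted above.

```python
"""Triage check for the '<name>32.exe' dropper cluster visible in the DDS log above.

Added example; not part of the original thread or of DDS/ComboFix/MBAM.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the "Created Last 30" section of the
# DDS log posted earlier in this thread, plus legitimate entries for contrast.
SAMPLE_LOG = r"""
2011-07-03 16:30:36 561664 ----a-w- C:\ProgramData\SDL_net32.exe
2011-06-30 19:12:56 -------- d-----w- C:\Program Files (x86)\SimCity 2000
2011-06-30 16:25:36 561664 ----a-w- C:\ProgramData\feclient32.exe
2011-06-30 16:03:08 561664 ----a-w- C:\ProgramData\fdWNet32.exe
2011-06-30 15:08:23 561664 ----a-w- C:\ProgramData\XAudio2_432.exe
2011-06-30 08:02:08 561664 ----a-w- C:\ProgramData\XAudio2_032.exe
2011-06-29 05:07:29 344576 ----a-w- C:\Windows\System32\schannel.dll
2011-06-29 05:07:29 276992 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-06-29 04:52:37 561664 ----a-w- C:\ProgramData\KBDCAN32.exe
2011-06-29 04:26:21 561664 ----a-w- C:\ProgramData\authfwcfg32.exe
2011-06-28 02:41:55 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-06-25 17:30:45 561664 ----a-w- C:\ProgramData\KBDBULG32.exe
2011-06-22 16:54:34 561664 ----a-w- C:\ProgramData\KBDCA32.exe
2011-06-22 16:54:24 561664 ----a-w- C:\Windows\SysWow64\wmploc32.exe
2011-06-22 16:54:21 561664 ----a-w- C:\Windows\SysWow64\uxtheme32.exe
2011-06-20 06:34:53 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
2011-06-20 06:34:52 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
2011-06-16 21:08:57 33856 ---ha-w- C:\Windows\System32\hamachi.sys
"""

# date time size attrs path; directory entries show '--------' instead of a size
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-+) (\S+) (.+)$")
# a component name with "32.exe" appended, e.g. authfwcfg.dll -> authfwcfg32.exe
LOOKALIKE_NAME = re.compile(r"^[A-Za-z0-9_]+32\.exe$", re.IGNORECASE)
# the two drop locations seen in this thread (compared lower-cased)
DROP_DIRS = ("\\programdata\\", "\\syswow64\\")


def parse_dds_created(text):
    """Parse DDS 'Created Last 30' lines into dicts, skipping directory entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size, attrs, path = m.group(3), m.group(4), m.group(5)
        if attrs.startswith("d") or not size.isdigit():
            continue
        entries.append({"date": m.group(1), "time": m.group(2),
                        "size": int(size), "attrs": attrs, "path": path})
    return entries


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def is_lookalike(path):
    """True for '<stem>32.exe' files located in one of the drop directories."""
    return bool(LOOKALIKE_NAME.match(file_name(path))) and any(
        d in path.lower() for d in DROP_DIRS)


def mimicked_name(path):
    """Return the DLL name whose stem the file borrows, or None if not a lookalike."""
    name = file_name(path)
    if not LOOKALIKE_NAME.match(name):
        return None
    return name[:-len("32.exe")] + ".dll"


def find_lookalike_clusters(entries, min_count=3):
    """Group lookalike files by exact byte size.

    Copies of one dropper written under different borrowed names share a size,
    while legitimately updated components (schannel.dll, GameUXLegacyGDFs.dll)
    are not named '<stem>32.exe' and so fall outside the cluster.
    Returns {size: sorted list of paths} for sizes with at least min_count hits.
    """
    by_size = defaultdict(list)
    for entry in entries:
        if is_lookalike(entry["path"]):
            by_size[entry["size"]].append(entry["path"])
    return {size: sorted(paths) for size, paths in by_size.items()
            if len(paths) >= min_count}


if __name__ == "__main__":
    clusters = find_lookalike_clusters(parse_dds_created(SAMPLE_LOG))
    for size, paths in clusters.items():
        print(f"{len(paths)} files of exactly {size} bytes named like system components:")
        for p in paths:
            print(f"  {p}  (borrows the name of {mimicked_name(p)})")
```

Run against a full DDS log, the same check also surfaces droppers that the scanners on this page did not flag, since it keys on size and naming rather than on signatures.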


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2011 - 06:17 PM

Yes, something's holding the trojan there.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#9 Kjolin

Kjolin
  • Topic Starter

  • Members
  • 32 posts

Posted 04 July 2011 - 07:50 PM

'Got another BlueScreen just as it started to scan. Suggestions or alternatives?

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 July 2011 - 05:21 PM

I'm concerned that the system is blue screening. Please run TDSSKiller and let's see if we can get any results.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#11 Kjolin

Kjolin
  • Topic Starter

  • Members
  • 32 posts

Posted 05 July 2011 - 09:43 PM

'After rebooting it didn't create a report in C:\

It did find two malicious items though, one of them being something about harddisk0, and I fail to remember what the other was. (All I know is it had a string of random numbers in its name.)

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 July 2011 - 02:11 PM

Sounds like a rootkit but it's going to be hard to check and dangerous to guess.

Please rerun TDSSKiller and see if we can get a log - even if it's clean.
m0le is a proud member of UNITE

#13 Kjolin

Kjolin
  • Topic Starter

  • Members
  • 32 posts

Posted 06 July 2011 - 07:06 PM

2011/07/06 20:02:57.0022 5712 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/06 20:02:57.0475 5712 ================================================================================
2011/07/06 20:02:57.0475 5712 SystemInfo:
2011/07/06 20:02:57.0475 5712
2011/07/06 20:02:57.0475 5712 OS Version: 6.0.6002 ServicePack: 2.0
2011/07/06 20:02:57.0475 5712 Product type: Workstation
2011/07/06 20:02:57.0475 5712 ComputerName: KAJIRI-PC
2011/07/06 20:02:57.0475 5712 UserName: Kajiri
2011/07/06 20:02:57.0475 5712 Windows directory: C:\Windows
2011/07/06 20:02:57.0475 5712 System windows directory: C:\Windows
2011/07/06 20:02:57.0475 5712 Running under WOW64
2011/07/06 20:02:57.0475 5712 Processor architecture: Intel x64
2011/07/06 20:02:57.0475 5712 Number of processors: 2
2011/07/06 20:02:57.0475 5712 Page size: 0x1000
2011/07/06 20:02:57.0475 5712 Boot type: Normal boot
2011/07/06 20:02:57.0475 5712 ================================================================================
2011/07/06 20:02:58.0902 5712 Initialize success
2011/07/06 20:03:15.0011 4784 ================================================================================
2011/07/06 20:03:15.0011 4784 Scan started
2011/07/06 20:03:15.0011 4784 Mode: Manual;
2011/07/06 20:03:15.0011 4784 ================================================================================
2011/07/06 20:03:28.0911 4784 sptd (602884696850c86434530790b110e8eb) C:\Windows\system32\Drivers\sptd.sys
2011/07/06 20:03:28.0911 4784 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850c86434530790b110e8eb
2011/07/06 20:03:28.0921 4784 sptd - detected LockedFile.Multi.Generic (1)
2011/07/06 20:03:32.0691 4784 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/07/06 20:03:32.0723 4784 Boot (0x1200) (24fa32473328792fe84d54f2e8881adf) \Device\Harddisk0\DR0\Partition0
2011/07/06 20:03:32.0734 4784 ================================================================================
2011/07/06 20:03:32.0734 4784 Scan finished
2011/07/06 20:03:32.0734 4784 ================================================================================
2011/07/06 20:03:32.0752 4128 Detected object count: 1
2011/07/06 20:03:32.0752 4128 Actual detected object count: 1
2011/07/06 20:03:38.0615 4128 LockedFile.Multi.Generic(sptd) - User select action: Skip
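As an added example (not from this thread or from the tool's vendor), a small Python triage helper for the TDSSKiller text-log layout posted above: it pulls out the detection, sector-hash and user-action lines a helper actually reads and turns them into follow-up questions. It assumes only the line shapes visible in the log; the sample lines and md5 values below are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Line layout seen in the log: "<yyyy/mm/dd> <hh:mm:ss.ffff> <pid> <message>" (message may be empty).
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}\.\d{4}) (\d+) ?(?P<msg>.*)$")
# Message shapes that carry a verdict or a sector hash, taken from the layout above.
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \((\d+)\)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
SECTOR_RE = re.compile(r"^(?P<kind>MBR|Boot) \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) (?P<device>\\Device\\\S+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
ACTION_RE = re.compile(r"^(?P<verdict>[^(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\S+)$")


@dataclass
class TdssSummary:
    scan_finished: bool = False
    detections: list = field(default_factory=list)   # (driver name, verdict)
    suspicious: list = field(default_factory=list)   # (path, reason, md5)
    sectors: dict = field(default_factory=dict)      # "MBR"/"Boot" -> (device, md5)
    detected_count: Optional[int] = None
    actions: list = field(default_factory=list)      # (driver name, verdict, user action)
    unparsed: int = 0                                # non-empty lines outside the layout


def parse_tdss_log(text: str) -> TdssSummary:
    """Walk the log once and keep only the lines that carry a result."""
    s = TdssSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            if raw.strip():
                s.unparsed += 1
            continue
        msg = m.group("msg")
        if msg == "Scan finished":
            s.scan_finished = True
        elif (d := DETECT_RE.match(msg)):
            s.detections.append((d["name"], d["verdict"]))
        elif (d := SUSPICIOUS_RE.match(msg)):
            s.suspicious.append((d["path"], d["reason"], d["md5"]))
        elif (d := SECTOR_RE.match(msg)):
            s.sectors[d["kind"]] = (d["device"], d["md5"])
        elif (d := COUNT_RE.match(msg)):
            s.detected_count = int(d["n"])
        elif (d := ACTION_RE.match(msg)):
            s.actions.append((d["name"], d["verdict"].strip(), d["action"]))
    return s


def triage(s: TdssSummary) -> list:
    """Return short findings a helper would chase next; empty list means nothing open."""
    findings = []
    if not s.scan_finished:
        findings.append("no 'Scan finished' line: scan aborted or log truncated")
    if s.detected_count is not None and s.detected_count != len(s.detections):
        findings.append(f"count mismatch: header says {s.detected_count}, "
                        f"{len(s.detections)} detection line(s) found")
    for name, verdict, action in s.actions:
        if action.lower() == "skip":
            findings.append(f"{name} ({verdict}) was skipped, not cured: still present after reboot")
    for name, verdict in s.detections:
        if verdict.startswith("LockedFile."):
            findings.append(f"{name}: generic locked-file flag, identify the driver's owner before acting")
    for kind in ("MBR", "Boot"):
        if kind not in s.sectors:
            findings.append(f"no {kind} sector hash recorded: bootkit check incomplete")
    return findings


# Constructed sample in the thread's layout; the md5 values are placeholders, not real hashes.
SAMPLE_LOG = """\
2011/07/06 20:02:57.0022 5712 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/06 20:02:57.0475 5712
2011/07/06 20:03:15.0011 4784 Scan started
2011/07/06 20:03:28.0911 4784 sptd (00112233445566778899aabbccddeeff) C:\\Windows\\system32\\Drivers\\sptd.sys
2011/07/06 20:03:28.0911 4784 Suspicious file (NoAccess): C:\\Windows\\system32\\Drivers\\sptd.sys. md5: 00112233445566778899aabbccddeeff
2011/07/06 20:03:28.0921 4784 sptd - detected LockedFile.Multi.Generic (1)
2011/07/06 20:03:32.0691 4784 MBR (0x1B8) (ffeeddccbbaa99887766554433221100) \\Device\\Harddisk0\\DR0
2011/07/06 20:03:32.0723 4784 Boot (0x1200) (0123456789abcdef0123456789abcdef) \\Device\\Harddisk0\\DR0\\Partition0
2011/07/06 20:03:32.0734 4784 Scan finished
2011/07/06 20:03:32.0752 4128 Detected object count: 1
2011/07/06 20:03:32.0752 4128 Actual detected object count: 1
2011/07/06 20:03:38.0615 4128 LockedFile.Multi.Generic(sptd) - User select action: Skip
"""

if __name__ == "__main__":
    for line in triage(parse_tdss_log(SAMPLE_LOG)):
        print("-", line)
```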

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 July 2011 - 08:11 PM

2011/07/06 20:03:32.0691 4784 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/07/06 20:03:32.0723 4784 Boot (0x1200) (24fa32473328792fe84d54f2e8881adf) \Device\Harddisk0\DR0\Partition0
2011/07/06 20:03:32.0734 4784 ================================================================================
2011/07/06 20:03:32.0734 4784 Scan finished
2011/07/06 20:03:32.0734 4784 ================================================================================
2011/07/06 20:03:32.0752 4128 Detected object count: 1
2011/07/06 20:03:32.0752 4128 Actual detected object count: 1
2011/07/06 20:03:38.0615 4128 LockedFile.Multi.Generic(sptd) - User select action: Skip


Is this how the first log looked?
m0le is a proud member of UNITE

#15 Kjolin

Kjolin
  • Topic Starter

  • Members
  • 32 posts

Posted 06 July 2011 - 09:03 PM

Looks about right, yes.
