
Hijacked? Redirects, tracing cookies and rootkit or Trojan?


This topic is locked. 24 replies to this topic

#1 Demme

Demme

  • Members
  • 13 posts

Posted 26 June 2011 - 12:23 PM

It seems like I have been hijacked. I run Windows 7 Ultimate x64, and it seems like someone is trying to hijack me with the use of Windows server applications, WMI, services, rootkits/malware, IE/FF redirects to malicious sites, and access permissions. Many Windows 7 files and programs have been replaced by older versions to limit control and security. I can't start Windows Firewall; there is Windows Advanced Firewall, which seems to open access. I installed Comodo Firewall; however, somehow the settings change without my consent.

CHKDSK, for example, looked normal when I ran it, but then I found a log that might give some insight:


Checking file system on C:
The type of the file system is NTFS.
Volume label is BOOTCAMP.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
101120 file records processed.

File verification completed.
385 large file records processed.

0 bad file records processed.

2 EA records processed.

73 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 5)...
145076 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 5)...
101120 file SDs/SIDs processed.

Cleaning up 731 unused index entries from index $SII of file 0x9.
Cleaning up 731 unused index entries from index $SDH of file 0x9.
Cleaning up 731 unused security descriptors.
Security descriptor verification completed.
21979 data files processed.

CHKDSK is verifying Usn Journal...
34040504 USN bytes processed.

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
101104 files processed.

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
24480626 free clusters processed.

Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

117979135 KB total disk space.
19795376 KB in 70560 files.
56280 KB in 21980 indexes.
0 KB in bad sectors.
204971 KB in use by the system.
65536 KB occupied by the log file.
97922508 KB available on disk.

4096 bytes in each allocation unit.
29494783 total allocation units on disk.
24480627 allocation units available on disk.

Internal Info:
00 8b 01 00 87 69 01 00 22 d9 02 00 00 00 00 00 .....i..".......
8f 00 00 00 49 00 00 00 00 00 00 00 00 00 00 00 ....I...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

-----------------------------------------------

I also ran DDS; here is the log:

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Sigh at 18:55:59 on 2011-06-26
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bleepingcomputer.com
uDefault_Page_URL = hxxp://www.bleepingcomputer.com
mWinlogon: Userinit=userinit.exe,
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: UseDefaultTile = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 130.244.127.161 130.244.127.169
TCP: Interfaces\{64C73989-99A4-45F4-9671-D8087A8BA116} : DhcpNameServer = 130.244.127.161 130.244.127.169
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sigh\AppData\Roaming\Mozilla\Firefox\Profiles\yhfusq1v.default\
FF - prefs.js: browser.search.selectedEngine - Bing
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-06-26 14:30:31 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-26 13:31:42 35712 ----a-w- C:\Windows\SysWow64\drivers\BlackBox.sys
2011-06-26 09:20:28 -------- d-----w- C:\Windows\System32\appmgmt
2011-06-26 09:11:24 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-06-26 07:42:31 -------- d-----w- C:\Users\Sigh\AppData\Local\Apps
2011-06-26 03:48:32 -------- d-----w- C:\Users\Sigh\AppData\Local\Mozilla
2011-06-26 03:48:23 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-26 03:48:23 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-26 03:29:53 -------- d-----w- C:\Users\Sigh\AppData\Local\factormystic.net
2011-06-26 02:08:12 -------- d-----w- C:\Users\Sigh\AppData\Local\Apple
2011-06-26 00:33:27 388096 ----a-r- C:\Users\Sigh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-26 00:33:27 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-06-25 20:48:11 -------- d-----w- C:\Program Files\Windows Journal
2011-06-25 20:48:11 -------- d-----w- C:\Program Files\Hyper-V
2011-06-25 20:48:09 -------- d-----w- C:\Windows\ShellNew
2011-06-25 20:48:04 627712 ----a-w- C:\Windows\SysWow64\gpprefbr.dll
2011-06-25 20:48:03 4342784 ----a-w- C:\Windows\SysWow64\gppref.dll
2011-06-25 20:48:03 2548736 ----a-w- C:\Windows\SysWow64\propshts.dll
2011-06-25 20:48:03 225280 ----a-w- C:\Windows\SysWow64\gpregistrybrowser.dll
2011-06-25 20:48:03 166400 ----a-w- C:\Windows\SysWow64\gpprefcn.dll
2011-06-25 03:27:07 -------- d-----w- C:\Users\Sigh\AppData\Roaming\Tific
2011-06-25 01:57:39 -------- d-----w- C:\Program Files\COMODO
2011-06-25 01:57:12 -------- d-----w- C:\ProgramData\Comodo
2011-06-24 22:51:19 10240 ----a-w- C:\Windows\System32\wts.dll
2011-06-24 22:49:59 183808 ----a-w- C:\Windows\System32\dcpromo.exe
2011-06-24 16:59:30 -------- d-----w- C:\Users\Sigh\AppData\Roaming\SUPERAntiSpyware.com
2011-06-24 16:59:30 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-06-24 16:59:14 -------- d-----w- C:\ProgramData\!SASCORE
2011-06-24 16:59:13 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-06-24 16:14:49 -------- d-----w- C:\virus
2011-06-24 15:27:03 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-24 15:05:40 -------- d-----w- C:\Users\Sigh\AppData\Local\NPE
2011-06-24 14:28:17 -------- d-----w- C:\ProgramData\Symantec
2011-06-24 12:04:52 -------- d-----w- C:\Users\Sigh\AppData\Roaming\SPE
2011-06-24 08:56:51 345088 ----a-w- C:\Windows\System32\Utilman.exe
2011-06-24 06:40:41 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3BF163D3-0279-4F36-B325-79CEA262DD73}\mpengine.dll
2011-06-24 06:30:47 -------- d-----w- C:\ProgramData\NortonInstaller
2011-06-24 04:51:39 -------- d-----w- C:\Users\Sigh\AppData\Roaming\Malwarebytes
2011-06-24 04:51:00 -------- d-----w- C:\Users\Sigh\AppData\Local\VirtualStore
2011-06-24 03:17:10 -------- d-----w- C:\Program Files\CCleaner
2011-06-24 01:32:49 -------- d-----w- C:\ProgramData\XHEO INC
2011-06-22 18:16:45 -------- d-----w- C:\Program Files (x86)\VideoLAN
2011-06-22 05:46:08 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-06-22 05:41:23 -------- d-----w- C:\ProgramData\Norton
2011-06-22 02:04:48 94208 ----a-w- C:\Windows\System32\FixDownadup.exe
2011-06-18 23:03:53 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-06-18 23:03:53 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-18 23:03:52 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-18 23:03:52 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-06-18 23:03:52 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-06-18 23:03:51 3135488 ----a-w- C:\Windows\System32\win32k.sys
2011-06-18 23:03:50 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-06-18 23:03:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-06-18 23:03:49 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-06-18 23:03:49 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-06-18 23:03:49 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-06-18 23:03:47 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-18 23:03:47 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
.
==================== Find3M ====================
.
2011-06-25 20:47:16 901632 ----a-w- C:\Windows\System32\gpprefbr.dll
2011-06-25 20:47:16 3787776 ----a-w- C:\Windows\System32\propshts.dll
2011-06-25 20:47:16 302080 ----a-w- C:\Windows\System32\gpregistrybrowser.dll
2011-06-25 20:47:16 236032 ----a-w- C:\Windows\System32\gpprefcn.dll
2011-06-25 20:47:15 4889088 ----a-w- C:\Windows\System32\gppref.dll
2011-05-29 07:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-24 17:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-21 16:40:09 0 ----a-w- C:\Windows\ativpsrm.bin
2011-05-10 06:06:08 51712 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2011-05-10 06:06:08 4517664 ----a-w- C:\Windows\System32\usbaaplrc.dll
2011-05-02 18:36:48 41712 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
2011-05-02 18:36:48 252344 ----a-w- C:\Windows\System32\drivers\cmdGuard.sys
2011-05-02 18:36:46 16016 ----a-w- C:\Windows\System32\drivers\cmderd.sys
2011-05-02 18:36:04 284744 ----a-w- C:\Windows\SysWow64\guard32.dll
2011-05-02 18:36:02 360976 ----a-w- C:\Windows\System32\guard64.dll
2011-04-23 01:29:25 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-04-23 01:19:19 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-04-22 23:35:56 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-04-22 23:25:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-04-22 22:15:29 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-04-13 20:48:36 95544 ----a-w- C:\Windows\System32\bcmwlcoi.dll
2011-04-13 20:48:36 4798016 ----a-w- C:\Windows\System32\drivers\BCMWL664.SYS
2011-04-13 20:48:35 85544 ----a-w- C:\Windows\System32\drivers\bScsiSDa.sys
2011-04-13 20:48:35 411688 ----a-w- C:\Windows\System32\drivers\b57nd60a.sys
2011-04-13 20:48:35 3905824 ----a-w- C:\Windows\System32\bcmihvsrv64.dll
2011-04-13 20:48:35 3571488 ----a-w- C:\Windows\System32\bcmihvui64.dll
2011-04-09 07:02:55 5562240 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-04-09 06:02:25 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:02:25 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
.
============= FINISH: 18:57:01,25 ===============


Lastly, I ran HijackThis; here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:03:04, on 2011-06-26
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\Sigh\Desktop\gmer.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bleepingcomputer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User '?')
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 5088 bytes

I almost forgot that aswMBR gave me a bluescreen; it said that it tried to write to read-only memory (the log was disabled, but I have enabled it now). aswMBR in fail-safe mode gave me this log:


aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-26 16:32:57
-----------------------------
16:32:57.179 OS Version: Windows x64 6.1.7601 Service Pack 1
16:32:57.179 Number of processors: 8 586 0x2A07
16:32:57.179 ComputerName: MAJORTOM UserName: Sigh
16:32:58.661 Initialize success
16:33:17.069 AVAST engine defs: 11062600
16:33:25.212 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:33:25.212 Disk 0 Vendor: TOSHIBA_MK7559GSXF GQ005B Size: 715404MB BusType: 3
16:33:25.244 Disk 0 MBR read successfully
16:33:25.259 Disk 0 MBR scan
16:33:25.259 Disk 0 Windows 7 default MBR code
16:33:25.259 Service scanning
16:33:31.967 Disk 0 trace - called modules:
16:33:31.998 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys atapi.sys
16:33:31.998 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80055b1790]
16:33:31.998 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800537e520]
16:33:32.014 5 ACPI.sys[fffff88000f617a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800537b060]
16:33:34.323 AVAST engine scan C:\Windows
16:33:51.233 Disk 0 MBR has been saved successfully to "C:\Users\Sigh\Desktop\MBR.dat"
16:33:51.249 The log file has been saved successfully to "C:\Users\Sigh\Desktop\aswMBR222.txt"

-------------------------------------------------

Malwarebytes only finds tracking cookies every time after I have browsed the net.
Now even I can see the suspiciousness of these results, but what should I do to clean this?

I have come to understand the kind of attack I'm under now. I have figured out two things.

1) There appears to be one or more hidden Virtual Hard Disks that I can't access.


;
; Installation inf for the VHD Miniport
; Copyright © 1999 - 2007, Microsoft Corp.
;

[Version]
Signature="$Windows NT$"
Class=SCSIAdapter
ClassGUID={4D36E97B-E325-11CE-BFC1-08002BE10318}
Provider=%MSFT%
DriverVer=06/21/2006,6.1.7601.17514

[SourceDisksNames]
3426=windows cd

[SourceDisksFiles]
vhdmp.sys = 3426

[DestinationDirs]
DefaultDestDir=12

[ControlFlags]
BasicDriverOk=*

[Manufacturer]
%MSFT%=vhdmp_device,NTamd64

[vhdmp_device.NTamd64]
%MicrosoftVhd.DeviceDesc%=vhdmp_inst,{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba

;
; General installation section
;

[vhdmp_inst]
CopyFiles=vhd_copyfiles

[vhd_copyfiles]
vhdmp.sys,,,0x100

;
; Service Installation
;

[vhdmp_inst.Services]
AddService = vhdmp, 0x00000002, vhdmp_Service_Inst

[vhdmp_Service_Inst]
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %12%\vhdmp.sys
LoadOrderGroup = SCSI miniport
AddReg = vhdmp_service_addreg

[vhdmp_service_addreg]
HKR, "Parameters\PnpInterface", "5", %REG_DWORD%, 0x00000001
HKR, "Parameters", "BusType", 0x00010001, 0x0000000f
HKLM,System\CurrentControlSet\Services\vhdmp,BootFlags,%REG_DWORD_NO_CLOBBER%,2

[Strings]
;Localizable
diskId1 = " "
MicrosoftVhd.DeviceDesc = "Microsoft VHD HBA"
MSFT="Microsoft"

;
; Non-Localizable Strings
;

REG_DWORD = 0x00010001
REG_DWORD_NO_CLOBBER = 0x00010003
SERVICE_KERNEL_DRIVER = 1
SERVICE_DEMAND_START = 3
SERVICE_ERROR_NORMAL = 1

-------------------------------------------------------------------



2) I ran Sigcheck from Sysinternals to confirm that system files were being tampered with.
Below are the unsigned files Sigcheck found in C:\windows\system32:

File version: 7.5.7601.17514 (win7sp1_rtm.101119-1850)
c:\windows\system32\wups.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: Windows Update client proxy stub
Product: Microsoft® Windows® Operating System
Version: 7.5.7601.17514
File version: 7.5.7601.17514 (win7sp1_rtm.101119-1850)

c:\windows\system32\wups2.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: Windows Update client proxy stub 2
Product: Microsoft® Windows® Operating System
Version: 7.5.7601.17514
File version: 7.5.7601.17514 (win7sp1_rtm.101119-1850)

c:\windows\system32\wusa.exe:
Verified: Unsigned
File date: 05:23 2010-11-21
Publisher: Microsoft Corporation
Description: Windows Update Standalone Installer
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\wuwebv.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: Windows Update Vista Web Control
Product: Microsoft® Windows® Operating System
Version: 7.5.7601.17514
File version: 7.5.7601.17514 (win7sp1_rtm.101119-1850)

c:\windows\system32\wvc.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: Windows Visual Components
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\Wwanadvui.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Wireless WAN Connection Flows
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\WWanAPI.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Mbnapi
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\wwancfg.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: MBN Netsh Helper DLL
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\wwanconn.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: Wireless WAN Connection Flows
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\WWanHC.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Wireless WAN Helper Class
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\wwaninst.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Windows NET Device Class Co-Installer for Wireless WAN
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\wwanmm.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: WWan Media Manager
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\Wwanpref.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Wireless WAN Profile Settings Editor
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\wwanprotdim.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: WWAN Device Interface Module
Product: Microsoft® Windows® Operating System
Version: 08.01.7601.17514
File version: 08.01.7601.17514 (win7sp1_rtm.101119-1850)

c:\windows\system32\wwansvc.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: WWAN Auto Config Service
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\wwapi.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: WWAN API
Product: Microsoft® Windows® Operating System
Version: 08.01.02.00
File version: 08.01.02.00 (win7_rtm.090713-1255)

c:\windows\system32\wzcdlg.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Windows Connect Now - Flash Config Enrollee
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xcopy.exe:
Verified: Unsigned
File date: 03:39 2009-07-14
Publisher: Microsoft Corporation
Description: Extended Copy Utility
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\XInput9_1_0.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: XNA Common Controller
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xmlfilter.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: XML Filter
Product: Microsoft® Windows® Operating System
Version: 2008.0.7600.16385
File version: 2008.0.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xmllite.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Microsoft XmlLite Library
Product: Microsoft XML Core Services
Version: 1.3.1000.0
File version: 1.3.1000.0

c:\windows\system32\xmlprovi.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Network Provisioning Service Client API
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xolehlp.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Microsoft Distributed Transaction Coordinator Helper APIs DLL
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 2001.12.8530.16385 (win7_rtm.090713-1255)

c:\windows\system32\XpsFilt.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: XML Paper Specification Document IFilter
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\XpsGdiConverter.dll:
Verified: Unsigned
File date: 08:15 2011-02-24
Publisher: Microsoft Corporation
Description: XPS to GDI Converter
Product: Microsoft® Windows® Operating System
Version: 6.1.7601.17566
File version: 6.1.7601.17566 (win7sp1_gdr.110223-1501)

c:\windows\system32\XpsPrint.dll:
Verified: Unsigned
File date: 14:08 2011-03-12
Publisher: Microsoft Corporation
Description: XPS Printing DLL
Product: Microsoft® Windows® Operating System
Version: 6.1.7601.17578
File version: 6.1.7601.17578 (win7sp1_gdr.110311-2052)

c:\windows\system32\XpsRasterService.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: XPS Rasterization Service Component
Product: Microsoft® Windows® Operating System
Version: 6.1.7601.17514
File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

c:\windows\system32\xpsrchvw.exe:
Verified: Unsigned
File date: 03:39 2009-07-14
Publisher: Microsoft Corporation
Description: XPS Viewer
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xpsservices.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: Xps Object Model in memory creation and deserialization
Product: Microsoft® Windows® Operating System
Version: 6.1.7601.17514
File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

c:\windows\system32\XPSSHHDR.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Package Document Shell Extension Handler
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xpssvcs.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Native Code Xps Services Library
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xwizard.exe:
Verified: Unsigned
File date: 03:39 2009-07-14
Publisher: Microsoft Corporation
Description: Extensible Wizards Host Process
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xwizards.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Extensible Wizards Manager Module
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xwreg.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Extensible Wizard Registration Manager Module
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xwtpdui.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Extensible Wizard Type Plugin for DUI
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\xwtpw32.dll:
Verified: Unsigned
File date: 03:41 2009-07-14
Publisher: Microsoft Corporation
Description: Extensible Wizard Type Plugin for Win32
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)

c:\windows\system32\zipfldr.dll:
Verified: Unsigned
File date: 05:24 2010-11-21
Publisher: Microsoft Corporation
Description: Compressed (zipped) Folders
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)



Registry keys in HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers had been modified, and so the attackers could install unsigned files.

See:

hxxp://www.john.bryntze.net/jbkb/index.php?title=Certification-kb12_070-680_TS_Windows_7_Configuring_-_Exam_Notes

for a walkthrough of pretty much what has happened to my PC.


I have two questions.

1) What do I do with these unsigned files, and how do I go about restoring signatures to their defaults?

2) How do I find the eventual Virtual Hard Drives? I mentioned earlier that I got a bluescreen when running aswMBR, and I think it was when it accessed the VHD, which was set to read-only; possibly a trojan/virus removal/repair attempt caused the BSoD.

GN for now. Thanks very much in advance for any replies!

EDIT: Posts merged ~Budapest

Edited by Budapest, 30 June 2011 - 04:31 PM.
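As an added example (editor's code, not the poster's and not the output of any tool in the thread), the following PowerShell script does a read-only version of the two checks in post #1: it verifies signatures under the System32 tree with Get-AuthenticodeSignature, which also resolves catalog signatures (most Windows OS binaries are catalog-signed and carry no embedded signature, so a checker that reads only the file reports them as unsigned, while a HashMismatch status is what actually indicates a modified signed file), and it decodes the Software Restriction Policy values under the Safer\CodeIdentifiers key the post names. It assumes PowerShell 3.0 or later; the folder and extension parameters and the Resolve-SaferLevel helper are this example's own.

```powershell
# Added example (editor's code, not the poster's or any tool's output):
# a read-only audit of the two things post #1 checks by hand.
# Assumes only built-in Windows PowerShell (3.0+) cmdlets; folder and
# extensions are parameters defaulting to the System32 tree the post examined.
# Run from 64-bit PowerShell on x64 Windows so System32 is not redirected
# to SysWOW64 by the WOW64 file system redirector.
param(
    [string]$Folder = (Join-Path $env:SystemRoot 'System32'),
    [string[]]$Extensions = @('*.exe', '*.dll', '*.sys')
)

# Documented meanings of the SRP DefaultLevel value (the per-level subkeys
# under CodeIdentifiers are named with the same numbers in decimal).
$LevelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function Resolve-SaferLevel {
    # Helper (this example's own): turn a level number into its name.
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    $n = $Value -as [int]
    if ($null -eq $n) { return "unknown ($Value)" }
    if ($LevelNames.ContainsKey($n)) { return $LevelNames[$n] }
    return ('unknown (0x{0:x})' -f $n)
}

function Get-SignatureReport {
    param([string]$Path, [string[]]$Include)
    # Get-AuthenticodeSignature resolves catalog signatures as well as
    # embedded ones. Most Windows OS binaries carry no embedded signature,
    # so a checker that parses only the file reports them as unsigned.
    # The status that points to tampering is HashMismatch: a signed file
    # whose current contents no longer match what was signed.
    Get-ChildItem -Path (Join-Path $Path '*') -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer  = $signer
                Written = $_.LastWriteTimeUtc
            }
        }
}

function Get-SaferPolicyReport {
    # The Software Restriction Policy key named in the post. Other documented
    # values: TransparentEnabled (0 none, 1 all but DLLs, 2 all software files),
    # PolicyScope (0 all users, 1 all except local administrators),
    # AuthenticodeEnabled (1 = certificate rules enforced).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{ KeyPresent = $false }
    }
    $p = Get-ItemProperty -Path $key

    # Explicit path rules live under <level>\Paths\<guid> with the path in
    # ItemData; a rule that unrestricts a user-writable location is worth
    # seeing next to the default level.
    $rules = foreach ($level in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
        $paths = "$($level.PSPath)\Paths"
        if (Test-Path -Path $paths) {
            foreach ($rule in Get-ChildItem -Path $paths) {
                $item = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level = Resolve-SaferLevel $level.PSChildName
                    Path  = $item.ItemData
                }
            }
        }
    }

    [pscustomobject]@{
        KeyPresent          = $true
        DefaultLevel        = Resolve-SaferLevel $p.DefaultLevel
        TransparentEnabled  = $p.TransparentEnabled
        PolicyScope         = $p.PolicyScope
        AuthenticodeEnabled = $p.AuthenticodeEnabled
        ExecutableTypes     = ($p.ExecutableTypes -join ' ')
        PathRules           = @($rules)
    }
}

# Run both checks and print: policy summary, path rules, then a count per
# signature status and the files whose status is anything other than Valid.
$policy = Get-SaferPolicyReport
$policy | Select-Object KeyPresent, DefaultLevel, TransparentEnabled, PolicyScope,
    AuthenticodeEnabled, ExecutableTypes | Format-List
$policy.PathRules | Format-Table -AutoSize

$report = Get-SignatureReport -Path $Folder -Include $Extensions
$report | Group-Object -Property Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Status, File | Format-Table -AutoSize
```

Files reported as HashMismatch, or as NotSigned with a recent LastWriteTime, are the ones to compare against a known-good copy of the same Windows build; a NotSigned status on its own is not proof of tampering.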




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 July 2011 - 08:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Demme

Demme
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 12 July 2011 - 07:47 AM

Thanks for the reply, however since I didn't receive a response for so long I assumed my topic had been ignored and I tried to wipe the pc clean and reinstall.

However I still have the same issue on all my computers.

If you are still willing to help me here is a hijackthis log from my stationary PC

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:41:58, on 2011-07-12
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\TweakNow PowerPack 2010\CDAuto.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Administrator\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://se.msn.com/?ocid=OIE9HP
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.msn.com/?ocid=OIE9HP
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hello
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll %windir%\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5767 bytes

and DDS

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Administrator at 14:46:10 on 2011-07-12
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.4094.2360 [GMT 2:00]
.
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files (x86)\TweakNow PowerPack 2010\CDAuto.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Administrator\Downloads\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Hello
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: NoThemesTab = 1 (0x1)
uPolicies-explorer: NoAddPrinter = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A2020031-88F6-4CCE-90F5-523560921E59} : DhcpNameServer = 192.168.1.1
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll %windir%\SysWOW64\guard32.dll
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll %windir%\SysWOW64\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9lk4tbsn.default\
FF - prefs.js: browser.search.selectedEngine -
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [2011-5-19 1143416]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110712.033\IDSviA64.sys [2011-7-12 488056]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMNETS.SYS --> C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMNETS.SYS [?]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [2011-7-11 130008]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-4-19 993848]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-4-19 399416]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-7-11 136824]
R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-16 366640]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S4 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-14 20992]
.
=============== Created Last 30 ================
.
2011-07-12 11:27:46 -------- d-----w- C:\Users\Administrator\AppData\Local\CrashDumps
2011-07-11 21:51:34 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-11 17:26:35 -------- d-----w- C:\Program Files\Realtek
2011-07-11 17:26:34 -------- d-----w- C:\Windows\SysWow64\RTCOM
2011-07-11 17:26:00 518896 ----a-w- C:\Windows\System32\SRSTSX64.dll
2011-07-11 17:26:00 332392 ----a-w- C:\Windows\System32\RtlCPAPI64.dll
2011-07-11 17:26:00 2899176 ----a-w- C:\Windows\System32\drivers\RTKVHD64.sys
2011-07-11 17:26:00 2601816 ----a-w- C:\Windows\System32\WavesGUILib.dll
2011-07-11 17:26:00 2405992 ----a-w- C:\Windows\System32\RtPgEx64.dll
2011-07-11 17:26:00 211184 ----a-w- C:\Windows\System32\SRSTSH64.dll
2011-07-11 17:26:00 198896 ----a-w- C:\Windows\System32\SRSHP64.dll
2011-07-11 17:26:00 1560680 ----a-w- C:\Windows\System32\RTSnMg64.cpl
2011-07-11 17:26:00 155888 ----a-w- C:\Windows\System32\SRSWOW64.dll
2011-07-11 17:24:24 74344 ----a-w- C:\Windows\System32\RtNicProp64.dll
2011-07-11 17:24:24 535656 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2011-07-11 17:24:24 107624 ----a-w- C:\Windows\System32\RTNUninst64.dll
2011-07-11 17:24:19 -------- d-----w- C:\Program Files (x86)\Realtek
2011-07-11 17:23:35 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2011-07-11 17:23:22 -------- d-----w- C:\Intel
2011-07-11 15:41:19 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Spotify
2011-07-11 15:41:19 -------- d-----w- C:\Users\Administrator\AppData\Local\Spotify
2011-07-11 12:59:44 43640 ----a-r- C:\Windows\System32\drivers\SymIMV.sys
2011-07-11 12:17:28 -------- d-----w- C:\Program Files (x86)\VideoLAN
2011-07-11 11:41:02 -------- d-----w- C:\Users\Administrator\AppData\Roaming\.purple
2011-07-11 05:59:19 -------- d-----w- C:\Users\Administrator\AppData\Local\Secunia CSI
2011-07-11 05:39:31 -------- d-----w- C:\4f5cd9d77f24c4ca1423c4c63e60335c
2011-07-11 05:34:56 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-07-11 05:34:56 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-07-11 04:49:41 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-07-11 04:34:24 -------- d-----w- C:\ProgramData\NortonInstaller
2011-07-11 04:34:24 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2011-07-11 04:32:42 -------- d-----w- C:\ProgramData\Norton
2011-07-11 04:13:50 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BA3E1713-5D73-42DA-A2EB-807DB8950FC1}\mpengine.dll
2011-07-11 03:23:21 -------- d-----w- C:\Users\Administrator\AppData\Roaming\TweakNow PowerPack Professional
2011-07-11 03:22:29 0 ----a-w- C:\Windows\ativpsrm.bin
2011-07-11 03:13:49 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Fighters
2011-07-11 03:13:48 -------- d-----w- C:\Users\Administrator\AppData\Local\PackageAware
2011-07-11 03:13:30 -------- d-----w- C:\Users\Administrator\AppData\Local\Secunia PSI
2011-07-11 03:13:27 -------- d-----w- C:\Program Files (x86)\Secunia
2011-07-11 03:10:41 -------- d-----w- C:\Users\Administrator\AppData\Roaming\TweakNow PowerPack 2010
2011-07-11 03:10:41 -------- d-----w- C:\Program Files (x86)\TweakNow PowerPack 2010
2011-07-11 02:54:06 -------- d-----w- C:\Users\Administrator\AppData\Roaming\XYplorer
2011-07-11 02:54:04 -------- d-----w- C:\Program Files (x86)\XYplorer
2011-07-11 02:52:55 -------- d-----w- C:\Program Files\COMODO
2011-07-11 02:52:28 -------- d-----w- C:\ProgramData\Comodo
2011-07-11 01:12:42 -------- d-----w- C:\Users\Administrator\AppData\Roaming\DAEMON Tools Lite
2011-07-11 00:55:47 -------- d-----w- C:\Users\Administrator\AppData\Roaming\ESET
2011-07-11 00:52:28 -------- d-----w- C:\Program Files\ESET
2011-07-10 23:25:52 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-10 22:15:11 -------- d-----w- C:\Users\Administrator\AppData\Roaming\AVG10
2011-07-10 22:13:21 -------- d-----w- C:\ProgramData\AVG10
2011-07-10 22:12:12 -------- d-----w- C:\Program Files (x86)\AV2G
2011-07-10 22:07:06 -------- d-----w- C:\ProgramData\MFAData
2011-07-10 22:03:49 -------- d-----w- C:\Users\Administrator\AppData\Local\Mozilla
2011-07-10 21:58:47 -------- d-----w- C:\Users\Administrator\AppData\Local\ATI
2011-07-10 21:39:56 -------- d-----w- C:\$WINDOWS.~LS
2011-07-10 21:27:10 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Malwarebytes
2011-07-10 21:18:30 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Simply Super Software
2011-07-10 19:15:37 -------- d-----w- C:\Windows\System32\appmgmt
2011-07-10 16:04:24 33920 ----a-w- C:\Windows\SysWow64\drivers\fsbts.sys
2011-07-10 15:38:01 -------- d-----w- C:\ProgramData\F-Secure
2011-06-17 06:59:44 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2011-06-17 06:59:44 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-06-17 06:59:43 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-06-17 06:59:43 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-06-17 06:59:43 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2011-06-16 23:53:21 519000 ----a-w- C:\Windows\System32\d3dx10_40.dll
2011-06-16 23:53:21 452440 ----a-w- C:\Windows\SysWow64\d3dx10_40.dll
2011-06-16 23:53:21 2605920 ----a-w- C:\Windows\System32\D3DCompiler_40.dll
2011-06-16 23:53:21 2036576 ----a-w- C:\Windows\SysWow64\D3DCompiler_40.dll
2011-06-16 23:53:20 5631312 ----a-w- C:\Windows\System32\D3DX9_40.dll
2011-06-16 23:53:20 4379984 ----a-w- C:\Windows\SysWow64\D3DX9_40.dll
2011-06-16 20:30:04 -------- d-----w- C:\Program Files (x86)\Combined Community Codec Pack
2011-06-16 19:58:49 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-16 19:57:55 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-06-16 19:57:55 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-06-16 19:57:51 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-16 19:57:51 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-06-16 16:58:26 -------- d-----w- C:\Program Files (x86)\Spotify
.
==================== Find3M ====================
.
2011-07-11 17:55:15 25640 ----a-w- C:\Windows\gdrv.sys
2011-07-11 04:35:28 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-06-03 06:11:36 1805928 ----a-w- C:\Windows\System32\RtkApi64.dll
2011-06-02 09:03:58 92264 ----a-w- C:\Windows\System32\RCoInst64.dll
2011-05-31 02:09:30 3114088 ----a-w- C:\Windows\System32\RtkAPO64.dll
2011-05-29 23:22:14 254528 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2011-05-29 07:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-28 03:06:58 3135488 ----a-w- C:\Windows\System32\win32k.sys
2011-05-27 09:58:00 1284712 ----a-w- C:\Windows\RtlExUpd.dll
2011-05-24 17:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2011-05-23 09:12:36 1245288 ----a-w- C:\Windows\System32\RTCOM64.dll
2011-05-05 07:24:02 2085440 ----a-w- C:\Windows\System32\FMAPO64.dll
2011-05-04 23:28:10 59904 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2011-05-04 23:27:58 51712 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-05-04 23:27:42 12385280 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-05-04 05:25:03 2315776 ----a-w- C:\Windows\System32\tquery.dll
2011-05-04 05:22:25 778752 ----a-w- C:\Windows\System32\mssvp.dll
2011-05-04 05:22:25 2223616 ----a-w- C:\Windows\System32\mssrch.dll
2011-05-04 05:22:24 75264 ----a-w- C:\Windows\System32\msscntrs.dll
2011-05-04 05:22:24 491520 ----a-w- C:\Windows\System32\mssph.dll
2011-05-04 05:22:24 288256 ----a-w- C:\Windows\System32\mssphtb.dll
2011-05-04 05:19:28 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
2011-05-04 05:19:28 249856 ----a-w- C:\Windows\System32\SearchProtocolHost.exe
2011-05-04 05:19:28 113664 ----a-w- C:\Windows\System32\SearchFilterHost.exe
2011-05-04 04:34:43 1549312 ----a-w- C:\Windows\SysWow64\tquery.dll
2011-05-04 04:32:02 666624 ----a-w- C:\Windows\SysWow64\mssvp.dll
2011-05-04 04:32:01 337408 ----a-w- C:\Windows\SysWow64\mssph.dll
2011-05-04 04:32:01 197120 ----a-w- C:\Windows\SysWow64\mssphtb.dll
2011-05-04 04:32:01 1401344 ----a-w- C:\Windows\SysWow64\mssrch.dll
2011-05-04 04:32:00 59392 ----a-w- C:\Windows\SysWow64\msscntrs.dll
2011-05-04 04:28:31 86528 ----a-w- C:\Windows\SysWow64\SearchFilterHost.exe
2011-05-04 04:28:31 427520 ----a-w- C:\Windows\SysWow64\SearchIndexer.exe
2011-05-04 04:28:31 164352 ----a-w- C:\Windows\SysWow64\SearchProtocolHost.exe
2011-04-29 03:06:10 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-04-29 03:05:49 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 03:05:37 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-27 02:40:40 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-27 02:39:40 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-27 02:39:37 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-25 05:33:51 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-04-25 02:34:03 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-04-23 01:29:25 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-04-23 01:19:19 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-04-22 23:35:56 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-04-22 23:25:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-04-22 22:15:29 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-04-20 02:30:16 22900736 ----a-w- C:\Windows\System32\atio6axx.dll
2011-04-20 02:09:18 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-04-20 02:09:04 676864 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-04-20 02:07:46 795648 ----a-w- C:\Windows\System32\aticfx64.dll
2011-04-20 02:07:02 17693184 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-04-20 02:05:08 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-04-20 02:04:54 480256 ----a-w- C:\Windows\System32\atieclxx.exe
2011-04-20 02:04:18 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-04-20 02:03:04 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-04-20 02:02:48 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-04-20 02:02:42 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-04-20 02:02:30 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-04-20 02:02:24 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-04-20 02:02:20 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-04-20 02:02:16 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-04-20 01:46:16 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-04-20 01:46:14 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-04-20 01:46:04 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-04-20 01:46:02 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-04-20 01:45:52 7768064 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-04-20 01:42:04 6389760 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-04-20 01:40:48 1222656 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-04-20 01:40:14 1923584 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-04-20 01:27:00 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-04-20 01:23:12 366080 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-04-20 01:23:06 262144 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-04-20 01:22:54 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-04-20 01:22:52 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-04-20 01:22:52 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-04-20 01:22:48 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-04-20 01:22:40 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-04-20 01:22:32 306176 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-04-20 01:21:44 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-04-20 01:21:38 31232 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-04-20 01:21:32 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-04-20 01:21:24 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-04-20 01:20:50 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-04-20 01:13:36 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-04-20 01:13:28 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-04-20 00:44:50 9319936 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-04-19 23:59:22 4161536 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-04-19 23:49:32 4951552 ----a-w- C:\Windows\System32\atidxx64.dll
2011-04-19 23:40:04 3868672 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-04-19 23:38:06 4286464 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-04-19 23:31:14 5440000 ----a-w- C:\Windows\System32\atiumd64.dll
2011-04-19 23:30:38 4056576 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-04-19 23:13:38 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-04-19 23:13:30 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-04-19 20:10:34 61952 ----a-w- C:\Windows\System32\OVDecode64.dll
.
============= FINISH: 14:46:27,22 ===============

Thanks in advance and sorry for the inconvenience I have caused. If you help me to solve these issues I will make a donation for sure!

Edited by Demme, 12 July 2011 - 07:53 AM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:49 PM

Posted 12 July 2011 - 04:51 PM

The reinstallation deals with almost all malware but there a few settings which don't change. If we can be sure that they are not there any more then we can reset your system.

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 Demme

Demme
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 13 July 2011 - 07:44 AM

When I try to download the file it says it is 1.8Mb, not 511kb. Also, when I run the program and click Scan, after a few seconds it stops working with the following details:

Problem signature:
Problem Event Name: APPCRASH
Application Name: aswMBR.exe
Application Version: 0.9.7.707
Application Timestamp: 4e1c9fbd
Fault Module Name: aswMBR.exe
Fault Module Version: 0.9.7.707
Fault Module Timestamp: 4e1c9fbd
Exception Code: c0000005
Exception Offset: 00019180
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1053
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:49 PM

Posted 13 July 2011 - 05:13 PM

That's a new one. The file size has clearly got larger as the problems have got larger - I have removed the file size from the instructions. Thanks.

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Edited by m0le, 13 July 2011 - 05:15 PM.

m0le is a proud member of UNITE

#7 Demme

Demme
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 14 July 2011 - 06:30 AM

The scan only took 10s. Nothing was found. Is this normal?




2011/07/14 13:28:49.0544 1592 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/14 13:28:51.0556 1592 ================================================================================
2011/07/14 13:28:51.0556 1592 SystemInfo:
2011/07/14 13:28:51.0556 1592
2011/07/14 13:28:51.0556 1592 OS Version: 6.1.7601 ServicePack: 1.0
2011/07/14 13:28:51.0556 1592 Product type: Workstation
2011/07/14 13:28:51.0556 1592 ComputerName: DEMME-PC
2011/07/14 13:28:51.0556 1592 UserName: Administrator
2011/07/14 13:28:51.0556 1592 Windows directory: C:\Windows
2011/07/14 13:28:51.0556 1592 System windows directory: C:\Windows
2011/07/14 13:28:51.0556 1592 Running under WOW64
2011/07/14 13:28:51.0556 1592 Processor architecture: Intel x64
2011/07/14 13:28:51.0556 1592 Number of processors: 2
2011/07/14 13:28:51.0556 1592 Page size: 0x1000
2011/07/14 13:28:51.0556 1592 Boot type: Normal boot
2011/07/14 13:28:51.0556 1592 ================================================================================
2011/07/14 13:28:52.0445 1592 Initialize success
2011/07/14 13:28:55.0846 2700 ================================================================================
2011/07/14 13:28:55.0846 2700 Scan started
2011/07/14 13:28:55.0846 2700 Mode: Manual;
2011/07/14 13:28:55.0846 2700 ================================================================================
2011/07/14 13:29:04.0551 2700 ================================================================================
2011/07/14 13:29:04.0551 2700 Scan finished
2011/07/14 13:29:04.0551 2700 ================================================================================
2011/07/14 13:29:04.0551 1592 Detected object count: 0
2011/07/14 13:29:04.0551 1592 Actual detected object count: 0
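As an added example (not code from this thread, from Kaspersky's TDSSKiller, or from the forum helpers), here is a small Python parser for the report format posted above. It answers the two questions a responder asks of such a log: how long the scan actually ran (from the Scan started / Scan finished timestamps) and which driver entries load from somewhere other than the standard System32 locations and so deserve a manual look. The embedded report lines are constructed: they copy the page's format, but the hashes are placeholder values.

```python
"""Triage a TDSSKiller report: scan duration, detection count, unusual driver paths."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One scanned-object line: timestamp, thread id, service name, optional "(0x..)"
# size for MBR/boot entries, the MD5 in parentheses, then the load path.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<name>\S+)(?: \((?P<size>0x[0-9A-Fa-f]+)\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
# Scan boundary lines carry the same timestamp prefix.
MARK_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\d+\s+(Scan started|Scan finished)$")
COUNT_RE = re.compile(r"^\s*\d{4}/\d{2}/\d{2} [\d:.]+\s+\d+\s+Detected object count: (\d+)", re.M)

SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    name: str
    md5: str
    path: str
    size: Optional[str] = None

    def in_expected_location(self) -> bool:
        """True for System32\\drivers\\x.sys, System32\\x.sys, or raw disk objects."""
        p = self.path.lower()
        if p.startswith("\\device\\"):          # MBR / boot sector entries, not files
            return True
        if not p.startswith(SYSTEM32):
            return False
        parts = p[len(SYSTEM32):].split("\\")
        # "clfs.sys" or "drivers\\acpi.sys" are normal; deeper trees (vendor
        # subdirectories) or anything outside System32 get flagged for review.
        return len(parts) == 1 or (len(parts) == 2 and parts[0] == "drivers")


def parse_report(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"], m["md5"], m["path"], m["size"]))
    return entries


def scan_duration_seconds(text: str) -> Optional[float]:
    marks = {}
    for line in text.splitlines():
        m = MARK_RE.match(line.strip())
        if m:
            # TDSSKiller writes a 4-digit fraction; %f accepts 1-6 digits.
            marks[m.group(2)] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
    if "Scan started" in marks and "Scan finished" in marks:
        return (marks["Scan finished"] - marks["Scan started"]).total_seconds()
    return None


def detected_count(text: str) -> Optional[int]:
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def triage(text: str) -> Dict[str, object]:
    entries = parse_report(text)
    return {
        "entries": len(entries),
        "detected": detected_count(text),
        "duration_s": scan_duration_seconds(text),
        "review": [e.name for e in entries if not e.in_expected_location()],
    }


# Constructed sample in the page's format; the MD5 values are placeholders.
SAMPLE_REPORT = r"""
2011/07/14 13:28:49.0544 1592 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/14 13:28:55.0846 2700 Scan started
2011/07/14 13:28:56.0860 2700 ACPI (00000000000000000000000000000001) C:\Windows\system32\drivers\ACPI.sys
2011/07/14 13:28:58.0389 2700 CLFS (00000000000000000000000000000002) C:\Windows\system32\CLFS.sys
2011/07/14 13:28:59.0403 2700 gdrv (00000000000000000000000000000003) C:\Windows\gdrv.sys
2011/07/14 13:29:02.0835 2700 SRTSP (00000000000000000000000000000004) C:\Windows\system32\drivers\NAVx64\1206000.01D\SRTSP64.SYS
2011/07/14 13:29:04.0520 2700 MBR (0x1B8) (00000000000000000000000000000005) \Device\Harddisk0\DR0
2011/07/14 13:29:04.0551 2700 Scan finished
2011/07/14 13:29:04.0551 1592 Detected object count: 0
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"objects scanned : {summary['entries']}")
    print(f"detections      : {summary['detected']}")
    print(f"scan duration   : {summary['duration_s']:.1f} s")
    print(f"review paths    : {', '.join(summary['review']) or 'none'}")
```

Names under "review" are only drivers with unusual load paths (third-party AV drivers such as the Norton ones will land there); they are a starting point for a manual check of signature and vendor, not evidence of infection on their own.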

#8 m0le (Malware Response Team, London, UK)

Posted 14 July 2011 - 05:55 PM

Yes, it is a quick scan.

Please next download and run Combofix (this averages 10 minutes but can be longer)

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 Demme

Demme
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 15 July 2011 - 04:23 PM

Some of the log came out in Swedish, so I added translations. If I missed anything, let me know.


ComboFix 11-07-15.02 - Administrator 2011-07-15 22:18:22.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.4094.2982 [GMT 2:00]
Running from: c:\users\Administrator\Desktop\comfix.exe
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\config\systemprofile\UDDE4FA.tmp
c:\windows\system32\config\systemprofile\UDDEEB3.tmp
.
.
(((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 ))))))))))))))))))))))))))))))
.
.
2011-07-15 20:16 . 2011-07-15 20:16 -------- d-----w- C:\32788R22FWJFW
2011-07-14 14:13 . 2011-07-14 14:14 -------- d-----w- c:\program files (x86)\mIRC
2011-07-13 11:40 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C2979F8-2C63-4377-90FA-1DCA513B40C3}\mpengine.dll
2011-07-11 17:55 . 2011-07-11 17:55 -------- d-----w- c:\programdata\InstallShield
2011-07-11 17:55 . 2011-07-11 17:55 -------- d-----w- c:\program files (x86)\Gigabyte
2011-07-11 17:55 . 2005-02-17 05:15 73728 ----a-w- c:\windows\SysWow64\ISUSPM.cpl
2011-07-11 17:55 . 2011-07-11 17:55 25640 ----a-w- c:\windows\gdrv.sys
2011-07-11 17:26 . 2011-07-11 17:26 -------- d-----w- c:\program files\Realtek
2011-07-11 17:26 . 2011-07-11 17:26 -------- d-----w- c:\windows\SysWow64\RTCOM
2011-07-11 17:26 . 2011-06-14 11:38 2899176 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2011-07-11 17:26 . 2011-06-13 11:04 1560680 ----a-w- c:\windows\system32\RTSnMg64.cpl
2011-07-11 17:26 . 2011-06-07 09:09 2405992 ----a-w- c:\windows\system32\RtPgEx64.dll
2011-07-11 17:26 . 2011-04-18 10:50 2601816 ----a-w- c:\windows\system32\WavesGUILib.dll
2011-07-11 17:26 . 2010-11-03 10:31 332392 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2011-07-11 17:26 . 2009-11-24 01:55 518896 ----a-w- c:\windows\system32\SRSTSX64.dll
2011-07-11 17:26 . 2009-11-24 01:55 211184 ----a-w- c:\windows\system32\SRSTSH64.dll
2011-07-11 17:26 . 2009-11-24 01:55 198896 ----a-w- c:\windows\system32\SRSHP64.dll
2011-07-11 17:26 . 2009-11-24 01:55 155888 ----a-w- c:\windows\system32\SRSWOW64.dll
2011-07-11 17:24 . 2011-06-01 03:16 74344 ----a-w- c:\windows\system32\RtNicProp64.dll
2011-07-11 17:24 . 2011-06-01 03:16 535656 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2011-07-11 17:24 . 2011-06-01 03:16 107624 ----a-w- c:\windows\system32\RTNUninst64.dll
2011-07-11 17:24 . 2011-07-11 17:25 -------- d-----w- c:\program files (x86)\Realtek
2011-07-11 17:24 . 2011-07-11 17:55 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2011-07-11 17:23 . 2011-07-11 17:23 -------- d-----w- c:\program files (x86)\Intel
2011-07-11 17:23 . 2010-03-02 08:04 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2011-07-11 17:23 . 2011-07-11 17:23 -------- d-----w- C:\Intel
2011-07-11 12:59 . 2011-03-31 03:04 43640 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2011-07-11 12:17 . 2011-07-11 14:32 -------- d-----w- c:\program files (x86)\VideoLAN
2011-07-11 05:39 . 2011-07-11 05:39 -------- d-----w- C:\4f5cd9d77f24c4ca1423c4c63e60335c
2011-07-11 05:34 . 2011-05-29 22:44 1780 ----a-w- c:\windows\system32\config\systemprofile\nss623E.tmp
2011-07-11 05:34 . 2010-01-01 08:00 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-07-11 05:34 . 2010-01-01 08:00 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-07-11 05:32 . 2011-07-11 05:33 -------- d-----w- c:\windows\SysWow64\config\systemprofile\Secunia PSI Agent
2011-07-11 05:28 . 2011-07-11 05:28 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-07-11 04:49 . 2011-07-11 04:49 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\program files\Symantec
2011-07-11 04:35 . 2011-07-11 04:35 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\windows\system32\drivers\NAVx64
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\program files (x86)\Norton AntiVirus
2011-07-11 04:34 . 2011-07-11 04:34 -------- d-----w- c:\program files (x86)\NortonInstaller
2011-07-11 04:32 . 2011-07-11 21:44 -------- d-----w- c:\programdata\Norton
2011-07-11 03:22 . 2011-07-11 03:22 0 ----a-w- c:\windows\ativpsrm.bin
2011-07-11 03:13 . 2011-07-11 14:07 -------- d-----w- c:\program files (x86)\Secunia
2011-07-11 03:10 . 2011-07-11 03:11 -------- d-----w- c:\program files (x86)\TweakNow PowerPack 2010
2011-07-11 02:54 . 2011-07-11 02:54 -------- d-----w- c:\program files (x86)\XYplorer
2011-07-11 02:52 . 2011-07-11 02:52 -------- d-----w- c:\program files\COMODO
2011-07-11 02:52 . 2011-07-11 03:26 -------- d-----w- c:\programdata\Comodo
2011-07-11 00:52 . 2011-07-11 11:46 -------- d-----w- c:\program files\ESET
2011-07-11 00:35 . 2011-07-11 00:35 0 ----atw- c:\windows\system32\config\systemprofile\avg-794f2920-c469-4800-8ec2-dd5fcb310d7c.tmp
2011-07-10 23:25 . 2011-07-11 11:34 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-10 22:19 . 2011-07-10 22:19 -------- d-----w- c:\users\Demme\AppData\Local\AVG Security Toolbar
2011-07-10 22:17 . 2011-07-10 22:17 -------- d-----w- c:\users\Demme\WPDNSE
2011-07-10 22:17 . 2011-07-10 22:17 -------- d-----w- c:\users\Demme\AppData\Roaming\AVG10
2011-07-10 22:13 . 2011-07-11 00:53 -------- d-----w- c:\programdata\AVG10
2011-07-10 22:12 . 2011-07-10 22:12 -------- d-----w- c:\program files (x86)\AV2G
2011-07-10 22:07 . 2011-07-11 01:13 -------- d-----w- c:\programdata\MFAData
2011-07-10 21:58 . 2011-07-11 20:13 -------- d-----r- c:\users\Public
2011-07-10 21:39 . 2011-07-10 21:39 -------- d-----w- C:\$WINDOWS.~LS
2011-07-10 21:10 . 2011-07-12 12:43 -------- d-----w- c:\users\Administrator
2011-07-10 20:11 . 2011-07-10 20:11 -------- d-----w- c:\users\Demme\AppData\Local\Apps
2011-07-10 19:24 . 2011-07-10 19:24 -------- d-----w- c:\users\Demme\AppData\Roaming\Media Player Classic
2011-07-10 19:15 . 2011-07-10 22:59 -------- d-----w- c:\windows\system32\appmgmt
2011-07-10 19:08 . 2011-07-10 19:08 -------- d-----w- c:\users\Demme\hsperfdata_Demme
2011-07-10 18:01 . 2011-07-10 18:01 -------- d-----w- c:\users\Demme\AppData\Local\Mozilla
2011-07-10 17:50 . 2011-07-10 20:54 -------- d-----w- c:\users\Demme\Low
2011-07-10 16:10 . 2011-07-11 03:19 -------- d-----w- c:\users\Standard\desktopMozilla Firefox
2011-07-10 16:04 . 2011-07-10 16:04 33920 ----a-w- c:\windows\SysWow64\drivers\fsbts.sys
2011-07-10 15:38 . 2011-07-10 15:38 -------- d-----w- c:\users\Demme\AppData\Roaming\f-secure
2011-07-10 15:38 . 2011-07-10 15:38 -------- d-----w- c:\programdata\F-Secure
2011-06-17 06:59 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-06-17 06:59 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-06-17 06:59 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-06-17 06:59 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-06-17 06:59 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-06-16 23:53 . 2008-10-15 04:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2011-06-16 23:53 . 2008-10-15 04:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2011-06-16 23:53 . 2008-10-15 04:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2011-06-16 23:53 . 2008-10-15 04:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2011-06-16 23:53 . 2008-10-15 04:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2011-06-16 23:53 . 2008-10-15 04:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2011-06-16 23:38 . 2011-06-16 23:38 -------- d-----w- c:\users\Demme\AppData\Local\Downloaded Installations
2011-06-16 23:28 . 2011-06-16 23:28 -------- d-----w- c:\users\Standard\AppData\Roaming\DAEMON Tools Lite
2011-06-16 20:30 . 2011-06-16 20:30 -------- d-----w- c:\users\Standard\AppData\Roaming\Media Player Classic
2011-06-16 20:30 . 2011-06-16 20:30 -------- d-----w- c:\program files (x86)\Combined Community Codec Pack
2011-06-16 20:03 . 2011-06-16 20:03 -------- d-----w- c:\users\Standard\AppData\Roaming\Malwarebytes
2011-06-16 19:58 . 2011-05-29 07:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-16 19:57 . 2011-02-25 06:22 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-16 19:57 . 2011-02-25 05:34 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-06-16 19:57 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-16 19:57 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-06-16 16:58 . 2011-06-17 16:53 -------- d-----w- c:\users\Standard\AppData\Roaming\Spotify
2011-06-16 16:58 . 2011-06-16 16:58 -------- d-----w- c:\program files (x86)\Spotify
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 12:23 . 2010-12-28 23:42 285256 ----a-w- c:\windows\SysWow64\guard32.dll
2011-07-13 12:23 . 2010-12-28 23:42 363560 ----a-w- c:\windows\system32\guard64.dll
2011-07-13 12:23 . 2011-01-06 15:37 92688 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-07-13 12:23 . 2011-01-06 15:37 41712 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-07-13 12:23 . 2011-01-06 15:36 252344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-07-13 12:23 . 2011-01-06 15:36 16016 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-06-03 05:57 . 2011-07-13 11:40 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-29 23:22 . 2011-05-29 23:22 254528 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-05-24 17:14 . 2010-11-21 03:27 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-04 23:28 . 2011-05-04 23:28 59904 ----a-w- c:\windows\SysWow64\OVDecode.dll
2011-05-04 23:27 . 2011-05-04 23:27 51712 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-05-04 23:27 . 2011-05-04 23:27 12385280 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-04-22 22:15 . 2011-05-29 22:25 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-20 02:30 . 2011-04-20 02:30 22900736 ----a-w- c:\windows\system32\atio6axx.dll
2011-04-20 02:09 . 2011-04-20 02:09 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-20 02:09 . 2011-04-20 02:09 676864 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-04-20 02:07 . 2011-04-20 02:07 795648 ----a-w- c:\windows\system32\aticfx64.dll
2011-04-20 02:07 . 2011-04-20 02:07 17693184 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-04-20 02:05 . 2011-04-20 02:05 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-04-20 02:04 . 2011-04-20 02:04 480256 ----a-w- c:\windows\system32\atieclxx.exe
2011-04-20 02:04 . 2011-04-20 02:04 203776 ----a-w- c:\windows\system32\atiesrxx.exe
2011-04-20 02:03 . 2011-04-20 02:03 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-04-20 02:02 . 2011-04-20 02:02 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-04-20 02:02 . 2011-04-20 02:02 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-04-20 02:02 . 2011-04-20 02:02 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-04-20 02:02 . 2011-04-20 02:02 16384 ----a-w- c:\windows\system32\atimuixx.dll
2011-04-20 02:02 . 2011-04-20 02:02 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-04-20 02:02 . 2011-04-20 02:02 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-04-20 01:46 . 2011-04-20 01:46 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-04-20 01:46 . 2011-04-20 01:46 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-04-20 01:46 . 2011-04-20 01:46 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-04-20 01:46 . 2011-04-20 01:46 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-04-20 01:45 . 2011-04-20 01:45 7768064 ----a-w- c:\windows\system32\aticaldd64.dll
2011-04-20 01:42 . 2011-04-20 01:42 6389760 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-04-20 01:40 . 2011-04-20 01:40 1222656 ----a-w- c:\windows\system32\atiumd6v.dll
2011-04-20 01:40 . 2011-04-20 01:40 1923584 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-04-20 01:27 . 2011-04-20 01:27 58880 ----a-w- c:\windows\system32\coinst.dll
2011-04-20 01:23 . 2011-04-20 01:23 366080 ----a-w- c:\windows\system32\atiadlxx.dll
2011-04-20 01:23 . 2011-04-20 01:23 262144 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-04-20 01:22 . 2011-04-20 01:22 14848 ----a-w- c:\windows\system32\atig6pxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-04-20 01:22 . 2011-04-20 01:22 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 306176 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-04-20 01:21 . 2011-04-20 01:21 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-04-20 01:21 . 2011-04-20 01:21 31232 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-04-20 01:21 . 2011-04-20 01:21 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-04-20 01:21 . 2011-04-20 01:21 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-04-20 01:20 . 2011-04-20 01:20 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-04-20 01:13 . 2011-04-20 01:13 53760 ----a-w- c:\windows\system32\atimpc64.dll
2011-04-20 01:13 . 2011-04-20 01:13 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-04-20 00:44 . 2011-04-20 00:44 9319936 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-04-19 23:59 . 2011-04-19 23:59 4161536 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-04-19 23:49 . 2009-07-13 21:59 4951552 ----a-w- c:\windows\system32\atidxx64.dll
2011-04-19 23:40 . 2011-04-19 23:40 3868672 ----a-w- c:\windows\system32\atiumd6a.dll
2011-04-19 23:38 . 2009-07-13 21:59 4286464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-04-19 23:31 . 2011-04-19 23:31 5440000 ----a-w- c:\windows\system32\atiumd64.dll
2011-04-19 23:30 . 2009-07-13 21:59 4056576 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-04-19 23:13 . 2011-04-19 23:13 53760 ----a-w- c:\windows\system32\amdpcom64.dll
2011-04-19 23:13 . 2011-04-19 23:13 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-04-19 20:10 . 2011-04-19 20:10 61952 ----a-w- c:\windows\system32\OVDecode64.dll
2011-04-19 20:10 . 2011-04-19 20:10 53760 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-19 20:10 . 2011-04-19 20:10 16116224 ----a-w- c:\windows\system32\amdocl64.dll
.
.
(((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"NoAddPrinter"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [2011-05-19 1143416]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110714.034\IDSvia64.sys [2011-07-08 488056]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NAVx64\1206000.01D\SYMNETS.SYS [x]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-04-19 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-04-19 399416]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-09 136824]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder:
.
2011-07-11 c:\windows\Tasks\Norton AntiVirus - Administrator - Full System Scan.job
- c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\Navw32.exe [2011-07-11 00:28]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-07-13 9048392]
"CD Autorun"="c:\program files (x86)\TweakNow PowerPack 2010\CDAuto.exe" [2010-08-17 429312]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-09 11860072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9lk4tbsn.default\
FF - prefs.js: browser.search.selectedEngine -
.
.
------- File Associations -------
.
.scr does not exist!
.reg does not exist!
.txt does not exist!
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,3b,1b,94,f0,43,
76,9b,31,ef,0c,b4,e3,b1,22,8d,43,40,17
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:77,f2,a9,c7,49,3f,cc,01
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bf,43,fe,a5,07,6b,ae,44,b0,21,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bf,43,fe,a5,07,6b,ae,44,b0,21,2c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,99,28,87,45,d1,2b,43,be,ae,81,\
"027C9CB72E593A8F02C55092F385DBAC99DF56D067"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,99,28,87,45,d1,2b,43,be,ae,81,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-15 23:14:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-15 21:14
.
Pre-Run: 700,465,254,400 bytes free
Post-Run: 700,851,642,368 bytes free
.
- - End Of File - - 2D525B95FA5B3C26979ED4888C38BFE3

Edited by Demme, 15 July 2011 - 04:44 PM.
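The registry loading points in the ComboFix log above (the UAC ConsentPromptBehavior values, the per-user Explorer restrictions DisallowCpl and NoAddPrinter, the two AppInit_DLLs entries, and the getPlus service hosted inside svchost.exe) are the parts a responder reads first, because each of them is either a persistence mechanism or a lockdown that hinders cleanup. The script below is an added example written for this thread, not ComboFix's own code and not something anyone in the thread ran. It parses those sections of a ComboFix-style log and ranks them. The severity scale, the allowlist treating guard32.dll/guard64.dll as COMODO's expected injected DLLs (the log's FW line shows COMODO installed), the list of Explorer lockdown policies, the UAC value table and the reading of ComboFix's `[x]` marker as "size/date could not be read" are this example's own assumptions, and the sample input is a constructed excerpt of the posted log.

```python
"""Triage the registry loading points of a ComboFix-style log.

Added example for this thread, not ComboFix's own code. Severity scale,
allowlist, policy list and UAC table are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed excerpt of the posted log, used as sample input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"NoAddPrinter"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R4 nosGetPlusHelper;getPlus Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*(?:\(0x[0-9a-fA-F]+\))?$')
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<image>.+?)\s+\[(?P<stamp>[^\]]*)\]$")

# Assumption: DLLs the installed COMODO firewall is expected to inject; maintain per machine.
EXPECTED_APPINIT = {"guard32.dll", "guard64.dll"}
# Explorer policies that restrict the user; suspicious unless an admin or GPO set them.
LOCKDOWN_POLICIES = {"disallowcpl", "noaddprinter", "nocontrolpanel", "norun", "nofolderoptions"}
# ConsentPromptBehaviorAdmin meanings on Windows 7; 5 is the default.
ADMIN_PROMPT = {0: "elevate without prompting", 1: "credentials on the secure desktop",
                2: "consent on the secure desktop", 3: "credentials", 4: "consent",
                5: "consent for non-Windows binaries (default)"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" | "review" | "high"
    where: str
    detail: str


def _to_int(value: str) -> int:
    return int(value.strip(), 0)  # accepts "5" and "0x1"


def _check_policy(key: str, name: str, value: str) -> list[Finding]:
    lname = name.lower()
    if key.endswith(r"policies\system") and lname == "consentpromptbehavioradmin":
        v = _to_int(value)  # 0 means admins elevate silently: malware's favourite setting
        return [Finding("high" if v == 0 else "info", key,
                        f"UAC admin prompt = {v}: {ADMIN_PROMPT.get(v, 'unknown')}")]
    if key.endswith(r"policies\explorer") and lname in LOCKDOWN_POLICIES and _to_int(value):
        scope = "per-user (HKCU)" if key.startswith("hkey_current_user") else "machine-wide"
        return [Finding("review", key, f"{name}=1: Explorer restriction set {scope}; confirm it was deployed on purpose")]
    return [Finding("info", key, f"{name}={value}")]


def _check_service(m: re.Match) -> list[Finding]:
    name, image, stamp = m.group("name"), m.group("image"), m.group("stamp")
    out = []
    if PureWindowsPath(image).name.lower() == "svchost.exe":
        # A service whose image is svchost.exe runs a DLL named in Parameters\ServiceDll.
        path = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + name + "\\Parameters\\ServiceDll"
        out.append(Finding("review", f"service {name}", "hosted in svchost.exe; inspect " + path))
    if stamp == "x":
        # Assumption: ComboFix prints [x] when it could not read the image's size/date.
        out.append(Finding("info", f"service {name}", f"no size/date for {image}; confirm the file exists"))
    return out


def triage(log_text: str) -> list[Finding]:
    findings, appinit, current_key, load_appinit = [], [], "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key").lower()
        elif (m := SERVICE_RE.match(line)):
            findings.extend(_check_service(m))
        elif (m := VALUE_RE.match(line)):
            name, value = m.group("name"), m.group("value")
            if name.lower() == "loadappinit_dlls":
                load_appinit = _to_int(value)
            elif name.lower() == "appinit_dlls":
                appinit.append((current_key, value))
            else:
                findings.extend(_check_policy(current_key, name, value))
    for key, dlls in appinit:
        # AppInit_DLLs is space- or comma-separated; each DLL loads into every process using user32.dll.
        for dll in filter(None, re.split(r"[ ,;]+", dlls)):
            sev = "review" if PureWindowsPath(dll).name.lower() in EXPECTED_APPINIT else "high"
            shown = load_appinit if load_appinit is not None else "not shown"
            findings.append(Finding(sev, key, f"AppInit_DLLs loads {dll} (LoadAppInit_DLLs={shown})"))
    return findings


def counts(findings: list[Finding]) -> dict[str, int]:
    return {s: sum(f.severity == s for f in findings) for s in ("high", "review", "info")}


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: ("high", "review", "info").index(f.severity)):
        print(f"{f.severity:6} {f.where}: {f.detail}")
```

On the posted log this yields no "high" findings: the two AppInit DLLs are on the allowlist, the UAC values are the Windows 7 defaults, and what remains for review is the pair of HKCU Explorer restrictions and the getPlus helper living inside svchost.exe. To run it on a real ComboFix.txt, read the file with `encoding="cp1252"` and pass the text to `triage()`; a `ConsentPromptBehaviorAdmin` of 0 or an unrecognised DLL in AppInit_DLLs is reported as "high".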


#10 m0le (Malware Response Team, London, UK)

Posted 16 July 2011 - 02:54 PM

Thanks for the translations.

Combofix didn't seem to find much, which was a surprise. As you have a redirect, there is usually something obvious in the log.

We will continue the clean and once that's done it might be just a matter of resetting the router. Let's see.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#11 Demme (Topic Starter)

Posted 18 July 2011 - 10:54 AM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7191

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

2011-07-18 17:47:23
mbam-log-2011-07-18 (17-47-23).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 267391
Time elapsed: 11 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Norton still finds these tracking cookies every time I go online.

Full Path: Not Available
____________________________
____________________________
On computers as of:
Not Available
Last Used:
2011-07-18 at 17:48:49
Startup Item:
No
Launched:
No
____________________________
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Low
This file risk is low.
____________________________
Threat Details
Threat type: Tracking Cookies. A tracking cookie is a file that can track your computing activities and report them to a third party.
____________________________
Origin
Downloaded from URL Not Available

____________________________
Tracking Cookies
Tracking cookie: .apmebf.com
Removed
Tracking cookie: .quantserve.com
Removed
Tracking cookie: .doubleclick.net
Removed
Tracking cookie: ad.yieldmanager.com
Removed
Tracking cookie: .adtech.de
Removed
Tracking cookie: .serving-sys.com
Removed
Tracking cookie: .research-int.se
Removed
Tracking cookie: m.webtrends.com
Removed
Tracking cookie: .fastclick.net
Removed
Tracking cookie: .rubiconproject.com
Removed
Tracking cookie: .statcounter.com
Removed
Tracking cookie: .content.yieldmanager.com
Removed
Tracking cookie: .atdmt.com
Removed
Tracking cookie: track.adform.net
Removed
Tracking cookie: .revsci.net
Removed
Tracking cookie: Post process
Removed
Tracking cookie: Orphan cleanup
Removed
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
____________________________

#12 Demme

Demme
  • Topic Starter

  • Members
  • 13 posts

Posted 18 July 2011 - 11:30 AM

I noticed that my firewall was running during my last ComboFix scan even though I had exited it, so now I disabled it and ran a new scan.

ComboFix 11-07-18.01 - Administrator 2011-07-18 17:58:35.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.4094.2799 [GMT 2:00]
Körs från: c:\users\Administrator\Desktop\comfix.exe
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Skapade en ny återställningspunkt
.
.
(((((((((((((((((((((((( Filer skapade från 2011-06-18 till 2011-07-18 ))))))))))))))))))))))))))))))
.
.
2011-07-18 16:01 . 2011-07-18 16:01 -------- d-----w- c:\users\Standard\AppData\Local\temp
2011-07-18 16:01 . 2011-07-18 16:01 -------- d-----w- c:\users\Demme\AppData\Local\temp
2011-07-18 16:01 . 2011-07-18 16:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-14 14:13 . 2011-07-14 14:14 -------- d-----w- c:\program files (x86)\mIRC
2011-07-13 11:40 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C2979F8-2C63-4377-90FA-1DCA513B40C3}\mpengine.dll
2011-07-11 17:55 . 2011-07-11 17:55 -------- d-----w- c:\programdata\InstallShield
2011-07-11 17:55 . 2011-07-11 17:55 -------- d-----w- c:\program files (x86)\Gigabyte
2011-07-11 17:55 . 2005-02-17 05:15 73728 ----a-w- c:\windows\SysWow64\ISUSPM.cpl
2011-07-11 17:55 . 2011-07-11 17:55 25640 ----a-w- c:\windows\gdrv.sys
2011-07-11 17:26 . 2011-07-11 17:26 -------- d-----w- c:\program files\Realtek
2011-07-11 17:26 . 2011-07-11 17:26 -------- d-----w- c:\windows\SysWow64\RTCOM
2011-07-11 17:26 . 2011-06-14 11:38 2899176 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2011-07-11 17:26 . 2011-06-13 11:04 1560680 ----a-w- c:\windows\system32\RTSnMg64.cpl
2011-07-11 17:26 . 2011-06-07 09:09 2405992 ----a-w- c:\windows\system32\RtPgEx64.dll
2011-07-11 17:26 . 2011-04-18 10:50 2601816 ----a-w- c:\windows\system32\WavesGUILib.dll
2011-07-11 17:26 . 2010-11-03 10:31 332392 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2011-07-11 17:26 . 2009-11-24 01:55 518896 ----a-w- c:\windows\system32\SRSTSX64.dll
2011-07-11 17:26 . 2009-11-24 01:55 211184 ----a-w- c:\windows\system32\SRSTSH64.dll
2011-07-11 17:26 . 2009-11-24 01:55 198896 ----a-w- c:\windows\system32\SRSHP64.dll
2011-07-11 17:26 . 2009-11-24 01:55 155888 ----a-w- c:\windows\system32\SRSWOW64.dll
2011-07-11 17:24 . 2011-06-01 03:16 74344 ----a-w- c:\windows\system32\RtNicProp64.dll
2011-07-11 17:24 . 2011-06-01 03:16 535656 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2011-07-11 17:24 . 2011-06-01 03:16 107624 ----a-w- c:\windows\system32\RTNUninst64.dll
2011-07-11 17:24 . 2011-07-11 17:25 -------- d-----w- c:\program files (x86)\Realtek
2011-07-11 17:24 . 2011-07-11 17:55 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2011-07-11 17:23 . 2011-07-11 17:23 -------- d-----w- c:\program files (x86)\Intel
2011-07-11 17:23 . 2010-03-02 08:04 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2011-07-11 17:23 . 2011-07-11 17:23 -------- d-----w- C:\Intel
2011-07-11 12:59 . 2011-03-31 03:04 43640 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2011-07-11 12:17 . 2011-07-11 14:32 -------- d-----w- c:\program files (x86)\VideoLAN
2011-07-11 05:39 . 2011-07-11 05:39 -------- d-----w- C:\4f5cd9d77f24c4ca1423c4c63e60335c
2011-07-11 05:34 . 2011-05-29 22:44 1780 ----a-w- c:\windows\system32\config\systemprofile\nss623E.tmp
2011-07-11 05:34 . 2010-01-01 08:00 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-07-11 05:34 . 2010-01-01 08:00 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-07-11 05:32 . 2011-07-11 05:33 -------- d-----w- c:\windows\SysWow64\config\systemprofile\Secunia PSI Agent
2011-07-11 05:28 . 2011-07-11 05:28 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-07-11 04:49 . 2011-07-11 04:49 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\program files\Symantec
2011-07-11 04:35 . 2011-07-11 04:35 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\windows\system32\drivers\NAVx64
2011-07-11 04:35 . 2011-07-11 04:35 -------- d-----w- c:\program files (x86)\Norton AntiVirus
2011-07-11 04:34 . 2011-07-11 04:34 -------- d-----w- c:\program files (x86)\NortonInstaller
2011-07-11 04:32 . 2011-07-11 21:44 -------- d-----w- c:\programdata\Norton
2011-07-11 03:22 . 2011-07-11 03:22 0 ----a-w- c:\windows\ativpsrm.bin
2011-07-11 03:13 . 2011-07-11 14:07 -------- d-----w- c:\program files (x86)\Secunia
2011-07-11 03:10 . 2011-07-11 03:11 -------- d-----w- c:\program files (x86)\TweakNow PowerPack 2010
2011-07-11 02:54 . 2011-07-11 02:54 -------- d-----w- c:\program files (x86)\XYplorer
2011-07-11 02:52 . 2011-07-11 02:52 -------- d-----w- c:\program files\COMODO
2011-07-11 02:52 . 2011-07-11 03:26 -------- d-----w- c:\programdata\Comodo
2011-07-11 00:52 . 2011-07-11 11:46 -------- d-----w- c:\program files\ESET
2011-07-11 00:35 . 2011-07-11 00:35 0 ----atw- c:\windows\system32\config\systemprofile\avg-794f2920-c469-4800-8ec2-dd5fcb310d7c.tmp
2011-07-10 23:25 . 2011-07-11 11:34 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-10 22:19 . 2011-07-10 22:19 -------- d-----w- c:\users\Demme\AppData\Local\AVG Security Toolbar
2011-07-10 22:17 . 2011-07-10 22:17 -------- d-----w- c:\users\Demme\WPDNSE
2011-07-10 22:17 . 2011-07-10 22:17 -------- d-----w- c:\users\Demme\AppData\Roaming\AVG10
2011-07-10 22:13 . 2011-07-11 00:53 -------- d-----w- c:\programdata\AVG10
2011-07-10 22:12 . 2011-07-10 22:12 -------- d-----w- c:\program files (x86)\AV2G
2011-07-10 22:07 . 2011-07-11 01:13 -------- d-----w- c:\programdata\MFAData
2011-07-10 21:58 . 2011-07-15 21:14 -------- d-----r- c:\users\Public
2011-07-10 21:39 . 2011-07-10 21:39 -------- d-----w- C:\$WINDOWS.~LS
2011-07-10 21:10 . 2011-07-12 12:43 -------- d-----w- c:\users\Administrator
2011-07-10 20:11 . 2011-07-10 20:11 -------- d-----w- c:\users\Demme\AppData\Local\Apps
2011-07-10 19:24 . 2011-07-10 19:24 -------- d-----w- c:\users\Demme\AppData\Roaming\Media Player Classic
2011-07-10 19:15 . 2011-07-10 22:59 -------- d-----w- c:\windows\system32\appmgmt
2011-07-10 19:08 . 2011-07-10 19:08 -------- d-----w- c:\users\Demme\hsperfdata_Demme
2011-07-10 18:01 . 2011-07-10 18:01 -------- d-----w- c:\users\Demme\AppData\Local\Mozilla
2011-07-10 17:50 . 2011-07-10 20:54 -------- d-----w- c:\users\Demme\Low
2011-07-10 16:10 . 2011-07-11 03:19 -------- d-----w- c:\users\Standard\desktopMozilla Firefox
2011-07-10 16:04 . 2011-07-10 16:04 33920 ----a-w- c:\windows\SysWow64\drivers\fsbts.sys
2011-07-10 15:38 . 2011-07-10 15:38 -------- d-----w- c:\users\Demme\AppData\Roaming\f-secure
2011-07-10 15:38 . 2011-07-10 15:38 -------- d-----w- c:\programdata\F-Secure
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 12:23 . 2010-12-28 23:42 285256 ----a-w- c:\windows\SysWow64\guard32.dll
2011-07-13 12:23 . 2010-12-28 23:42 363560 ----a-w- c:\windows\system32\guard64.dll
2011-07-13 12:23 . 2011-01-06 15:37 92688 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-07-13 12:23 . 2011-01-06 15:37 41712 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-07-13 12:23 . 2011-01-06 15:36 252344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-07-13 12:23 . 2011-01-06 15:36 16016 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-07-06 17:52 . 2011-06-16 19:58 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-03 05:57 . 2011-07-13 11:40 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-29 23:22 . 2011-05-29 23:22 254528 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-05-24 17:14 . 2010-11-21 03:27 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-04 23:28 . 2011-05-04 23:28 59904 ----a-w- c:\windows\SysWow64\OVDecode.dll
2011-05-04 23:27 . 2011-05-04 23:27 51712 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-05-04 23:27 . 2011-05-04 23:27 12385280 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-05-03 05:29 . 2011-06-16 19:57 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-03 04:30 . 2011-06-16 19:57 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-04-29 03:06 . 2011-06-16 19:58 467456 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 03:05 . 2011-06-16 19:58 410112 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 03:05 . 2011-06-16 19:58 168448 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:40 . 2011-06-16 19:58 158208 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-27 02:39 . 2011-06-16 19:58 289280 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-27 02:39 . 2011-06-16 19:58 128000 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-25 05:33 . 2011-06-16 19:58 1923968 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:34 . 2011-06-16 19:58 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2011-04-23 01:29 . 2011-06-16 19:59 2303488 ----a-w- c:\windows\system32\jscript9.dll
2011-04-23 01:19 . 2011-06-16 19:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-04-22 23:35 . 2011-06-16 19:59 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-04-22 23:25 . 2011-06-16 19:59 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-04-22 22:15 . 2011-05-29 22:25 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-20 02:30 . 2011-04-20 02:30 22900736 ----a-w- c:\windows\system32\atio6axx.dll
2011-04-20 02:09 . 2011-04-20 02:09 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-20 02:09 . 2011-04-20 02:09 676864 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-04-20 02:07 . 2011-04-20 02:07 795648 ----a-w- c:\windows\system32\aticfx64.dll
2011-04-20 02:07 . 2011-04-20 02:07 17693184 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-04-20 02:05 . 2011-04-20 02:05 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-04-20 02:04 . 2011-04-20 02:04 480256 ----a-w- c:\windows\system32\atieclxx.exe
2011-04-20 02:04 . 2011-04-20 02:04 203776 ----a-w- c:\windows\system32\atiesrxx.exe
2011-04-20 02:03 . 2011-04-20 02:03 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-04-20 02:02 . 2011-04-20 02:02 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-04-20 02:02 . 2011-04-20 02:02 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-04-20 02:02 . 2011-04-20 02:02 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-04-20 02:02 . 2011-04-20 02:02 16384 ----a-w- c:\windows\system32\atimuixx.dll
2011-04-20 02:02 . 2011-04-20 02:02 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-04-20 02:02 . 2011-04-20 02:02 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-04-20 01:46 . 2011-04-20 01:46 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-04-20 01:46 . 2011-04-20 01:46 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-04-20 01:46 . 2011-04-20 01:46 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-04-20 01:46 . 2011-04-20 01:46 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-04-20 01:45 . 2011-04-20 01:45 7768064 ----a-w- c:\windows\system32\aticaldd64.dll
2011-04-20 01:42 . 2011-04-20 01:42 6389760 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-04-20 01:40 . 2011-04-20 01:40 1222656 ----a-w- c:\windows\system32\atiumd6v.dll
2011-04-20 01:40 . 2011-04-20 01:40 1923584 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-04-20 01:27 . 2011-04-20 01:27 58880 ----a-w- c:\windows\system32\coinst.dll
2011-04-20 01:23 . 2011-04-20 01:23 366080 ----a-w- c:\windows\system32\atiadlxx.dll
2011-04-20 01:23 . 2011-04-20 01:23 262144 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-04-20 01:22 . 2011-04-20 01:22 14848 ----a-w- c:\windows\system32\atig6pxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-04-20 01:22 . 2011-04-20 01:22 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-04-20 01:22 . 2011-04-20 01:22 306176 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-04-20 01:21 . 2011-04-20 01:21 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-04-20 01:21 . 2011-04-20 01:21 31232 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-04-20 01:21 . 2011-04-20 01:21 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-04-20 01:21 . 2011-04-20 01:21 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-04-20 01:20 . 2011-04-20 01:20 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-04-20 01:13 . 2011-04-20 01:13 53760 ----a-w- c:\windows\system32\atimpc64.dll
2011-04-20 01:13 . 2011-04-20 01:13 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-04-20 00:44 . 2011-04-20 00:44 9319936 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-04-19 23:59 . 2011-04-19 23:59 4161536 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-04-19 23:49 . 2009-07-13 21:59 4951552 ----a-w- c:\windows\system32\atidxx64.dll
2011-04-19 23:40 . 2011-04-19 23:40 3868672 ----a-w- c:\windows\system32\atiumd6a.dll
2011-04-19 23:38 . 2009-07-13 21:59 4286464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-04-19 23:31 . 2011-04-19 23:31 5440000 ----a-w- c:\windows\system32\atiumd64.dll
2011-04-19 23:30 . 2009-07-13 21:59 4056576 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-04-19 23:13 . 2011-04-19 23:13 53760 ----a-w- c:\windows\system32\amdpcom64.dll
2011-04-19 23:13 . 2011-04-19 23:13 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-04-19 20:10 . 2011-04-19 20:10 61952 ----a-w- c:\windows\system32\OVDecode64.dll
2011-04-19 20:10 . 2011-04-19 20:10 53760 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-19 20:10 . 2011-04-19 20:10 16116224 ----a-w- c:\windows\system32\amdocl64.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-15_21.11.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-18 15:35 . 2011-07-06 17:52 41272 c:\windows\SysWOW64\drivers\mbamswissarmy.sys
- 2009-07-14 04:54 . 2011-07-15 21:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-07-18 16:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-07-15 21:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-07-18 16:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-07-15 21:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-07-18 16:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-01 06:34 . 2011-07-15 13:29 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-01 06:34 . 2011-07-18 15:29 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-01 06:34 . 2011-07-15 13:29 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-01 06:34 . 2011-07-18 15:29 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-07-15 13:29 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-07-18 15:29 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-18 16:03 . 2011-07-18 16:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-15 21:11 . 2011-07-15 21:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2011-07-18 16:01 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-07-15 20:50 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-07-11 04:45 . 2011-07-12 11:05 1035457 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2222876667-2147473713-615843949-500-8192.dat
+ 2011-07-11 04:45 . 2011-07-18 16:01 1035457 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2222876667-2147473713-615843949-500-8192.dat
+ 2011-07-10 22:15 . 2011-07-18 16:01 5269892 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2222876667-2147473713-615843949-500-12288.dat
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"NoAddPrinter"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [2011-05-19 1143416]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110715.032\IDSvia64.sys [2011-07-08 488056]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NAVx64\1206000.01D\SYMNETS.SYS [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-04-19 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-04-19 399416]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-09 136824]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Övriga tjänster/drivrutiner i minnet ---
.
*NewlyCreated* - MBAMPROTECTOR
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2011-07-11 c:\windows\Tasks\Norton AntiVirus - Administrator - Full System Scan.job
- c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\Navw32.exe [2011-07-11 00:28]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-07-13 9048392]
"CD Autorun"="c:\program files (x86)\TweakNow PowerPack 2010\CDAuto.exe" [2010-08-17 429312]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-09 11860072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Extra genomsökning -------
.
uLocal Page = c:\windows\system32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9lk4tbsn.default\
FF - prefs.js: browser.search.selectedEngine -
.
.
------- Filassociationer -------
.
.scr does not exist!
.reg does not exist!
.txt does not exist!
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,3b,1b,94,f0,43,
76,9b,31,ef,0c,b4,e3,b1,22,8d,43,40,17
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:77,f2,a9,c7,49,3f,cc,01
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bf,43,fe,a5,07,6b,ae,44,b0,21,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bf,43,fe,a5,07,6b,ae,44,b0,21,2c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,99,28,87,45,d1,2b,43,be,ae,81,\
"027C9CB72E593A8F02C55092F385DBAC99DF56D067"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,99,28,87,45,d1,2b,43,be,ae,81,\
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2222876667-2147473713-615843949-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Sluttid: 2011-07-18 18:05:56 - datorn startades om.
ComboFix-quarantined-files.txt 2011-07-18 16:05
ComboFix2.txt 2011-07-15 21:14
.
Före genomsökningen: 700 941 082 624 bytes free
Efter genomsökningen: 700 750 401 536 bytes free
.
- - End Of File - - 6D967A934B2E86E3CD631906E95524C2


Maybe you can find something else in this log now that ComboFix updated itself before the scan.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 July 2011 - 05:11 PM

No, there's nothing new there. Tracking cookies aren't great, but read this:

Cookies are text string messages given to a Web browser by a Web server. Whenever you visit a web page or navigate different pages with your browser, the web site generates a unique ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. Cookies allow third-party providers such as ad serving networks, spyware or adware providers to track personal information. The main purpose of cookies is to identify users and prepare customized Web pages for them.

  • Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted. These types of cookies are used to store information between visits to a site and collect identifying information about the user such as surfing behavior or preferences for a specific web site.
  • Session (transient) cookies are not saved to the hard drive, do not collect any information and have no set expiration date. They are used to temporarily hold information in the form of a session identification stored in memory as you browse web pages. These types of cookies are cached only while a user is visiting the Web server issuing the session cookie and are deleted from the cache when the user closes the session.
Cookies can be categorized as:
  • Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.
  • Nuisance cookies are from those sites you do not recognize or often use but somehow it's put a cookie on your machine.
  • Bad cookies (i.e. persistent cookies, long term and third party tracking cookies) are those that can be linked to an ad company or something that tracks your movements across the web.
The type of persistent cookie that is a cause for some concern are "tracking cookies" because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits (your movement from site to site). Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on. Cookies are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banners.

Cookies are NOT a "threat". As text files they cannot be executed to cause any damage. Cookies do not cause any pop ups or install malware and they cannot erase or read information from a computer.

Cookies cannot be used to run code (run programs) or to deliver viruses to your computer.

MS Article ID: 60971 - Description of Cookies

To learn more about Cookies, please refer to:

Flash cookies (or Local Shared Objects) and Evercookies are a newer way of tracking user behavior and surfing habits but they too are not a threat, nor can they harm your computer.

An Evercookie is a Javascript API created and managed persistent cookie which can be used to identify a user even after they have removed standard and Flash cookies. This is accomplished by creating a new cookie and storing the data in as many storage locations (currently eight) as it can find on the local browser. Storage mechanisms range from Standard HTTP and Flash cookies to HTML5's new storage methods. When evercookie finds that other types of cookies have been removed, it recreates them so they can be reused over and over.

Flash cookies are cookie-like data stored on a computer and used by all versions of Adobe Flash Player and similar applications. They can store much more information than traditional browser cookies and they are typically stored within each user's Application Data directory with a ".SOL" extension, under the Macromedia\FlashPlayer\#SharedObjects folder. Unlike traditional cookies, Flash cookies cannot be managed through browser controls so they are more difficult to find and remove. However, they can be viewed, managed and deleted using the Website Storage Settings panel at Macromedia's Support Site. From this panel, you can change storage settings for a website, delete a specific website or delete all sites which erases any information that may have been stored on the computer. To prevent any Flash Cookies from being stored on your computer, go to the Global Storage Settings panel and uncheck the option "Allow third-party Flash content to store data on your computer". For more information, please refer to:

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. However, you can minimize the number of them which are stored on your computer by referring to:
We can remove them by running SAS

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

If you are still getting redirects at this point then let me know in your next post.
m0le is a proud member of UNITE

#14 Demme

Demme
  • Topic Starter

  • Members
  • 13 posts

Posted 19 July 2011 - 04:57 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2011 at 11:36 PM

Application Version : 4.55.1000

Core Rules Database Version : 7423
Trace Rules Database Version: 5235

Scan type : Complete Scan
Total Scan Time : 00:49:15

Memory items scanned : 515
Memory threats detected : 0
Registry items scanned : 11018
Registry threats detected : 0
File items scanned : 98120
File threats detected : 22

Adware.Tracking Cookie
C:\Users\Demme\AppData\Roaming\Microsoft\Windows\Cookies\Low\demme@ad.yieldmanager[1].txt
C:\Users\Demme\AppData\Roaming\Microsoft\Windows\Cookies\Low\demme@ads.bleepingcomputer[1].txt
C:\Users\Demme\AppData\Roaming\Microsoft\Windows\Cookies\Low\demme@atdmt[1].txt
C:\Users\Demme\AppData\Roaming\Microsoft\Windows\Cookies\Low\demme@collective-media[1].txt
C:\Users\Demme\AppData\Roaming\Microsoft\Windows\Cookies\Low\demme@content.yieldmanager[1].txt
C:\Users\Demme\AppData\Roaming\Microsoft\Windows\Cookies\Low\demme@doubleclick[1].txt
media.ign.com [ C:\Users\Standard\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\9TYVUPUA ]
media.mtvnservices.com [ C:\Users\Standard\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\9TYVUPUA ]
secure-us.imrworldwide.com [ C:\Users\Standard\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\9TYVUPUA ]
us.media.blizzard.com [ C:\Users\Standard\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\9TYVUPUA ]
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@247realmedia[2].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@adform[2].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@apmebf[1].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@atdmt[1].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@doubleclick[1].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@eyewonder[2].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@imrworldwide[2].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@invitemedia[1].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@serving-sys[2].txt
C:\Users\Standard\AppData\Roaming\Microsoft\Windows\Cookies\Low\standard@track.adform[1].txt

Trojan.Agent/Gen
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\MSL-3332-2
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\MSL-3332-3

I'll come back to you when I know if the redirect problem is gone.

edit: I ran the scan again to see if the trojans had been removed successfully but they are still there.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/20/2011 at 00:35 AM

Application Version : 4.55.1000

Core Rules Database Version : 7429
Trace Rules Database Version: 5241

Scan type : Complete Scan
Total Scan Time : 00:33:22

Memory items scanned : 524
Memory threats detected : 0
Registry items scanned : 11020
Registry threats detected : 0
File items scanned : 98044
File threats detected : 2

Trojan.Agent/Gen
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\MSL-3796-2
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\MSL-3796-3

Edited by Demme, 19 July 2011 - 06:00 PM.


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 July 2011 - 06:19 PM

I'll come back to you when I know if the redirect problem is gone.


:thumbup2:


edit: I ran the scan again to see if the trojans had been removed successfully but they are still there.



But these are Trojan.Agent/Gen findings and they may not be what they seem - it could be a false positive because Gen is a generic finding as opposed to a specific malware. Can you run SystemLook and let's take a look at one of the folders?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\MSL-3796-2 /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE
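Added example, not from the thread and not SUPERAntiSpyware's own code: a small Python script that parses a scan log in the format Demme posted above and applies the triage m0le describes, separating the tracking-cookie entries (which the thread explains are not a threat) from anything else, such as the generic Trojan.Agent/Gen hits that deserve a closer look before trusting the verdict. The LOW_RISK set and the embedded log excerpt are constructed assumptions for the demonstration.

```python
import re

# Constructed excerpt in the layout SUPERAntiSpyware 4.x logs use in this thread.
SAMPLE_LOG = """SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2011 at 11:36 PM

File items scanned : 98120
File threats detected : 22

Adware.Tracking Cookie
C:\\Users\\Demme\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\demme@doubleclick[1].txt
media.ign.com [ C:\\Users\\Standard\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\9TYVUPUA ]

Trojan.Agent/Gen
C:\\WINDOWS\\SYSWOW64\\CONFIG\\SYSTEMPROFILE\\MSL-3332-2
C:\\WINDOWS\\SYSWOW64\\CONFIG\\SYSTEMPROFILE\\MSL-3332-3
"""

# Assumed categories that, per the thread, are privacy nuisances rather than malware.
LOW_RISK = {"Adware.Tracking Cookie"}

def parse_sas_log(text):
    """Return {detection_name: [item, ...]} from a SUPERAntiSpyware-style log."""
    findings = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 2:
            continue
        name, items = lines[0], lines[1:]
        # A detection section is a category name followed only by Windows paths;
        # header and statistics blocks contain no backslashes and are skipped.
        if "\\" not in name and all("\\" in i for i in items):
            findings.setdefault(name, []).extend(items)
    return findings

def flash_lso_domain(item):
    """For Flash cookie entries written as 'domain [ path ]', return the domain."""
    m = re.match(r"^(\S+) \[ .*#SharedObjects.* \]$", item)
    return m.group(1) if m else None

def summarize(text):
    """Count findings per category and list the non-cookie items that need review."""
    findings = parse_sas_log(text)
    low = [i for n, items in findings.items() if n in LOW_RISK for i in items]
    review = [i for n, items in findings.items() if n not in LOW_RISK for i in items]
    flash = [flash_lso_domain(i) for i in low]
    return {"counts": {k: len(v) for k, v in findings.items()},
            "flash_domains": sorted(d for d in flash if d),
            "needs_review": review}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```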