Failing WIndows Update caused by malware/rootkit


  • This topic is locked
16 replies to this topic

#1 Repad

  • Members
  • 10 posts
  • Gender:Male
  • Location:Netherlands

Posted 19 August 2011 - 11:03 AM

Hi there,

I received a Windows Vista Home Premium SP 2 (32 bits) that was practically dead, after the lady that owns it had tried to remove a trojan by using tools like 'internet protection', 'system repair', 'trojan remover' and 'registry reviver'. After having done some initial cleaning up with Anti-Malwarebytes and Norman Malware Cleaner I managed to restore the system to end July.

I reinstalled the lady's damaged antivirus & firewall program (Norman) and everything seemed OK until I started to apply the necessary Windows Updates. Then I learned from the error code that the update could not be installed because of one or more running processes. Since this could not be overcome by using a clean boot or safe mode, I started to suspect hidden malware or a rootkit. Other things that have occurred since then are: IE advertising pages turning up automatically (approx. every half hour) and a lot of HDD activity while the system is at rest.

You'll find the DDS log under this message. The requested attachment is also added.
I did not attach the GMER log since it was empty (no modifications found). (N.B. In GMER most options were greyed out, so I ran it with only 'services', 'registry', 'files' and 'ADS' ticked.)

I sincerely hope you can help me to get rid of the 'evil underneath the hood'.

Repad

--------------------------------

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Adrem PGB Begeleidin at 16:57:04 on 2011-08-19
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.2044.1255 [GMT 2:00]
.
AV: Norman Security Suite *Enabled/Updated* {D038CA80-26F3-90BF-94AA-03C4D945E661}
SP: Norman Security Suite *Enabled/Updated* {6B592B64-00C9-9F31-AE1A-38B6A2C2ACDC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norman Security Suite *Enabled* {E8034BA5-6C9C-91E7-BFF5-AAF12796A11A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nnf.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\Windows\system32\ATKFUSService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\Program Files\Norman\npf\bin\npfsvc32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\nig\bin\nigsvc32.exe
C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\ASUS\GamerOSD\ATKFastUserSwitching.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Philips\SA28XX Device Manager\main.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norman\nig\bin\niguser.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.nl/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {A057A204-BACC-4D26-9E83-2DB586E27190} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [Philips Device Listener] "c:\program files\philips\philips songbird resources\autolauncher\PhilipsDeviceListener.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\sa28xx device manager\main.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: lcn-shop.nl\www
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A81C079-B25A-4F26-97CD-ABAF0E63269E} : DhcpNameServer = 212.54.40.25 212.54.35.25
TCP: Interfaces\{2E36B1D4-F4A3-4147-B194-F688013A0DA5} : DhcpNameServer = 212.54.40.25 212.54.35.25
TCP: Interfaces\{9F0BE1E7-3FFE-440B-B418-103693724D87} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DD40B72C-0401-406D-9528-A77C7775B874} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ALE_NF;Norman Network Filter ALE driver;c:\windows\system32\drivers\ale_nf.sys [2011-8-17 61472]
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2011-8-17 26744]
R1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2011-8-17 74144]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-10 21504]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2011-8-17 22880]
R2 NNFSVC;Norman Network Filtering service;c:\program files\norman\ngs\bin\nnf.exe [2011-8-17 223000]
R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2010-12-2 308408]
R2 NPFSvc32;Norman Personal Firewall Service;c:\program files\norman\npf\bin\npfsvc32.exe [2011-8-17 290472]
R2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2011-8-17 90656]
R2 nregsec;Norman Registry Security driver;c:\program files\norman\ngs\bin\nregsec.sys [2011-8-17 40384]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2011-8-17 100336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-1 2214504]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]
R3 NIG;Norman Intrusion Guard;c:\program files\norman\nig\bin\nigsvc32.exe [2011-8-17 336304]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2011-8-17 288072]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcv32mf.sys [2011-8-17 24688]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2011-8-17 198168]
R3 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2011-8-17 99312]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2009-5-6 413208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-1-2 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2010-1-3 79360]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2010-5-22 501248]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-18 22:15:47 -------- d-----w- c:\program files\ESET
2011-08-18 22:10:44 388096 ----a-r- c:\users\adrem pgb begeleidin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-18 22:10:44 -------- d-----w- c:\program files\Trend Micro
2011-08-18 21:07:03 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\local\temp
2011-08-18 21:03:30 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-18 19:25:44 98816 ----a-w- c:\windows\sed.exe
2011-08-18 19:25:44 518144 ----a-w- c:\windows\SWREG.exe
2011-08-18 19:25:44 256000 ----a-w- c:\windows\PEV.exe
2011-08-18 19:25:44 208896 ----a-w- c:\windows\MBR.exe
2011-08-18 19:24:28 -------- d-----w- C:\ComboFix
2011-08-18 05:30:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-17 18:28:53 68176 ----a-w- c:\windows\system32\drivers\ale_nf64.sys
2011-08-17 18:28:53 61472 ----a-w- c:\windows\system32\drivers\ale_nf.sys
2011-08-17 18:28:53 48272 ----a-w- c:\windows\system32\drivers\nnetsec.sys
2011-08-17 18:28:53 378000 ----a-w- c:\windows\system32\drivers\tdi_nf.sys
2011-08-17 18:28:53 34192 ----a-w- c:\windows\system32\drivers\nnetsecl64.sys
2011-08-17 18:28:53 30584 ----a-w- c:\windows\system32\drivers\nnetsecl.sys
2011-08-17 18:28:52 24688 ----a-w- c:\windows\system32\drivers\nvcv32mf.sys
2011-08-17 18:28:52 222352 ----a-w- c:\windows\system32\nscrnsav.scr
2011-08-17 18:14:21 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d8a633f8-6adc-4e96-88fd-abbf66673c37}\mpengine.dll
2011-08-12 09:50:19 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-12 09:50:18 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-12 09:50:17 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-12 09:49:36 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-11 17:41:33 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\local\{EBECCF25-A7CE-4F9D-A747-DE092BD8E2EA}
2011-08-11 17:33:57 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\roaming\Malwarebytes
2011-08-11 17:33:46 -------- d-----w- c:\programdata\Malwarebytes
2011-07-29 12:39:41 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\roaming\Reviversoft
2011-07-29 12:39:22 16704 ----a-w- c:\windows\system32\roboot.exe
2011-07-29 12:39:22 -------- d-----w- c:\program files\Reviversoft
2011-07-29 12:29:51 -------- d--h--w- c:\users\adrem pgb begeleidin\appdata\local\Norman Malware Cleaner
.
==================== Find3M ====================
.
2011-08-12 09:21:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 17:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2007-03-12 16:59:00 299008 ----a-w- c:\program files\navigram_register.exe
.
============= FINISH: 17:06:12,40 ===============
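Before asking for more scans, a helper usually triages the Pseudo HJT Report section of a log like the one above. The Python below is an added example, not code from this thread or from the DDS tool: it parses the report entries and flags the ones an analyst checks first (UAC switched off, orphaned toolbar CLSIDs, Trusted Zone additions, DPF entries pointing at local files, autostart commands without a qualified path, and DNS servers to confirm with the ISP). The rule names and severities are this example's own convention, and the sample lines are constructed from entry shapes in the log above.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.
Added example, not code from the thread or the DDS tool; rule names and
severities are this example's own convention."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample built from the entry shapes posted in the log above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.nl/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mPolicies-system: EnableLUA = 0 (0x0)
Trusted Zone: lcn-shop.nl\www
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A81C079-B25A-4F26-97CD-ABAF0E63269E} : DhcpNameServer = 212.54.40.25 212.54.35.25
"""

@dataclass
class Entry:
    kind: str     # DDS prefix such as "BHO", "TB", "mRun", "mPolicies-system", "TCP"
    payload: str  # the rest of the line, with the prefix stripped

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    entry: Entry

def parse_report(text: str) -> list[Entry]:
    """Split Pseudo HJT Report lines into (kind, payload) records."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # DDS separates sections with lone dots
        # "TB: ...", "Trusted Zone: ...": everything before the first colon is the kind.
        m = re.match(r"^([A-Za-z][\w\- ]*?):\s*(.*)$", line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif " = " in line:
            # "uStart Page = ..." has no colon prefix; the key stands in for the kind.
            key, val = line.split(" = ", 1)
            entries.append(Entry(key, val))
    return entries

def _is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the triage rules and return findings in log order."""
    findings: list[Finding] = []
    for e in entries:
        p = e.payload
        if e.kind.startswith("mPolicies") and re.search(r"\bEnableLUA = 0\b", p):
            # EnableLUA = 0 switches User Account Control off system-wide.
            findings.append(Finding("high", "uac-disabled", e))
        elif e.kind in ("BHO", "TB", "EB") and p.endswith("- No File"):
            # CLSID still registered but its DLL is gone: a leftover to clean up.
            findings.append(Finding("info", "orphaned-clsid", e))
        elif e.kind == "Trusted Zone":
            # Sites in the IE Trusted zone run with relaxed security settings.
            findings.append(Finding("medium", "trusted-zone-site", e))
        elif e.kind == "DPF" and "file:///" in p.lower():
            # ActiveX download entry that points at a local file instead of a vendor URL.
            findings.append(Finding("medium", "dpf-local-file", e))
        elif e.kind.endswith("Run"):
            # Autostart command without a drive-qualified path relies on the search order.
            cmd = re.sub(r"^\[[^\]]*\]\s*", "", p)
            if not re.match(r'^"?[A-Za-z]:\\', cmd):
                findings.append(Finding("medium", "run-unqualified-path", e))
        elif e.kind == "TCP" and "DhcpNameServer" in p:
            # Non-private resolvers are not wrong by themselves; confirm they belong to the ISP.
            servers = p.split("=", 1)[1].split()
            if any(not _is_private(s) for s in servers):
                findings.append(Finding("info", "dns-verify-with-isp", e))
    return findings

def format_findings(findings: list[Finding]) -> list[str]:
    """One printable line per finding: severity, rule, original entry."""
    return [f"{f.severity.upper():<6} {f.rule:<22} {f.entry.kind}: {f.entry.payload}"
            for f in findings]

if __name__ == "__main__":
    for line in format_findings(triage(parse_report(SAMPLE_REPORT))):
        print(line)
```

Feed it the whole Pseudo HJT Report block from a DDS log and the output is a short worklist rather than a judgement; each flagged entry still needs a human to confirm whether it is legitimate software.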

#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,600 posts
  • Gender:Male

Posted 24 August 2011 - 11:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415158 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Repad

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Netherlands

Posted 24 August 2011 - 03:17 PM

Hi there,

Following the instructions above.

1. Description of the problem
Quote I received a Windows Vista Home Premium SP 2 (32 bits) desktop that was practically dead, after the lady that owns it had tried to remove a trojan by using tools like 'internet protection', 'system repair', 'trojan remover' and 'registry reviver'. After having done some initial cleaning up with Anti-Malwarebytes and Norman Malware Cleaner I managed to restore the system to end July.

I reinstalled the lady's damaged antivirus & firewall program (Norman) and everything seemed OK until I started to apply the necessary Windows Updates. Then I learned from the error code that the update could not be installed because of one or more running processes. Since this could not be overcome by using a clean boot or safe mode, I started to suspect hidden malware or a rootkit. Other things that have occurred since then are: IE advertising pages turning up automatically (approx. every half hour) and a lot of HDD activity while the system is at rest.

You'll find the DDS log under this message. The requested attachment is also added.
I did not attach the GMER log since it was empty (no modifications found). (N.B. In GMER most options were greyed out, so I ran it with only 'services', 'registry', 'files' and 'ADS' ticked.) Unquote

I can add the following to this:
- I also ran ComboFix and RKUnhooker before re-installing the antivirus program (without any luck).
- The problem with GMER is that I get an error message when I open it: LoadDriver("C:\Users\ADREMP~1\AppData\Local\Temp\fwpyauoc.sys") error 0xC000010E: De service is al gestart. (see attachment). Today I searched for this .sys file in the registry and deleted the key Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fwpyauoc as well as the .sys file itself, and rebooted before running GMER again, but that did not help.

2. New DDS log, see below
3. Windows Vista DVD: available

I'll be happy to carry out further instructions in order to destroy the beast.

Regards,
Repad


-------------------------------------------------
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Adrem PGB Begeleidin at 20:38:52 on 2011-08-24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.2044.1106 [GMT 2:00]
.
AV: Norman Security Suite *Enabled/Updated* {D038CA80-26F3-90BF-94AA-03C4D945E661}
SP: Norman Security Suite *Enabled/Updated* {6B592B64-00C9-9F31-AE1A-38B6A2C2ACDC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norman Security Suite *Enabled* {E8034BA5-6C9C-91E7-BFF5-AAF12796A11A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nnf.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\Windows\system32\ATKFUSService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\Program Files\Norman\npf\bin\npfsvc32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\nig\bin\nigsvc32.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\ASUS\GamerOSD\ATKFastUserSwitching.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Philips\SA28XX Device Manager\main.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Norman\nig\bin\niguser.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Adrem PGB Begeleidin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
C:\Users\Adrem PGB Begeleidin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.nl/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {A057A204-BACC-4D26-9E83-2DB586E27190} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [Philips Device Listener] "c:\program files\philips\philips songbird resources\autolauncher\PhilipsDeviceListener.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\sa28xx device manager\main.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: lcn-shop.nl\www
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A81C079-B25A-4F26-97CD-ABAF0E63269E} : DhcpNameServer = 212.54.40.25 212.54.35.25
TCP: Interfaces\{2E36B1D4-F4A3-4147-B194-F688013A0DA5} : DhcpNameServer = 212.54.40.25 212.54.35.25
TCP: Interfaces\{9F0BE1E7-3FFE-440B-B418-103693724D87} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DD40B72C-0401-406D-9528-A77C7775B874} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ALE_NF;Norman Network Filter ALE driver;c:\windows\system32\drivers\ale_nf.sys [2011-8-17 61472]
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2011-8-17 26744]
R1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2011-8-17 74144]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-10 21504]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2011-8-17 22880]
R2 NNFSVC;Norman Network Filtering service;c:\program files\norman\ngs\bin\nnf.exe [2011-8-17 223000]
R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2010-12-2 308408]
R2 NPFSvc32;Norman Personal Firewall Service;c:\program files\norman\npf\bin\npfsvc32.exe [2011-8-17 290472]
R2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2011-8-17 90656]
R2 nregsec;Norman Registry Security driver;c:\program files\norman\ngs\bin\nregsec.sys [2011-8-17 40384]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2011-8-17 100336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-1 2214504]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]
R3 NIG;Norman Intrusion Guard;c:\program files\norman\nig\bin\nigsvc32.exe [2011-8-17 336304]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2011-8-17 288072]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcv32mf.sys [2011-8-17 24688]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2011-8-17 198168]
R3 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2011-8-17 99312]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2009-5-6 413208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-1-2 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2010-1-3 79360]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2010-5-22 501248]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-24 18:37:29 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e4e8f482-14a0-44bb-8953-1f6990be4961}\mpengine.dll
2011-08-18 22:15:47 -------- d-----w- c:\program files\ESET
2011-08-18 22:10:44 388096 ----a-r- c:\users\adrem pgb begeleidin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-18 22:10:44 -------- d-----w- c:\program files\Trend Micro
2011-08-18 21:07:03 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\local\temp
2011-08-18 21:03:30 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-18 19:25:44 98816 ----a-w- c:\windows\sed.exe
2011-08-18 19:25:44 518144 ----a-w- c:\windows\SWREG.exe
2011-08-18 19:25:44 256000 ----a-w- c:\windows\PEV.exe
2011-08-18 19:25:44 208896 ----a-w- c:\windows\MBR.exe
2011-08-18 19:24:28 -------- d-----w- C:\ComboFix
2011-08-18 05:30:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-17 18:28:53 68176 ----a-w- c:\windows\system32\drivers\ale_nf64.sys
2011-08-17 18:28:53 61472 ----a-w- c:\windows\system32\drivers\ale_nf.sys
2011-08-17 18:28:53 48272 ----a-w- c:\windows\system32\drivers\nnetsec.sys
2011-08-17 18:28:53 378000 ----a-w- c:\windows\system32\drivers\tdi_nf.sys
2011-08-17 18:28:53 34192 ----a-w- c:\windows\system32\drivers\nnetsecl64.sys
2011-08-17 18:28:53 30584 ----a-w- c:\windows\system32\drivers\nnetsecl.sys
2011-08-17 18:28:52 24688 ----a-w- c:\windows\system32\drivers\nvcv32mf.sys
2011-08-17 18:28:52 222352 ----a-w- c:\windows\system32\nscrnsav.scr
2011-08-12 09:50:19 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-12 09:50:18 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-12 09:50:17 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-12 09:49:36 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-11 17:41:33 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\local\{EBECCF25-A7CE-4F9D-A747-DE092BD8E2EA}
2011-08-11 17:33:57 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\roaming\Malwarebytes
2011-08-11 17:33:46 -------- d-----w- c:\programdata\Malwarebytes
2011-07-29 12:39:41 -------- d-----w- c:\users\adrem pgb begeleidin\appdata\roaming\Reviversoft
2011-07-29 12:39:22 16704 ----a-w- c:\windows\system32\roboot.exe
2011-07-29 12:39:22 -------- d-----w- c:\program files\Reviversoft
2011-07-29 12:29:51 -------- d--h--w- c:\users\adrem pgb begeleidin\appdata\local\Norman Malware Cleaner
.
==================== Find3M ====================
.
2011-08-12 09:21:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
2007-03-12 16:59:00 299008 ----a-w- c:\program files\navigram_register.exe
.
============= FINISH: 20:48:26,39 ===============




#4 gringo_pr


Posted 24 August 2011 - 08:57 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Repad


Posted 25 August 2011 - 03:25 PM

Hi Gringo,

Appreciate your help!

You'll find the ComboFix log below.
The only thing I encountered during its execution was a message that Norman Antivirus and Antispyware were still running, although I had disabled the real-time protection. To make sure no interference was present I therefore de-installed Norman altogether before running ComboFix. (Windows firewall OK).

Hope the log will give you some clues.
Looking forward to hearing from you again.

Repad

------------------------------------------

ComboFix 11-08-24.06 - Adrem PGB Begeleidin 25-08-2011 21:00:43.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.2044.1177 [GMT 2:00]
Gestart vanuit: d:\malware cleanup\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-07-25 to 2011-08-25 ))))))))))))))))))))))))))))))
.
.
2011-08-25 19:48 . 2011-08-25 19:51 -------- d-----w- c:\users\Adrem PGB Begeleidin\AppData\Local\temp
2011-08-25 19:48 . 2011-08-25 19:48 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-08-25 19:48 . 2011-08-25 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-24 18:37 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E4E8F482-14A0-44BB-8953-1F6990BE4961}\mpengine.dll
2011-08-18 22:15 . 2011-08-18 22:15 -------- d-----w- c:\program files\ESET
2011-08-18 22:10 . 2011-08-18 22:10 388096 ----a-r- c:\users\Adrem PGB Begeleidin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-18 22:10 . 2011-08-18 22:10 -------- d-----w- c:\program files\Trend Micro
2011-08-18 05:30 . 2011-05-04 02:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-12 09:50 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-12 09:50 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-12 09:50 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-12 09:49 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-11 17:33 . 2011-08-11 17:33 -------- d-----w- c:\users\Adrem PGB Begeleidin\AppData\Roaming\Malwarebytes
2011-08-11 17:33 . 2011-08-11 17:33 -------- d-----w- c:\programdata\Malwarebytes
2011-07-29 12:39 . 2011-07-29 12:39 -------- d-----w- c:\users\Adrem PGB Begeleidin\AppData\Roaming\Reviversoft
2011-07-29 12:39 . 2011-08-11 15:59 -------- d-----w- c:\program files\Reviversoft
2011-07-29 12:39 . 2011-05-17 12:51 16704 ----a-w- c:\windows\system32\roboot.exe
2011-07-29 12:29 . 2011-07-29 12:29 -------- d--h--w- c:\users\Adrem PGB Begeleidin\AppData\Local\Norman Malware Cleaner
2011-07-29 09:37 . 2011-07-29 09:37 -------- d--h--w- c:\programdata\WindowsSearch
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-12 09:21 . 2011-05-18 09:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-01 12:19 . 2011-07-01 12:19 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-01 12:19 . 2011-07-01 12:19 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-07-01 12:19 . 2011-07-01 12:19 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-07-01 12:19 . 2011-07-01 12:19 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-07-01 12:19 . 2011-07-01 12:19 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-07-01 12:19 . 2011-07-01 12:19 367104 ----a-w- c:\windows\system32\html.iec
2011-07-01 12:19 . 2011-07-01 12:19 1785344 ----a-w- c:\windows\system32\iertutil(14903).dll
2011-07-01 12:19 . 2011-07-01 12:19 161792 ----a-w- c:\windows\system32\msls31.dll
2011-07-01 12:19 . 2011-07-01 12:19 1126912 ----a-w- c:\windows\system32\wininet(17241).dll
2011-07-01 12:19 . 2011-07-01 12:19 1102336 ----a-w- c:\windows\system32\urlmon(16717).dll
2011-07-01 12:19 . 2011-07-01 12:19 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-07-01 12:19 . 2011-07-01 12:19 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-07-01 12:19 . 2011-07-01 12:19 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-07-01 12:19 . 2011-07-01 12:19 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-01 12:19 . 2011-07-01 12:19 152064 ----a-w- c:\windows\system32\wextract.exe
2011-07-01 12:19 . 2011-07-01 12:19 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-07-01 12:19 . 2011-07-01 12:19 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-01 12:19 . 2011-07-01 12:19 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-01 12:19 . 2011-07-01 12:19 11776 ----a-w- c:\windows\system32\mshta.exe
2011-07-01 12:19 . 2011-07-01 12:19 101888 ----a-w- c:\windows\system32\admparse.dll
2011-07-01 12:19 . 2011-07-01 12:19 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-06-02 13:34 . 2011-07-13 06:09 2043392 ----a-w- c:\windows\system32\win32k.sys
2007-03-12 16:59 . 2007-03-12 16:59 299008 ----a-w- c:\program files\navigram_register.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-12 39408]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"SPIRunE"="SPIRunE.dll" [2007-05-09 18432]
"Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [2010-05-27 375296]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-02 150552]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-02 173592]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2008-04-14 380928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [N/A]
Philips Apparaatbeheer.lnk - c:\program files\Philips\SA28XX Device Manager\main.exe [2008-10-29 7975169]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1479722293-3608961187-4261260398-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-01-02 79360]
R3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2010-01-02 79360]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-05-24 501248]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2009-05-06 413208]
S4 ALE_NF;Norman Network Filter ALE driver;c:\windows\system32\drivers\ale_nf.sys [x]
S4 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\NDISKIO.SYS [x]
S4 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [x]
.
.
--- Andere Services/Drivers In Geheugen ---
.
*Deregistered* - mchInjDrv
*Deregistered* - NGS
*Deregistered* - nregsec
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhoud van de 'Gedeelde Taken' map
.
2010-02-18 c:\windows\Tasks\fba_Backup.job
- c:\program files\Softland\FBackup 4\fbaSchedStarter.exe [2010-02-18 11:39]
.
2011-08-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-02-13 12:39]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1479722293-3608961187-4261260398-1000Core.job
- c:\users\Adrem PGB Begeleidin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-13 12:39]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1479722293-3608961187-4261260398-1000UA.job
- c:\users\Adrem PGB Begeleidin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-13 12:39]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: lcn-shop.nl\www
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS VERWIJDERD - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-25 21:51
Windows 6.0.6002 Service Pack 2 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
Voltooingstijd: 2011-08-25 22:08:01
ComboFix-quarantined-files.txt 2011-08-25 20:07
ComboFix2.txt 2011-08-18 21:06
.
Pre-Run: 51.810.787.328 bytes beschikbaar
Post-Run: 52.110.688.256 bytes beschikbaar
.
- - End Of File - - 5B008D96D7E18C3AE73EE7F4A243B744

#6 gringo_pr


Posted 25 August 2011 - 07:10 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#7 Repad


Posted 25 August 2011 - 11:53 PM

Hi Gringo,

I'm unsure what you want me to do since you posted the same instructions again.

Rgds,
Repad

#8 gringo_pr


Posted 26 August 2011 - 12:33 AM

Hello

Very sorry

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#9 Repad


Posted 26 August 2011 - 01:16 PM

Hi Gringo,

Thank you for sending the next step.
Unfortunately TDSSKiller.exe will not run even after I renamed it to test.com (as per http://www.bleepingcomputer.com/forums/topic372491.html).

Kindly advise how to overcome this.

P.S. It appears that the HDD has been reduced considerably since our previous action.

Regards,
Repad

#10 gringo_pr


Posted 26 August 2011 - 10:42 PM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report.

Gringo

#11 Repad


Posted 27 August 2011 - 05:38 AM

Hello Gringo,

The fixTDSS tool (v 2.1.3) did a good job!

I ran it twice.
- The first time it said almost immediately "Infected MBR detected" so I pressed the 'repair' button which gave back the message that it had been repaired.
- To make sure I rebooted the pc and ran the tool again. This time it took a bit longer and it showed the files it was scanning. Finally it gave the result: "Backdoor.Tidserv has not been found on your system".

After a reboot I ran TDSSkiller (v2.5.17.0, log below), which now worked flawlessly and reported that it did not find any infections.

Seems we are making progress :clapping:
Repad

P.S. The pc has been used with two external HDDs for backing up data. Is there a risk that these disks are compromised?

---------------------------------------------------------

2011/08/27 10:32:16.0609 3656 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/27 10:32:16.0765 3656 ================================================================================
2011/08/27 10:32:16.0765 3656 SystemInfo:
2011/08/27 10:32:16.0765 3656
2011/08/27 10:32:16.0765 3656 OS Version: 6.0.6002 ServicePack: 2.0
2011/08/27 10:32:16.0765 3656 Product type: Workstation
2011/08/27 10:32:16.0765 3656 ComputerName: PC_VAN_ADREMPGB
2011/08/27 10:32:16.0765 3656 UserName: Adrem PGB Begeleidin
2011/08/27 10:32:16.0765 3656 Windows directory: C:\Windows
2011/08/27 10:32:16.0765 3656 System windows directory: C:\Windows
2011/08/27 10:32:16.0765 3656 Processor architecture: Intel x86
2011/08/27 10:32:16.0765 3656 Number of processors: 2
2011/08/27 10:32:16.0765 3656 Page size: 0x1000
2011/08/27 10:32:16.0765 3656 Boot type: Normal boot
2011/08/27 10:32:16.0765 3656 ================================================================================
2011/08/27 10:32:18.0418 3656 Initialize success
2011/08/27 10:33:06.0185 2012 ================================================================================
2011/08/27 10:33:06.0201 2012 Scan started
2011/08/27 10:33:06.0201 2012 Mode: Manual;
2011/08/27 10:33:06.0201 2012 ================================================================================
2011/08/27 10:33:07.0683 2012 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/08/27 10:33:07.0730 2012 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/08/27 10:33:07.0777 2012 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/08/27 10:33:07.0808 2012 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/08/27 10:33:07.0839 2012 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/08/27 10:33:07.0886 2012 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/08/27 10:33:07.0933 2012 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/08/27 10:33:07.0964 2012 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/08/27 10:33:07.0979 2012 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/08/27 10:33:07.0995 2012 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/08/27 10:33:08.0026 2012 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/08/27 10:33:08.0042 2012 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/08/27 10:33:08.0073 2012 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/08/27 10:33:08.0104 2012 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/08/27 10:33:08.0120 2012 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/08/27 10:33:08.0135 2012 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2011/08/27 10:33:08.0167 2012 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/08/27 10:33:08.0213 2012 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/08/27 10:33:08.0245 2012 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/08/27 10:33:08.0260 2012 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/08/27 10:33:08.0276 2012 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/08/27 10:33:08.0291 2012 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/08/27 10:33:08.0323 2012 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/08/27 10:33:08.0354 2012 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/08/27 10:33:08.0369 2012 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/08/27 10:33:08.0385 2012 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/08/27 10:33:08.0588 2012 igfx (837854ea63e6cc805454d0b97d9adf11) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/08/27 10:33:08.0681 2012 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/08/27 10:33:08.0728 2012 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/08/27 10:33:08.0744 2012 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/08/27 10:33:08.0775 2012 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/08/27 10:33:08.0822 2012 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/08/27 10:33:08.0837 2012 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/08/27 10:33:08.0853 2012 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/08/27 10:33:08.0869 2012 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/08/27 10:33:08.0900 2012 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/08/27 10:33:08.0915 2012 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/08/27 10:33:08.0931 2012 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/08/27 10:33:08.0962 2012 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/08/27 10:33:08.0993 2012 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/08/27 10:33:09.0025 2012 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/08/27 10:33:09.0056 2012 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/08/27 10:33:09.0087 2012 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/08/27 10:33:09.0103 2012 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/08/27 10:33:09.0118 2012 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/08/27 10:33:09.0134 2012 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/08/27 10:33:09.0181 2012 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/08/27 10:33:09.0212 2012 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/08/27 10:33:09.0227 2012 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/08/27 10:33:09.0243 2012 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/08/27 10:33:09.0259 2012 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/08/27 10:33:09.0274 2012 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/08/27 10:33:09.0305 2012 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/08/27 10:33:09.0321 2012 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/08/27 10:33:09.0337 2012 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/08/27 10:33:09.0368 2012 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/08/27 10:33:09.0383 2012 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/08/27 10:33:09.0446 2012 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/08/27 10:33:09.0477 2012 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/08/27 10:33:09.0493 2012 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2011/08/27 10:33:09.0508 2012 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/08/27 10:33:09.0555 2012 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/08/27 10:33:09.0586 2012 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/08/27 10:33:09.0617 2012 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/08/27 10:33:09.0633 2012 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/08/27 10:33:09.0649 2012 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/08/27 10:33:09.0664 2012 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/08/27 10:33:09.0695 2012 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/08/27 10:33:09.0711 2012 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/08/27 10:33:09.0727 2012 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/08/27 10:33:09.0789 2012 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/08/27 10:33:09.0836 2012 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/08/27 10:33:09.0867 2012 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/08/27 10:33:09.0883 2012 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/08/27 10:33:09.0914 2012 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/08/27 10:33:09.0929 2012 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/08/27 10:33:09.0945 2012 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/08/27 10:33:09.0976 2012 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/08/27 10:33:10.0007 2012 netr73 (c9afe484b3645da74fd459f45e4f756f) C:\Windows\system32\DRIVERS\netr73.sys
2011/08/27 10:33:10.0039 2012 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/08/27 10:33:10.0070 2012 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/08/27 10:33:10.0085 2012 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/08/27 10:33:10.0117 2012 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/08/27 10:33:10.0163 2012 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/08/27 10:33:10.0179 2012 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/08/27 10:33:10.0912 2012 nvlddmkm (847b1755f7757f825305a1ffe6dac3e9) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/08/27 10:33:11.0224 2012 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2011/08/27 10:33:11.0255 2012 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/08/27 10:33:11.0271 2012 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/08/27 10:33:11.0287 2012 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/08/27 10:33:11.0318 2012 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/08/27 10:33:11.0333 2012 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
2011/08/27 10:33:11.0365 2012 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/08/27 10:33:11.0411 2012 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/08/27 10:33:11.0489 2012 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/27 10:33:11.0505 2012 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/08/27 10:33:11.0536 2012 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/27 10:33:11.0552 2012 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\Windows\system32\Drivers\PxHelp20.sys
2011/08/27 10:33:11.0583 2012 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/08/27 10:33:11.0614 2012 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/08/27 10:33:11.0645 2012 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/27 10:33:11.0661 2012 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/27 10:33:11.0677 2012 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/27 10:33:11.0692 2012 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/27 10:33:11.0708 2012 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/27 10:33:11.0739 2012 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/27 10:33:11.0755 2012 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/27 10:33:11.0786 2012 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/08/27 10:33:11.0801 2012 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/27 10:33:11.0833 2012 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/08/27 10:33:11.0864 2012 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/27 10:33:11.0911 2012 RTL8169 (2d19a7469ea19993d0c12e627f4530bc) C:\Windows\system32\DRIVERS\Rtlh86.sys
2011/08/27 10:33:11.0926 2012 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/08/27 10:33:11.0957 2012 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/08/27 10:33:11.0973 2012 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
2011/08/27 10:33:12.0004 2012 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
2011/08/27 10:33:12.0020 2012 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/08/27 10:33:12.0051 2012 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/08/27 10:33:12.0067 2012 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/08/27 10:33:12.0082 2012 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/08/27 10:33:12.0113 2012 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/08/27 10:33:12.0129 2012 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/08/27 10:33:12.0145 2012 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/08/27 10:33:12.0160 2012 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/08/27 10:33:12.0191 2012 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/08/27 10:33:12.0207 2012 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/08/27 10:33:12.0269 2012 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/08/27 10:33:12.0285 2012 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/27 10:33:12.0301 2012 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/27 10:33:12.0316 2012 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/08/27 10:33:12.0347 2012 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/08/27 10:33:12.0363 2012 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/08/27 10:33:12.0379 2012 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/08/27 10:33:12.0425 2012 t3 (5f5d2ca8d3e15b183e6bdf59c370b39a) C:\Windows\system32\drivers\t3.sys
2011/08/27 10:33:12.0503 2012 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
2011/08/27 10:33:12.0535 2012 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/27 10:33:12.0566 2012 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/27 10:33:12.0581 2012 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/08/27 10:33:12.0613 2012 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/08/27 10:33:12.0628 2012 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/27 10:33:12.0644 2012 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/08/27 10:33:12.0706 2012 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/27 10:33:12.0722 2012 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/08/27 10:33:12.0737 2012 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/27 10:33:12.0769 2012 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/08/27 10:33:12.0784 2012 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/27 10:33:12.0815 2012 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/08/27 10:33:12.0831 2012 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/08/27 10:33:12.0862 2012 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/08/27 10:33:12.0878 2012 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/08/27 10:33:12.0893 2012 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/08/27 10:33:12.0925 2012 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/27 10:33:12.0940 2012 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/08/27 10:33:12.0956 2012 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/08/27 10:33:12.0987 2012 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/27 10:33:13.0003 2012 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/08/27 10:33:13.0034 2012 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/27 10:33:13.0065 2012 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/08/27 10:33:13.0081 2012 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/08/27 10:33:13.0096 2012 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/08/27 10:33:13.0112 2012 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/27 10:33:13.0127 2012 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/08/27 10:33:13.0159 2012 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/08/27 10:33:13.0174 2012 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/08/27 10:33:13.0190 2012 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/08/27 10:33:13.0205 2012 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/08/27 10:33:13.0237 2012 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/08/27 10:33:13.0252 2012 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/08/27 10:33:13.0268 2012 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/08/27 10:33:13.0299 2012 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/08/27 10:33:13.0315 2012 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/27 10:33:13.0330 2012 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/27 10:33:13.0346 2012 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/08/27 10:33:13.0377 2012 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/27 10:33:13.0439 2012 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2011/08/27 10:33:13.0486 2012 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/27 10:33:13.0517 2012 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/27 10:33:13.0564 2012 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/08/27 10:33:13.0580 2012 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1
2011/08/27 10:33:13.0580 2012 Boot (0x1200) (149fa37606f214f559a4cd0f60a3f30a) \Device\Harddisk0\DR0\Partition0
2011/08/27 10:33:13.0595 2012 Boot (0x1200) (b8073315ece00861e202cd90453e2dcd) \Device\Harddisk0\DR0\Partition1
2011/08/27 10:33:13.0611 2012 Boot (0x1200) (a5d62552d83776d642793f5557b326f2) \Device\Harddisk1\DR1\Partition0
2011/08/27 10:33:13.0611 2012 ================================================================================
2011/08/27 10:33:13.0611 2012 Scan finished
2011/08/27 10:33:13.0611 2012 ================================================================================
2011/08/27 10:33:13.0611 2616 Detected object count: 0
2011/08/27 10:33:13.0611 2616 Actual detected object count: 0
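The TDSSKiller inventory above is easier to review with a small parser than by eye. The following is an added example, not part of this thread and not TDSSKiller's own code: it parses the `<timestamp> <pid> <name> [(size)] (<md5>) <path>` lines, groups service names that share one image (Tcpip/Tcpip6 and Wanarp/Wanarpv6 are normal Vista pairs), lists drivers whose image is outside the usual system directories, and checks that the MBR hash is the same on both disks. The allowed directory prefixes are an assumption, and the sample log is constructed from a handful of lines copied from the output above plus one made-up entry (`oddsvc`, all-zero hash) to exercise the "outside system directories" check.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One TDSSKiller inventory line:
#   <date> <time> <pid> <name> [(<size>)] (<md5>) <path>
# Boot-sector lines (MBR/Boot) carry an extra "(0x1B8)"/"(0x1200)" size field;
# driver lines do not. Banner, "Scan finished" and count lines never match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)(?:\s+\((?P<size>0x[0-9A-Fa-f]+)\))?\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)
COUNT_RE = re.compile(r"(?P<kind>Actual detected|Detected) object count: (?P<n>\d+)")

# Assumption: where a Vista-era kernel driver image normally lives. Extend for
# third-party drivers that legitimately load from elsewhere in your environment.
ALLOWED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: five lines copied from the log above, one made-up driver
# (oddsvc, all-zero hash) and the closing count lines.
SAMPLE_LOG = r"""
2011/08/27 10:33:12.0503 2012 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
2011/08/27 10:33:12.0535 2012 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/27 10:33:13.0315 2012 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/27 10:33:13.0330 2012 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/27 10:33:13.0517 2012 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/27 10:33:13.0530 2012 oddsvc (00000000000000000000000000000000) C:\ProgramData\oddsvc\oddsvc.sys
2011/08/27 10:33:13.0564 2012 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/08/27 10:33:13.0580 2012 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1
2011/08/27 10:33:13.0580 2012 Boot (0x1200) (149fa37606f214f559a4cd0f60a3f30a) \Device\Harddisk0\DR0\Partition0
2011/08/27 10:33:13.0611 2012 ================================================================================
2011/08/27 10:33:13.0611 2012 Scan finished
2011/08/27 10:33:13.0611 2012 ================================================================================
2011/08/27 10:33:13.0611 2616 Detected object count: 0
2011/08/27 10:33:13.0611 2616 Actual detected object count: 0
"""


@dataclass(frozen=True)
class Entry:
    ts: str
    pid: int
    name: str
    size: Optional[str]   # only present on MBR/Boot records
    md5: str
    path: str

    @property
    def is_boot_sector(self) -> bool:
        return self.path.startswith("\\Device\\")


def parse_log(text: str) -> list[Entry]:
    """Return the inventory entries found in TDSSKiller output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["pid"]), m["name"], m["size"], m["md5"], m["path"]))
    return entries


def detected_counts(text: str) -> dict:
    """Pull the 'Detected' / 'Actual detected' object counts from the trailer."""
    counts = {}
    for m in COUNT_RE.finditer(text):
        counts["actual" if m["kind"].startswith("Actual") else "detected"] = int(m["n"])
    return counts


def shared_images(entries: list[Entry]) -> dict:
    """Service names that resolve to the same driver file (same MD5), drivers only.
    An unfamiliar name joining a known image's group is what deserves a closer look."""
    by_hash = defaultdict(list)
    for e in entries:
        if not e.is_boot_sector:
            by_hash[e.md5].append(e.name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def images_outside(entries: list[Entry], allowed=ALLOWED_PREFIXES) -> list[Entry]:
    """Drivers whose image path is not under one of the allowed prefixes (case-insensitive)."""
    prefixes = tuple(p.lower() for p in allowed)
    return [e for e in entries if not e.is_boot_sector and not e.path.lower().startswith(prefixes)]


def boot_sector_hashes(entries: list[Entry]) -> dict:
    """Map each MBR/boot-sector device path to its hash, for comparison across disks or scans."""
    return {e.path: e.md5 for e in entries if e.is_boot_sector}


def mbr_hashes_consistent(entries: list[Entry]) -> bool:
    """True when every MBR record carries the same hash; a mismatch is a question to answer, not a verdict."""
    return len({e.md5 for e in entries if e.name == "MBR"}) <= 1


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} inventory entries, counts={detected_counts(SAMPLE_LOG)}")
    for h, names in shared_images(entries).items():
        print("shared image", h, names)
    for e in images_outside(entries):
        print("outside system dirs:", e.name, e.path)
    print("MBR hashes consistent:", mbr_hashes_consistent(entries))
```

Feed the full log to `parse_log` and the checks run over all of it; saving the parsed entries from one scan and diffing hashes against a later scan of the same machine is the cheapest way to notice a driver image that changed between runs.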

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 August 2011 - 12:56 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Repad

Repad
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:Netherlands

Posted 28 August 2011 - 08:06 AM

Hi Gringo,

Thank you for your warning regarding P2P programs. I assume you were referring to SoulSeek? I removed it from the lady's PC after having carried out the other instructions.

One of the positive things I found is that Windows Update KB2556532 now finally installed successfully (this is the one I referred to in my initial post that could not install because of another running process).

As to your instructions I can report as follows:

TFC (v 3.1.7.0)
Deleted 87 MB in various temp locations

MBAM (v 1.51.1.1800)
Internet Explorer was redirected when I tried to download the installer. So I downloaded it through Chrome. Ran a full scan. Found no infections though. (Log below.)

HiJackThis (v 2.0.4)
Log below MBAM log.

The computer is more responsive, but the redirection of IE still worries me.
QUESTION: The PC has been used with two external HDDs for backing up data. Is there a risk that these disks are compromised as well?

Regards,
Repad


-----------------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Databaseversie: 7593

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

28-8-2011 14:12:22
mbam-log-2011-08-28 (14-12-22).txt

Scantype: Volledige scan (C:\|D:\|E:\|)
Objecten gescand: 303011
Verstreken tijd: 28 minuut/minuten, 30 seconde(n)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Bestanden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

-----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:41:43, on 28-8-2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files\ASUS\GamerOSD\ATKFastUserSwitching.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [Philips Device Listener] "C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe"
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-21-1479722293-3608961187-4261260398-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1479722293-3608961187-4261260398-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'UpdatusUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Philips Apparaatbeheer.lnk = C:\Program Files\Philips\SA28XX Device Manager\main.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://www.lcn-shop.nl
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ATK Fast User Switch Service (ATKFUSService) - ASUSTeK COMPUTER INC. - C:\Windows\system32\ATKFUSService.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Media Toolbox 6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 8758 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 August 2011 - 12:38 PM

Hello

With this virus, it will not go to the other drives, but it would still be best to scan the drives as they are put back onto the system.

These logs are looking very good, we are almost done!!! Just one more scan to go.

Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; any of these programs you can start by clicking on their icons (or from the control panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
      O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      O4 - HKLM\..\Run: [Philips Device Listener] "C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe"
      O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
      O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
      O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKUS\S-1-5-21-1479722293-3608961187-4261260398-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
      O4 - HKUS\S-1-5-21-1479722293-3608961187-4261260398-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'UpdatusUser')
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O4 - Global Startup: Philips Apparaatbeheer.lnk = C:\Program Files\Philips\SA28XX Device Manager\main.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running HijackThis, sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo

Edited by gringo_pr, 28 August 2011 - 12:39 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
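The "Remove unneeded startup entries" step above is about reading the O4 lines of a HijackThis log: which registry hive (HKLM, HKCU, a per-user HKUS SID) or startup folder the entry lives in, and which executable it actually launches. The following is an added example, my own code and not part of this thread or of HijackThis, that parses those lines into a structured form. The sample input is constructed from the O4 entries shown earlier in this topic; the quoting and rundll32 handling in `extract_exe` and the "unqualified path" check are my own assumptions about the format, not documented HijackThis behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the O4 lines of the HijackThis log above
# (an O23 line is included to show that non-O4 lines are skipped).
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKUS\S-1-5-21-1479722293-3608961187-4261260398-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


@dataclass
class AutorunEntry:
    hive: str            # HKLM, HKCU, HKUS or "Global Startup"
    sid: Optional[str]   # SID for HKUS entries, else None
    user: Optional[str]  # user name HijackThis prints for HKUS entries, else None
    name: str            # value name in [brackets], or the .lnk name for Global Startup
    command: str         # command line exactly as recorded
    exe: str             # executable (or rundll32 module) with quotes/arguments stripped


# Registry Run entries: "O4 - <hive>[\<sid>]\..\Run: [<name>] <command>[ (User '<user>')]"
REG_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS)(?:\\(?P<sid>[^\\]+))?\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# Startup-folder shortcuts: "O4 - Global Startup: <name>.lnk = <target>"
GLOBAL_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")


def extract_exe(cmd: str) -> str:
    """Heuristic (assumption): isolate the file that really gets loaded."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take everything inside the quotes
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    first = tokens[0]
    if first.lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]           # rundll32 host: the DLL before the comma is what runs
    # unquoted path, possibly with spaces: stop at the first token ending in an executable extension
    m = re.match(r"(?i)^(.+?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)", cmd)
    return m.group(1) if m else first


def parse_hjt(text: str) -> List[AutorunEntry]:
    entries: List[AutorunEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = REG_RUN_RE.match(line)
        if m:
            entries.append(AutorunEntry(m["hive"], m["sid"], m["user"], m["name"],
                                        m["cmd"], extract_exe(m["cmd"])))
            continue
        m = GLOBAL_STARTUP_RE.match(line)
        if m:
            entries.append(AutorunEntry("Global Startup", None, None, m["name"],
                                        m["cmd"], extract_exe(m["cmd"])))
    return entries


def is_unqualified(entry: AutorunEntry) -> bool:
    """True when the launched file has no drive, %variable% or UNC prefix, i.e. it is
    found by search order at logon rather than by an explicit path; worth a closer look."""
    return re.match(r"^(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)", entry.exe) is None


def unqualified_entries(entries: List[AutorunEntry]) -> List[str]:
    return [e.name for e in entries if is_unqualified(e)]


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_HJT):
        who = f" (user {e.user})" if e.user else ""
        flag = "  <- unqualified path, review" if is_unqualified(e) else ""
        print(f"{e.hive:15}{who} [{e.name}] -> {e.exe}{flag}")
```

Running it over a full log gives one line per autorun entry with the resolved file, which is the list you compare against the removal suggestions in the post; the one entry it flags in the sample is the Rundll32 line, since `SPIRunE.dll` is named without a directory.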

#15 Repad

Repad
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:Netherlands

Posted 28 August 2011 - 03:56 PM

Hello Gringo,

It is really wonderful that you are so helpful.

I removed most of the startup entries you indicated.

The log of the online ESET scan is below.

Rgds,
Repad

-------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9a8606be05b6f040857e0edd2fd398c5
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-19 12:07:59
# local_time=2011-08-19 02:07:59 (+0100, West-Europa (zomertijd))
# country="Netherlands"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 440 440 0 0
# compatibility_mode=5378 16777213 100 97 762 148992476 0 0
# compatibility_mode=5892 16776573 100 100 101023 151238612 0 0
# compatibility_mode=8192 67108863 100 0 137 137 0 0
# scanned=299096
# found=27
# cleaned=0
# scan_time=6595
C:\Program Files\Reviversoft\Registry Reviver\aso3sys.dll probably a variant of Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\ASOHelper.dll a variant of Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\RegistryReviver.exe a variant of Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\SendLogs.exe Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\bg\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\cs\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\DA\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\DTCH\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\el\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\ENG\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\ES\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\fi\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\FR\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\GRMN\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\hu\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\in\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\ITLY\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\JA\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\no\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\pl\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\pt\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\ro\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\sv\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\th\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\TR\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\ZH\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Reviversoft\Registry Reviver\zhcn\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9a8606be05b6f040857e0edd2fd398c5
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-19 07:54:56
# local_time=2011-08-19 09:54:56 (+0100, West-Europa (zomertijd))
# country="Netherlands"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 27572 27572 0 0
# compatibility_mode=5378 16777213 100 97 118 149019608 0 0
# compatibility_mode=5892 16776573 100 100 128155 151265744 0 0
# compatibility_mode=8192 67108863 100 0 27269 27269 0 0
# scanned=302839
# found=27
# cleaned=27
# scan_time=7479
C:\Program Files\Reviversoft\Registry Reviver\aso3sys.dll probably a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\ASOHelper.dll a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\RegistryReviver.exe a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\SendLogs.exe Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\bg\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\cs\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\DA\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\DTCH\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\el\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\ENG\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\ES\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\fi\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\FR\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\GRMN\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\hu\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\in\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\ITLY\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\JA\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\no\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\pl\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\pt\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\ro\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\sv\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\th\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\TR\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\ZH\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Reviversoft\Registry Reviver\zhcn\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9a8606be05b6f040857e0edd2fd398c5
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-28 07:57:47
# local_time=2011-08-28 09:57:47 (+0100, West-Europa (zomertijd))
# country="Netherlands"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 852525 852525 0 0
# compatibility_mode=5378 16777214 0 4 254303 260141 0 0
# compatibility_mode=5892 16776573 100 100 177579 152090697 0 0
# compatibility_mode=8192 67108863 100 0 852222 852222 0 0
# scanned=142983
# found=0
# cleaned=0
# scan_time=3498
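The ESET Online Scanner log posted here (and requested in the scan step of the previous post) is really three runs concatenated: a report-only run with "Remove found threats" unticked, a later run with removal enabled, and a final clean run. Reading it by hand means matching each `# found=` / `# cleaned=` header to its detection lines. The following is an added example, my own code and not from ESET or from this thread, that splits such a log into runs, parses the detection lines, and points out when a run only reported without removing. The sample log is constructed in the shape of the one above with placeholder paths and serial; the meaning of the trailing I/C flag and the "path ends at the first extension" rule are assumptions drawn from the posted output, not documented format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, shortened log in the shape of the ESET output above: three runs,
# the first report-only, the second with removal on, the third clean.
# Paths under C:\Program Files\Example and the EOSSerial are placeholders.
SAMPLE_ESET_LOG = r"""ESETSmartInstaller@High as CAB hook log:
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6528
# EOSSerial=00000000000000000000000000000000
# end=finished
# remove_checked=false
# archives_checked=true
# antistealth_checked=true
# utc_time=2011-08-19 12:07:59
# compatibility_mode=512 16777215 100 0 440 440 0 0
# compatibility_mode=8192 67108863 100 0 137 137 0 0
# scanned=299096
# found=2
# cleaned=0
# scan_time=6595
C:\Program Files\Example\aso3sys.dll probably a variant of Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Example\bg\regclean.ini Win32/RegistryReviver application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=true
# scanned=302839
# found=2
# cleaned=2
# scan_time=7479
C:\Program Files\Example\aso3sys.dll probably a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Example\bg\regclean.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# remove_checked=false
# scanned=142983
# found=0
# cleaned=0
"""


@dataclass
class Detection:
    path: str
    threat: str   # e.g. "a variant of Win32/RegistryReviver application"
    action: str   # text in parentheses, e.g. "unable to clean"
    status: str   # trailing flag; in the posted logs I accompanies "unable to clean", C "cleaned"


@dataclass
class ScanRun:
    settings: Dict[str, str] = field(default_factory=dict)   # "# key=value" header lines
    compat: List[str] = field(default_factory=list)          # repeated compatibility_mode values
    detections: List[Detection] = field(default_factory=list)


# "<path> <threat text> (<action>) <32 hex digits> <flag>"; the path is taken to end at
# the first ".ext " seen from the left (assumption that holds for the posted lines).
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.\w+) (?P<threat>.+?) \((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<status>[A-Z])$"
)


def parse_eset_log(text: str) -> List[ScanRun]:
    runs: List[ScanRun] = []
    run: Optional[ScanRun] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version":          # every run's header opens with this key
                run = ScanRun()
                runs.append(run)
            if run is None:
                continue
            if key == "compatibility_mode":
                run.compat.append(value)
            else:
                run.settings[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m and run is not None:
            run.detections.append(Detection(m["path"], m["threat"], m["action"], m["status"]))
        # installer chatter ("all ok", "... log:") is ignored
    return runs


def summarize(run: ScanRun) -> dict:
    s = run.settings
    return {
        "remove_checked": s.get("remove_checked") == "true",
        "found": int(s.get("found", 0)),
        "cleaned": int(s.get("cleaned", 0)),
        "listed": len(run.detections),
        "still_present": sorted({d.path for d in run.detections if d.status != "C"}),
    }


def audit(runs: List[ScanRun]) -> List[str]:
    """Plain-language notes a helper would want before reading the detections."""
    notes = []
    for i, run in enumerate(runs, 1):
        s = summarize(run)
        if s["found"] != s["listed"]:
            notes.append(f"run {i}: header says found={s['found']} but {s['listed']} detection lines listed")
        if not s["remove_checked"] and s["found"]:
            notes.append(f"run {i}: report-only scan (Remove found threats unticked): "
                         f"{s['found']} found, nothing removed")
        if s["remove_checked"] and s["cleaned"] < s["found"]:
            notes.append(f"run {i}: removal enabled but only {s['cleaned']} of {s['found']} cleaned")
    return notes


def latest_is_clean(runs: List[ScanRun]) -> bool:
    return bool(runs) and summarize(runs[-1])["found"] == 0


if __name__ == "__main__":
    runs = parse_eset_log(SAMPLE_ESET_LOG)
    for i, r in enumerate(runs, 1):
        print(i, r.settings.get("utc_time", "?"), summarize(r))
    print("\n".join(audit(runs)) or "no notes")
    print("latest run clean:", latest_is_clean(runs))
```

The point of `audit` is the one that trips people up in this kind of thread: a run with `remove_checked=false` is supposed to list findings with `cleaned=0`, so "found=27, cleaned=0" is the scan doing what was asked, not a failed cleanup; only the later run with removal enabled, or a follow-up scan reporting `found=0`, shows the items are gone.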



