
Infected with WhiteSmoke Toolbar


  • This topic is locked
20 replies to this topic

#1 awidjaj1
  • Members
  • 12 posts

Posted 11 September 2011 - 09:20 PM

Hi, I am a newbie here. My laptop was infected by the WhiteSmoke Toolbar and I could not find any information on how to remove it. This forum was the only thing I found so I opened an account in hopes that I can get the help needed to remove this malware. I first noticed something was wrong when I kept getting pop-ups saying that viruses were detected and that I needed to purchase some software. I tried removing the WhiteSmoke Toolbar from the add/remove programs under Control Panel but it would not allow me to remove it. So I tried Revo Uninstaller and it looked like I succeeded but after a while the WhiteSmoke Toolbar came back. Now I can only use my laptop for maybe 10-15 minutes before it gets really slow and then hangs. I have to turn my laptop off every time now because if I leave it on, it is just so slow that I cannot do anything after leaving the laptop for a while. I have had to do all the necessary scans at different times because the laptop will hang after a while. I hope I have provided the appropriate information for somebody to help restore my laptop to its normal operation. Thank you in advance. Below is the log from dds.txt.

******************************************************************************************************************************************************

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 21:12:57 on 2011-08-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.119 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [\\Trustworthy1188\EPSON WorkForce 600 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\docume~1\user\locals~1\temp\E_S1E.tmp" /EF "HKCU"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [cfliom] c:\docume~1\networ~1\locals~1\applic~1\cfliom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{4C633CBE-1F51-44D5-B20E-847764AD1E49} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: ? - itlnfw32.dll
Notify: igfxcui - igfxdev.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-13 14336]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2008-4-13 14336]
S0 cerc6;cerc6; [x]
.
=============== Created Last 30 ================
.
2011-08-07 00:05:12 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-07 00:05:12 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-04 18:40:14 53248 ----a-w- c:\windows\system32\6to4v32.dll
2011-06-04 18:40:10 34816 ----a-w- c:\windows\system32\itlnfw32.dll
2011-06-04 18:40:10 215040 ----a-w- c:\windows\system32\itlpfw32.dll
2011-06-04 18:30:39 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-06-04 04:10:39 0 ----a-w- c:\windows\Dgaqo.bin
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK6008GAH rev.BU011A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x864A331B
user & kernel MBR OK
.
============= FINISH: 21:22:58.81 ===============
Attached Files: attach.txt (13KB), ark.txt (13.88KB)


#2 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 11 September 2011 - 10:17 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 awidjaj1
  • Topic Starter
  • Members
  • 12 posts

Posted 12 September 2011 - 08:22 PM

Hi,

Thanks for the instructions. Did what the instructions said to do and below is the log from ComboFix. Is my laptop clean now? I looked in the add/remove programs under Control Panel and I still see WhiteSmoke Toolbar listed as programs installed on my laptop. Right after the log was created, I tried to open Internet Explorer and the laptop froze again. I had to turn the laptop off and on again, and when the browser opened successfully, a pop-up window opened up. I am guessing there is something still in my laptop. Looking forward to more instructions. Thank you.

*************************************************************************************************************************************************

ComboFix 11-09-12.04 - User 09/12/2011 20:37:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.602 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\all users\application data\10249\sp.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\irlsj.exe
c:\documents and settings\NetworkService\Start Menu\Programs\Security Shield.lnk
c:\documents and settings\User\Application Data\PriceGong
c:\documents and settings\User\Application Data\PriceGong\Data\1.xml
c:\documents and settings\User\Application Data\PriceGong\Data\a.xml
c:\documents and settings\User\Application Data\PriceGong\Data\b.xml
c:\documents and settings\User\Application Data\PriceGong\Data\c.xml
c:\documents and settings\User\Application Data\PriceGong\Data\d.xml
c:\documents and settings\User\Application Data\PriceGong\Data\e.xml
c:\documents and settings\User\Application Data\PriceGong\Data\f.xml
c:\documents and settings\User\Application Data\PriceGong\Data\g.xml
c:\documents and settings\User\Application Data\PriceGong\Data\h.xml
c:\documents and settings\User\Application Data\PriceGong\Data\i.xml
c:\documents and settings\User\Application Data\PriceGong\Data\J.xml
c:\documents and settings\User\Application Data\PriceGong\Data\k.xml
c:\documents and settings\User\Application Data\PriceGong\Data\l.xml
c:\documents and settings\User\Application Data\PriceGong\Data\m.xml
c:\documents and settings\User\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\User\Application Data\PriceGong\Data\n.xml
c:\documents and settings\User\Application Data\PriceGong\Data\o.xml
c:\documents and settings\User\Application Data\PriceGong\Data\p.xml
c:\documents and settings\User\Application Data\PriceGong\Data\q.xml
c:\documents and settings\User\Application Data\PriceGong\Data\r.xml
c:\documents and settings\User\Application Data\PriceGong\Data\s.xml
c:\documents and settings\User\Application Data\PriceGong\Data\t.xml
c:\documents and settings\User\Application Data\PriceGong\Data\u.xml
c:\documents and settings\User\Application Data\PriceGong\Data\v.xml
c:\documents and settings\User\Application Data\PriceGong\Data\w.xml
c:\documents and settings\User\Application Data\PriceGong\Data\x.xml
c:\documents and settings\User\Application Data\PriceGong\Data\y.xml
c:\documents and settings\User\Application Data\PriceGong\Data\z.xml
c:\program files\whitesmoketoolbar\vmNTemplatex.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\itlnfw32.dll
c:\windows\system32\itlpfw32.dll
c:\windows\system32\lvci1201278.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
Pass LEGAL for license information. Built Sat Jun 25 23:20 2011c:\documents and settings\All Users\Application Data\10249\sp.Dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
-------\Service_SPService
.
.
((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2008-04-13 23:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-06 18:00 . 2011-06-10 23:49 413696 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\cfliom.exe
2011-07-15 13:29 . 2008-04-13 23:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-13 23:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2010-08-26 17:17 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-13 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-13 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-13 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-13 23:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-03-28 16:22 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBit2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\Trustworthy1188\EPSON WorkForce 600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE" [2008-03-04 188928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cfliom"="c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\cfliom.exe" [2011-08-06 413696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\?]
itlnfw32.dll [?]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10809:TCP"= 10809:TCP:spport
"14258:TCP"= 14258:TCP:spport
"15026:TCP"= 15026:TCP:spport
"22708:TCP"= 22708:TCP:spport
"29485:TCP"= 29485:TCP:spport
"9001:TCP"= 9001:TCP:spport
"10113:TCP"= 10113:TCP:spport
"6412:TCP"= 6412:TCP:spport
"22916:TCP"= 22916:TCP:spport
"21248:TCP"= 21248:TCP:spport
"6439:TCP"= 6439:TCP:spport
"5629:TCP"= 5629:TCP:spport
"23395:TCP"= 23395:TCP:spport
"13915:TCP"= 13915:TCP:spport
"22930:TCP"= 22930:TCP:spport
"23175:TCP"= 23175:TCP:spport
"28311:TCP"= 28311:TCP:spport
"6338:TCP"= 6338:TCP:spport
"13222:TCP"= 13222:TCP:spport
"29395:TCP"= 29395:TCP:spport
"18387:TCP"= 18387:TCP:spport
"11157:TCP"= 11157:TCP:spport
"5547:TCP"= 5547:TCP:spport
"7266:TCP"= 7266:TCP:spport
.
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
Notify-itlntfy - itlnfw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 20:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK6008GAH rev.BU011A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8652531B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'lsass.exe'(1012)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-09-12 21:02:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-13 01:02
.
Pre-Run: 45,627,035,648 bytes free
Post-Run: 46,825,218,048 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E1764668615D1BFAF586221E55F54868

#4 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 12 September 2011 - 08:51 PM

Hi

Go ahead and see if you can uninstall that toolbar from your installed programs list.


NEXT


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic418558.html/page__pid__2404918

Collect::
c:\documents and settings\NetworkService\Local Settings\Application Data\cfliom.exe

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cfliom"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\?]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10809:TCP"=- 
"14258:TCP"=-
"15026:TCP"=-
"22708:TCP"=-
"29485:TCP"=-
"9001:TCP"=-
"10113:TCP"=-
"6412:TCP"=-
"22916:TCP"=-
"21248:TCP"=-
"6439:TCP"=-
"5629:TCP"=-
"23395:TCP"=-
"13915:TCP"=-
"22930:TCP"=-
"23175:TCP"=-
"28311:TCP"=-
"6338:TCP"=-
"13222:TCP"=-
"29395:TCP"=-
"18387:TCP"=-
"11157:TCP"=-
"5547:TCP"=-
"7266:TCP"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

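The CFScript above removes three kinds of entries that the ComboFix log in post #3 exposed: a RunOnce value under HKEY_USERS\.DEFAULT that launches cfliom.exe out of the NetworkService profile, a Winlogon Notify key named "?" that loads itlnfw32.dll into winlogon.exe, and two dozen high TCP ports opened in the XP firewall under the single rule name "spport". The Python script below is an added example for this write-up, not code from the thread, from ComboFix or from BleepingComputer: it parses the "Reg Loading Points" section of a ComboFix log and flags those three patterns so the same triage can be repeated on another log. The sample log text is constructed from lines in the log posted above plus one benign Remote Desktop firewall entry; the allow list of Winlogon Notify DLLs and the port-cluster threshold are assumptions chosen for illustration, not a ComboFix or Microsoft reference list.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log for the three
persistence patterns discussed in this thread.  Added example: this is not
code from the thread, from ComboFix or from BleepingComputer."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # which pattern matched
    key: str     # registry key the line was found under
    detail: str  # the value, DLL or port cluster that triggered it


# Constructed sample: lines copied from the ComboFix log posted above, plus
# one benign Remote Desktop firewall entry so the allow path is exercised.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cfliom"="c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\cfliom.exe" [2011-08-06 413696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\?]
itlnfw32.dll [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui]
igfxdev.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10809:TCP"= 10809:TCP:spport
"14258:TCP"= 14258:TCP:spport
"15026:TCP"= 15026:TCP:spport
"22708:TCP"= 22708:TCP:spport
"29485:TCP"= 29485:TCP:spport
"3389:TCP"= 3389:TCP:Remote Desktop
.
"""

# Assumption: a small illustrative allow list of Winlogon Notify DLLs that
# ship with Windows XP or with common graphics drivers.  Not exhaustive.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll", "sclgntfy.dll",
    "termsrv.dll", "wlnotify.dll", "igfxdev.dll", "igfxcui.dll",
}
# Assumption: more than this many ports under one firewall rule name is
# unusual for a single legitimate application.
PORT_CLUSTER_THRESHOLD = 3

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"')
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')


def triage(log_text: str) -> list:
    """Return a list of Finding objects for the suspicious entries in log_text."""
    findings = []
    # key -> rule label -> set of port numbers, so clusters can be sized
    ports_by_label = defaultdict(lambda: defaultdict(set))
    current_key = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with "."
            continue
        m = KEY_RE.match(line)
        if m:                                # a new [registry key] header
            current_key = m.group("key")
            continue
        if current_key is None:
            continue
        lower = current_key.lower()
        leaf = lower.rsplit("\\", 1)[-1]

        if lower.startswith("hkey_users\\.default\\") and leaf in ("run", "runonce"):
            # Autoruns in the .DEFAULT hive fire in the logon/service context,
            # before any user signs in; legitimate software rarely needs this.
            v = VALUE_RE.match(line)
            if v:
                findings.append(Finding("default-hive-autorun", current_key,
                                        f'{v["name"]} -> {v["data"]}'))
        elif "\\winlogon\\notify\\" in lower:
            # A Notify DLL is loaded into winlogon.exe at every logon event.
            dll = line.split()[0].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("unknown-notify-dll", current_key, dll))
        elif leaf == "list" and "globallyopenports" in lower:
            p = PORT_RE.match(line)
            if p:
                ports_by_label[current_key][p["label"].strip()].add(int(p["port"]))

    for key, by_label in ports_by_label.items():
        for label, ports in by_label.items():
            if len(ports) > PORT_CLUSTER_THRESHOLD:
                findings.append(Finding("firewall-port-cluster", key,
                                        f"{label}: {len(ports)} ports {sorted(ports)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22s} {f.detail}")
```

To use it on a real case, read the saved C:\ComboFix.txt and pass its contents to triage(). A finding is a lead to check rather than a verdict: vendor software does register Notify DLLs and open firewall ports, which is why the script keeps an allow list and a threshold instead of flagging every entry, and why the helper in this thread still asked for the uninstall and the TDSSKiller run rather than relying on the log alone.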


#5 awidjaj1
  • Topic Starter
  • Members
  • 12 posts

Posted 14 September 2011 - 08:28 PM

Hi,

I removed the WhiteSmoke Toolbar program from the Add/Remove Programs under Control Panel and it looks like it is gone. Hopefully this time it will stay gone. Anyway, did the ComboFix and the TDSSKiller. At the end of the ComboFix scan, it said that there were some files that had to be uploaded to the ComboFix server for further analysis so I did that. And TDSSKiller found 1 malicious object so I selected cure. What should I do next? Thank you.

Here is the log for ComboFix:

*************************************************************************************************************************************************
ComboFix 11-09-14.02 - User 09/14/2011 20:45:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.580 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point
.
file zipped: c:\documents and settings\NetworkService\Local Settings\Application Data\cfliom.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\cfliom.exe
c:\documents and settings\User\Application Data\PriceGong
c:\documents and settings\User\Application Data\PriceGong\Data\1.xml
c:\documents and settings\User\Application Data\PriceGong\Data\a.xml
c:\documents and settings\User\Application Data\PriceGong\Data\b.xml
c:\documents and settings\User\Application Data\PriceGong\Data\c.xml
c:\documents and settings\User\Application Data\PriceGong\Data\d.xml
c:\documents and settings\User\Application Data\PriceGong\Data\e.xml
c:\documents and settings\User\Application Data\PriceGong\Data\f.xml
c:\documents and settings\User\Application Data\PriceGong\Data\g.xml
c:\documents and settings\User\Application Data\PriceGong\Data\h.xml
c:\documents and settings\User\Application Data\PriceGong\Data\i.xml
c:\documents and settings\User\Application Data\PriceGong\Data\j.xml
c:\documents and settings\User\Application Data\PriceGong\Data\k.xml
c:\documents and settings\User\Application Data\PriceGong\Data\l.xml
c:\documents and settings\User\Application Data\PriceGong\Data\m.xml
c:\documents and settings\User\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\User\Application Data\PriceGong\Data\n.xml
c:\documents and settings\User\Application Data\PriceGong\Data\o.xml
c:\documents and settings\User\Application Data\PriceGong\Data\p.xml
c:\documents and settings\User\Application Data\PriceGong\Data\q.xml
c:\documents and settings\User\Application Data\PriceGong\Data\r.xml
c:\documents and settings\User\Application Data\PriceGong\Data\s.xml
c:\documents and settings\User\Application Data\PriceGong\Data\t.xml
c:\documents and settings\User\Application Data\PriceGong\Data\u.xml
c:\documents and settings\User\Application Data\PriceGong\Data\v.xml
c:\documents and settings\User\Application Data\PriceGong\Data\w.xml
c:\documents and settings\User\Application Data\PriceGong\Data\x.xml
c:\documents and settings\User\Application Data\PriceGong\Data\y.xml
c:\documents and settings\User\Application Data\PriceGong\Data\z.xml
c:\windows\system32\d3d9caps.dat
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2008-04-13 23:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2008-04-13 23:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-13 23:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2010-08-26 17:17 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-13 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-13 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-13 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-13 23:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-13_00.55.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-15 00:59 . 2011-09-15 00:59 16384 c:\windows\Temp\Perflib_Perfdata_6cc.dat
+ 2008-04-13 23:00 . 2011-09-15 00:38 40394 c:\windows\system32\perfc009.dat
- 2008-04-13 23:00 . 2011-09-13 00:58 40394 c:\windows\system32\perfc009.dat
+ 2008-04-13 23:00 . 2011-09-15 00:38 312172 c:\windows\system32\perfh009.dat
- 2008-04-13 23:00 . 2011-09-13 00:58 312172 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-03-28 16:22 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBit2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\Trustworthy1188\EPSON WorkForce 600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE" [2008-03-04 188928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-14 20:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK6008GAH rev.BU011A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x864A731B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'lsass.exe'(1004)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2200)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-09-14 21:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-15 01:07
ComboFix2.txt 2011-09-13 01:03
.
Pre-Run: 46,775,472,128 bytes free
Post-Run: 46,782,480,384 bytes free
.
- - End Of File - - 15DFBA6A5769D1F5212DFEF3C6CF382B
Upload was successful
****************************************************************************************************************************************************



Here is the log from TDSSKiller:

****************************************************************************************************************************************************
2011/09/14 21:11:17.0375 3752 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/14 21:11:18.0328 3752 ================================================================================
2011/09/14 21:11:18.0328 3752 SystemInfo:
2011/09/14 21:11:18.0328 3752
2011/09/14 21:11:18.0328 3752 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/14 21:11:18.0328 3752 Product type: Workstation
2011/09/14 21:11:18.0328 3752 ComputerName: NEWLAPTOP
2011/09/14 21:11:18.0328 3752 UserName: User
2011/09/14 21:11:18.0328 3752 Windows directory: C:\WINDOWS
2011/09/14 21:11:18.0328 3752 System windows directory: C:\WINDOWS
2011/09/14 21:11:18.0328 3752 Processor architecture: Intel x86
2011/09/14 21:11:18.0328 3752 Number of processors: 2
2011/09/14 21:11:18.0328 3752 Page size: 0x1000
2011/09/14 21:11:18.0328 3752 Boot type: Normal boot
2011/09/14 21:11:18.0328 3752 ================================================================================
2011/09/14 21:11:20.0359 3752 Initialize success
2011/09/14 21:11:38.0828 0844 ================================================================================
2011/09/14 21:11:38.0828 0844 Scan started
2011/09/14 21:11:38.0828 0844 Mode: Manual;
2011/09/14 21:11:38.0828 0844 ================================================================================
2011/09/14 21:12:13.0765 0844 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/09/14 21:12:13.0765 0844 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/14 21:12:13.0781 0844 Boot (0x1200) (6967c677866620c04602c66e3cc98cb2) \Device\Harddisk0\DR0\Partition0
2011/09/14 21:12:13.0796 0844 ================================================================================
2011/09/14 21:12:13.0796 0844 Scan finished
2011/09/14 21:12:13.0796 0844 ================================================================================
2011/09/14 21:12:13.0828 3884 Detected object count: 1
2011/09/14 21:12:13.0828 3884 Actual detected object count: 1
2011/09/14 21:12:34.0140 3884 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/14 21:12:34.0140 3884 \Device\Harddisk0\DR0 - ok
2011/09/14 21:12:34.0140 3884 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/14 21:12:45.0875 1956 Deinitialize success
*************************************************************************************************************************************************
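The TDSSKiller log above is the kind of output a responder ends up triaging by hand. The following Python is an added example, not anything posted in this thread or shipped with TDSSKiller: it parses that line format and pulls out what matters for the case file, the boot-sector hashes, the detection, and the action that was chosen. The sample lines are copied from the log above with the driver enumeration reduced to two entries.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the TDSSKiller log in the post above (driver entries
# reduced to two); the format is "YYYY/MM/DD HH:MM:SS.mmmm <pid> <message>".
SAMPLE_LOG = r"""2011/09/14 21:11:38.0828 0844 Scan started
2011/09/14 21:11:43.0828 0844 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/14 21:12:09.0750 0844 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/14 21:12:13.0765 0844 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/09/14 21:12:13.0765 0844 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/14 21:12:13.0781 0844 Boot (0x1200) (6967c677866620c04602c66e3cc98cb2) \Device\Harddisk0\DR0\Partition0
2011/09/14 21:12:13.0796 0844 Scan finished
2011/09/14 21:12:13.0828 3884 Detected object count: 1
2011/09/14 21:12:34.0140 3884 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/14 21:12:34.0140 3884 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/14 21:12:45.0875 1956 Deinitialize success
"""

# Every line starts with a timestamp and the pid of the thread that wrote it.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (\d+) (.*)$")
# "MBR (0x1B8) (<md5>) \Device\..." and "Boot (0x1200) (<md5>) \Device\...\Partition0"
SECTOR_RE = re.compile(r"^(MBR|Boot) \((0x[0-9A-Fa-f]+)\) \(([0-9a-f]{32})\) (.+)$")
# "<service name> (<md5>) <driver path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# "<object> - detected <threat name> (<n>)"
DETECT_RE = re.compile(r"^(.+?) - detected (\S+) \((\d+)\)$")
# "<threat name>(<object>) - User select action: <verb>"
ACTION_RE = re.compile(r"^(\S+)\((.+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class Event:
    ts: str
    pid: int
    kind: str          # 'driver', 'sector', 'detection', 'action', 'count' or 'other'
    name: str = ""     # driver/sector name or threat name
    md5: str = ""      # hash reported for a driver file or boot sector
    path: str = ""     # file path or kernel device object
    detail: str = ""   # sector size, detection index, action verb, or raw message


def parse_tdsskiller(text: str) -> list[Event]:
    """Turn TDSSKiller log text into typed events; banner lines without a
    timestamp (the '====' separators) are skipped."""
    events: list[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ts, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        if (s := SECTOR_RE.match(msg)):
            events.append(Event(ts, pid, "sector", s.group(1), s.group(3), s.group(4), s.group(2)))
        elif (d := DETECT_RE.match(msg)):
            events.append(Event(ts, pid, "detection", d.group(2), "", d.group(1), d.group(3)))
        elif (a := ACTION_RE.match(msg)):
            events.append(Event(ts, pid, "action", a.group(1), "", a.group(2), a.group(3)))
        elif (c := COUNT_RE.match(msg)):
            events.append(Event(ts, pid, "count", detail=c.group(1)))
        elif (v := DRIVER_RE.match(msg)):
            events.append(Event(ts, pid, "driver", v.group(1), v.group(2), v.group(3)))
        else:
            events.append(Event(ts, pid, "other", detail=msg))
    return events


def triage(events: list[Event]) -> dict:
    """Summarise what a responder needs: what was flagged on which object,
    which action was chosen, whether the declared count agrees with the
    per-object detections, and the boot-sector hashes for later comparison."""
    detections = [(e.path, e.name) for e in events if e.kind == "detection"]
    actions = {e.path: e.detail for e in events if e.kind == "action"}
    declared = [int(e.detail) for e in events if e.kind == "count"]
    sectors = {e.name: e.md5 for e in events if e.kind == "sector"}
    return {
        "drivers_enumerated": sum(1 for e in events if e.kind == "driver"),
        "detections": detections,
        "actions": actions,
        "count_matches": bool(declared) and declared[-1] == len(detections),
        "mbr_md5": sectors.get("MBR"),
        "boot_md5": sectors.get("Boot"),
        # A cure that is deferred to reboot has not happened yet when the log is saved.
        "pending_reboot": any("will be cured after reboot" in e.detail
                              for e in events if e.kind == "other"),
    }


if __name__ == "__main__":
    for key, value in triage(parse_tdsskiller(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Worth noting against the ComboFix section above: its MBR check reported "user & kernel MBR OK" on the same disk that TDSSKiller flagged, so an MBR that reads identically from user and kernel mode is not by itself evidence that its code is clean.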

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 14 September 2011 - 10:46 PM

Hi

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 awidjaj1

  • Topic Starter
  • Members
  • 12 posts

Posted 15 September 2011 - 10:30 PM

Hi,

Did the 3 scans. Logs below and MBR file attached.


Log from aswMBR:
**************************************************************************************************************************************************
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-15 21:07:35
-----------------------------
21:07:35.296 OS Version: Windows 5.1.2600 Service Pack 3
21:07:35.296 Number of processors: 2 586 0xE08
21:07:35.296 ComputerName: NEWLAPTOP UserName: User
21:07:36.437 Initialize success
21:11:11.671 AVAST engine defs: 11091501
21:11:27.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:11:27.687 Disk 0 Vendor: TOSHIBA_MK6008GAH BU011A Size: 57231MB BusType: 3
21:11:29.734 Disk 0 MBR read successfully
21:11:29.734 Disk 0 MBR scan
21:11:29.796 Disk 0 Windows XP default MBR code
21:11:29.828 Disk 0 scanning sectors +117210240
21:11:29.859 Disk 0 scanning C:\WINDOWS\system32\drivers
21:11:41.421 Service scanning
21:11:42.734 Modules scanning
21:12:00.593 Disk 0 trace - called modules:
21:12:00.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:12:00.609 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x864f4ab8]
21:12:00.609 3 CLASSPNP.SYS[f761efd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x864f5d98]
21:12:01.484 AVAST engine scan C:\WINDOWS
21:12:22.000 AVAST engine scan C:\WINDOWS\system32
21:14:31.437 AVAST engine scan C:\WINDOWS\system32\drivers
21:14:45.796 AVAST engine scan C:\Documents and Settings\User
21:19:32.843 AVAST engine scan C:\Documents and Settings\All Users
21:21:55.234 Scan finished successfully
21:33:47.515 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
21:33:47.515 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
**************************************************************************************************************************************************


Log from MBAM:
**************************************************************************************************************************************************
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7725

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/15/2011 9:44:35 PM
mbam-log-2011-09-15 (21-44-35).txt

Scan type: Quick scan
Objects scanned: 160026
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
************************************************************************************************************************************************


Log from ESET:
************************************************************************************************************************************************
C:\Documents and Settings\User\Application Data\521BBD3F930F94C2A1DBA8E5DE6AC92E\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\19\aa89693-502e02fd a variant of Java/Agent.BR trojan
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\30\2c7c219e-6c0468ca probably a variant of Java/Agent.BR trojan
C:\Documents and Settings\User\My Documents\Downloads\VA - The Best Remixes (20-04-2011)\Extras.7z multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\10249\sp.dll.vir a variant of Win32/TrojanProxy.Agent.NHB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\irlsj.exe.vir Win32/Adware.SecurityShield.C application
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir probably a variant of Win32/Wimpixo.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Wimpixo.AL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlpfw32.dll.vir a variant of Win32/Wimpixo.AL trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018389.dll a variant of Win32/Kryptik.OSP trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018396.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018397.exe a variant of Win32/Kryptik.OQS trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018398.exe a variant of Win32/Kryptik.OQD trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018399.dll a variant of Win32/Kryptik.OPZ trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037236.DLL a variant of Win32/TrojanProxy.Agent.NHB trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037237.exe Win32/Adware.SecurityShield.C application
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037240.dll probably a variant of Win32/Wimpixo.AA trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037241.dll a variant of Win32/Wimpixo.AL trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037242.dll a variant of Win32/Wimpixo.AL trojan
***********************************************************************************************************************************************

Attached File: MBR.zip (499 bytes)
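
The ESET log above lists 19 hits, but only four of them are files the user can still touch: the rest are copies already sitting in ComboFix's quarantine folder (C:\Qoobox) or inside System Restore points. The small Python script below is an added example, not code from the thread or from ESET, that parses the scanner's text export and sorts detections into those three buckets; the sample input is constructed from the lines posted above, and the parsing pattern (path, then a verdict of the form "a variant of X trojan", "X application" or "multiple threats") is an assumption based only on the lines shown here.

```python
"""Triage ESET online-scanner detections by where each hit lives.

Added example, not code from the thread or from ESET. Copies in a
quarantine folder or in System Restore points are dormant; only the
"live" bucket needs manual removal (in the thread above, exactly those
four paths went into the CFScript).
"""
import re

# Constructed sample: the ESET detection lines posted in the thread.
ESET_LOG = r"""
C:\Documents and Settings\User\Application Data\521BBD3F930F94C2A1DBA8E5DE6AC92E\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\19\aa89693-502e02fd a variant of Java/Agent.BR trojan
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\30\2c7c219e-6c0468ca probably a variant of Java/Agent.BR trojan
C:\Documents and Settings\User\My Documents\Downloads\VA - The Best Remixes (20-04-2011)\Extras.7z multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\10249\sp.dll.vir a variant of Win32/TrojanProxy.Agent.NHB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\irlsj.exe.vir Win32/Adware.SecurityShield.C application
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir probably a variant of Win32/Wimpixo.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Wimpixo.AL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlpfw32.dll.vir a variant of Win32/Wimpixo.AL trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018389.dll a variant of Win32/Kryptik.OSP trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018396.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018397.exe a variant of Win32/Kryptik.OQS trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018398.exe a variant of Win32/Kryptik.OQD trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP296\A0018399.dll a variant of Win32/Kryptik.OPZ trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037236.DLL a variant of Win32/TrojanProxy.Agent.NHB trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037237.exe Win32/Adware.SecurityShield.C application
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037240.dll probably a variant of Win32/Wimpixo.AA trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037241.dll a variant of Win32/Wimpixo.AL trojan
C:\System Volume Information\_restore{E65B70BA-0E74-4E6B-AAAF-7CD108B51DF9}\RP308\A0037242.dll a variant of Win32/Wimpixo.AL trojan
"""

# Paths contain spaces, so the split point is found by requiring the
# remainder of the line to be one of the verdict shapes seen in the log
# (assumed format; derived from the lines above, not from ESET documentation).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<verdict>"
    r"(?:probably )?a variant of (?P<name1>\S+) \w+"
    r"|(?P<name2>\S+) (?:application|trojan)"
    r"|multiple threats)$"
)


def parse_eset_log(text):
    """Return one dict per detection line; lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "path": m.group("path"),
            "verdict": m.group("verdict"),
            # None for "multiple threats", where no single family is named
            "name": m.group("name1") or m.group("name2"),
        })
    return hits


def location_class(path):
    """Quarantine and restore-point copies are dormant; everything else is live."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:          # ComboFix quarantine folder
        return "quarantine"
    if "\\system volume information\\_restore{" in p:  # System Restore point
        return "restore point"
    return "live"


def triage(text):
    """Group detection paths by location class, preserving log order."""
    buckets = {"live": [], "quarantine": [], "restore point": []}
    for hit in parse_eset_log(text):
        buckets[location_class(hit["path"])].append(hit["path"])
    return buckets


def families(text):
    """Distinct detection names, for a quick picture of what was on the box."""
    return sorted({h["name"] for h in parse_eset_log(text) if h["name"]})


if __name__ == "__main__":
    for bucket, paths in triage(ESET_LOG).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("families:", ", ".join(families(ESET_LOG)))
```

Run as-is it reports 4 live, 5 quarantine and 10 restore-point paths, which is why the reply that follows only targets the four user-profile files; the restore-point copies disappear when System Restore is cleared at the end of a cleanup, and the quarantine copies when ComboFix is uninstalled.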

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:14 PM

Posted 16 September 2011 - 06:25 AM

Hi,

Please do the following:



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\User\Application Data\521BBD3F930F94C2A1DBA8E5DE6AC92E\enemies-names.txt 
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\19\aa89693-502e02fd 
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\30\2c7c219e-6c0468ca 
C:\Documents and Settings\User\My Documents\Downloads\VA - The Best Remixes (20-04-2011)\Extras.7z 

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




NEXT

Please advise how your computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 awidjaj1

awidjaj1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 18 September 2011 - 06:07 PM

Hi,

I tried to scan the computer using ComboFix four times over the weekend but for some reason it is not scanning. Here is what happened each time.

1st Try:
Did what was asked, saved the CFScript file and dragged it onto the ComboFix icon. Everything looked normal. ComboFix loaded, and then it said there was a new version available, so I allowed it to update. After updating, ComboFix started up, created a new restore point, backed up some files to some registry, and then it looked like it started scanning. There was a message on the screen that said it was scanning and that the scan should not take more than 10 minutes but could easily double for badly infected computers. After the message, there was a blinking cursor. So I thought everything was scanning properly. But after more than 30 or 40 minutes, I realized that there was no update. I think I left it for a total of close to 1 hour and I was wondering if the scan was even running. I tried to close the window but the computer froze up so I turned the laptop off.

2nd Try:
After turning the computer back on, tried to scan again. Dragged the CFScript file onto the ComboFix icon. This time it did not ask to update to a newer version. Same thing, backed up some registry, etc, and was at the same spot - the blinking cursor. This time I left it all night. Next morning, still at the same spot - blinking cursor. Tried to close window but froze again. Turned computer off again.

3rd Try:
Turned computer back on. I noticed there were some windows, java, and adobe updates ready for install so this time I updated everything first. Waited for a while to make sure computer was okay before tried scanning again. This time, ComboFix did not ask for a newer version again, and everything was the same until the blinking cursor. This time however, the cursor was not blinking. Left the computer for a few hours but still no progress. Turned off computer again.

4th Try:
The computer was on for a while before I tried scanning again today. This time, ComboFix updated to a newer version and everything was the same as the 1st try but again, it was stuck at the blinking cursor.

Is there something else I need to try? Please help. Thank you.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:14 PM

Posted 18 September 2011 - 09:36 PM

Try running it without the script.

If it won't run in normal mode, try it in safe mode and see if it completes.


Manually navigate to and delete these infected files:

(you will need to show hidden files and folders)

C:\Documents and Settings\User\Application Data\521BBD3F930F94C2A1DBA8E5DE6AC92E\enemies-names.txt
C:\Documents and Settings\User\My Documents\Downloads\VA - The Best Remixes (20-04-2011)\Extras.7z

  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.




To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly;
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safe Mode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account


Delete the Java cache:

Click Start > Control Panel.
Double-click the Java icon in the control panel.
The Java Control Panel appears.
Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.

There are three options on this window to clear the cache.

  • Delete Files
  • View Applications
  • View Applets


Click OK on the Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
Click OK on the Temporary Files Settings window.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 awidjaj1

awidjaj1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 22 September 2011 - 09:10 PM

Hi,

I tried running ComboFix without the script and it still did nothing. I tried it both on the normal windows and in safe mode. Both froze. I deleted the 2 files and the Java cache. What else do I need to do? Thank you.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:14 PM

Posted 22 September 2011 - 09:15 PM

Hi

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy from here and save it to your desktop.

Now do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

"%userprofile%\desktop\combofix.exe" /nombr

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 awidjaj1

awidjaj1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 23 September 2011 - 08:08 PM

Hi,

Downloaded the new ComboFix and it finally scanned. Log below. After the scan, when I opened up IE, a window said that IE was not my default web browser and asked if I wanted to make IE my default browser. I clicked yes and same as the first scan above, the computer froze. Had to restart computer. Just FYI. What should I do next? Thank you.



***************************************************************************************************************************************************
ComboFix 11-09-23.03 - User 09/23/2011 20:37:57.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.500 [GMT -4:00]
Running from: c:\documents and settings\User\desktop\combofix.exe
Command switches used :: /nombr
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Application Data\PriceGong
c:\documents and settings\User\Application Data\PriceGong\Data\1.xml
c:\documents and settings\User\Application Data\PriceGong\Data\a.xml
c:\documents and settings\User\Application Data\PriceGong\Data\b.xml
c:\documents and settings\User\Application Data\PriceGong\Data\c.xml
c:\documents and settings\User\Application Data\PriceGong\Data\d.xml
c:\documents and settings\User\Application Data\PriceGong\Data\e.xml
c:\documents and settings\User\Application Data\PriceGong\Data\f.xml
c:\documents and settings\User\Application Data\PriceGong\Data\g.xml
c:\documents and settings\User\Application Data\PriceGong\Data\h.xml
c:\documents and settings\User\Application Data\PriceGong\Data\i.xml
c:\documents and settings\User\Application Data\PriceGong\Data\j.xml
c:\documents and settings\User\Application Data\PriceGong\Data\k.xml
c:\documents and settings\User\Application Data\PriceGong\Data\l.xml
c:\documents and settings\User\Application Data\PriceGong\Data\m.xml
c:\documents and settings\User\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\User\Application Data\PriceGong\Data\n.xml
c:\documents and settings\User\Application Data\PriceGong\Data\o.xml
c:\documents and settings\User\Application Data\PriceGong\Data\p.xml
c:\documents and settings\User\Application Data\PriceGong\Data\q.xml
c:\documents and settings\User\Application Data\PriceGong\Data\r.xml
c:\documents and settings\User\Application Data\PriceGong\Data\s.xml
c:\documents and settings\User\Application Data\PriceGong\Data\t.xml
c:\documents and settings\User\Application Data\PriceGong\Data\u.xml
c:\documents and settings\User\Application Data\PriceGong\Data\v.xml
c:\documents and settings\User\Application Data\PriceGong\Data\w.xml
c:\documents and settings\User\Application Data\PriceGong\Data\x.xml
c:\documents and settings\User\Application Data\PriceGong\Data\y.xml
c:\documents and settings\User\Application Data\PriceGong\Data\z.xml
c:\windows\system32\d3d9caps.dat
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-20 18:32 . 2011-09-20 18:32 -------- d--h--w- c:\windows\PIF
2011-09-17 13:48 . 2011-09-17 13:48 -------- d-----w- c:\program files\Common Files\Java
2011-09-16 01:55 . 2011-09-16 01:55 -------- d-----w- c:\program files\ESET
2011-09-16 01:35 . 2011-09-16 01:35 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-09-16 01:35 . 2011-09-16 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-16 01:35 . 2011-09-16 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-16 01:35 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2008-04-13 23:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2008-04-13 23:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-13 23:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-13_00.55.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-24 00:47 . 2011-09-24 00:47 16384 c:\windows\Temp\Perflib_Perfdata_298.dat
+ 2008-04-13 23:00 . 2011-09-23 21:54 40394 c:\windows\system32\perfc009.dat
- 2008-04-13 23:00 . 2011-09-13 00:58 40394 c:\windows\system32\perfc009.dat
+ 2008-04-13 23:00 . 2011-09-23 21:54 312172 c:\windows\system32\perfh009.dat
- 2008-04-13 23:00 . 2011-09-13 00:58 312172 c:\windows\system32\perfh009.dat
+ 2011-09-17 13:47 . 2011-05-04 08:52 157472 c:\windows\system32\javaws.exe
- 2010-12-29 13:02 . 2010-11-12 23:53 157472 c:\windows\system32\javaws.exe
+ 2011-09-17 13:47 . 2011-05-04 08:52 145184 c:\windows\system32\javaw.exe
- 2010-12-29 13:02 . 2010-11-12 23:53 145184 c:\windows\system32\javaw.exe
- 2010-12-29 13:02 . 2010-11-12 23:53 145184 c:\windows\system32\java.exe
+ 2011-09-17 13:47 . 2011-05-04 08:52 145184 c:\windows\system32\java.exe
- 2008-04-13 23:00 . 2011-09-03 10:17 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2008-04-13 23:00 . 2011-09-09 09:12 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2010-08-27 02:06 . 2011-05-04 08:52 472808 c:\windows\system32\deployJava1.dll
- 2010-08-27 02:06 . 2010-11-12 23:53 472808 c:\windows\system32\deployJava1.dll
+ 2011-09-17 13:48 . 2011-09-17 13:48 203776 c:\windows\Installer\c5dd5.msi
+ 2011-09-07 23:36 . 2011-09-07 23:36 6069248 c:\windows\Installer\c5dbd.msp
+ 2010-08-26 20:50 . 2011-09-17 13:20 46249416 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 09:49 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBit0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBit0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\Trustworthy1188\EPSON WorkForce 600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE" [2008-03-04 188928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S0 cerc6;cerc6; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 20:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(5404)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-23 20:53:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-24 00:53
ComboFix2.txt 2011-09-15 01:09
ComboFix3.txt 2011-09-13 01:03
.
Pre-Run: 48,819,085,312 bytes free
Post-Run: 49,073,610,752 bytes free
.
- - End Of File - - 069D64A0FC5567239A042A0948D0BEFA
*****************************************************************************************************************************************************
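
The "Reg Loading Points" section of the ComboFix log above is written in REGEDIT4 style: a [key] header, then "name"="value" lines with ComboFix's [date size] suffix, plus a bare "date time size attrs path" line under the Browser Helper Objects key. The useful triage move is to pivot that section on module path, which makes it obvious when one DLL is wired into several Internet Explorer extension points at once (prxtbBit0.dll appears under URLSearchHooks, Browser Helper Objects and both Toolbar keys). The script below is an added example, not code from the thread or from ComboFix; its sample input is an excerpt constructed from the log lines above, and the line formats it recognises are assumed from those lines only.

```python
"""Pivot ComboFix's "Reg Loading Points" section on module path.

Added example, not code from the thread or from ComboFix. It lists, for
every module the section references, the registry keys that load it, and
separately counts references from Internet Explorer extension points
(URLSearchHooks, Browser Helper Objects, Toolbar).
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the Reg Loading Points section posted above.
REG_LOADING_POINTS = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 09:49 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBit0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit0.dll" [2011-05-09 176936]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBit0.dll" [2011-05-09 176936]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\Trustworthy1188\EPSON WorkForce 600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE" [2008-03-04 188928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"""

# Line shapes assumed from the log excerpt above.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"=\s*"(?P<value>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$'
)
MODULE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<value>.+?)\s*$")

IE_HOOK_MARKERS = ("urlsearchhooks", "browser helper objects", "internet explorer\\toolbar")


def parse_loading_points(text):
    """Return (key, value_name, module_path) for every entry under a [key] header.

    value_name is None for the bare module line ComboFix prints under BHO keys.
    """
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "." or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line) or MODULE_RE.match(line)
        if m:
            entries.append((key, m.groupdict().get("name"), m.group("value")))
    return entries


def modules_by_path(entries):
    """Map each referenced module (case-folded path) to the keys that load it."""
    by_path = defaultdict(list)
    for key, _name, value in entries:
        by_path[value.lower()].append(key)
    return dict(by_path)


def ie_extension_modules(entries):
    """Modules referenced from IE extension points, with how many such keys load them."""
    counts = defaultdict(int)
    for key, _name, value in entries:
        if any(marker in key.lower() for marker in IE_HOOK_MARKERS):
            counts[value.lower()] += 1
    return dict(counts)


def run_entries(entries):
    """Plain autostart entries from the HKCU/HKLM ...\\CurrentVersion\\Run keys."""
    return [e for e in entries if e[0].lower().endswith("\\currentversion\\run")]


if __name__ == "__main__":
    parsed = parse_loading_points(REG_LOADING_POINTS)
    for path, keys in modules_by_path(parsed).items():
        print(f"{path}  <- {len(keys)} key(s)")
        for k in keys:
            print("    ", k)
    print("IE extension-point modules:", ie_extension_modules(parsed))
    print("Run entries:", len(run_entries(parsed)))
```

On the excerpt, prxtbBit0.dll is the only module loaded from four different keys and the only one referenced from IE extension points at all; ordinary Run-key autostarts each show up once under a single key, which is the baseline an analyst compares against.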

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:14 PM

Posted 23 September 2011 - 08:18 PM

Please re-run TDSSKiller now; I want to make sure it comes back clean.

Then run the following, as IE may be locked down:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 awidjaj1

awidjaj1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 23 September 2011 - 10:11 PM

Hi,

Did the 2 scans. TDSS did not find anything. I am not sure if Junction scanned or not because the log mentioned that access to some files or folders was denied. Anyway, logs are below. Please let me know what to do next. Thank you.



Log from TDSS Scan:
****************************************************************************************************************************************************
22:40:43.0515 1796 TDSS rootkit removing tool 2.6.0.0 Sep 23 2011 07:42:37
22:40:43.0937 1796 ============================================================
22:40:43.0937 1796 Current date / time: 2011/09/23 22:40:43.0937
22:40:43.0937 1796 SystemInfo:
22:40:43.0937 1796
22:40:43.0937 1796 OS Version: 5.1.2600 ServicePack: 3.0
22:40:43.0937 1796 Product type: Workstation
22:40:43.0937 1796 ComputerName: NEWLAPTOP
22:40:43.0937 1796 UserName: User
22:40:43.0937 1796 Windows directory: C:\WINDOWS
22:40:43.0937 1796 System windows directory: C:\WINDOWS
22:40:43.0937 1796 Processor architecture: Intel x86
22:40:43.0937 1796 Number of processors: 2
22:40:43.0937 1796 Page size: 0x1000
22:40:43.0937 1796 Boot type: Normal boot
22:40:43.0937 1796 ============================================================
22:40:45.0828 1796 Initialize success
22:40:58.0406 2788 ============================================================
22:40:58.0406 2788 Scan started
22:40:58.0406 2788 Mode: Manual;
22:40:58.0406 2788 ============================================================
22:40:58.0937 2788 Abiosdsk - ok
22:40:58.0968 2788 abp480n5 - ok
22:40:59.0125 2788 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:40:59.0125 2788 ACPI - ok
22:40:59.0234 2788 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:40:59.0234 2788 ACPIEC - ok
22:40:59.0328 2788 adpu160m - ok
22:40:59.0437 2788 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:40:59.0437 2788 aec - ok
22:40:59.0562 2788 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
22:40:59.0562 2788 AFD - ok
22:40:59.0656 2788 Aha154x - ok
22:40:59.0671 2788 aic78u2 - ok
22:40:59.0687 2788 aic78xx - ok
22:40:59.0718 2788 AliIde - ok
22:40:59.0734 2788 amsint - ok
22:40:59.0781 2788 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
22:40:59.0796 2788 APPDRV - ok
22:40:59.0921 2788 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:40:59.0921 2788 Arp1394 - ok
22:41:00.0015 2788 asc - ok
22:41:00.0031 2788 asc3350p - ok
22:41:00.0046 2788 asc3550 - ok
22:41:00.0078 2788 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:41:00.0078 2788 AsyncMac - ok
22:41:00.0218 2788 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:41:00.0218 2788 atapi - ok
22:41:00.0296 2788 Atdisk - ok
22:41:00.0343 2788 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:41:00.0343 2788 Atmarpc - ok
22:41:00.0468 2788 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:41:00.0468 2788 audstub - ok
22:41:00.0546 2788 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
22:41:00.0546 2788 b57w2k - ok
22:41:00.0687 2788 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:41:00.0687 2788 Beep - ok
22:41:00.0875 2788 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
22:41:00.0890 2788 BthEnum - ok
22:41:01.0031 2788 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
22:41:01.0031 2788 BthPan - ok
22:41:01.0203 2788 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
22:41:01.0218 2788 BTHPORT - ok
22:41:01.0375 2788 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
22:41:01.0375 2788 BTHUSB - ok
22:41:01.0578 2788 catchme - ok
22:41:01.0734 2788 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:41:01.0750 2788 cbidf2k - ok
22:41:01.0890 2788 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:41:01.0890 2788 CCDECODE - ok
22:41:01.0921 2788 cd20xrnt - ok
22:41:02.0062 2788 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:41:02.0062 2788 Cdaudio - ok
22:41:26.0453 2788 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:41:26.0687 2788 \Device\Harddisk0\DR0 - ok
22:41:26.0703 2788 Boot (0x1200) (6967c677866620c04602c66e3cc98cb2) \Device\Harddisk0\DR0\Partition0
22:41:26.0703 2788 \Device\Harddisk0\DR0\Partition0 - ok
22:41:26.0703 2788 ============================================================
22:41:26.0703 2788 Scan finished
22:41:26.0703 2788 ============================================================
22:41:26.0718 1064 Detected object count: 0
22:41:26.0718 1064 Actual detected object count: 0
22:44:32.0953 3844 Deinitialize success

****************************************************************************************************************************************************

Log from Junction Scan:
***************************************************************************************************************************************************

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

No reparse points found.

***************************************************************************************************************************************************