
Is there Win32/Eyesty.N residue after removal?


12 replies to this topic

#1 AndrewSFTSN (Members, 6 posts)

Posted 16 September 2011 - 05:10 PM

Hello all:

Yesterday I received a message from Microsoft Security Essentials telling me that it had detected the trojan Win32/Eyesty.c!cfg, which I then quarantined and removed. This happened three times in succession.

So I ran Malwarebytes, which told me it had found an infected Registry Key (Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\exqonczctruceg (Malware.Trace) -> Quarantined and deleted successfully.)

I thought everything was fine, but then several hours later Microsoft Security Essentials informed me of two more trojans, WIN32/Eyesty.N.

I ran another scan and all three programs said everything is clear, but after quickly googling the name of this Trojan I'm very worried about its activity and what it may have left behind. Apparently it involves keylogs with internet banking, here is the information that spooked me: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aWin32%2fEyeStye.N&threatid=2147645167

EDIT: Something else that has just occurred to me recently is that I have been having trouble with being granted permission to certain folders I have made. Before all of this occurred, I had various folders I created myself tell me I did not have permission to delete them. This is the only user account on the machine.

I'd appreciate any input, thanks a lot.

I'm running Windows 7, 32 Bit OS on a Samsung Laptop...

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Run by Andrew at 22:05:37 on 2011-09-16
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.2160 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F1150705-6652-4ABF-9BA0-0083811E2A81} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\jbyai0hj.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsla62ff8f0;MpKsla62ff8f0;c:\programdata\microsoft\microsoft antimalware\definition updates\{63e1f294-7a88-4e11-9a2f-334b8f7bba04}\MpKsla62ff8f0.sys [2011-9-16 28752]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2009-12-5 10752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-12-5 122880]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-8 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-8 1343400]
S4 Lspnlasw;Lspnlasw; [x]
.
=============== Created Last 30 ================
.
2011-09-16 21:01:43 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{63e1f294-7a88-4e11-9a2f-334b8f7bba04}\MpKsla62ff8f0.sys
2011-09-16 19:20:47 -------- d-----w- c:\users\andrew\appdata\local\Safe mirror
2011-09-16 19:20:25 -------- d-----w- c:\program files\Cobian Backup 10
2011-09-15 21:39:01 7152464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{63e1f294-7a88-4e11-9a2f-334b8f7bba04}\mpengine.dll
2011-09-08 13:06:35 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{06981cf7-1c04-41b3-95ad-22fafa639d1a}\gapaengine.dll
2011-08-29 20:51:01 -------- d-----w- c:\users\andrew\appdata\roaming\Azureus
2011-08-29 20:49:46 -------- d-----w- c:\users\andrew\appdata\local\Conduit
2011-08-25 09:58:53 -------- d-----w- c:\program files\GOG.com
2011-08-24 15:04:00 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M ====================
.
2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:26:10 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-23 04:38:05 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-23 04:38:04 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-21 05:39:53 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-21 05:36:36 981504 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 05:35:05 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-21 04:26:02 386048 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 22:06:54.48 ===============

Edited by AndrewSFTSN, 16 September 2011 - 05:14 PM.
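An added example, not code from the thread or from the DDS tool: a small Python triage script that reads the Pseudo HJT Report and SERVICES / DRIVERS sections of a DDS log like the one above and lists the entries a reviewer reads twice, namely registry entries whose target is marked "No File", services where DDS prints [x] in place of a binary path, and the mPolicies-system UAC values. The sample log is an abridged excerpt of the one posted above; the finding names are the script's own.

```python
import re
from typing import Dict, List

# Constructed sample: an abridged excerpt of the DDS log posted above
# (Pseudo HJT Report and SERVICES / DRIVERS sections only).
SAMPLE_DDS_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-8 54632]
S4 Lspnlasw;Lspnlasw; [x]
.
============= FINISH: 22:06:54.48 ===============
"""

# DDS section banners look like "======= Pseudo HJT Report =======".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# HijackThis-style entries end in "- No File" when the registry entry still
# points at a DLL or hook that is no longer on disk (an orphaned entry).
ORPHAN_RE = re.compile(r"^([A-Za-z]+): (.*) - No File$")
# Machine-wide UAC policy values (mPolicies-system = HKLM Policies\System).
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
# Service lines: "<state> <name>;<display name>;<path> [<date> <size>]".
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")

# Policy values that weaken User Account Control, and what each one means.
WEAK_POLICY_VALUES = {
    "EnableLUA": (0, "UAC is disabled"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not shown on the secure desktop"),
}


def triage_dds(log_text: str) -> Dict[str, List[str]]:
    """Return the log entries a reviewer looks at twice, grouped by kind."""
    findings: Dict[str, List[str]] = {"orphaned": [], "missing_service_file": [], "uac": []}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS separates blocks with "." lines
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section == "Pseudo HJT Report":
            orphan = ORPHAN_RE.match(line)
            if orphan:
                findings["orphaned"].append(f"{orphan.group(1)}: {orphan.group(2)}")
                continue
            policy = POLICY_RE.match(line)
            if policy:
                name, value = policy.group(1), int(policy.group(2))
                weak = WEAK_POLICY_VALUES.get(name)
                if weak and value == weak[0]:
                    findings["uac"].append(f"{name} = {value}: {weak[1]}")
        elif section == "SERVICES / DRIVERS":
            service = SERVICE_RE.match(line)
            # DDS prints "[x]" in place of the path when the binary is not found.
            if service and service.group(4).strip() == "[x]":
                findings["missing_service_file"].append(f"{service.group(2)} ({service.group(1)})")
    return findings


if __name__ == "__main__":
    for kind, entries in triage_dds(SAMPLE_DDS_LOG).items():
        print(f"{kind}:")
        for entry in entries:
            print(f"  {entry}")
```

Orphaned entries and relaxed UAC values point at leftovers of uninstalled software and at configuration to review, not by themselves at an active infection.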



#2 nasdaq (Malware Response Team, 39,554 posts, Montreal, QC, Canada)

Posted 21 September 2011 - 09:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your log is clean.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please Download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Please post the logs and let me know if the problem persists.

#3 AndrewSFTSN (Topic Starter, Members, 6 posts)

Posted 21 September 2011 - 12:12 PM

Thanks so much for your help. MBR.dat zipped and attached. PLEASE NOTE: WHEN I RAN ASWMBR.EXE IT ASKED IF I WANTED TO DOWNLOAD SOME OTHER DEFINITIONS. THIS WAS NOT IN YOUR INSTRUCTIONS SO I CLICKED "NO". Hope this is OK.

aswMBR log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-21 17:19:18
-----------------------------
17:19:18.442 OS Version: Windows 6.1.7600
17:19:18.442 Number of processors: 2 586 0x170A
17:19:18.442 ComputerName: ANDREW18091984 UserName: Andrew
17:19:39.674 Initialize success
17:19:57.349 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:19:57.349 Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 305245MB BusType: 3
17:19:57.364 Disk 0 MBR read successfully
17:19:57.380 Disk 0 MBR scan
17:19:57.380 Disk 0 unknown MBR code
17:19:57.380 Disk 0 scanning sectors +625139712
17:19:57.473 Disk 0 scanning C:\windows\system32\drivers
17:20:02.216 Service scanning
17:20:03.745 Service MpKsl152ba1fe C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A2513CCD-8DC0-4F33-8D2B-073C4152504C}\MpKsl152ba1fe.sys **LOCKED** 32
17:20:03.760 Service MpNWMon C:\windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
17:20:04.431 Modules scanning
17:20:13.105 Disk 0 trace - called modules:
17:20:13.136 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
17:20:13.151 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d5d030]
17:20:13.651 3 CLASSPNP.SYS[8c21b59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85f67028]
17:20:13.651 Scan finished successfully
17:20:46.036 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
17:20:46.099 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"

TDSSKiller Report (No reboot was required)

2011/09/21 17:22:16.0953 3452 TDSS rootkit removing tool 2.5.23.0 Sep 20 2011 08:53:10
2011/09/21 17:22:17.0062 3452 ================================================================================
2011/09/21 17:22:17.0062 3452 SystemInfo:
2011/09/21 17:22:17.0062 3452
2011/09/21 17:22:17.0062 3452 OS Version: 6.1.7600 ServicePack: 0.0
2011/09/21 17:22:17.0062 3452 Product type: Workstation
2011/09/21 17:22:17.0062 3452 ComputerName: ANDREW18091984
2011/09/21 17:22:17.0062 3452 UserName: Andrew
2011/09/21 17:22:17.0062 3452 Windows directory: C:\windows
2011/09/21 17:22:17.0062 3452 System windows directory: C:\windows
2011/09/21 17:22:17.0062 3452 Processor architecture: Intel x86
2011/09/21 17:22:17.0062 3452 Number of processors: 2
2011/09/21 17:22:17.0062 3452 Page size: 0x1000
2011/09/21 17:22:17.0062 3452 Boot type: Normal boot
2011/09/21 17:22:17.0062 3452 ================================================================================
2011/09/21 17:22:17.0702 3452 Initialize success
2011/09/21 17:22:27.0359 2060 ================================================================================
2011/09/21 17:22:27.0359 2060 Scan started
2011/09/21 17:22:27.0359 2060 Mode: Manual;
2011/09/21 17:22:27.0359 2060 ================================================================================
2011/09/21 17:22:35.0034 2060 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\windows\system32\drivers\Npfs.sys
2011/09/21 17:22:35.0049 2060 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\windows\system32\drivers\nsiproxy.sys
2011/09/21 17:22:35.0127 2060 Ntfs (3795dcd21f740ee799fb7223234215af) C:\windows\system32\drivers\Ntfs.sys
2011/09/21 17:22:35.0159 2060 Null (f9756a98d69098dca8945d62858a812c) C:\windows\system32\drivers\Null.sys
2011/09/21 17:22:35.0190 2060 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\windows\system32\DRIVERS\nvraid.sys
2011/09/21 17:22:35.0205 2060 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\windows\system32\DRIVERS\nvstor.sys
2011/09/21 17:22:35.0221 2060 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\windows\system32\DRIVERS\nv_agp.sys
2011/09/21 17:22:35.0237 2060 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\windows\system32\DRIVERS\ohci1394.sys
2011/09/21 17:22:35.0299 2060 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\windows\system32\DRIVERS\parport.sys
2011/09/21 17:22:35.0330 2060 partmgr (ff4218952b51de44fe910953a3e686b9) C:\windows\system32\drivers\partmgr.sys
2011/09/21 17:22:35.0346 2060 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\windows\system32\DRIVERS\parvdm.sys
2011/09/21 17:22:35.0393 2060 pci (c858cb77c577780ecc456a892e7e7d0f) C:\windows\system32\DRIVERS\pci.sys
2011/09/21 17:22:35.0408 2060 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\windows\system32\DRIVERS\pciide.sys
2011/09/21 17:22:35.0439 2060 pcmcia (f396431b31693e71e8a80687ef523506) C:\windows\system32\DRIVERS\pcmcia.sys
2011/09/21 17:22:35.0455 2060 pcw (250f6b43d2b613172035c6747aeeb19f) C:\windows\system32\drivers\pcw.sys
2011/09/21 17:22:35.0502 2060 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\windows\system32\drivers\peauth.sys
2011/09/21 17:22:35.0595 2060 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\windows\system32\DRIVERS\raspptp.sys
2011/09/21 17:22:35.0627 2060 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\windows\system32\DRIVERS\processr.sys
2011/09/21 17:22:35.0673 2060 Psched (6270ccae2a86de6d146529fe55b3246a) C:\windows\system32\DRIVERS\pacer.sys
2011/09/21 17:22:35.0720 2060 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\windows\system32\DRIVERS\ql2300.sys
2011/09/21 17:22:35.0767 2060 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\windows\system32\DRIVERS\ql40xx.sys
2011/09/21 17:22:35.0783 2060 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\windows\system32\drivers\qwavedrv.sys
2011/09/21 17:22:35.0798 2060 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\windows\system32\DRIVERS\rasacd.sys
2011/09/21 17:22:35.0861 2060 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\windows\system32\DRIVERS\AgileVpn.sys
2011/09/21 17:22:35.0892 2060 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\windows\system32\DRIVERS\rasl2tp.sys
2011/09/21 17:22:35.0923 2060 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\windows\system32\DRIVERS\raspppoe.sys
2011/09/21 17:22:35.0954 2060 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\windows\system32\DRIVERS\rassstp.sys
2011/09/21 17:22:35.0970 2060 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\windows\system32\DRIVERS\rdbss.sys
2011/09/21 17:22:36.0001 2060 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\windows\system32\DRIVERS\rdpbus.sys
2011/09/21 17:22:36.0032 2060 RDPCDD (1e016846895b15a99f9a176a05029075) C:\windows\system32\DRIVERS\RDPCDD.sys
2011/09/21 17:22:36.0063 2060 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\windows\system32\drivers\rdpencdd.sys
2011/09/21 17:22:36.0079 2060 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\windows\system32\drivers\rdprefmp.sys
2011/09/21 17:22:36.0110 2060 RDPWD (801371ba9782282892d00aadb08ee367) C:\windows\system32\drivers\RDPWD.sys
2011/09/21 17:22:36.0157 2060 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\windows\system32\drivers\rdyboost.sys
2011/09/21 17:22:36.0219 2060 rspndr (032b0d36ad92b582d869879f5af5b928) C:\windows\system32\DRIVERS\rspndr.sys
2011/09/21 17:22:36.0235 2060 RTL8167 (7dfd48e24479b68b258d8770121155a0) C:\windows\system32\DRIVERS\Rt86win7.sys
2011/09/21 17:22:36.0313 2060 rtport (41ce6b172542a9a227e34a45881e1d2a) C:\windows\system32\drivers\rtport.sys
2011/09/21 17:22:36.0375 2060 SABI (6e5fbb7cbaec47038b945d5e9b144a64) C:\windows\system32\Drivers\SABI.sys
2011/09/21 17:22:36.0485 2060 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/21 17:22:36.0500 2060 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/09/21 17:22:36.0547 2060 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\windows\system32\DRIVERS\sbp2port.sys
2011/09/21 17:22:36.0563 2060 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\windows\system32\DRIVERS\scfilter.sys
2011/09/21 17:22:36.0625 2060 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\drivers\secdrv.sys
2011/09/21 17:22:36.0672 2060 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\windows\system32\DRIVERS\serenum.sys
2011/09/21 17:22:36.0719 2060 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\windows\system32\DRIVERS\serial.sys
2011/09/21 17:22:36.0734 2060 sermouse (79bffb520327ff916a582dfea17aa813) C:\windows\system32\DRIVERS\sermouse.sys
2011/09/21 17:22:36.0765 2060 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\windows\system32\DRIVERS\sffdisk.sys
2011/09/21 17:22:36.0781 2060 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\windows\system32\DRIVERS\sffp_mmc.sys
2011/09/21 17:22:36.0812 2060 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\windows\system32\DRIVERS\sffp_sd.sys
2011/09/21 17:22:36.0828 2060 sfloppy (db96666cc8312ebc45032f30b007a547) C:\windows\system32\DRIVERS\sfloppy.sys
2011/09/21 17:22:36.0859 2060 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\windows\system32\DRIVERS\sisagp.sys
2011/09/21 17:22:36.0890 2060 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\windows\system32\DRIVERS\SiSRaid2.sys
2011/09/21 17:22:36.0921 2060 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\windows\system32\DRIVERS\sisraid4.sys
2011/09/21 17:22:36.0937 2060 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
2011/09/21 17:22:36.0968 2060 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
2011/09/21 17:22:37.0031 2060 srv (c4a027b8c0bd3fc0699f41fa5e9e0c87) C:\windows\system32\DRIVERS\srv.sys
2011/09/21 17:22:37.0062 2060 srv2 (414bb592cad8a79649d01f9d94318fb3) C:\windows\system32\DRIVERS\srv2.sys
2011/09/21 17:22:37.0109 2060 srvnet (ff207d67700aa18242aaf985d3e7d8f4) C:\windows\system32\DRIVERS\srvnet.sys
2011/09/21 17:22:37.0140 2060 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
2011/09/21 17:22:37.0187 2060 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\DRIVERS\swenum.sys
2011/09/21 17:22:37.0249 2060 SynTP (215a45246c6e2d0a9c263ce1786c8d8a) C:\windows\system32\DRIVERS\SynTP.sys
2011/09/21 17:22:37.0343 2060 Tcpip (c2daaeb48f3a47c410b041a0d2382ee1) C:\windows\system32\drivers\tcpip.sys
2011/09/21 17:22:37.0389 2060 TCPIP6 (c2daaeb48f3a47c410b041a0d2382ee1) C:\windows\system32\DRIVERS\tcpip.sys
2011/09/21 17:22:37.0452 2060 tcpipreg (e64444523add154f86567c469bc0b17f) C:\windows\system32\drivers\tcpipreg.sys
2011/09/21 17:22:37.0483 2060 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\windows\system32\drivers\tdpipe.sys
2011/09/21 17:22:37.0499 2060 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\windows\system32\drivers\tdtcp.sys
2011/09/21 17:22:37.0530 2060 tdx (cb39e896a2a83702d1737bfd402b3542) C:\windows\system32\DRIVERS\tdx.sys
2011/09/21 17:22:37.0561 2060 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\windows\system32\DRIVERS\termdd.sys
2011/09/21 17:22:37.0608 2060 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\windows\system32\DRIVERS\tssecsrv.sys
2011/09/21 17:22:37.0639 2060 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\windows\system32\DRIVERS\tunnel.sys
2011/09/21 17:22:37.0655 2060 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
2011/09/21 17:22:37.0701 2060 udfs (eb0a7bd4d471ac3ce55564a4c55b9d8e) C:\windows\system32\DRIVERS\udfs.sys
2011/09/21 17:22:37.0748 2060 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\DRIVERS\uliagpkx.sys
2011/09/21 17:22:37.0795 2060 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\windows\system32\DRIVERS\umbus.sys
2011/09/21 17:22:37.0811 2060 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
2011/09/21 17:22:37.0842 2060 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\windows\system32\DRIVERS\usbccgp.sys
2011/09/21 17:22:37.0873 2060 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\DRIVERS\usbcir.sys
2011/09/21 17:22:37.0904 2060 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\windows\system32\DRIVERS\usbehci.sys
2011/09/21 17:22:37.0935 2060 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\windows\system32\DRIVERS\usbhub.sys
2011/09/21 17:22:37.0967 2060 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\windows\system32\DRIVERS\usbohci.sys
2011/09/21 17:22:37.0998 2060 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
2011/09/21 17:22:38.0045 2060 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\windows\system32\DRIVERS\usbscan.sys
2011/09/21 17:22:38.0060 2060 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\windows\system32\DRIVERS\USBSTOR.SYS
2011/09/21 17:22:38.0107 2060 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\windows\system32\DRIVERS\usbuhci.sys
2011/09/21 17:22:38.0154 2060 usbvideo (f642a7e4bf78cfa359cca0a3557c28d7) C:\windows\system32\Drivers\usbvideo.sys
2011/09/21 17:22:38.0201 2060 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\DRIVERS\vdrvroot.sys
2011/09/21 17:22:38.0232 2060 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
2011/09/21 17:22:38.0247 2060 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
2011/09/21 17:22:38.0279 2060 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\windows\system32\DRIVERS\vhdmp.sys
2011/09/21 17:22:38.0294 2060 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\DRIVERS\viaagp.sys
2011/09/21 17:22:38.0325 2060 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
2011/09/21 17:22:38.0341 2060 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\DRIVERS\viaide.sys
2011/09/21 17:22:38.0372 2060 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\windows\system32\DRIVERS\volmgr.sys
2011/09/21 17:22:38.0403 2060 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
2011/09/21 17:22:38.0435 2060 volsnap (58df9d2481a56edde167e51b334d44fd) C:\windows\system32\DRIVERS\volsnap.sys
2011/09/21 17:22:38.0481 2060 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
2011/09/21 17:22:38.0513 2060 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
2011/09/21 17:22:38.0559 2060 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
2011/09/21 17:22:38.0591 2060 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\windows\system32\DRIVERS\vwifimp.sys
2011/09/21 17:22:38.0622 2060 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
2011/09/21 17:22:38.0669 2060 WANARP (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
2011/09/21 17:22:38.0669 2060 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
2011/09/21 17:22:38.0762 2060 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
2011/09/21 17:22:38.0793 2060 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
2011/09/21 17:22:38.0887 2060 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
2011/09/21 17:22:38.0903 2060 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
2011/09/21 17:22:38.0981 2060 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\DRIVERS\wmiacpi.sys
2011/09/21 17:22:39.0027 2060 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
2011/09/21 17:22:39.0074 2060 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\windows\system32\drivers\WudfPf.sys
2011/09/21 17:22:39.0105 2060 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\windows\system32\DRIVERS\WUDFRd.sys
2011/09/21 17:22:39.0168 2060 yukonw7 (30b73eb97218a16cbc6de535782a1b35) C:\windows\system32\DRIVERS\yk62x86.sys
2011/09/21 17:22:39.0230 2060 MBR (0x1B8) (2e5debb2116b3417023e0d6562d7ed07) \Device\Harddisk0\DR0
2011/09/21 17:22:39.0386 2060 Boot (0x1200) (80f1f6505f4f7557f37c3705680228dc) \Device\Harddisk0\DR0\Partition0
2011/09/21 17:22:39.0417 2060 Boot (0x1200) (7a6930ec2951bf0c9a58e4bbd77de6b8) \Device\Harddisk0\DR0\Partition1
2011/09/21 17:22:39.0449 2060 Boot (0x1200) (008ead8084c0acb09c6bc4aef8e44a43) \Device\Harddisk0\DR0\Partition2
2011/09/21 17:22:39.0449 2060 ================================================================================
2011/09/21 17:22:39.0449 2060 Scan finished
2011/09/21 17:22:39.0449 2060 ================================================================================
2011/09/21 17:22:39.0464 1260 Detected object count: 0
2011/09/21 17:22:39.0464 1260 Actual detected object count: 0

Combofix.txt log

ComboFix 11-09-21.03 - Andrew 21/09/2011 17:45:47.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.2151 [GMT 1:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-09-21 16:52 . 2011-09-21 16:53 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2011-09-21 16:52 . 2011-09-21 16:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-21 16:13 . 2011-09-21 16:13 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2513CCD-8DC0-4F33-8D2B-073C4152504C}\MpKsl152ba1fe.sys
2011-09-20 23:43 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2513CCD-8DC0-4F33-8D2B-073C4152504C}\mpengine.dll
2011-09-16 19:20 . 2011-09-16 19:20 -------- d-----w- c:\users\Andrew\AppData\Local\Safe mirror
2011-09-16 19:20 . 2011-09-16 19:20 -------- d-----w- c:\program files\Cobian Backup 10
2011-09-08 13:06 . 2011-01-31 09:48 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{06981CF7-1C04-41B3-95AD-22FAFA639D1A}\gapaengine.dll
2011-08-29 20:51 . 2011-09-15 11:02 -------- d-----w- c:\users\Andrew\AppData\Roaming\Azureus
2011-08-29 20:49 . 2011-08-29 23:44 -------- d-----w- c:\users\Andrew\AppData\Local\Conduit
2011-08-25 09:58 . 2011-08-25 09:58 -------- d-----w- c:\program files\GOG.com
2011-08-24 15:04 . 2011-07-09 04:30 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 16:00 . 2011-04-25 20:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-12 02:44 . 2011-08-11 17:39 7152464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-22 04:56 . 2011-08-11 09:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37 . 2011-08-11 09:11 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34 . 2011-08-11 09:11 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31 . 2011-08-11 09:11 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-13 03:39 . 2011-07-28 14:35 6881616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-09 02:26 . 2011-08-11 09:11 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-03 06:18 . 2011-09-10 07:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-21 8092192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 151064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-2 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 17:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
2005-02-02 04:00 98304 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIADE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 11:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-09-15 22:51 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2009-05-19 22:16 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
R1 MpKsl0234e4bc;MpKsl0234e4bc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2820A464-86D7-4DE4-B54B-464E48DE1D6C}\MpKsl0234e4bc.sys [x]
R1 MpKsl0f597c54;MpKsl0f597c54;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F8E89EC7-D9C5-4BF5-8BD1-99E018C2F807}\MpKsl0f597c54.sys [x]
R1 MpKsl1c593bb0;MpKsl1c593bb0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{92066069-9D5E-479E-9A32-71D84AA75762}\MpKsl1c593bb0.sys [x]
R1 MpKsl1ce2504b;MpKsl1ce2504b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EB2DC565-0EB8-4790-B76E-B70F55A0FA62}\MpKsl1ce2504b.sys [x]
R1 MpKsl2355634d;MpKsl2355634d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9F2E34C6-1BC2-4CBF-9574-A7E71979222E}\MpKsl2355634d.sys [x]
R1 MpKsl2e60e318;MpKsl2e60e318;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2513CCD-8DC0-4F33-8D2B-073C4152504C}\MpKsl2e60e318.sys [x]
R1 MpKsl3a67c7e8;MpKsl3a67c7e8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{406D014B-4F9A-4C81-B866-A958407B3D80}\MpKsl3a67c7e8.sys [x]
R1 MpKsl42f49341;MpKsl42f49341;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E5DBCDE8-854D-4AE4-8CC7-F91781572933}\MpKsl42f49341.sys [x]
R1 MpKsl546a76bf;MpKsl546a76bf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{020FEEE3-D3F6-46CF-A00B-CF1A1BC98975}\MpKsl546a76bf.sys [x]
R1 MpKsl54dba0f2;MpKsl54dba0f2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{43B0E10B-2F18-42FB-A3BE-19DC12B013A7}\MpKsl54dba0f2.sys [x]
R1 MpKsl563bcb77;MpKsl563bcb77;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8954D872-9994-4BC6-808B-B90B8903078B}\MpKsl563bcb77.sys [x]
R1 MpKsl569bfa80;MpKsl569bfa80;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E7A9ECF-FB82-4B41-8147-6E49006FBF65}\MpKsl569bfa80.sys [x]
R1 MpKsl569dba10;MpKsl569dba10;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ED50551D-A28A-4CCF-B2D7-C962E063FC1F}\MpKsl569dba10.sys [x]
R1 MpKsl79dc79c5;MpKsl79dc79c5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0FB596DC-ACA1-4D3E-9E63-DC37C3760B00}\MpKsl79dc79c5.sys [x]
R1 MpKsl98c8a395;MpKsl98c8a395;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4439E9D-6D2F-41AB-86EE-EBBD921532CC}\MpKsl98c8a395.sys [x]
R1 MpKsla3be6959;MpKsla3be6959;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EC5DA7C3-98F9-4111-99ED-AFA17C4D8E60}\MpKsla3be6959.sys [x]
R1 MpKslda89f528;MpKslda89f528;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{020FEEE3-D3F6-46CF-A00B-CF1A1BC98975}\MpKslda89f528.sys [x]
R1 MpKslf7c149f4;MpKslf7c149f4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{007549AA-213A-4988-B4E1-A22F5F1FA6D1}\MpKslf7c149f4.sys [x]
R1 MpKslfd9804f9;MpKslfd9804f9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4439E9D-6D2F-41AB-86EE-EBBD921532CC}\MpKslfd9804f9.sys [x]
R1 MpKslfdcc26b2;MpKslfdcc26b2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{406D014B-4F9A-4C81-B866-A958407B3D80}\MpKslfdcc26b2.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-08 1343400]
R4 Lspnlasw;Lspnlasw; [x]
S1 MpKsl152ba1fe;MpKsl152ba1fe;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2513CCD-8DC0-4F33-8D2B-073C4152504C}\MpKsl152ba1fe.sys [2011-09-21 28752]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 95514239
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPKSL152BA1FE
*Deregistered* - 95514239
*Deregistered* - aswMBR
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\jbyai0hj.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-CLMLServer - c:\program files\CyberLink\Power2Go\CLMLSvc.exe
MSConfigStartUp-PDVD8LanguageShortcut - c:\program files\CyberLink\PowerDVD8\Language\Language.exe
MSConfigStartUp-RemoteControl8 - c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-UpdateLBPShortCut - c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdateP2GoShortCut - c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePDRShortCut - c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePPShortCut - c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePSTShortCut - c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\01\1d\142\13?"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-21 17:55:24
ComboFix-quarantined-files.txt 2011-09-21 16:55
.
Pre-Run: 13,724,192,768 bytes free
Post-Run: 16,280,330,240 bytes free
.
- - End Of File - - 57F5740E078963C65F15BCF5468E1FF4

Attached Files

  • MBR.zip (524 bytes)


#4 nasdaq

  • Malware Response Team
  • 39,554 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 September 2011 - 05:47 PM

Now run the aswMBR.exe tool. Select the FixMBR button.

Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Post the log.
===

Open notepad and copy/paste the text in the quote box below into it:


Driver::
MpKsl0234e4bc
MpKsl0f597c54
MpKsl1c593bb0
MpKsl1ce2504b
MpKsl2355634d
MpKsl2e60e318
MpKsl3a67c7e8
MpKsl42f49341
MpKsl546a76bf
MpKsl54dba0f2
MpKsl563bcb77
MpKsl569bfa80
MpKsl569dba10
MpKsl79dc79c5
MpKsl98c8a395
MpKsla3be6959
MpKslda89f528
MpKslf7c149f4
MpKslfd9804f9
MpKslfdcc26b2
Lspnlasw



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

Post the logs and let me know what problem persists.

#5 AndrewSFTSN

  • Topic Starter
  • Members
  • 6 posts

Posted 21 September 2011 - 05:57 PM

After running the FixMBR button the message is "Disk 0 Windows 601 Fixed Successfully". It doesn't seem to have done anything else. Should I reboot?

#6 nasdaq

  • Malware Response Team
  • 39,554 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 September 2011 - 06:31 PM

No problems if you do.

Continue with the rest of the ComboFix Script.

#7 AndrewSFTSN

  • Topic Starter
  • Members
  • 6 posts

Posted 21 September 2011 - 06:44 PM

Ok, have done now.

aswMBR Log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-21 23:53:28
-----------------------------
23:53:28.737 OS Version: Windows 6.1.7600
23:53:28.737 Number of processors: 2 586 0x170A
23:53:28.739 ComputerName: ANDREW18091984 UserName: Andrew
23:53:29.241 Initialize success
23:54:14.827 Verifying
23:54:24.841 Disk 0 Windows 601 MBR fixed successfully
00:00:44.446 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
00:00:44.447 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR2.txt"




Combofix Log:

ComboFix 11-09-21.04 - Andrew 22/09/2011 0:17.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.1981 [GMT 1:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL0234E4BC
-------\Legacy_MPKSL0F597C54
-------\Legacy_MPKSL1C593BB0
-------\Legacy_MPKSL1CE2504B
-------\Legacy_MPKSL2355634D
-------\Legacy_MPKSL2E60E318
-------\Legacy_MPKSL3A67C7E8
-------\Legacy_MPKSL42F49341
-------\Legacy_MPKSL546A76BF
-------\Legacy_MPKSL54DBA0F2
-------\Legacy_MPKSL563BCB77
-------\Legacy_MPKSL569BFA80
-------\Legacy_MPKSL569DBA10
-------\Legacy_MPKSL79DC79C5
-------\Legacy_MPKSL98C8A395
-------\Legacy_MPKSLA3BE6959
-------\Legacy_MPKSLDA89F528
-------\Legacy_MPKSLF7C149F4
-------\Legacy_MPKSLFD9804F9
-------\Legacy_MPKSLFDCC26B2
-------\Service_Lspnlasw
-------\Service_MpKsl0234e4bc
-------\Service_MpKsl0f597c54
-------\Service_MpKsl1c593bb0
-------\Service_MpKsl1ce2504b
-------\Service_MpKsl2355634d
-------\Service_MpKsl2e60e318
-------\Service_MpKsl3a67c7e8
-------\Service_MpKsl42f49341
-------\Service_MpKsl546a76bf
-------\Service_MpKsl54dba0f2
-------\Service_MpKsl563bcb77
-------\Service_MpKsl569bfa80
-------\Service_MpKsl569dba10
-------\Service_MpKsl79dc79c5
-------\Service_MpKsl98c8a395
-------\Service_MpKsla3be6959
-------\Service_MpKslda89f528
-------\Service_MpKslf7c149f4
-------\Service_MpKslfd9804f9
-------\Service_MpKslfdcc26b2
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-09-21 23:26 . 2011-09-21 23:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-21 23:26 . 2011-09-21 23:26 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-09-21 23:12 . 2011-09-21 23:12 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A954654E-BC82-4272-9393-213835B58D2D}\MpKsl78adfaba.sys
2011-09-21 16:56 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A954654E-BC82-4272-9393-213835B58D2D}\mpengine.dll
2011-09-21 16:55 . 2011-09-21 23:28 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2011-09-16 19:20 . 2011-09-16 19:20 -------- d-----w- c:\users\Andrew\AppData\Local\Safe mirror
2011-09-16 19:20 . 2011-09-16 19:20 -------- d-----w- c:\program files\Cobian Backup 10
2011-09-08 13:06 . 2011-01-31 09:48 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{06981CF7-1C04-41B3-95AD-22FAFA639D1A}\gapaengine.dll
2011-08-29 20:51 . 2011-09-15 11:02 -------- d-----w- c:\users\Andrew\AppData\Roaming\Azureus
2011-08-29 20:49 . 2011-08-29 23:44 -------- d-----w- c:\users\Andrew\AppData\Local\Conduit
2011-08-25 09:58 . 2011-08-25 09:58 -------- d-----w- c:\program files\GOG.com
2011-08-24 15:04 . 2011-07-09 04:30 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 16:00 . 2011-04-25 20:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-12 02:44 . 2011-08-11 17:39 7152464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-22 04:56 . 2011-08-11 09:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37 . 2011-08-11 09:11 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34 . 2011-08-11 09:11 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31 . 2011-08-11 09:11 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 09:11 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-13 03:39 . 2011-07-28 14:35 6881616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-09 02:26 . 2011-08-11 09:11 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-03 06:18 . 2011-09-10 07:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-21 8092192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 151064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-2 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 17:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
2005-02-02 04:00 98304 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIADE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 11:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-09-15 22:51 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2009-05-19 22:16 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-08 1343400]
S1 MpKsl78adfaba;MpKsl78adfaba;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A954654E-BC82-4272-9393-213835B58D2D}\MpKsl78adfaba.sys [2011-09-21 28752]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\jbyai0hj.default\
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\01\1d\142\13?"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\taskhost.exe
c:\program files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
c:\program files\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-09-22 00:36:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-21 23:36
ComboFix2.txt 2011-09-21 16:55
.
Pre-Run: 16,481,808,384 bytes free
Post-Run: 16,130,469,888 bytes free
.
- - End Of File - - 91D69F569B335940E0CAF459D7C5D1C8
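Three items in the ComboFix log above deserve more attention than a scan summary gives them. The policies\system block shows EnableLUA=0, ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0: UAC is switched off (Security Check later confirms "UAC is disabled!"), and even if it were on, the other two values would let the only account on the machine elevate silently. The Gmer section reports "user != kernel MBR !!!", but the same section shows the user-mode read of \\.\PHYSICALDRIVE0 failed because another process had the disk open, so that mismatch is not evidence of an MBR rootkit on its own. Two keys are listed under LOCKED REGISTRY KEYS, one with an explicit Deny ACE for Everyone. The script below is an added example, not part of the thread and not ComboFix or aswMBR code: it reads a ComboFix log and prints those findings. It assumes the Windows 7 default UAC values (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1), which the thread does not state, and its sample input is constructed from lines quoted above.

```python
import re

# Windows 7 stock values for the UAC entries ComboFix lists. An assumption of
# this example (the thread does not state them), but it is the documented
# default: UAC on, administrators prompted, prompt shown on the secure desktop.
UAC_EXPECTED = {
    "EnableLUA": 1,                   # 0 = UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = administrators elevate silently
    "PromptOnSecureDesktop": 1,       # 0 = prompts not on the secure desktop
}

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\01\1d\142\13?"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
"""


def parse_reg_blocks(log):
    """Turn ComboFix's REGEDIT4-style [key] blocks into {key: {name: value}}.
    A '.' line ends a block; dashed headers are recorded per block as '@section'."""
    blocks, current, section = {}, None, ""
    for line in log.splitlines():
        header = re.match(r"^-+\s*(.+?)\s*-+$", line)
        if header:
            section = header.group(1)
            continue
        key = re.match(r"^\[(HKEY_[^\]]+)\]\s*$", line)
        if key:
            current = key.group(1)
            blocks[current] = {"@section": section}
            continue
        if line.strip() == ".":
            current = None
        elif current is not None:
            value = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
            denied = re.match(r"^@(Denied:.*)$", line)
            if value:
                blocks[current][value.group(1)] = value.group(2).strip()
            elif denied:
                blocks[current]["@acl"] = denied.group(1).strip()
    return blocks


def uac_findings(blocks):
    """Compare the policies/system block against UAC_EXPECTED."""
    findings = []
    for key, values in blocks.items():
        if not key.lower().endswith(r"\policies\system"):
            continue
        for name, expected in UAC_EXPECTED.items():
            parts = values.get(name, "").split()  # ComboFix prints "0 (0x0)"
            if not parts or not parts[0].isdigit():
                continue
            actual = int(parts[0])
            if actual != expected:
                findings.append(f"UAC weakened: {name}={actual} (Windows 7 default {expected})")
    return findings


def mbr_findings(log):
    """Flag the Gmer user/kernel MBR mismatch, with the caveat the log itself gives."""
    lines = {l.strip() for l in log.splitlines()}
    if "user != kernel MBR !!!" not in lines:
        return []
    msg = ("MBR: user-mode and kernel-mode reads of the MBR differ "
           "(possible MBR hook or rootkit; confirm with aswMBR or an offline read)")
    if "user: error reading MBR" in lines:
        msg += "; caveat: the user-mode read failed, so the comparison is unreliable"
    return [msg]


def locked_key_findings(blocks):
    """List keys printed under LOCKED REGISTRY KEYS, with the Deny ACE if shown."""
    return [f"Locked key {key}" + (f": {v['@acl']}" if "@acl" in v else "")
            for key, v in blocks.items() if v.get("@section") == "LOCKED REGISTRY KEYS"]


def triage(log):
    """All findings for one ComboFix log, most important first."""
    blocks = parse_reg_blocks(log)
    return uac_findings(blocks) + mbr_findings(log) + locked_key_findings(blocks)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To use it on a real run, read the saved ComboFix.txt and pass its contents to triage() in place of SAMPLE_LOG. The script only surfaces the locked keys; deciding whether one is malicious still needs a manual look, and in this thread the helper did not act on either of them.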

#8 nasdaq (Malware Response Team)

Posted 22 September 2011 - 06:43 AM

Looking good.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Any remaining issues?

#9 AndrewSFTSN (Topic Starter)

Posted 22 September 2011 - 06:52 AM

Results of screen317's Security Check version 0.99.18
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 23
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.1.102.64
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````

#10 AndrewSFTSN (Topic Starter)

Posted 22 September 2011 - 06:53 AM

Everything seems to be running alright. Any suggestions on how to avoid a repeat performance, ways to check downloaded programs for safety etc?

#11 nasdaq (Malware Response Team)

Posted 22 September 2011 - 07:29 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 version, download jre-6u27-windows-x64.exe instead. Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 23

===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10 ... Flash Player for Android update to Adobe Flash Player for Android 10.3.186.7

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

When all is well.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used to clean this computer.

Surf Safely, and Think Prevention!
===
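The Security Check output in post #9 already prints "Out of date", but it is worth being able to redo that comparison against a baseline you control, for instance after the Java and Flash updates described above. The function below is an added example, not Security Check's own logic and not from the thread: it parses the Java and Flash lines from that output and compares them, as integer tuples, with the versions the post above names as current (Java SE 6 Update 27 and Flash Player 10.3.183.10). That baseline is the thread's September 2011 one, hard-coded only to match the discussion; the sample input is constructed from post #9.

```python
import re

# Versions the post above names as current in September 2011: Java SE 6 Update 27
# and Flash Player 10.3.183.10. Hard-coded to match the thread only; replace with
# the builds current when you run this.
BASELINE = {
    "Java": (6, 27),
    "Adobe Flash Player": (10, 3, 183, 10),
}

# Constructed sample: the relevant lines of the Security Check output posted above.
SAMPLE_CHECKUP = """\
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 23
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.1.102.64
Mozilla Firefox (x86 en-GB..)
"""


def installed_versions(checkup_text):
    """Pull the Java and Flash builds out of Security Check output as int tuples.

    Java is reported as '<major> Update <n>'; Security Check prints a trademark
    sign after the word Java, which the regex skips. Flash is a dotted build.
    """
    found = {}
    java = re.search(r"^Java\S*\s+(\d+)\s+Update\s+(\d+)\s*$", checkup_text, re.M)
    if java:
        found["Java"] = (int(java.group(1)), int(java.group(2)))
    flash = re.search(r"^Adobe Flash Player\s+(\d+(?:\.\d+)+)\s*$", checkup_text, re.M)
    if flash:
        found["Adobe Flash Player"] = tuple(int(p) for p in flash.group(1).split("."))
    return found


def outdated(checkup_text, baseline=BASELINE):
    """Return {product: (installed, required)} for each product below the baseline.

    Tuples compare element by element, so 10.1.102.64 < 10.3.183.10 works without
    string tricks; a build with fewer components sorts before a longer one with the
    same prefix, which is the conservative direction for a patch check.
    """
    below = {}
    for product, installed in installed_versions(checkup_text).items():
        required = baseline.get(product)
        if required is not None and installed < required:
            below[product] = (installed, required)
    return below


if __name__ == "__main__":
    for product, (have, need) in outdated(SAMPLE_CHECKUP).items():
        print(f"{product}: installed {have}, need at least {need}")
```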

#12 nasdaq (Malware Response Team)

Posted 24 September 2011 - 09:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#13 nasdaq (Malware Response Team)

Posted 24 September 2011 - 09:50 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



