Win7 malware, browser redirection


15 replies to this topic

#1 TheSkeward

TheSkeward

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:36 AM

Posted 17 September 2011 - 04:51 PM

I tried to run GMER as I'm on Win7 32-bit. It downloaded and unzipped with no problems, but after I ran it the first time it immediately closed and refused to reopen because I need admin access. This is strange because I'm the admin account. It wouldn't let me overwrite, rename, or delete the gmer.exe file.

Here's the DDS.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.0.0
Run by TheSkeward at 16:36:30 on 2011-09-17
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3575.2134 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\835460608:4292948942.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Cobian Backup 10\cbService.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Program Files\Gizmo\gservice.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Splashtop\Splashtop Connect\BackService.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\Program Files\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\VistaSwitcher\vswitch.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SupportSpace\Support Platform\SupportCenter.exe
C:\Program Files\Gizmo\gizmo.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [VistaSwitcher] "c:\program files\vistaswitcher\vswitch.exe" /startup
uRun: [Sysinternals Desktops] c:\users\theskeward\documents\desktops[1]\Desktops.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Google Update] "c:\users\theskeward\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SupportCenter] "c:\program files\supportspace\support platform\SupportCenter.exe" /autostart
uRun: [GizmoDriveDelegate] "c:\program files\gizmo\gizmo.exe" /RemountStartupImages
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZyngaGamesAgent] "c:\program files\splashtop\splashtop connect\ZyngaGamesAgent.exe"
mRun: [STCAgent] "c:\program files\splashtop\splashtop connect ie\STCAgent.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRunOnce: [EasyTuneVI] c:\program files\gigabyte\et6\ETCall.exe
StartupFolder: c:\users\theske~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gizmo.lnk - c:\program files\gizmo\gizmo.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
LSP: mswsock.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3CE44AC8-BC57-4F24-9DBF-2180562B06B9} : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\theskeward\appdata\roaming\mozilla\firefox\profiles\z8dqe9k4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\users\theskeward\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\users\theskeward\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\theskeward\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-10 64512]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2011-9-11 18544]
R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2011-9-11 25488]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslde0e41e2;MpKslde0e41e2;c:\programdata\microsoft\microsoft antimalware\definition updates\{ba85cf57-f48c-4d27-ae8e-bde5b8909ee1}\MpKslde0e41e2.sys [2011-9-17 28752]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-3-9 173500]
R2 CobianBackup10;Cobian Backup 10;c:\program files\cobian backup 10\cbService.exe [2011-9-10 1125376]
R2 Gizmo Central;Gizmo Central;c:\program files\gizmo\gservice.exe [2011-9-11 31232]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-15 1352728]
R2 SCBackService;Splashtop Connect Service;c:\program files\splashtop\splashtop connect\BackService.exe [2010-11-15 467692]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 986808]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 392640]
R2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\supportspace\support platform\supportspace_tools.exe [2009-2-15 460324]
R2 WCUService_STC_FF;Splashtop Connect Firefox Software Updater Service;c:\program files\splashtop\splashtop connect firefox software updater\WCUService.exe [2011-3-23 485152]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-3-9 7770624]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-3-9 242176]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2011-9-13 24944]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2011-9-10 88176]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-9-10 41088]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S1 vsarbqea;vsarbqea;c:\windows\system32\drivers\vsarbqea.sys [2011-9-17 41680]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-9-10 2648812]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-9-10 1343400]
S3 XENfiltv;XENfiltv;c:\windows\system32\drivers\XENfiltv.sys [2009-7-31 17920]
.
============= FINISH: 16:37:36.95 ===============



#2 Aaflac (Malware Response Team)

Posted 20 September 2011 - 07:36 PM

TheSkeward,

The information provided shows the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\Windows\835460608:4292948942.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip:
http://download.bleepingcomputer.com/farbar/DummyCreator.zip

Unzip the folder:
• Right-click and select: Extract all…
• Follow the prompts to extract

Open the new folder that appears on the Desktop:
• Right-click DummyCreator/DummyMaker and select: 'Run as Administrator' to run the tool.

• Now, copy/paste the following into the blank area:

C:\Windows\835460608

• Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of making repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Edited by Aaflac, 20 September 2011 - 07:41 PM.

Old duck...
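As an added example (not from this thread and not part of Farbar's DummyCreator), a short Python check that scans the "Running Processes" lines of a DDS log for an image that runs from an NTFS alternate data stream, which is the form of the file singled out above; the host object it reports (C:\Windows\835460608) is the path the dummy is created at so the stream can no longer be reached. The sample lines are constructed from the log format in this thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: a few "Running Processes" lines in the DDS format
# used in this thread (the ADS-hosted image is the one the helper singled out).
SAMPLE_PROCESS_LINES = r"""
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\835460608:4292948942.exe
c:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
"""

# A DDS process line is the image path, optionally followed by its arguments.
# The path ends at the first ".exe" that is followed by whitespace or the end
# of the line, so spaces inside "Program Files"-style paths are kept intact.
_IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<args>.*))?$", re.IGNORECASE)

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def split_ads(path: str) -> Optional[Tuple[str, str]]:
    """Return (host_object, stream_name) when `path` addresses an NTFS
    alternate data stream, otherwise None.

    NTFS lets a file or folder carry extra named streams, written as
    <object>:<stream>[:$DATA].  The only legitimate colon in a Win32 path is
    the drive separator, so a colon in the last path component means the
    image lives in a stream attached to that component, not in a regular file.
    """
    body = path[2:] if _DRIVE_RE.match(path) else path
    leaf = body[max(body.rfind("\\"), body.rfind("/")) + 1:]
    if ":" not in leaf:
        return None
    host_leaf, stream = leaf.split(":", 1)
    # Drop an explicit stream-type suffix if one is present.
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    host = path[: len(path) - len(leaf)] + host_leaf
    return host, stream


def find_ads_processes(log_text: str) -> List[dict]:
    """Scan DDS 'Running Processes' lines and report every image that runs
    from an alternate data stream, with the host object the stream hangs off."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS uses a lone "." as a separator
            continue
        m = _IMAGE_RE.match(line)
        image = m.group("image") if m else line
        ads = split_ads(image)
        if ads is None:
            continue
        host, stream = ads
        hits.append({"line": line, "image": image, "host": host, "stream": stream})
    return hits


if __name__ == "__main__":
    for hit in find_ads_processes(SAMPLE_PROCESS_LINES):
        print(f"ADS-hosted image: {hit['image']}")
        print(f"  host object : {hit['host']}")
        print(f"  stream name : {hit['stream']}")
```

On the machine itself, `dir /r C:\Windows` in cmd.exe lists the named streams attached to each entry, which is how the host object found here can be confirmed by hand.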


#3 TheSkeward (Topic Starter)

Posted 20 September 2011 - 07:39 PM

Here are the results, restarting and awaiting further instructions.

DummyCreator by Farbar
Ran by TheSkeward (administrator) on 20-09-2011 at 19:38:55
**************************************************************

C:\Windows\835460608 [20-09-2011 19:38:55]

== End of log ==

#4 TheSkeward (Topic Starter)

Posted 20 September 2011 - 07:45 PM

I've restarted now.

#5 Aaflac (Malware Response Team)

Posted 20 September 2011 - 07:50 PM

That is the result we want.


Please do the following, running ComboFix first, and the program that follows next. If ComboFix does not run, press on to run TDSSKiller:


If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version.

Download ComboFix

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications, usually via right-clicking on the System Tray icon. They may interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link


Right-click on ComboFix.exe and select: 'Run as Administrator'


Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



~~~~
Please remove any previous download of TDSSKiller (if used) and download the latest version: TDSSKiller.exe

Save the file to your Desktop!!

Execute the file:
Right-click TDSSKiller and select: 'Run as Administrator'

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply.



Need to see the following in your reply:
**The ComboFix log
**The TDSSKiller log
**Whether TDSSKiller needed a reboot


Need to go out for a while, but will be back later this evening.

Edited by Aaflac, 20 September 2011 - 07:53 PM.

Old duck...


#6 TheSkeward

TheSkeward
  • Topic Starter

  • Members
  • 11 posts

Posted 20 September 2011 - 08:00 PM

ComboFix stopped midscan and refused to let me open the file afterwards, similar to the GMER tool. It did not leave a log behind. TDSSKiller did run and required a reboot. Here is the log.

2011/09/20 19:54:45.0462 2704 TDSS rootkit removing tool 2.5.23.0 Sep 20 2011 08:53:10
2011/09/20 19:54:45.0824 2704 ================================================================================
2011/09/20 19:54:45.0824 2704 SystemInfo:
2011/09/20 19:54:45.0824 2704
2011/09/20 19:54:45.0824 2704 OS Version: 6.1.7600 ServicePack: 0.0
2011/09/20 19:54:45.0824 2704 Product type: Workstation
2011/09/20 19:54:45.0824 2704 ComputerName: COMSKEWTER
2011/09/20 19:54:45.0824 2704 UserName: TheSkeward
2011/09/20 19:54:45.0824 2704 Windows directory: C:\Windows
2011/09/20 19:54:45.0824 2704 System windows directory: C:\Windows
2011/09/20 19:54:45.0824 2704 Processor architecture: Intel x86
2011/09/20 19:54:45.0824 2704 Number of processors: 2
2011/09/20 19:54:45.0824 2704 Page size: 0x1000
2011/09/20 19:54:45.0825 2704 Boot type: Normal boot
2011/09/20 19:54:45.0825 2704 ================================================================================
2011/09/20 19:54:46.0509 2704 Initialize success
2011/09/20 19:54:53.0617 3536 ================================================================================
2011/09/20 19:54:53.0617 3536 Scan started
2011/09/20 19:54:53.0617 3536 Mode: Manual;
2011/09/20 19:54:53.0617 3536 ================================================================================
2011/09/20 19:54:59.0336 3536 Suspicious file (Forged): C:\Windows\system32\DRIVERS\serial.sys. Real md5: 8b01a466a3816d034f16e127bcce49b2, Fake md5: 5fb7fcea0490d821f26f39cc5ea3d1e2
2011/09/20 19:54:59.0341 3536 Serial - detected Rootkit.Win32.ZAccess.g (0)
2011/09/20 19:55:00.0972 3536 ================================================================================
2011/09/20 19:55:00.0972 3536 Scan finished
2011/09/20 19:55:00.0972 3536 ================================================================================
2011/09/20 19:55:00.0979 5452 Detected object count: 1
2011/09/20 19:55:00.0979 5452 Actual detected object count: 1
2011/09/20 19:55:05.0424 5452 Serial (8b01a466a3816d034f16e127bcce49b2) C:\Windows\system32\DRIVERS\serial.sys
2011/09/20 19:55:05.0424 5452 Suspicious file (Forged): C:\Windows\system32\DRIVERS\serial.sys. Real md5: 8b01a466a3816d034f16e127bcce49b2, Fake md5: 5fb7fcea0490d821f26f39cc5ea3d1e2
2011/09/20 19:55:06.0000 5452 Backup copy found, using it..
2011/09/20 19:55:06.0007 5452 C:\Windows\system32\DRIVERS\serial.sys - will be cured after reboot
2011/09/20 19:55:06.0007 5452 Rootkit.Win32.ZAccess.g(Serial) - User select action: Cure
2011/09/20 19:56:20.0589 2780 Deinitialize success

#7 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:36 AM

Posted 20 September 2011 - 08:47 PM

Try running ComboFix now, per the previous instructions.

If it does not run in normal mode, restart the computer in Safe Mode with Networking, and then run it.

Safe Mode with Networking:
Tap the F8 key while the PC boots
Select SMwN from the Advanced Options menu.
Press: Enter

Old duck...


#8 TheSkeward (Topic Starter)

Posted 20 September 2011 - 09:37 PM

Ran ComboFix, here is the log.

ComboFix 11-09-20.04 - TheSkeward 09/20/2011 21:19:29.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3575.2647 [GMT -5:00]
Running from: c:\users\TheSkeward\Downloads\comfix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\users\TheSkeward\g2mdlhlpx.exe
c:\windows\$NtUninstallKB13264$
c:\windows\$NtUninstallKB13264$\1844082882
c:\windows\$NtUninstallKB13264$\2018353\@
c:\windows\$NtUninstallKB13264$\2018353\click.tlb
c:\windows\$NtUninstallKB13264$\2018353\L\xadqgnnk
c:\windows\$NtUninstallKB13264$\2018353\loader.tlb
c:\windows\$NtUninstallKB13264$\2018353\U\@00000001
c:\windows\$NtUninstallKB13264$\2018353\U\@000000c0
c:\windows\$NtUninstallKB13264$\2018353\U\@000000cb
c:\windows\$NtUninstallKB13264$\2018353\U\@000000cf
c:\windows\$NtUninstallKB13264$\2018353\U\@80000000
c:\windows\$NtUninstallKB13264$\2018353\U\@800000c0
c:\windows\$NtUninstallKB13264$\2018353\U\@800000cb
c:\windows\$NtUninstallKB13264$\2018353\U\@800000cf
c:\windows\835460608
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax
c:\windows\system32\
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1ecc31
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-09-21 02:23 . 2011-09-21 02:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-21 00:15 . 2011-08-16 13:48 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA71581F-305B-4EA7-98AD-1BDAFA71C5F0}\mpengine.dll
2011-09-20 07:54 . 2011-09-20 18:01 -------- d-----w- c:\program files\PeerBlock
2011-09-19 11:36 . 2011-09-19 11:38 -------- d-----w- c:\programdata\Xfire
2011-09-19 11:36 . 2011-09-19 11:36 -------- d-----w- c:\program files\Xfire
2011-09-18 21:07 . 2011-09-18 21:07 -------- d--h--w- c:\programdata\Common Files
2011-09-18 21:06 . 2011-09-18 21:07 -------- d-----w- c:\programdata\MFAData
2011-09-18 18:52 . 2011-09-18 18:52 -------- d-----w- c:\windows\system32\SPReview
2011-09-18 18:51 . 2011-09-18 18:51 -------- d-----w- c:\windows\system32\EventProviders
2011-09-18 18:39 . 2011-09-18 18:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-09-18 18:39 . 2011-09-18 18:39 -------- d-----w- c:\programdata\Hitman Pro
2011-09-18 01:23 . 2011-09-18 01:23 -------- d-----w- c:\users\SFG
2011-09-17 06:28 . 2011-05-05 20:24 1740352 ----a-w- c:\windows\system32\FMAPO.dll
2011-09-17 06:28 . 2010-07-22 21:37 175200 ----a-w- c:\windows\system32\AERTACap.dll
2011-09-17 06:28 . 2009-11-17 23:13 96160 ----a-w- c:\windows\system32\AERTARen.dll
2011-09-16 09:03 . 2011-09-16 09:03 -------- d-----w- c:\program files\Tracker Software
2011-09-16 01:37 . 2011-09-16 01:37 -------- d-----w- c:\program files\Ventrilo
2011-09-16 01:36 . 2011-09-16 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-09-15 11:06 . 2011-09-15 19:40 -------- d-----w- c:\program files\Spotify
2011-09-15 01:31 . 2011-09-15 01:31 -------- d-----w- c:\program files\Microsoft WSE
2011-09-15 01:31 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-09-15 01:25 . 2011-09-15 02:11 -------- d-----w- c:\program files\Electronic Arts
2011-09-14 20:25 . 2011-09-14 20:26 -------- d-----w- C:\Python26
2011-09-13 23:33 . 2011-09-17 19:51 -------- d-----w- c:\program files\Citrix
2011-09-13 19:24 . 2011-09-13 19:24 -------- d-----w- c:\program files\SupportSpace
2011-09-13 05:40 . 2011-09-13 05:40 -------- d-----w- c:\program files\OpenOffice.org 3
2011-09-13 05:31 . 2011-09-13 05:31 -------- d-----w- C:\Python27
2011-09-13 05:05 . 2011-09-13 05:05 -------- d-----w- c:\programdata\InstallShield
2011-09-13 05:05 . 2011-09-21 02:25 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-09-13 05:05 . 2011-09-21 02:25 17488 ----a-w- c:\windows\gdrv.sys
2011-09-12 01:02 . 2011-09-12 01:20 -------- d-----w- c:\program files\Cockatrice
2011-09-11 22:17 . 2011-09-13 05:08 -------- d-----w- c:\programdata\Splashtop
2011-09-11 22:15 . 2010-04-06 21:30 31272 ----a-w- c:\windows\system32\AppleChargerSrv.exe
2011-09-11 22:15 . 2011-09-13 05:21 -------- d-----w- c:\program files\GIGABYTE
2011-09-11 22:15 . 2011-01-10 23:16 18544 ----a-w- c:\windows\system32\drivers\AppleCharger.sys
2011-09-11 22:13 . 2011-09-11 22:13 -------- d--h--w- c:\programdata\{8533ADFA-85F0-4dc1-946A-2A0BA58E78E3}
2011-09-11 22:12 . 2011-09-13 05:09 -------- d-----w- c:\program files\Splashtop
2011-09-11 21:51 . 2011-09-11 21:51 -------- d-----w- c:\programdata\ATI
2011-09-11 21:50 . 2011-09-11 21:50 -------- d-----w- c:\program files\Common Files\ATI Technologies
2011-09-11 21:49 . 2011-04-20 07:05 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-09-11 21:47 . 2011-09-17 08:25 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-09-11 21:45 . 2011-09-11 21:45 -------- d-----w- c:\program files\AMD APP
2011-09-11 21:43 . 2011-09-11 21:51 -------- d-----w- c:\program files\ATI Technologies
2011-09-11 21:43 . 2011-09-11 21:43 -------- d-----w- c:\program files\ATI
2011-09-11 08:28 . 2011-09-18 16:51 -------- d-----w- c:\program files\Square Enix
2011-09-11 08:23 . 2011-09-11 08:23 25488 ----a-w- c:\windows\system32\drivers\gizmodrv.sys
2011-09-11 08:22 . 2011-09-17 08:25 -------- d-----w- c:\program files\Gizmo
2011-09-11 06:42 . 2011-09-11 06:42 -------- d-----w- c:\program files\GetDiz
2011-09-11 04:33 . 2011-09-11 04:33 -------- d-----w- c:\windows\system32\Wat
2011-09-11 04:33 . 2011-02-19 05:33 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-09-11 04:33 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-09-11 04:33 . 2011-02-19 05:32 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-09-11 04:21 . 2011-09-11 04:21 -------- d-----w- c:\program files\Realtek
2011-09-11 04:21 . 2011-09-17 06:30 -------- d--h--w- c:\program files\Temp
2011-09-11 04:21 . 2011-09-01 00:12 1698408 ----a-w- c:\windows\RtlExUpd.dll
2011-09-11 04:21 . 2011-09-11 22:40 -------- d-----w- c:\program files\Common Files\InstallShield
2011-09-11 04:09 . 2011-09-11 04:09 0 ----a-w- c:\windows\ativpsrm.bin
2011-09-11 04:02 . 2010-10-06 01:50 8192 ----a-w- c:\windows\system32\drivers\IntelMEFWVer.dll
2011-09-11 04:02 . 2011-09-11 04:02 -------- d-----w- c:\program files\Common Files\postureAgent
2011-09-11 04:02 . 2010-09-21 14:59 41088 ----a-w- c:\windows\system32\drivers\HECI.sys
2011-09-11 03:59 . 2010-12-23 03:09 53248 ----a-r- c:\windows\system32\CSVer.dll
2011-09-11 03:57 . 2011-09-11 03:57 -------- d-----w- c:\program files\Etron Technology
2011-09-11 03:55 . 2008-07-31 15:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2011-09-11 03:55 . 2008-07-31 15:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2011-09-11 03:55 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2011-09-11 03:55 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2011-09-11 03:55 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2011-09-11 03:52 . 2011-09-11 03:52 -------- d-----w- C:\Riot Games
2011-09-11 03:51 . 2011-09-11 03:53 -------- d-----w- c:\program files\Magic Workstation
2011-09-11 03:22 . 2011-09-11 03:22 -------- d-----w- c:\program files\X-Chat 2
2011-09-11 03:00 . 2011-09-13 05:29 -------- d-----w- c:\program files\Pando Networks
2011-09-11 02:59 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-09-11 01:49 . 2011-06-24 17:48 74752 ----a-w- c:\windows\system32\ff_vfw.dll
2011-09-11 01:49 . 2011-09-11 01:49 -------- d-----w- c:\program files\ffdshow
2011-09-11 01:46 . 2011-09-11 01:53 -------- d-----w- C:\c6c21881b4663443d147317ac8dd78
2011-09-11 01:45 . 2011-09-11 01:45 -------- d-----r- c:\program files\Skype
2011-09-11 01:45 . 2011-09-11 01:45 -------- d-----w- c:\programdata\Skype
2011-09-11 01:45 . 2011-09-11 01:45 -------- d-----w- c:\program files\VideoLAN
2011-09-11 01:45 . 2011-09-11 01:45 -------- d-----w- c:\program files\Notepad++
2011-09-11 01:45 . 2011-09-11 01:45 -------- d-----w- c:\program files\PuTTY
2011-09-11 01:45 . 2011-09-17 08:25 -------- d-----w- c:\program files\Common Files\Steam
2011-09-11 01:45 . 2011-09-21 02:25 -------- d-----w- c:\program files\Steam
2011-09-11 01:45 . 2011-09-11 01:45 -------- d-----w- c:\program files\7-Zip
2011-09-11 01:44 . 2011-09-11 01:44 -------- d-----w- c:\windows\system32\Adobe
2011-09-11 01:44 . 2011-09-11 01:44 -------- d-----w- c:\program files\Common Files\Java
2011-09-11 01:44 . 2011-09-11 01:44 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-11 01:44 . 2011-09-13 05:39 -------- d-----w- c:\program files\Java
2011-09-11 01:42 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-09-11 01:40 . 2009-11-25 17:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-09-11 01:40 . 2009-11-25 17:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-09-11 01:40 . 2009-11-25 17:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-09-11 01:40 . 2009-11-25 17:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-09-11 01:40 . 2009-11-25 17:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-09-11 01:36 . 2011-09-11 01:36 -------- d-----w- c:\program files\Auslogics
2011-09-11 01:33 . 2011-09-11 01:33 -------- d-----w- c:\program files\VistaSwitcher
2011-09-11 01:31 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-09-11 01:29 . 2011-05-04 04:53 1553920 ----a-w- c:\windows\system32\tquery.dll
2011-09-11 01:28 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2011-09-11 01:28 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2011-09-11 01:28 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-09-11 01:28 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-09-11 01:28 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-09-11 01:28 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-09-11 01:28 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2011-09-11 01:28 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-09-11 01:28 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-09-11 01:28 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll
2011-09-11 01:27 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-09-11 01:27 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
2011-09-11 01:27 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2011-09-11 01:27 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-09-11 01:27 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-09-11 01:27 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-09-11 01:27 . 2010-11-02 04:46 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-09-11 01:27 . 2010-11-02 04:23 107520 ----a-w- c:\windows\system32\cdd.dll
2011-09-11 01:22 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2011-09-11 01:19 . 2011-09-11 01:19 -------- d-----w- c:\program files\Secunia
2011-09-11 01:16 . 2011-09-11 01:16 -------- d-----w- c:\program files\uTorrent
2011-09-11 01:10 . 2011-09-11 01:10 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-11 01:08 . 2011-09-11 01:08 -------- dc----w- c:\windows\system32\DRVSTORE
2011-09-11 01:08 . 2011-08-18 20:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-11 01:08 . 2011-09-18 21:04 -------- d-----w- c:\programdata\Lavasoft
2011-09-11 01:08 . 2011-09-11 01:08 -------- d-----w- c:\program files\Lavasoft
2011-09-11 01:02 . 2011-09-11 01:02 -------- d-----w- c:\program files\WinDirStat
2011-09-11 00:59 . 2011-09-11 01:00 -------- d-----w- c:\program files\Cobian Backup 10
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 00:57 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\serial.sys
2011-08-01 20:56 . 2011-08-01 20:56 40936 ----a-w- c:\windows\system32\drivers\point32.sys
2011-08-01 20:56 . 2011-08-01 20:56 21784 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2011-09-03 06:01 . 2011-09-11 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaSwitcher"="c:\program files\VistaSwitcher\vswitch.exe" [2010-11-24 204296]
"Steam"="c:\program files\Steam\Steam.exe" [2011-09-11 1242448]
"SupportCenter"="c:\program files\SupportSpace\Support Platform\SupportCenter.exe" [2009-02-15 1414384]
"GizmoDriveDelegate"="c:\program files\Gizmo\gizmo.exe" [2011-09-11 223640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Cobian Backup 10 Interface"="c:\program files\Cobian Backup 10\cbInterface.exe" [2010-09-23 3154432]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-15 1955208]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-10 336384]
"ZyngaGamesAgent"="c:\program files\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe" [2010-11-15 841544]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-26 10828392]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETCall.exe" [2007-07-26 20480]
.
c:\users\TheSkeward\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Gizmo.lnk - c:\program files\Gizmo\gizmo.exe [2011-9-11 223640]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R1 MpKsl1f88abae;MpKsl1f88abae;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F63A81BC-A9C9-4A2F-AC22-4E590CBBD802}\MpKsl1f88abae.sys [x]
R1 MpKsl389446d3;MpKsl389446d3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BA85CF57-F48C-4D27-AE8E-BDE5B8909EE1}\MpKsl389446d3.sys [x]
R1 MpKsl6c850350;MpKsl6c850350;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F63A81BC-A9C9-4A2F-AC22-4E590CBBD802}\MpKsl6c850350.sys [x]
R1 MpKslb169391d;MpKslb169391d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BA85CF57-F48C-4D27-AE8E-BDE5B8909EE1}\MpKslb169391d.sys [x]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-06 2648812]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [x]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 20080]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-11 1343400]
R3 XENfiltv;XENfiltv;c:\windows\system32\drivers\XENfiltv.sys [2009-07-31 17920]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2011-01-10 18544]
S1 GizmoDrv;Gizmo Device Driver; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 173500]
S2 CobianBackup10;Cobian Backup 10;c:\program files\Cobian Backup 10\cbService.exe [2010-09-23 1125376]
S2 Gizmo Central;Gizmo Central;c:\program files\Gizmo\gservice.exe [2011-09-11 31232]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-08-15 1352728]
S2 SCBackService;Splashtop Connect Service;c:\program files\Splashtop\Splashtop Connect\BackService.exe [2010-11-15 467692]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-04-19 986808]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-04-19 392640]
S2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\SupportSpace\Support Platform\supportspace_tools.exe [2009-02-15 460324]
S2 WCUService_STC_FF;Splashtop Connect Firefox Software Updater Service;c:\program files\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe [2011-03-24 485152]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
S3 GVTDrv;GVTDrv;c:\windows\system32\Drivers\GVTDrv.sys [2011-09-21 24944]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2011-08-11 88176]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-09-21 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3625982434-837466342-4122245402-1000Core.job
- c:\users\TheSkeward\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 20:48]
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3625982434-837466342-4122245402-1000UA.job
- c:\users\TheSkeward\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 20:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\TheSkeward\AppData\Roaming\Mozilla\Firefox\Profiles\z8dqe9k4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Sysinternals Desktops - c:\users\TheSkeward\Documents\Desktops[1]\Desktops.exe
HKLM-Run-STCAgent - c:\program files\Splashtop\Splashtop Connect IE\STCAgent.exe
SafeBoot-32560297.sys
SafeBoot-Lavasoft Ad-Aware Service
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4776)
c:\program files\Gizmo\ghook.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\GIGABYTE\ET6\GUI.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Steam\SteamService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2011-09-20 21:27:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-21 02:27
.
Pre-Run: 844,543,393,792 bytes free
Post-Run: 844,579,901,440 bytes free
.
- - End Of File - - 570ECE81ACFDF5FBE1155DFD9F173AB5
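The "Other Deletions" list above is the on-disk footprint of this ZeroAccess infection, and the TDSSKiller line earlier in the thread ("Suspicious file (Forged): serial.sys ... Real md5 / Fake md5") shows the other half of it: a stock driver swapped for an infected copy. The Python below is an added example, not part of this thread and not ComboFix's or TDSSKiller's own logic. It walks a directory tree laid out like the log and flags the same patterns (an XP-style `$NtUninstallKB*$` folder under `\Windows`, `@`-named files under `U\` and `L\`, `.tlb` blobs in that folder, an all-digit file in the Windows root, `ntuser.dat` under `\ProgramData`), and compares driver files against a known-good hash list the way a baseline scanner would. The sample tree, the "clean" driver bytes and therefore the baseline hashes are constructed for the demonstration; the rule set is an assumption drawn only from the paths ComboFix removed here.

```python
"""Offline detection pass for the ZeroAccess on-disk artifacts that ComboFix
listed under "Other Deletions" above.  Added example; it is not part of the
thread and not ComboFix's or TDSSKiller's own logic.  The sample tree and the
driver baseline hashes are constructed for the demonstration."""
import hashlib
import os
import re
import tempfile

# Each rule is (reason, regex over the lower-cased, "/"-separated path relative
# to the system drive root).  The patterns are lifted from the paths ComboFix
# deleted in the log.
RULES = [
    # $NtUninstallKB*$ folders are XP-era hotfix uninstall folders; Windows 7
    # services itself through WinSxS and does not create them, so one under
    # \Windows is a red flag on its own.
    ("fake KB uninstall folder", re.compile(r"^windows/\$ntuninstallkb\d+\$$")),
    # The rootkit's payload store: "@"-prefixed, 8-hex-digit names under U\ and L\.
    ("@-named payload file", re.compile(r"/[ul]/@[0-9a-f]{8}$")),
    # click.tlb / loader.tlb style blobs living inside that folder.
    ("tlb blob in uninstall folder", re.compile(r"\$ntuninstallkb\d+\$/.*\.tlb$")),
    # An all-digit file directly in \Windows (c:\windows\835460608 in the log).
    ("numeric file in Windows root", re.compile(r"^windows/\d+$")),
    # ntuser.dat belongs in a user profile, never in \ProgramData.
    ("ntuser.dat outside a profile", re.compile(r"^programdata/ntuser\.dat$")),
]

# Known-good driver hashes.  TDSSKiller flagged serial.sys because the bytes on
# disk did not hash to the expected value; a baseline lets a scanner catch that
# without relying on the rootkit's own backup copy.  The values here are md5s
# of the constructed "clean" bytes below, not real Microsoft hashes.
CLEAN_DRIVER_BYTES = {
    "windows/system32/drivers/serial.sys": b"constructed clean serial.sys",
    "windows/system32/drivers/volmgr.sys": b"constructed clean volmgr.sys",
}
DRIVER_BASELINE = {p: hashlib.md5(b).hexdigest() for p, b in CLEAN_DRIVER_BYTES.items()}


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rel_key(root, full):
    """Path relative to the drive root, normalised so the rules are OS-independent."""
    return os.path.relpath(full, root).replace(os.sep, "/").lower()


def scan_tree(root, baseline):
    """Walk a Windows-like tree and return sorted (reason, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            key = rel_key(root, full)
            for reason, pattern in RULES:
                if pattern.search(key):
                    findings.append((reason, key))
            if key in baseline and os.path.isfile(full) and md5_of(full) != baseline[key]:
                findings.append(("driver hash mismatch", key))
    return sorted(findings)


def _write(root, rel, data=b""):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def build_sample_tree(root):
    """Constructed replica of the layout in the ComboFix log plus benign files."""
    _write(root, "Windows/$NtUninstallKB13264$/1844082882")
    _write(root, "Windows/$NtUninstallKB13264$/2018353/U/@00000001", b"payload")
    _write(root, "Windows/$NtUninstallKB13264$/2018353/L/xadqgnnk", b"payload")
    _write(root, "Windows/$NtUninstallKB13264$/2018353/loader.tlb", b"cfg")
    _write(root, "Windows/835460608", b"x")
    _write(root, "ProgramData/ntuser.dat", b"x")
    # serial.sys has been replaced (forged); volmgr.sys still matches the baseline.
    _write(root, "Windows/System32/drivers/serial.sys", b"infected bytes")
    _write(root, "Windows/System32/drivers/volmgr.sys",
           CLEAN_DRIVER_BYTES["windows/system32/drivers/volmgr.sys"])
    _write(root, "Users/TheSkeward/Downloads/notes.txt", b"benign")


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, DRIVER_BASELINE)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:32} {path}")
```

Against a real system drive you would call `scan_tree("C:\\", baseline)` with a baseline built from a known-clean install of the same build; the hash check is only as good as that baseline, and a kernel-mode rootkit that filters reads (as TDSSKiller's "Real md5 / Fake md5" pair shows this one did) can still feed the scanner the clean bytes, which is why the offline or Safe Mode pass matters.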

#9 Aaflac

Posted 20 September 2011 - 10:09 PM

Good job!!

Let's run the ESET Online Scanner:

Continue to disable your AntiVirus program and any AntiSpyware programs while performing the scan. It will preclude conflicts, and will speed up scan time.

Since you are using Windows Seven to perform this scan, go to the Start button, look for the Internet Explorer browser icon, right-click it and select: 'Run as administrator'.

In the browser address bar, copy paste the following:
http://www.eset.com/us/online-scanner
Press the ESET Online Scanner button
  • In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
  • Allow the ActiveX to download, and click: 'Install'
  • In the next screen, make sure the option Remove found threats is unchecked, and press the Start button again.
  • ESET downloads its updates, installs, and begins scanning your computer.
  • When the scan is done, press the List of Found Threats
  • Next, press: Export to Text File, and save the file to your desktop as: ESET Scan
  • Press: Back button.
  • Press: Finish

Please provide the contents of the ESET Scan report in your reply.

Thanks.

Old duck...


#10 Aaflac

Posted 20 September 2011 - 10:10 PM

The ESET Scan will take a while.

Signing off for tonight.

Will be back tomorrow AM.

Old duck...


#11 TheSkeward (Topic Starter)

Posted 21 September 2011 - 12:32 AM

Here are the results of the ESET Scan.

C:\Documents and Settings\TheSkeward\Downloads\cnet_32bit_Vista_Win7_R265_exe.exe a variant of Win32/InstallCore.C application
C:\Users\TheSkeward\Downloads\cnet_32bit_Vista_Win7_R265_exe.exe a variant of Win32/InstallCore.C application

#12 Aaflac

Posted 21 September 2011 - 09:57 AM

Good job!!

1. Please search for and remove the two entries found by ESET.


2. Next, download TFC to your Desktop.
  • Save any work in progress!! TFC closes open applications and removes unsaved work!
  • Right-click TFC.exe and select: Run as Administrator
  • If prompted, click "Yes" to reboot.


3. Download Security Check
Save it to the Desktop.
Right-click SecurityCheck.exe and select: Run as Administrator
Follow the on-screen instructions (on the black screen)
When done, a Notepad document opens automatically: checkup.txt

Please post the contents of checkup.txt in your reply.


4. On GMER...

Please remove any previous version of the program, and download a new copy of GMER:
http://gmer.net/download.php
[Downloads a randomly named file. (Recommended)]

If you cannot remove your previous copy of GMER, do not attempt to run it, and post any error message received.

If the old copy deletes, then...
Close all browsers, and all running programs.

Temporarily disable any real-time active protection so your security programs do not conflict with GMER's driver. Info:
http://www.bleepingcomputer.com/forums/topic114351.html

XP - Double-click on the randomly named GMER file (i.e. n7gmo46c.exe)
Vista/Windows 7 - Right click and select: Run as Administrator

Allow the gmer.sys driver to load...

GMER opens to the Rootkit/Malware tab and performs an automatic quick scan when first run. (Please do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO

Now, click the Scan button.
If you see a rootkit warning window, click OK.

When the scan finishes, click the 'Save...' button to save the scan results to your Desktop.
Save the file as GMER.log

Click the Copy button and Paste the results of the GMER.log in your reply.

Notes:
-Please, do not take action on any of the information on the GMER report!!
-If you encounter any problems, try running GMER in Safe Mode:
http://www.computerhope.com/issues/chsafe.htm
-If GMER crashes or keeps resulting in BSODs, uncheck 'Devices' (on the right side) before scanning.


Also, please update on whether you are still having malware problems.

Old duck...


#13 TheSkeward (Topic Starter)

Posted 21 September 2011 - 06:40 PM

I couldn't find C:/Documents and Settings, but I deleted the other file found by ESET. I ran TFC. I ran Security Check, but the checkup.txt didn't appear to save. The first time I ran GMER, it BSOD'd, so I ran it in safe mode. Here is the GMER.log. Afterwards, I ran Security Check again, and here is the checkup.txt.

I am no longer experiencing browser redirects and the like.

----

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-21 18:28:33
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST31000524AS rev.JC4B
Running: gscmojco.exe; Driver: C:\Users\THESKE~1\AppData\Local\Temp\uwloyuoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82494539 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 824B9092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


----

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 22
Java™ 7
Adobe Flash Player 10.3.183.7
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Edited by TheSkeward, 21 September 2011 - 06:41 PM.


#14 Aaflac

Posted 21 September 2011 - 08:11 PM

Glad you are not experiencing redirections any longer! :thumbup2:

Let's scan the system with a special tool and see if the ZeroAccess RootKit blocked and locked any programs or system files by altering the permissions on them.
  • Please download Junction.zip and save it.
    Unzip it and place the junction.exe file in the Windows directory (C:\Windows). (No need to run it.)
  • Go to Start > Run (Windows key > 'R'), and copy/paste the following command in the Open box and click OK:
    cmd /c junction -s >log.txt&log.txt
    A command window opens and scans the system.
    Next, a log file opens in Notepad.
    Please copy the contents of log.txt, and provide it in your reply.

Old duck...


#15 TheSkeward (Topic Starter)

Posted 21 September 2011 - 08:31 PM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\C:\Users\TheSkeward\Application Data: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming
Substitute Name: C:\Users\TheSkeward\AppData\Roaming

\\?\C:\Users\TheSkeward\Cookies: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Cookies

\\?\C:\Users\TheSkeward\Local Settings: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Local
Substitute Name: C:\Users\TheSkeward\AppData\Local

\\?\C:\Users\TheSkeward\My Documents: JUNCTION
Print Name : C:\Users\TheSkeward\Documents
Substitute Name: C:\Users\TheSkeward\Documents

\\?\C:\Users\TheSkeward\NetHood: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\C:\Users\TheSkeward\PrintHood: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\C:\Users\TheSkeward\Recent: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Recent

\\?\C:\Users\TheSkeward\SendTo: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\SendTo

\\?\C:\Users\TheSkeward\Start Menu: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\C:\Users\TheSkeward\Templates: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\TheSkeward\AppData\Roaming\Microsoft\Windows\Templates

\\?\C:\Users\TheSkeward\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Local
Substitute Name: C:\Users\TheSkeward\AppData\Local

Failed to open \\?\C:\Users\TheSkeward\AppData\Local\ElevatedDiagnostics: Access is denied.

\\?\C:\Users\TheSkeward\AppData\Local\History: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\TheSkeward\AppData\Local\Microsoft\Windows\History

\\?\C:\Users\TheSkeward\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\TheSkeward\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\TheSkeward\AppData\Local\Microsoft\Windows\Temporary Internet Files

...

...

...

\\?\C:\Users\TheSkeward\Documents\My Music: JUNCTION
Print Name : C:\Users\TheSkeward\Music
Substitute Name: C:\Users\TheSkeward\Music

\\?\C:\Users\TheSkeward\Documents\My Pictures: JUNCTION
Print Name : C:\Users\TheSkeward\Pictures
Substitute Name: C:\Users\TheSkeward\Pictures

\\?\C:\Users\TheSkeward\Documents\My Videos: JUNCTION
Print Name : C:\Users\TheSkeward\Videos
Substitute Name: C:\Users\TheSkeward\Videos

Failed to open \\?\C:\Users\TheSkeward\Downloads\ComboFix(1).exe: Access is denied.
Failed to open \\?\C:\Users\TheSkeward\Downloads\ComboFix.exe: Access is denied.
Failed to open \\?\C:\Users\TheSkeward\Downloads\gmer.exe: Access is denied.

...

...

...

...

...

.