
I'm infected


  • This topic is locked
22 replies to this topic

#1 cbcnd1


  • Members
  • 15 posts

Posted 26 September 2011 - 04:10 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic420048.html ~ OB


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Owner at 16:08:47 on 2011-09-26
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.55 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\ParetoLogic\PLAV\Pareto_AV.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PhoTags Express\Photags AutoDetect.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\PLAV\PLAVservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.frontier.com/webmail/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [cdloader] "c:\documents and settings\hp_owner\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Wfatebehamic] rundll32.exe "c:\windows\dipkbdf.dll",Startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ParetoLogic Anti-Virus PLUS] "c:\program files\paretologic\plav\Pareto_AV.exe" -NM -hidesplash
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photag~1.lnk - c:\program files\photags express\Photags AutoDetect.exe
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
Trusted Zone: wowo.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://connect.parkview.com/Citrix/ICAWEB/en/ica32/ica32t.exe
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://aolsvc.aol.com/onlinegames/free-trial-nightshift-legacy-the-jaguars-eye/Nightshift2Web.1.0.0.9.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {61900274-3323-4446-BDCD-91548D32AF1B} - hxxp://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175204655046
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - hxxp://www.worldwinner.com/games/v41/freecell/freecell.cab
DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://www.gamehouse.com/games/abxgh.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://gamenext.oberon-media.com/gameshell/games/channel--110220553/lc--en/room--1f7000eb-e001-4bc4-9c01-dceb3ef8d859/online/luxor_amun_rising/en/mjolauncher.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://gamenext.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v52/wwspades/wwspades.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E779578E-27FB-429C-9788-E58A8817E048} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-10-6 132184]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-18 321552]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-8-9 32272]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-18 22216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
.
=============== Created Last 30 ================
.
2011-09-25 01:22:54 89088 -c--a-w- C:\mbr.exe
2011-09-18 16:48:42 -------- d-----w- c:\documents and settings\hp_owner\application data\Malwarebytes
2011-09-18 16:48:15 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-18 16:48:09 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 16:48:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-18 16:47:00 9852544 -c--a-w- C:\mbam-setup-1.51.2.1300.exe
2011-09-12 21:03:17 1266056 -c--a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-09-12 21:02:58 3038 -c--a-w- C:\fix_svchost.bat
2011-09-12 21:02:26 6216032 -c--a-w- C:\windowsupdateagent30-x86.exe
2011-09-07 21:52:16 -------- d-----w- C:\found.000
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-29 22:15:04 2592 ----a-w- c:\windows\system32\ASOROSet.bin
2011-08-29 21:58:32 -------- d-----w- c:\documents and settings\hp_owner\application data\AOL
.
==================== Find3M ====================
.
2011-09-23 00:06:00 4237365 -c----r- C:\ComboFix.exe
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 19:55:41 0 -c--a-w- c:\windows\Tbotuq.bin
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.8.11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82E3D4C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x82e448a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x82e44730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F93030]
3 CLASSPNP[0xF885FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000060[0x82F88F18]
5 ACPI[0xF87D6620] -> nt!IofCallDriver[0x804E37D5] -> [0x82F8A5D8]
\Driver\atapi[0x82ED5158] -> IRP_MJ_CREATE -> 0x82E3D4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82E3D2E0
user & kernel MBR OK
copy of MBR has been found in sector 312575760
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:11:27.53 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/16/2006 10:16:33 PM
System Uptime: 9/26/2011 3:48:18 PM (1 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Guppy
Processor: Intel® Celeron® CPU 2.93GHz | PGA 478 | 2933/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 141 GiB total, 108.866 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is FIXED (FAT32) - 8 GiB total, 2.153 GiB free.
I: is CDROM ()
J: is CDROM ()
K: is CDROM (CDFS)
L: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
1600
1600_Help
1600Trb
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.5
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
Anti-Spyware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
Authentium
Bonjour
BufferChm
CA Pest Patrol Realtime Protection
CameraDrivers
CCleaner
Citrix ICA Web Client
Citrix XenApp Web Plugin
Copy
Coupon Printer for Windows
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
Disney Pix 2.0 Photo
Disney Pix Max Downloader
DocProc
DocumentViewer
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Fax
FrostWire 4.21.8
getPlus®_ocx
Google Update Helper
Help and Support Additions
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet Preloaded Printer Drivers
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Image Zone Plus 4.5.3
HP Organize
HP Photosmart Cameras 4.0
HP Product Assistant
HP Product Detection
HP PSC & OfficeJet 4.7
HP Software Update
HPIZplus450
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java™ 6 Update 22
Java™ SE Runtime Environment 6 Update 1
magicJack
Malwarebytes' Anti-Malware version 1.51.2.1300
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mirar
MobileMe Control Panel
Move Media Player
MSN
MSXML 4.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 3.5 magicMoments - HPD
OpenOffice.org 3.3
PanoStandAlone
ParetoLogic Anti-Virus PLUS
PC-Doctor for Windows
PhoTags Express
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
PokerStars
PrintScreen
ProductContext
PS2
PSPrinters06
QFolder
QuickProjects
QuickTime
Readme
RealPlayer
RealUpgrade 1.1
RegSupreme
Safari
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
SkinsHP1
Sonic Express Labeler
Sonic RecordNow!
System Requirements Lab for Intel
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Verizon Help and Support Tool
Verizon PC Security Checkup
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 8.0 CRT (x86) WinSXS MSM
VoiceOver Kit
vShare Plugin
Vz In Home Agent
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Xvid 1.2.1 final uninstall
Yahoo! Messenger
Zylom Games Player Plugin
.
==== Event Viewer Messages From Past Week ========
.
9/24/2011 9:33:51 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/24/2011 9:33:47 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/23/2011 6:02:04 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
9/23/2011 4:13:23 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 7:32:59 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
9/22/2011 4:42:14 PM, error: Service Control Manager [7034] - The PLAVService service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:42:06 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:41:54 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/22/2011 4:41:51 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:38:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
9/22/2011 4:38:05 PM, error: Service Control Manager [7000] - The Zune Bus Enumerator Driver service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 4:38:05 PM, error: Service Control Manager [7000] - The dvpapi service failed to start due to the following error: The system cannot find the path specified.
9/22/2011 4:38:05 PM, error: Service Control Manager [7000] - The CSS DVP service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 4:38:05 PM, error: Service Control Manager [7000] - The CA Pest Patrol Realtime Protection Service service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 4:38:05 PM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The system cannot find the path specified.
9/22/2011 4:20:12 PM, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:20:12 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:20:12 PM, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:20:12 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:20:12 PM, error: Service Control Manager [7034] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:20:12 PM, error: Service Control Manager [7034] - The Secondary Logon service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:20:12 PM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 4:20:12 PM, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
9/21/2011 5:57:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/21/2011 4:53:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/21/2011 4:46:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec KLIF Lbd MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
9/21/2011 4:46:42 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2011 4:46:42 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2011 4:46:42 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2011 4:46:42 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2011 4:46:42 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2011 4:46:42 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2011 10:42:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: gagp30kx IntelIde Lbd
9/21/2011 10:41:49 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
9/21/2011 10:40:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/20/2011 9:16:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Pml Driver HPZ12 service to connect.
9/20/2011 9:16:16 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/20/2011 3:49:22 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
9/20/2011 3:49:00 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
9/20/2011 3:49:00 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
9/19/2011 10:35:41 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
.
==== End Of File ===========================


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-26 17:04:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3160021A rev.8.11
Running: gmer.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\kxldqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xEC1058D4]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwClose [0xEC106168]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwConnectPort [0xEC1064C4]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateEvent [0xEC106A36]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateFile [0xEC10BEF8]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateKey [0xEC10477E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateMutant [0xEC10690E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateNamedPipeFile [0xEC1054DA]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreatePort [0xEC1067CA]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateSection [0xEC105696]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateSemaphore [0xEC106B68]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xEC1087AA]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateThread [0xEC105E06]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwCreateWaitablePort [0xEC10686C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwDebugActiveProcess [0xEC10819C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwDeleteKey [0xEC104D42]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwDeleteValueKey [0xEC1050D0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwDeviceIoControlFile [0xEC1063DE]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwDuplicateObject [0xEC10916C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwEnumerateKey [0xEC105212]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwEnumerateValueKey [0xEC1052BC]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwFsControlFile [0xEC1061EA]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwLoadDriver [0xEC10822E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwLoadKey [0xEC10475A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwLoadKey2 [0xEC10476C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwMapViewOfSection [0xEC10885E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwNotifyChangeKey [0xEC105408]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenEvent [0xEC106AD8]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenFile [0xEC10BC98]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenKey [0xEC104924]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenMutant [0xEC1069A6]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenProcess [0xEC105AEE]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenSection [0xEC1087D4]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenSemaphore [0xEC106C0A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwOpenThread [0xEC105A12]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwQueryKey [0xEC105366]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwQueryMultipleValueKey [0xEC104F8E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwQuerySection [0xEC108B76]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwQueryValueKey [0xEC104BDE]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwQueueApcThread [0xEC1084C4]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwRenameKey [0xEC104E56]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwReplaceKey [0xEC1045F8]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwReplyPort [0xEC106F94]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwReplyWaitReceivePort [0xEC106E5A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwRequestWaitReplyPort [0xEC107F3C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwRestoreKey [0xEC10BA6A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwResumeThread [0xEC10904E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSaveKey [0xEC104590]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSecureConnectPort [0xEC10C18A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSetContextThread [0xEC106024]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSetInformationToken [0xEC1077EC]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSetSecurityObject [0xEC108328]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSetSystemInformation [0xEC108CB6]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSetValueKey [0xEC104A66]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSuspendProcess [0xEC108D9A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSuspendThread [0xEC108EC2]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwSystemDebugControl [0xEC1080C8]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwTerminateProcess [0xEC105C66]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwTerminateThread [0xEC105BBC]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwUnmapViewOfSection [0xEC108A2C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) ZwWriteVirtualMemory [0xEC105D46]

Code \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [96, 56, 10, EC, 68, 6B, 10, ...] {XCHG ESI, EAX; PUSH ESI; ADC AH, CH; PUSH 0xaaec106b; XCHG [EAX], EDX; IN AL, DX ; PUSH ES; POP ESI; ADC AH, CH}
.text ntoskrnl.exe!_abnormal_termination + 19C 804E2808 4 Bytes [EA, 61, 10, EC]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [2E, 82, 10, EC, 5A, 47, 10, ...] {ADC BYTE CS:[EAX], -0x14; POP EDX; INC EDI; ADC AH, CH; INSB ; INC EDI; ADC AH, CH}
.text ntoskrnl.exe!_abnormal_termination + 34C 804E29B8 16 Bytes [56, 4E, 10, EC, F8, 45, 10, ...] {PUSH ESI; DEC ESI; ADC AH, CH; CLC ; INC EBP; ADC AH, CH; XCHG ESP, EAX; OUTSD ; ADC AH, CH; POP EDX; OUTSB ; ADC AH, CH}
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [9A, 8D, 10, EC, C2, 8E, 10, ...] {CALL FAR 0x108e:0xc2ec108d; IN AL, DX ; ENTER 0x1080, 0xec}
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 5 Bytes JMP EC0FAC00 \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512959 5 Bytes JMP EC0FA826 \SystemRoot\System32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86_noagava]/Kaspersky Lab)
? C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[512] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 00A2000C
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1796] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\program files\real\realplayer\update\realsched.exe[3176] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0096000C
.text C:\WINDOWS\System32\svchost.exe[3736] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02DB000A
.text C:\WINDOWS\System32\svchost.exe[3736] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 02DC000A
.text C:\WINDOWS\System32\svchost.exe[3736] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 02DF000A
.text C:\WINDOWS\System32\svchost.exe[3736] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00D7000A
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3800] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 82E3D2E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82E3D2E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 82E3D2E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82E3D2E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 82E3D2E0
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 312575763
Disk \Device\Harddisk0\DR0 PE file @ sector 312575785
Disk \Device\Harddisk0\DR0 MBRoot/Sinowal@MBR code has been found <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

As requested

Edited by Orange Blossom, 26 September 2011 - 11:54 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:01 PM

Posted 29 September 2011 - 03:13 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and will make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 cbcnd1

cbcnd1
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 29 September 2011 - 05:09 PM

ComboFix 11-09-29.06 - HP_Owner 09/29/2011 17:12:08.35.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.280 [GMT -4:00]
Running from: C:\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-29 )))))))))))))))))))))))))))))))
.
.
2011-09-28 21:14 . 2011-09-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-28 21:14 . 2011-09-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-09-25 01:22 . 2011-09-25 01:25 89088 -c--a-w- C:\mbr.exe
2011-09-21 20:53 . 2011-09-21 20:53 -------- d-----w- c:\documents and settings\Administrator.BRUCE\Application Data\Malwarebytes
2011-09-18 16:48 . 2011-09-18 16:48 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2011-09-18 16:48 . 2011-09-18 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-18 16:48 . 2011-09-23 20:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-18 16:48 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 16:47 . 2011-09-18 16:47 9852544 -c--a-w- C:\mbam-setup-1.51.2.1300.exe
2011-09-12 21:03 . 2011-09-12 21:03 1266056 -c--a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-09-12 21:02 . 2011-09-12 21:02 3038 -c--a-w- C:\fix_svchost.bat
2011-09-12 21:02 . 2011-09-12 21:02 6216032 -c--a-w- C:\windowsupdateagent30-x86.exe
2011-09-07 21:52 . 2011-09-07 21:52 -------- d-----w- C:\found.000
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-29 21:08 . 2010-08-13 18:12 4234747 -c----r- C:\ComboFix.exe
2011-09-03 10:17 . 2004-08-04 18:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-02-15 18:17 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-02-15 11:17 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-31_20.28.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-29 19:52 . 2011-09-29 19:52 16384 c:\windows\temp\Perflib_Perfdata_334.dat
+ 2010-10-06 21:38 . 2011-09-17 13:13 97961 c:\windows\system32\drivers\klick.dat
- 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2004-08-04 18:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2004-10-15 17:38 . 2011-09-09 18:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-10-15 17:38 . 2010-02-26 00:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-10-15 10:30 . 2011-09-09 18:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-10-15 10:30 . 2010-02-26 00:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-10 18:41 . 2011-09-10 18:41 22016 c:\windows\Installer\15a1cc.msi
+ 2011-06-06 16:55 . 2011-06-06 16:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2005-07-20 02:06 . 2011-09-05 23:57 68965 c:\windows\hpoins05.dat
- 2005-07-20 02:06 . 2006-10-04 00:05 68965 c:\windows\hpoins05.dat
+ 2006-05-13 23:08 . 2011-09-22 20:36 896392 c:\windows\system32\Restore\rstrlog.dat
- 2010-10-06 21:38 . 2011-05-28 18:51 115369 c:\windows\system32\drivers\klin.dat
+ 2010-10-06 21:38 . 2011-09-17 13:13 115369 c:\windows\system32\drivers\klin.dat
+ 2011-06-06 16:55 . 2011-06-06 16:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2011-09-25 01:37 . 2011-09-25 01:37 2295808 c:\windows\Installer\11881d.msi
+ 2011-06-06 16:55 . 2011-06-06 16:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2007-04-03 02:33 . 2011-09-15 21:33 46249416 c:\windows\system32\MRT.exe
+ 2011-06-07 00:00 . 2011-06-07 00:00 48470016 c:\windows\Installer\504fe0.msi
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\11881e.msp
+ 2011-06-06 16:55 . 2011-06-06 16:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
"Wfatebehamic"="c:\windows\dipkbdf.dll" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\PLAV\Pareto_AV.exe" [2010-09-08 4547864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-03-06 273544]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]
Photags AutoDetect.lnk - c:\program files\PhoTags Express\Photags AutoDetect.exe [2009-5-2 368640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1149999531\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Server
.
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [8/9/2010 1:57 PM 32272]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/18/2011 12:48 PM 22216]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/18/2010 9:32 PM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/18/2011 12:48 PM 366152]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/18/2010 9:32 PM 135664]
S3 PLAVService;PLAVService;c:\program files\Common Files\PLAV\plavservice.exe [9/8/2010 1:32 PM 599384]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 01:32]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 01:32]
.
2011-09-13 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]
.
2011-09-26 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]
.
2011-09-11 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_sch_2FB94364-D257-11DF-9AD8-00038A000015.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]
.
2011-09-26 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-09-08 17:31]
.
2011-09-29 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2010-09-08 17:31]
.
2011-09-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2430400791-1619666043-2941703551-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-09-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2430400791-1619666043-2941703551-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-09-29 c:\windows\Tasks\User_Feed_Synchronization-{14389F0B-25FC-4696-BAF6-75C365CBB49B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.frontier.com/webmail/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
Trusted Zone: wowo.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://aolsvc.aol.com/onlinegames/free-trial-nightshift-legacy-the-jaguars-eye/Nightshift2Web.1.0.0.9.cab
DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://www.gamehouse.com/games/abxgh.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-29 17:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.8.11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82E472E0
user & kernel MBR OK
copy of MBR has been found in sector 312575760
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-29 17:46:04
ComboFix-quarantined-files.txt 2011-09-29 21:45
ComboFix2.txt 2011-09-23 00:37
ComboFix3.txt 2011-09-20 20:34
ComboFix4.txt 2011-09-13 20:56
ComboFix5.txt 2011-09-29 21:10
.
Pre-Run: 116,367,683,584 bytes free
Post-Run: 117,639,688,192 bytes free
.
- - End Of File - - D5BF0DDE66B80B203AD081FD46A972EB


Had no problems. Still have svchost.exe hogging CPU.

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 September 2011 - 08:31 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate button] <-- Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 cbcnd1

  • Topic Starter

  • Members
  • 15 posts

Posted 30 September 2011 - 11:58 AM

12:11:07.0500 0164 TDSS rootkit removing tool 2.6.2.0 Sep 26 2011 18:56:43
12:11:07.0796 0164 ============================================================
12:11:07.0796 0164 Current date / time: 2011/09/30 12:11:07.0796
12:11:07.0796 0164 SystemInfo:
12:11:07.0796 0164
12:11:07.0796 0164 OS Version: 5.1.2600 ServicePack: 3.0
12:11:07.0796 0164 Product type: Workstation
12:11:07.0796 0164 ComputerName: BRUCE
12:11:07.0796 0164 UserName: HP_Owner
12:11:07.0796 0164 Windows directory: C:\WINDOWS
12:11:07.0796 0164 System windows directory: C:\WINDOWS
12:11:07.0796 0164 Processor architecture: Intel x86
12:11:07.0796 0164 Number of processors: 1
12:11:07.0796 0164 Page size: 0x1000
12:11:07.0796 0164 Boot type: Normal boot
12:11:07.0796 0164 ============================================================
12:11:09.0406 0164 Initialize success
12:11:17.0203 2392 ============================================================
12:11:17.0203 2392 Scan started
12:11:17.0203 2392 Mode: Manual;
12:11:17.0203 2392 ============================================================
12:11:18.0859 2392 Abiosdsk - ok
12:11:18.0968 2392 abp480n5 - ok
12:11:19.0140 2392 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:11:19.0156 2392 ACPI - ok
12:11:19.0281 2392 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:11:19.0281 2392 ACPIEC - ok
12:11:19.0406 2392 adpu160m - ok
12:11:19.0562 2392 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:11:19.0562 2392 aec - ok
12:11:19.0703 2392 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
12:11:19.0718 2392 Afc - ok
12:11:19.0843 2392 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
12:11:19.0843 2392 AFD - ok
12:11:20.0015 2392 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
12:11:20.0046 2392 AgereSoftModem - ok
12:11:20.0203 2392 Aha154x - ok
12:11:20.0328 2392 aic78u2 - ok
12:11:20.0421 2392 aic78xx - ok
12:11:20.0625 2392 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
12:11:20.0687 2392 ALCXWDM - ok
12:11:20.0812 2392 AliIde - ok
12:11:20.0921 2392 amsint - ok
12:11:21.0062 2392 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
12:11:21.0078 2392 Arp1394 - ok
12:11:21.0218 2392 asc - ok
12:11:21.0312 2392 asc3350p - ok
12:11:21.0421 2392 asc3550 - ok
12:11:21.0593 2392 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:11:21.0593 2392 AsyncMac - ok
12:11:21.0734 2392 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:11:21.0734 2392 atapi - ok
12:11:21.0843 2392 Atdisk - ok
12:11:21.0984 2392 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:11:21.0984 2392 Atmarpc - ok
12:11:22.0109 2392 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:11:22.0109 2392 audstub - ok
12:11:22.0312 2392 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:11:22.0312 2392 Beep - ok
12:11:22.0468 2392 catchme - ok
12:11:22.0609 2392 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:11:22.0609 2392 cbidf2k - ok
12:11:22.0718 2392 cd20xrnt - ok
12:11:22.0843 2392 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:11:22.0843 2392 Cdaudio - ok
12:11:22.0984 2392 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:11:22.0984 2392 Cdfs - ok
12:11:23.0109 2392 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:11:23.0109 2392 Cdrom - ok
12:11:23.0265 2392 Changer - ok
12:11:23.0390 2392 CmdIde - ok
12:11:23.0500 2392 Cpqarray - ok
12:11:23.0562 2392 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
12:11:23.0562 2392 cpudrv - ok
12:11:23.0687 2392 CSS DVP - ok
12:11:23.0781 2392 dac2w2k - ok
12:11:23.0890 2392 dac960nt - ok
12:11:24.0031 2392 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:11:24.0031 2392 Disk - ok
12:11:24.0203 2392 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:11:24.0265 2392 dmboot - ok
12:11:24.0406 2392 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:11:24.0437 2392 dmio - ok
12:11:24.0578 2392 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:11:24.0578 2392 dmload - ok
12:11:24.0734 2392 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:11:24.0734 2392 DMusic - ok
12:11:24.0875 2392 dpti2o - ok
12:11:25.0000 2392 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:11:25.0000 2392 drmkaud - ok
12:11:25.0171 2392 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:11:25.0171 2392 Fastfat - ok
12:11:25.0343 2392 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
12:11:25.0343 2392 Fdc - ok
12:11:25.0484 2392 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:11:25.0484 2392 Fips - ok
12:11:25.0625 2392 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
12:11:25.0625 2392 Flpydisk - ok
12:11:25.0734 2392 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:11:25.0750 2392 FltMgr - ok
12:11:25.0890 2392 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:11:25.0890 2392 Fs_Rec - ok
12:11:26.0031 2392 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:11:26.0031 2392 Ftdisk - ok
12:11:26.0171 2392 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
12:11:26.0171 2392 gagp30kx - ok
12:11:26.0343 2392 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
12:11:26.0343 2392 GEARAspiWDM - ok
12:11:26.0468 2392 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:11:26.0468 2392 Gpc - ok
12:11:26.0640 2392 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:11:26.0640 2392 HidUsb - ok
12:11:26.0750 2392 hpn - ok
12:11:26.0875 2392 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
12:11:26.0890 2392 HPZid412 - ok
12:11:27.0015 2392 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
12:11:27.0031 2392 HPZipr12 - ok
12:11:27.0140 2392 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
12:11:27.0156 2392 HPZius12 - ok
12:11:27.0250 2392 HSFHWBS2 - ok
12:11:27.0359 2392 HSF_DP - ok
12:11:27.0484 2392 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:11:27.0484 2392 HTTP - ok
12:11:27.0609 2392 i2omgmt - ok
12:11:27.0703 2392 i2omp - ok
12:11:27.0843 2392 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:11:27.0859 2392 i8042prt - ok
12:11:28.0000 2392 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
12:11:28.0031 2392 ialm - ok
12:11:28.0171 2392 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:11:28.0171 2392 Imapi - ok
12:11:28.0312 2392 ini910u - ok
12:11:28.0453 2392 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:11:28.0453 2392 IntelIde - ok
12:11:28.0609 2392 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:11:28.0609 2392 intelppm - ok
12:11:28.0734 2392 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
12:11:28.0734 2392 Ip6Fw - ok
12:11:28.0890 2392 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:11:28.0890 2392 IpFilterDriver - ok
12:11:29.0015 2392 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:11:29.0031 2392 IpInIp - ok
12:11:29.0156 2392 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:11:29.0171 2392 IpNat - ok
12:11:29.0328 2392 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:11:29.0343 2392 IPSec - ok
12:11:29.0453 2392 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:11:29.0453 2392 IRENUM - ok
12:11:29.0593 2392 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:11:29.0593 2392 isapnp - ok
12:11:29.0734 2392 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
12:11:29.0734 2392 Iviaspi - ok
12:11:29.0890 2392 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:11:29.0890 2392 Kbdclass - ok
12:11:30.0031 2392 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
12:11:30.0031 2392 kbdhid - ok
12:11:30.0156 2392 kl1 (47f4320cff5bd3de472bb300a32a879e) C:\WINDOWS\system32\DRIVERS\kl1.sys
12:11:30.0156 2392 kl1 - ok
12:11:30.0312 2392 KLIF (2eaca1e0cc5d49ded5659b43a41c60a8) C:\WINDOWS\system32\DRIVERS\klif.sys
12:11:30.0312 2392 KLIF - ok
12:11:30.0437 2392 klim5 (fbdc2034b58d2135d25fe99eb8b747c3) C:\WINDOWS\system32\DRIVERS\klim5.sys
12:11:30.0437 2392 klim5 - ok
12:11:30.0578 2392 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:11:30.0593 2392 kmixer - ok
12:11:30.0734 2392 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:11:30.0734 2392 KSecDD - ok
12:11:30.0859 2392 Lbd - ok
12:11:30.0906 2392 lbrtfdc - ok
12:11:31.0015 2392 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
12:11:31.0031 2392 MBAMProtector - ok
12:11:31.0171 2392 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:11:31.0187 2392 mnmdd - ok
12:11:31.0343 2392 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:11:31.0343 2392 Modem - ok
12:11:31.0484 2392 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
12:11:31.0500 2392 MODEMCSA - ok
12:11:31.0562 2392 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:11:31.0562 2392 Mouclass - ok
12:11:31.0703 2392 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:11:31.0703 2392 mouhid - ok
12:11:31.0843 2392 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:11:31.0843 2392 MountMgr - ok
12:11:31.0968 2392 mraid35x - ok
12:11:32.0062 2392 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
12:11:32.0062 2392 MREMP50 - ok
12:11:32.0093 2392 MREMP50a64 - ok
12:11:32.0125 2392 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
12:11:32.0125 2392 MREMPR5 - ok
12:11:32.0218 2392 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
12:11:32.0218 2392 MRENDIS5 - ok
12:11:32.0328 2392 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
12:11:32.0328 2392 MRESP50 - ok
12:11:32.0390 2392 MRESP50a64 - ok
12:11:32.0562 2392 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:11:32.0562 2392 MRxDAV - ok
12:11:32.0734 2392 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:11:32.0750 2392 MRxSmb - ok
12:11:32.0890 2392 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:11:32.0890 2392 Msfs - ok
12:11:33.0046 2392 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:11:33.0046 2392 MSKSSRV - ok
12:11:33.0187 2392 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:11:33.0203 2392 MSPCLOCK - ok
12:11:33.0359 2392 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:11:33.0359 2392 MSPQM - ok
12:11:33.0500 2392 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:11:33.0500 2392 mssmbios - ok
12:11:33.0640 2392 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:11:33.0640 2392 Mup - ok
12:11:33.0781 2392 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:11:33.0781 2392 NDIS - ok
12:11:33.0906 2392 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:11:33.0906 2392 NdisTapi - ok
12:11:34.0062 2392 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:11:34.0062 2392 Ndisuio - ok
12:11:34.0203 2392 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:11:34.0203 2392 NdisWan - ok
12:11:34.0390 2392 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:11:34.0390 2392 NDProxy - ok
12:11:34.0531 2392 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:11:34.0531 2392 NetBIOS - ok
12:11:34.0656 2392 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:11:34.0656 2392 NetBT - ok
12:11:34.0812 2392 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
12:11:34.0828 2392 NIC1394 - ok
12:11:34.0984 2392 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:11:34.0984 2392 Npfs - ok
12:11:35.0140 2392 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:11:35.0171 2392 Ntfs - ok
12:11:35.0328 2392 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:11:35.0343 2392 Null - ok
12:11:35.0468 2392 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:11:35.0468 2392 NwlnkFlt - ok
12:11:35.0593 2392 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:11:35.0609 2392 NwlnkFwd - ok
12:11:35.0734 2392 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
12:11:35.0734 2392 ohci1394 - ok
12:11:35.0875 2392 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
12:11:35.0875 2392 Parport - ok
12:11:36.0015 2392 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:11:36.0015 2392 PartMgr - ok
12:11:36.0390 2392 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:11:36.0437 2392 ParVdm - ok
12:11:36.0625 2392 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:11:36.0640 2392 PCI - ok
12:11:36.0765 2392 PCIDump - ok
12:11:36.0890 2392 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
12:11:36.0890 2392 PCIIde - ok
12:11:37.0031 2392 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
12:11:37.0031 2392 Pcmcia - ok
12:11:37.0125 2392 PDCOMP - ok
12:11:37.0218 2392 PDFRAME - ok
12:11:37.0328 2392 PDRELI - ok
12:11:37.0453 2392 PDRFRAME - ok
12:11:37.0562 2392 perc2 - ok
12:11:37.0656 2392 perc2hib - ok
12:11:37.0796 2392 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
12:11:37.0812 2392 Pfc - ok
12:11:38.0000 2392 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:11:38.0000 2392 PptpMiniport - ok
12:11:38.0140 2392 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
12:11:38.0140 2392 Processor - ok
12:11:38.0296 2392 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
12:11:38.0296 2392 Ps2 - ok
12:11:38.0421 2392 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:11:38.0437 2392 PSched - ok
12:11:38.0578 2392 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:11:38.0593 2392 Ptilink - ok
12:11:38.0718 2392 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
12:11:38.0718 2392 PxHelp20 - ok
12:11:38.0828 2392 ql1080 - ok
12:11:38.0953 2392 Ql10wnt - ok
12:11:39.0078 2392 ql12160 - ok
12:11:39.0203 2392 ql1240 - ok
12:11:39.0328 2392 ql1280 - ok
12:11:39.0484 2392 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:11:39.0484 2392 RasAcd - ok
12:11:39.0640 2392 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:11:39.0640 2392 Rasl2tp - ok
12:11:39.0796 2392 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:11:39.0796 2392 RasPppoe - ok
12:11:39.0937 2392 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:11:39.0937 2392 Raspti - ok
12:11:40.0093 2392 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:11:40.0093 2392 Rdbss - ok
12:11:40.0250 2392 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:11:40.0265 2392 RDPCDD - ok
12:11:40.0390 2392 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
12:11:40.0390 2392 RDPWD - ok
12:11:40.0531 2392 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:11:40.0531 2392 redbook - ok
12:11:40.0703 2392 RTL8023xp (3529828ec571fb2f64f6b142f9109993) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
12:11:40.0703 2392 RTL8023xp - ok
12:11:40.0859 2392 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
12:11:40.0859 2392 rtl8139 - ok
12:11:41.0015 2392 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:11:41.0015 2392 Secdrv - ok
12:11:41.0156 2392 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:11:41.0156 2392 Serenum - ok
12:11:41.0296 2392 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
12:11:41.0296 2392 Serial - ok
12:11:41.0437 2392 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:11:41.0453 2392 Sfloppy - ok
12:11:41.0562 2392 Simbad - ok
12:11:41.0687 2392 SISNIC (3fbb6ef8b5a71a2fa11f5f461bb73219) C:\WINDOWS\system32\DRIVERS\sisnic.sys
12:11:41.0687 2392 SISNIC - ok
12:11:41.0812 2392 smbusp (64dce11279fde28f0abf6f04aa6a073a) C:\WINDOWS\system32\DRIVERS\intelsmb.sys
12:11:41.0812 2392 smbusp - ok
12:11:41.0921 2392 smserial - ok
12:11:42.0031 2392 Sparrow - ok
12:11:42.0140 2392 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:11:42.0156 2392 splitter - ok
12:11:42.0312 2392 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:11:42.0312 2392 sr - ok
12:11:42.0453 2392 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:11:42.0468 2392 Srv - ok
12:11:42.0609 2392 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:11:42.0609 2392 swenum - ok
12:11:42.0750 2392 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:11:42.0750 2392 swmidi - ok
12:11:42.0890 2392 symc810 - ok
12:11:42.0937 2392 symc8xx - ok
12:11:42.0968 2392 sym_hi - ok
12:11:43.0000 2392 sym_u3 - ok
12:11:43.0062 2392 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:11:43.0062 2392 sysaudio - ok
12:11:43.0234 2392 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:11:43.0250 2392 Tcpip - ok
12:11:43.0375 2392 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:11:43.0375 2392 TDPIPE - ok
12:11:43.0531 2392 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:11:43.0531 2392 TDTCP - ok
12:11:43.0671 2392 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:11:43.0671 2392 TermDD - ok
12:11:43.0812 2392 TosIde - ok
12:11:43.0937 2392 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:11:43.0953 2392 Udfs - ok
12:11:44.0078 2392 ultra - ok
12:11:44.0234 2392 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:11:44.0281 2392 Update - ok
12:11:44.0437 2392 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
12:11:44.0453 2392 USBAAPL - ok
12:11:44.0593 2392 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
12:11:44.0593 2392 usbaudio - ok
12:11:44.0734 2392 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:11:44.0734 2392 usbccgp - ok
12:11:44.0906 2392 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:11:44.0906 2392 usbehci - ok
12:11:45.0046 2392 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:11:45.0046 2392 usbhub - ok
12:11:45.0187 2392 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
12:11:45.0203 2392 usbohci - ok
12:11:45.0312 2392 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:11:45.0312 2392 usbprint - ok
12:11:45.0437 2392 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:11:45.0437 2392 usbscan - ok
12:11:45.0609 2392 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:11:45.0609 2392 USBSTOR - ok
12:11:45.0750 2392 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:11:45.0750 2392 usbuhci - ok
12:11:45.0921 2392 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:11:45.0921 2392 VgaSave - ok
12:11:46.0093 2392 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
12:11:46.0093 2392 ViaIde - ok
12:11:46.0421 2392 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:11:46.0437 2392 VolSnap - ok
12:11:46.0671 2392 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:11:46.0687 2392 Wanarp - ok
12:11:46.0984 2392 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
12:11:46.0984 2392 wanatw - ok
12:11:47.0406 2392 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
12:11:47.0656 2392 Wdf01000 - ok
12:11:47.0921 2392 WDICA - ok
12:11:48.0218 2392 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:11:48.0234 2392 wdmaud - ok
12:11:48.0468 2392 winachsf - ok
12:11:48.0875 2392 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
12:11:48.0890 2392 WpdUsb - ok
12:11:49.0218 2392 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
12:11:49.0250 2392 WudfPf - ok
12:11:49.0578 2392 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
12:11:49.0593 2392 WudfRd - ok
12:11:49.0843 2392 zumbus - ok
12:11:49.0875 2392 MBR (0x1B8) (e71647ab5c9345c538bd4c425eeafcd3) \Device\Harddisk0\DR0
12:11:49.0890 2392 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - infected
12:11:49.0890 2392 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
12:11:49.0937 2392 MBR (0x1B8) (37c1d3c7e54f7b43e91a54faa528fae7) \Device\Harddisk5\DR7
12:11:50.0421 2392 \Device\Harddisk5\DR7 - ok
12:11:50.0453 2392 Boot (0x1200) (e3e08691c039930be2a9692193f6b0aa) \Device\Harddisk0\DR0\Partition0
12:11:50.0453 2392 \Device\Harddisk0\DR0\Partition0 - ok
12:11:50.0468 2392 Boot (0x1200) (79698c534c76f51cbc316d19b2396411) \Device\Harddisk0\DR0\Partition1
12:11:50.0484 2392 \Device\Harddisk0\DR0\Partition1 - ok
12:11:50.0484 2392 ============================================================
12:11:50.0484 2392 Scan finished
12:11:50.0484 2392 ============================================================
12:11:50.0515 1428 Detected object count: 1
12:11:50.0515 1428 Actual detected object count: 1
12:12:12.0765 1428 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot
12:12:12.0765 1428 \Device\Harddisk0\DR0 - ok
12:12:12.0765 1428 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure
12:12:24.0265 2224 Deinitialize success
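As an added example (not part of this thread and not code from the TDSSKiller tool), a small Python parser for the TDSSKiller log format pasted above: it pulls out the hashed objects, the per-device verdict history and any cure that is still pending a reboot, and cross-checks the tool's own "Detected object count" against what was parsed. The sample log is constructed to mirror the line shapes in the post; its MD5 values are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample (not the real log from the post): same line shapes as
# TDSSKiller 2.6.2.0 output, placeholder MD5s and a trimmed driver list.
SAMPLE_LOG = """\
12:11:07.0500 0164 TDSS rootkit removing tool 2.6.2.0 Sep 26 2011 18:56:43
12:11:17.0203 2392 Scan started
12:11:21.0734 2392 atapi (00000000000000000000000000000001) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
12:11:21.0734 2392 atapi - ok
12:11:49.0875 2392 MBR (0x1B8) (00000000000000000000000000000002) \\Device\\Harddisk0\\DR0
12:11:49.0890 2392 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.a ) - infected
12:11:49.0937 2392 MBR (0x1B8) (00000000000000000000000000000003) \\Device\\Harddisk5\\DR7
12:11:50.0421 2392 \\Device\\Harddisk5\\DR7 - ok
12:11:50.0453 2392 Boot (0x1200) (00000000000000000000000000000004) \\Device\\Harddisk0\\DR0\\Partition1
12:11:50.0484 2392 \\Device\\Harddisk0\\DR0\\Partition1 - ok
12:11:50.0484 2392 Scan finished
12:11:50.0515 1428 Detected object count: 1
12:11:50.0515 1428 Actual detected object count: 1
12:12:12.0765 1428 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot
12:12:12.0765 1428 \\Device\\Harddisk0\\DR0 - ok
12:12:12.0765 1428 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure
"""

# Every line is "<timestamp> <thread id> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>[0-9A-Fa-f]+)\s+(?P<msg>.*)$")
# "<name> (<md5>) <path>": driver files, plus "MBR (0x1B8)" and "Boot (0x1200)" sectors.
HASH_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<object> ( <threat> ) - <verdict>": infected / will be cured on reboot / User select action.
DETECT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<threat>[^)]+?) \) - (?P<verdict>.+)$")
COUNT_RE = re.compile(r"^(?P<actual>Actual )?[Dd]etected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    obj: str
    threat: str
    verdicts: List[str] = field(default_factory=list)  # in log order


@dataclass
class ScanReport:
    tool: str = ""
    hashes: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # path -> (kind, md5)
    detections: Dict[str, Detection] = field(default_factory=dict)    # object -> Detection
    reported_count: Optional[int] = None
    actual_count: Optional[int] = None

    def pending_reboot(self) -> List[str]:
        """Objects whose cure is deferred: the machine stays infected until it restarts."""
        return [d.obj for d in self.detections.values()
                if any("cured on reboot" in v for v in d.verdicts)]

    def count_consistent(self) -> bool:
        """The tool's own count should equal what we parsed; a mismatch means a line shape we missed."""
        return self.reported_count == len(self.detections)


def parse_tdsskiller_log(text: str) -> ScanReport:
    rep = ScanReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("TDSS rootkit removing tool"):
            rep.tool = msg
            continue
        h = HASH_RE.match(msg)
        if h:
            rep.hashes[h.group("path")] = (h.group("name"), h.group("md5"))
            continue
        d = DETECT_RE.match(msg)
        if d:
            det = rep.detections.setdefault(
                d.group("obj"), Detection(d.group("obj"), d.group("threat")))
            det.verdicts.append(d.group("verdict"))
            continue
        c = COUNT_RE.match(msg)
        if c:
            if c.group("actual"):
                rep.actual_count = int(c.group("n"))
            else:
                rep.reported_count = int(c.group("n"))
    return rep


def boot_sector_hashes(rep: ScanReport) -> Dict[str, str]:
    """MBR and boot-sector MD5s per device, for comparing a pre-cure log with the post-reboot rescan."""
    return {path: md5 for path, (kind, md5) in rep.hashes.items()
            if kind.startswith(("MBR", "Boot"))}


if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    for obj, det in report.detections.items():
        print(f"{obj}: {det.threat} -> {' / '.join(det.verdicts)}")
    print("pending reboot:", report.pending_reboot(), "| count consistent:", report.count_consistent())
    print("boot sector hashes:", boot_sector_hashes(report))
```

Run it again over the log TDSSKiller writes after the reboot and compare the two `boot_sector_hashes()` results: a cured MBR should hash differently, and `pending_reboot()` should come back empty.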

#6 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 September 2011 - 12:07 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#7 cbcnd1

  • Topic Starter

  • Members
  • 15 posts

Posted 30 September 2011 - 05:06 PM

ComboFix 11-09-30.05 - HP_Owner 09/30/2011 16:13:04.36.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.295 [GMT -4:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-30 )))))))))))))))))))))))))))))))
.
.
2011-09-28 21:14 . 2011-09-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-28 21:14 . 2011-09-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-09-25 01:22 . 2011-09-25 01:25 89088 -c--a-w- C:\mbr.exe
2011-09-21 20:53 . 2011-09-21 20:53 -------- d-----w- c:\documents and settings\Administrator.BRUCE\Application Data\Malwarebytes
2011-09-18 16:48 . 2011-09-18 16:48 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2011-09-18 16:48 . 2011-09-18 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-18 16:48 . 2011-09-23 20:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-18 16:48 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 16:47 . 2011-09-18 16:47 9852544 -c--a-w- C:\mbam-setup-1.51.2.1300.exe
2011-09-12 21:03 . 2011-09-12 21:03 1266056 -c--a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-09-12 21:02 . 2011-09-12 21:02 3038 -c--a-w- C:\fix_svchost.bat
2011-09-12 21:02 . 2011-09-12 21:02 6216032 -c--a-w- C:\windowsupdateagent30-x86.exe
2011-09-07 21:52 . 2011-09-07 21:52 -------- d-----w- C:\found.000
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-30 20:09 . 2010-08-13 18:12 4237173 -c----r- C:\ComboFix.exe
2011-09-03 10:17 . 2004-08-04 18:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-02-15 18:17 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-02-15 11:17 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-31_20.28.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-30 19:29 . 2011-09-30 19:29 16384 c:\windows\temp\Perflib_Perfdata_73c.dat
+ 2010-10-06 21:38 . 2011-09-17 13:13 97961 c:\windows\system32\drivers\klick.dat
- 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2004-08-04 18:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2004-10-15 17:38 . 2011-09-09 18:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-10-15 17:38 . 2010-02-26 00:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-10-15 10:30 . 2011-09-09 18:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-10-15 10:30 . 2010-02-26 00:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-10 18:41 . 2011-09-10 18:41 22016 c:\windows\Installer\15a1cc.msi
+ 2011-06-06 16:55 . 2011-06-06 16:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2005-07-20 02:06 . 2011-09-05 23:57 68965 c:\windows\hpoins05.dat
- 2005-07-20 02:06 . 2006-10-04 00:05 68965 c:\windows\hpoins05.dat
+ 2006-05-13 23:08 . 2011-09-22 20:36 896392 c:\windows\system32\Restore\rstrlog.dat
- 2010-10-06 21:38 . 2011-05-28 18:51 115369 c:\windows\system32\drivers\klin.dat
+ 2010-10-06 21:38 . 2011-09-17 13:13 115369 c:\windows\system32\drivers\klin.dat
+ 2011-06-06 16:55 . 2011-06-06 16:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2011-09-25 01:37 . 2011-09-25 01:37 2295808 c:\windows\Installer\11881d.msi
+ 2011-06-06 16:55 . 2011-06-06 16:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2007-04-03 02:33 . 2011-09-15 21:33 46249416 c:\windows\system32\MRT.exe
+ 2011-06-07 00:00 . 2011-06-07 00:00 48470016 c:\windows\Installer\504fe0.msi
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\11881e.msp
+ 2011-06-06 16:55 . 2011-06-06 16:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
"Wfatebehamic"="c:\windows\dipkbdf.dll" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\PLAV\Pareto_AV.exe" [2010-09-08 4547864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-03-06 273544]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]
Photags AutoDetect.lnk - c:\program files\PhoTags Express\Photags AutoDetect.exe [2009-5-2 368640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1149999531\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Server
.
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [8/9/2010 1:57 PM 32272]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/18/2011 12:48 PM 22216]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/18/2010 9:32 PM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/18/2011 12:48 PM 366152]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/18/2010 9:32 PM 135664]
S3 PLAVService;PLAVService;c:\program files\Common Files\PLAV\plavservice.exe [9/8/2010 1:32 PM 599384]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 01:32]
.
2011-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 01:32]
.
2011-09-13 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]
.
2011-09-29 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]
.
2011-09-11 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_sch_2FB94364-D257-11DF-9AD8-00038A000015.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]
.
2011-09-29 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-09-08 17:31]
.
2011-09-30 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2010-09-08 17:31]
.
2011-09-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2430400791-1619666043-2941703551-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-09-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2430400791-1619666043-2941703551-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-09-30 c:\windows\Tasks\User_Feed_Synchronization-{14389F0B-25FC-4696-BAF6-75C365CBB49B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.frontier.com/webmail/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
Trusted Zone: wowo.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://aolsvc.aol.com/onlinegames/free-trial-nightshift-legacy-the-jaguars-eye/Nightshift2Web.1.0.0.9.cab
DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://www.gamehouse.com/games/abxgh.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-30 16:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(180)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-30 16:36:51
ComboFix-quarantined-files.txt 2011-09-30 20:36
ComboFix2.txt 2011-09-29 21:46
ComboFix3.txt 2011-09-23 00:37
ComboFix4.txt 2011-09-20 20:34
ComboFix5.txt 2011-09-30 20:10
.
Pre-Run: 117,411,586,048 bytes free
Post-Run: 117,621,334,016 bytes free
.
- - End Of File - - 949E120B5DD2343F1F0CB5CCB1E2B82C


Had no problems. Running better. SVCHOST.EXE not hogging cpu, but still seems to not be 100%.
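As an added example (not part of this thread, and not ComboFix's own logic), here is a small Python triage script for the "Reg Loading Points" section of a ComboFix log like the one above. The sample lines are constructed copies of a few entries from that log, and the flagging rules are my own heuristics for spotting the entries a helper would normally ask about.

```python
import re
from typing import List, Tuple

# Regexes for the REGEDIT4-style lines ComboFix prints under "Reg Loading Points".
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
PLAIN_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)$')

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
"Wfatebehamic"="c:\windows\dipkbdf.dll" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
'''


def parse_findings(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, key\\value, reason) for lines worth a second look (heuristics)."""
    findings: List[Tuple[str, str, str]] = []
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith('\\run'):
            name, cmd, stamp = m.group('name'), m.group('cmd'), m.group('stamp')
            where = key + '\\' + name
            if stamp == 'BU':
                # ComboFix printed [BU] instead of a "date size" stamp for the target file.
                findings.append(('high', where, 'no file date/size recorded ([BU])'))
            if cmd.lower().endswith('.dll'):
                # A Run value normally launches a program; a bare .dll path is odd.
                findings.append(('high', where, 'Run value is a bare .dll path'))
            elif '\\' not in cmd:
                findings.append(('info', where, 'bare file name, resolved through PATH'))
            continue
        m = DWORD_RE.match(line)
        if m and 'security center' in key.lower() and int(m.group('hex'), 16) == 1:
            findings.append(('check', key + '\\' + m.group('name'),
                             'Security Center override set; status alerts suppressed'))
            continue
        m = PLAIN_RE.match(line)
        if (m and 'firewallpolicy' in key.lower()
                and m.group('name') == 'DisableNotifications' and m.group('val') == '1'):
            findings.append(('check', key + '\\' + m.group('name'),
                             'Windows Firewall notifications disabled'))
    return findings


def flagged_values(text: str) -> List[str]:
    """Sorted, de-duplicated value names that received at least one finding."""
    return sorted({where.rsplit('\\', 1)[-1] for _, where, _ in parse_findings(text)})


if __name__ == '__main__':
    for severity, where, reason in parse_findings(SAMPLE_LOG):
        print(f'[{severity:5}] {where}: {reason}')
```

Paste a full "Reg Loading Points" section into SAMPLE_LOG (or read it from a file) to get the same triage list for a log of your own.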

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 September 2011 - 09:06 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
5. click on the following programs

Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 22
Java™ SE Runtime Environment 6 Update 1
Mirar
PokerStars
Viewpoint Media Player


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click the MBAM icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 03 October 2011 - 01:17 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#10 cbcnd1

cbcnd1
  • Topic Starter

  • Members
  • 15 posts

Posted 04 October 2011 - 06:12 AM

Sorry. Been busy. Will get back on it tonight.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 04 October 2011 - 11:19 AM

:thumbup2:

#12 cbcnd1

cbcnd1
  • Topic Starter

  • Members
  • 15 posts

Posted 05 October 2011 - 06:16 AM

Got halfway through last night, then had to run the kids around. May not be able to work on it tonight. Kids again...

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 October 2011 - 07:56 AM

No problem, I will check on you in a couple of days.


gringo

#14 cbcnd1

cbcnd1
  • Topic Starter

  • Members
  • 15 posts

Posted 06 October 2011 - 02:59 PM

Said Mirar could not be found. Asked if I wanted to run a registry scan. I said no and exited.

Had no Java in Control Panel. Downloaded Java. Sorry, I forgot about you telling me not to download anything.

TFC does nothing. Says it's shutting down running processes and never goes any further. I left it on over night and still nothing.

Didn't do anything else at this time. Wanted to see what, if anything else, you want me to do before I continue.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 06 October 2011 - 03:09 PM

That is minor, so go ahead and continue with the rest.


gringo
