Mebroot trojan


  • This topic is locked
14 replies to this topic

#1 Black Vodka


  • Members
  • 11 posts

Posted 18 October 2011 - 01:43 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic423903.html ~ OB

ESET Smart Security 5 detects the Mebroot trojan at startup but is unable to clean it. Here is the DDS log.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_18
Run by Agnew at 18:04:12 on 2011-10-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2813.1944 [GMT 1:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"C:\Windows\system32\svchost.exe"
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\mqsvc.exe
c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Windows\system32\mqtgsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OE1FSC1STlhCRC1HTVlIRi1CU0xTUi1aNFlGRy1QRU1CUg"&"inst=NzYtOTIzNzYyNDA4LVhPMzYrMS1UQjkrMi1OMUQrMS1QTCs5LVFJWDErNC1YMjAxMCsyLVNQMSsxLVRVRyszLUNJUCsyLVNQMVMyKzEtU1AxUzMrMS1TVUQrMS1TMUkrMS1TVTMrMS1EMzgxTCs3LUREVCszNjkxMi1JMTArMS1MU0QrMi1ERDEwKzEtU1QxMEFQUCsxLVNUMTJPSSsxLUVVTEErMS1JMTIrMS1TVDEyQVBQKzE"&"prod=94"&"ver=2012.0.1831"&"mid=b066b8a189f970aa9fa1a61d3296cb9f-e6059d59138b1401c9d44a6e7bd6ef98398ee44f
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
LSP: c:\program files\iobit\advanced systemcare 3\SPICtrl.dll
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{3964BB56-315F-4810-A200-5048D3474A32} : DhcpNameServer = 194.168.4.100 194.168.8.100
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\agnew\appdata\roaming\mozilla\firefox\profiles\egyarxdf.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2011-8-4 50624]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2011-8-4 33656]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-9-14 20384]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2010-6-16 25896]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2011-8-9 163424]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-9-22 974944]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-10-8 7168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 EMebFix;EMebFix;c:\users\agnew\appdata\local\temp\eolmalikfixer\EMebFix.sys [2011-10-17 114984]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-9-14 954368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-17 22216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-17 366152]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;"c:\program files\toshiba\smartlogservice\tosipcsrv.exe" --> c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [?]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-10-17 20:32:14 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-17 20:32:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-17 20:32:13 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-17 20:32:13 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-17 20:31:51 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-10-17 20:31:20 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-17 20:31:20 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-17 20:31:20 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-17 20:31:20 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-17 20:31:18 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-17 19:25:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-17 19:25:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-17 15:53:51 -------- d-----w- c:\users\agnew\appdata\roaming\ESET
2011-10-17 15:53:51 -------- d-----w- c:\users\agnew\appdata\local\ESET
2011-10-17 15:48:57 -------- d-----w- c:\program files\ESET
2011-10-04 19:30:37 -------- d-sh--w- C:\$RECYCLE.BIN
2011-10-04 19:30:35 -------- d-----w- c:\users\agnew\appdata\local\temp
2011-09-30 00:45:24 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-09-20 15:06:16 -------- d-----w- c:\program files\Rockstar Games
2011-09-20 15:04:46 749568 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iKernel.dll
2011-09-20 15:04:46 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\ctor.dll
2011-09-20 15:04:46 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\DotNetInstaller.exe
2011-09-20 15:04:46 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iscript.dll
2011-09-20 15:04:46 180224 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iuser.dll
2011-09-20 15:03:45 192644 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iGdi.dll
2011-09-20 15:03:44 323716 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\setup.dll
.
==================== Find3M ====================
.
2011-09-26 22:23:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-08 19:09:27 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-08 19:08:12 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-09-08 19:08:12 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-08 19:06:45 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-08 18:48:27 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-09-08 18:47:36 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-09-08 18:47:36 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-08 18:47:36 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-08 18:45:05 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-09-08 18:43:23 276992 ----a-w- c:\windows\system32\schannel.dll
2011-09-08 18:37:49 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-09-08 18:37:31 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-08 18:19:36 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-09-08 18:19:36 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-09-08 18:18:51 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-02 13:39:07 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-16 16:15:15 834048 ----a-w- c:\windows\system32\wininet.dll
2011-08-16 14:20:55 389632 ----a-w- c:\windows\system32\html.iec
2011-08-09 13:24:52 163424 ----a-w- c:\windows\system32\drivers\eamonm.sys
2011-08-04 08:20:38 50624 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2011-08-04 08:20:38 33656 ----a-w- c:\windows\system32\drivers\EpfwLWF.sys
2011-08-04 08:20:38 147480 ----a-w- c:\windows\system32\drivers\epfw.sys
2011-08-04 08:20:36 118104 ----a-w- c:\windows\system32\drivers\ehdrv.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8813FA0A]<<
_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }
1 ntkrnlpa!IofCallDriver[0x82478912] -> \Device\Harddisk0\DR0[0x8570A5B0]
\Driver\disk[0x85761588] -> IRP_MJ_READ -> 0x8813FA0A
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 18:04:43.07 ===============

Attached file: Attach.txt (11.11KB)

Attached file: ark.txt (14.03KB)

Edited by Orange Blossom, 18 October 2011 - 10:21 PM.



#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 October 2011 - 09:50 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Black Vodka

  • Topic Starter

  • Members
  • 11 posts

Posted 19 October 2011 - 12:55 PM

Here is the ComboFix log

ComboFix 11-10-19.04 - Agnew 19/10/2011 18:37:15.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2813.1967 [GMT 1:00]
Running from: c:\users\Agnew\Downloads\ComboFix.exe
AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
.
.
2011-10-19 17:43 . 2011-10-19 17:43 -------- d-----w- c:\users\Agnew\AppData\Local\temp
2011-10-19 17:43 . 2011-10-19 17:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-10-19 17:43 . 2011-10-19 17:43 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-10-19 17:43 . 2011-10-19 17:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-17 20:32 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-17 20:32 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-17 20:32 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-17 20:32 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-17 20:31 . 2011-09-14 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-17 20:31 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-17 20:31 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-17 20:31 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-17 20:31 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-17 20:31 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-17 19:25 . 2011-10-17 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-17 19:25 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-17 15:53 . 2011-10-17 15:53 -------- d-----w- c:\users\Agnew\AppData\Local\ESET
2011-10-17 15:48 . 2011-10-17 15:48 -------- d-----w- c:\program files\ESET
2011-09-30 00:45 . 2011-09-30 07:16 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-09-20 15:06 . 2011-09-20 15:06 -------- d-----w- c:\program files\Rockstar Games
2011-09-20 15:04 . 2004-10-22 01:18 749568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll
2011-09-20 15:04 . 2004-10-22 01:17 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll
2011-09-20 15:04 . 2004-10-22 01:17 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll
2011-09-20 15:04 . 2004-10-22 01:16 180224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll
2011-09-20 15:04 . 2004-10-22 01:16 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe
2011-09-20 15:03 . 2011-09-20 15:03 192644 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll
2011-09-20 15:03 . 2011-09-20 15:03 323716 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 22:23 . 2011-05-14 09:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-08 19:09 . 2011-09-08 19:09 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-08 19:08 . 2011-09-08 19:08 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-09-08 19:08 . 2011-09-08 19:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-08 19:06 . 2011-09-08 19:06 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-08 18:48 . 2011-09-08 18:48 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-09-08 18:47 . 2011-09-08 18:47 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-09-08 18:47 . 2011-09-08 18:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-08 18:47 . 2011-09-08 18:47 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-08 18:45 . 2011-09-08 18:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-09-08 18:43 . 2011-09-08 18:43 276992 ----a-w- c:\windows\system32\schannel.dll
2011-09-08 18:37 . 2011-09-08 18:37 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-09-08 18:37 . 2011-09-08 18:37 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-08 18:19 . 2011-09-08 18:19 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-09-08 18:19 . 2011-09-08 18:19 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-09-08 18:18 . 2011-09-08 18:18 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-06 09:01 . 2011-08-26 19:21 0 ----a-w- c:\users\Agnew\AppData\Local\Lvujilucipihaxi.bin
2011-08-09 13:24 . 2011-08-09 13:24 163424 ----a-w- c:\windows\system32\drivers\eamonm.sys
2011-08-04 08:20 . 2011-08-04 08:20 50624 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2011-08-04 08:20 . 2011-08-04 08:20 33656 ----a-w- c:\windows\system32\drivers\EpfwLWF.sys
2011-08-04 08:20 . 2011-08-04 08:20 147480 ----a-w- c:\windows\system32\drivers\epfw.sys
2011-08-04 08:20 . 2011-08-04 08:20 118104 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2011-09-30 17:22 . 2011-09-26 22:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-06-05 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OE1FSC1STlhCRC1HTVlIRi1CU0xTUi1aNFlGRy1QRU1CUg&inst=NzYtOTIzNzYyNDA4LVhPMzYrMS1UQjkrMi1OMUQrMS1QTCs5LVFJWDErNC1YMjAxMCsyLVNQMSsxLVRVRyszLUNJUCsyLVNQMVMyKzEtU1AxUzMrMS1TVUQrMS1TMUkrMS1TVTMrMS1EMzgxTCs3LUREVCszNjkxMi1JMTArMS1MU0QrMi1ERDEwKzEtU1QxMEFQUCsxLVNUMTJPSSsxLUVVTEErMS1JMTIrMS1TVDEyQVBQKzE&prod=94&ver=2012.0.1831&mid=b066b8a189f970aa9fa1a61d3296cb9f-e6059d59138b1401c9d44a6e7bd6ef98398ee44f" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-10-28 257440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-06 11:55 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-04-08 13:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 16:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 11:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-08-14 09:40 1348904 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-06-05 19:23 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EMebFix;EMebFix;c:\users\Agnew\AppData\Local\Temp\EOlmalikFixer\EMebFix.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-25 685816]
R4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2011-08-04 50624]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 118104]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2011-08-04 33656]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-16 40960]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 163424]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2011-09-22 974944]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\IObit\Advanced SystemCare 3\SPICtrl.dll
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\Agnew\AppData\Roaming\Mozilla\Firefox\Profiles\egyarxdf.default\
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-19 18:43
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
c:\program files\Internet Explorer\iexplore.exe [4080] 0x85155D08
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-19 18:46:18
ComboFix-quarantined-files.txt 2011-10-19 17:46
ComboFix2.txt 2011-10-04 19:30
ComboFix3.txt 2010-06-29 13:28
.
Pre-Run: 52,576,608,256 bytes free
Post-Run: 53,147,291,648 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9AA57A512919308E3EA7904DA86E0CA3

There were two Windows error messages saying they had to shut down certain programs; the laptop is doing fine.
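As an added triage example (not code from this thread, nor from DDS, ComboFix or GMER), the Python script below parses the GMER "Stealth MBR rootkit" detector section and the catchme section that appear in the DDS log of post #1 and in the ComboFix log above, and turns the lines that matter into findings: the IRP_MJ_READ handler of \Driver\disk resolving to an address in no known module, the user-mode versus kernel-mode MBR mismatch, and the process catchme reports as hidden. The line patterns are my assumptions derived from the log lines shown in this thread, and the sample log is copied from those lines.

```python
"""Triage helper for the GMER 'Stealth MBR rootkit' and catchme sections that
DDS and ComboFix embed in their logs.  Added example for this thread, not part
of DDS, ComboFix or GMER; the line patterns are assumptions from the log lines
shown in the thread."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


# ">>UNKNOWN [0x...]<<": a return address in the disk I/O path that the
# detector could not map to any loaded driver image.
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\disk[...] -> IRP_MJ_READ -> 0x...": where the read dispatch points.
IRP_HOOK = re.compile(
    r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")
# catchme lists processes hidden from the normal API as "<path> [pid] 0x<addr>".
HIDDEN_PROC = re.compile(r"^(.+?\.exe) \[(\d+)\] (0x[0-9A-Fa-f]+)$", re.IGNORECASE)

# Sample input: lines copied from the ROOTKIT section of the DDS log and the
# catchme section of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8813FA0A]<<
1 ntkrnlpa!IofCallDriver[0x82478912] -> \Device\Harddisk0\DR0[0x8570A5B0]
\Driver\disk[0x85761588] -> IRP_MJ_READ -> 0x8813FA0A
kernel: MBR read successfully
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
scanning hidden processes ...
.
c:\program files\Internet Explorer\iexplore.exe [4080] 0x85155D08
.
scanning hidden autostart entries ...
"""


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return findings in the order they appear."""
    findings: list[Finding] = []
    unknown_addrs: set[str] = set()
    user_read_failed = False
    in_hidden_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # catchme: hidden-process entries sit between the "scanning hidden
        # processes" header and the next "scanning ..." header.
        if line.startswith("scanning hidden processes"):
            in_hidden_procs = True
            continue
        if line.startswith("scanning "):
            in_hidden_procs = False
        if in_hidden_procs:
            m = HIDDEN_PROC.match(line)
            if m:
                findings.append(Finding(
                    "medium", f"process hidden from the API: {m.group(1)} (pid {m.group(2)})"))
            continue
        m = UNKNOWN_MODULE.search(line)
        if m:
            unknown_addrs.add(m.group(1).lower())
            findings.append(Finding(
                "high", f"disk I/O path runs code belonging to no known module at {m.group(1)}"))
            continue
        m = IRP_HOOK.match(line)
        if m:
            drv, irp, target = m.groups()
            if target.lower() in unknown_addrs:
                findings.append(Finding(
                    "high", f"{irp} of \\Driver\\{drv} is routed to the unknown module at {target}"))
            continue
        if line.startswith("user: error reading MBR"):
            user_read_failed = True
        elif line.startswith("user != kernel MBR"):
            msg = ("MBR seen from user mode differs from the sector the kernel read, "
                   "the mismatch an MBR bootkit produces when it hides its boot sector")
            if user_read_failed:
                msg += "; the user-mode read had failed, so confirm with a second tool"
            findings.append(Finding("high", msg))
        elif "rootkit infection" in line:
            findings.append(Finding("high", "detector verdict: " + line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.message}")
```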

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 October 2011 - 12:58 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#5 Black Vodka

  • Topic Starter

  • Members
  • 11 posts

Posted 19 October 2011 - 01:53 PM

Here's the TDSSKiller log

19:42:45.0363 3264 TDSS rootkit removing tool 2.6.11.0 Oct 19 2011 13:50:27
19:42:45.0630 3264 ============================================================
19:42:45.0630 3264 Current date / time: 2011/10/19 19:42:45.0630
19:42:45.0630 3264 SystemInfo:
19:42:45.0630 3264
19:42:45.0631 3264 OS Version: 6.0.6002 ServicePack: 2.0
19:42:45.0631 3264 Product type: Workstation
19:42:45.0631 3264 ComputerName: AGNEWSLAPTOP
19:42:45.0631 3264 UserName: Agnew
19:42:45.0631 3264 Windows directory: C:\Windows
19:42:45.0631 3264 System windows directory: C:\Windows
19:42:45.0632 3264 Processor architecture: Intel x86
19:42:45.0632 3264 Number of processors: 2
19:42:45.0632 3264 Page size: 0x1000
19:42:45.0632 3264 Boot type: Normal boot
19:42:45.0632 3264 ============================================================
19:42:47.0533 3264 Initialize success
19:43:15.0508 2316 ============================================================
19:43:15.0509 2316 Scan started
19:43:15.0509 2316 Mode: Manual;
19:43:15.0509 2316 ============================================================
19:44:23.0172 2316 MBR (0x1B8) (9c603bc3977968c891de319283e1e7af) \Device\Harddisk0\DR0
19:44:23.0212 2316 \Device\Harddisk0\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - infected
19:44:23.0212 2316 \Device\Harddisk0\DR0 - detected Trojan-Clicker.Win32.Wistler.c (0)
19:44:23.0248 2316 Boot (0x1200) (13fda8549f20f09cefc0094a1a89fe48) \Device\Harddisk0\DR0\Partition0
19:44:23.0249 2316 \Device\Harddisk0\DR0\Partition0 - ok
19:44:23.0277 2316 Boot (0x1200) (668540ad0e51b853dbff76e8f1e79e31) \Device\Harddisk0\DR0\Partition1
19:44:23.0278 2316 \Device\Harddisk0\DR0\Partition1 - ok
19:44:23.0279 2316 ============================================================
19:44:23.0279 2316 Scan finished
19:44:23.0279 2316 ============================================================
19:44:23.0293 1988 Detected object count: 1
19:44:23.0293 1988 Actual detected object count: 1
19:46:03.0566 1988 \Device\Harddisk0\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - will be cured on reboot
19:46:03.0566 1988 \Device\Harddisk0\DR0 - ok
19:46:03.0566 1988 \Device\Harddisk0\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - User select action: Cure
19:46:17.0282 3808 Deinitialize success
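
As an added example that is not part of this thread or of the scanner tool whose output is pasted above, the following Python parses log lines of that shape and lists the objects that received an "infected" verdict, together with whether a cure was scheduled for the next reboot; this is the kind of triage a helper does by eye when reading such a log, done in code so it can be run over many logs. The sample input is a handful of lines copied from the log above; the regular expressions are my assumption about the format and cover only the line shapes seen here.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: lines copied from the scan log above (a clean driver entry,
# the MBR entry that was flagged, and the follow-up lines announcing the cure).
SAMPLE_LOG = """\
19:44:23.0119 2316 xusb21 (a640c90b007762939507c28a021be3b3) C:\\Windows\\system32\\DRIVERS\\xusb21.sys
19:44:23.0123 2316 xusb21 - ok
19:44:23.0172 2316 MBR (0x1B8) (9c603bc3977968c891de319283e1e7af) \\Device\\Harddisk0\\DR0
19:44:23.0212 2316 \\Device\\Harddisk0\\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - infected
19:44:23.0212 2316 \\Device\\Harddisk0\\DR0 - detected Trojan-Clicker.Win32.Wistler.c (0)
19:44:23.0248 2316 Boot (0x1200) (13fda8549f20f09cefc0094a1a89fe48) \\Device\\Harddisk0\\DR0\\Partition0
19:44:23.0249 2316 \\Device\\Harddisk0\\DR0\\Partition0 - ok
19:46:03.0566 1988 \\Device\\Harddisk0\\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - will be cured on reboot
19:46:03.0566 1988 \\Device\\Harddisk0\\DR0 - ok
19:46:03.0566 1988 \\Device\\Harddisk0\\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - User select action: Cure
"""

# Every line starts with "HH:MM:SS.ffff <pid> " (assumed format).
PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"

# "<name> (<md5>) <path>": an object the scanner hashed.
OBJECT_RE = re.compile(
    PREFIX + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$"
)

# "<object> [( <threat> )] - <verdict>": a verdict about an object seen earlier.
VERDICT_RE = re.compile(
    PREFIX
    + r"(?P<obj>.+?)(?:\s+\(\s*(?P<threat>\S+)\s*\))?\s+-\s+"
    + r"(?P<verdict>ok|infected|detected\s+(?P<det>\S+).*|will be cured on reboot|User select action:.*)$"
)


@dataclass
class ScanObject:
    name: str
    md5: str
    path: str
    events: list = field(default_factory=list)  # verdicts in log order
    threat: Optional[str] = None


def parse_scan_log(text):
    """Return the hashed objects in log order, each with the verdicts it received."""
    objects = []
    by_key = {}  # verdict lines name an object by its short name or its path
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            obj = ScanObject(m["name"], m["md5"], m["path"])
            objects.append(obj)
            by_key[obj.name] = obj
            by_key[obj.path] = obj
            continue
        m = VERDICT_RE.match(line)
        if m:
            obj = by_key.get(m["obj"])
            if obj is None:
                continue  # verdict for something that was never hashed; ignore
            obj.events.append(m["verdict"])
            threat = m["threat"] or m["det"]
            if threat:
                obj.threat = threat
    return objects


def find_detections(objects):
    """Objects that carried an 'infected' verdict, with whether a cure was scheduled."""
    found = []
    for obj in objects:
        if "infected" not in obj.events:
            continue
        found.append({
            "object": obj.path,
            "name": obj.name,
            "md5": obj.md5,
            "threat": obj.threat,
            "cure_scheduled": "will be cured on reboot" in obj.events,
        })
    return found


if __name__ == "__main__":
    for hit in find_detections(parse_scan_log(SAMPLE_LOG)):
        print(hit)
```

Keying the records by both the short name and the device path matters here: driver verdicts are reported under the driver name, while the boot-sector verdicts are reported under the `\Device\Harddisk0\...` path, and a parser that only tracks one of the two misses the MBR finding.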

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • Gender:Male
  • Location:Puerto rico

Posted 19 October 2011 - 04:24 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Black Vodka

  • Topic Starter
  • Members

Posted 19 October 2011 - 05:38 PM

Combofix log

ComboFix 11-10-19.06 - Agnew 19/10/2011 23:21:34.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2813.1908 [GMT 1:00]
Running from: c:\users\Agnew\Downloads\ComboFix.exe
Command switches used :: c:\users\Agnew\Desktop\CFScript - Shortcut.lnk
AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
.
.
2011-10-19 22:27 . 2011-10-19 22:27 -------- d-----w- c:\users\Agnew\AppData\Local\temp
2011-10-19 22:27 . 2011-10-19 22:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-10-19 22:27 . 2011-10-19 22:27 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-10-19 22:27 . 2011-10-19 22:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-17 20:32 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-17 20:32 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-17 20:32 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-17 20:32 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-17 20:31 . 2011-09-14 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-17 20:31 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-17 20:31 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-17 20:31 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-17 20:31 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-17 20:31 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-17 19:25 . 2011-10-17 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-17 19:25 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-17 15:53 . 2011-10-17 15:53 -------- d-----w- c:\users\Agnew\AppData\Local\ESET
2011-10-17 15:48 . 2011-10-17 15:48 -------- d-----w- c:\program files\ESET
2011-09-30 00:45 . 2011-09-30 07:16 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-09-20 15:06 . 2011-09-20 15:06 -------- d-----w- c:\program files\Rockstar Games
2011-09-20 15:04 . 2004-10-22 01:18 749568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll
2011-09-20 15:04 . 2004-10-22 01:17 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll
2011-09-20 15:04 . 2004-10-22 01:17 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll
2011-09-20 15:04 . 2004-10-22 01:16 180224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll
2011-09-20 15:04 . 2004-10-22 01:16 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe
2011-09-20 15:03 . 2011-09-20 15:03 192644 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll
2011-09-20 15:03 . 2011-09-20 15:03 323716 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 22:23 . 2011-05-14 09:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-08 19:09 . 2011-09-08 19:09 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-08 19:08 . 2011-09-08 19:08 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-09-08 19:08 . 2011-09-08 19:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-08 19:06 . 2011-09-08 19:06 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-08 18:48 . 2011-09-08 18:48 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-09-08 18:47 . 2011-09-08 18:47 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-09-08 18:47 . 2011-09-08 18:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-08 18:47 . 2011-09-08 18:47 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-08 18:45 . 2011-09-08 18:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-09-08 18:43 . 2011-09-08 18:43 276992 ----a-w- c:\windows\system32\schannel.dll
2011-09-08 18:37 . 2011-09-08 18:37 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-09-08 18:37 . 2011-09-08 18:37 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-08 18:19 . 2011-09-08 18:19 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-09-08 18:19 . 2011-09-08 18:19 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-09-08 18:18 . 2011-09-08 18:18 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-06 09:01 . 2011-08-26 19:21 0 ----a-w- c:\users\Agnew\AppData\Local\Lvujilucipihaxi.bin
2011-08-09 13:24 . 2011-08-09 13:24 163424 ----a-w- c:\windows\system32\drivers\eamonm.sys
2011-08-04 08:20 . 2011-08-04 08:20 50624 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2011-08-04 08:20 . 2011-08-04 08:20 33656 ----a-w- c:\windows\system32\drivers\EpfwLWF.sys
2011-08-04 08:20 . 2011-08-04 08:20 147480 ----a-w- c:\windows\system32\drivers\epfw.sys
2011-08-04 08:20 . 2011-08-04 08:20 118104 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2011-09-30 17:22 . 2011-09-26 22:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-06-05 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OE1FSC1STlhCRC1HTVlIRi1CU0xTUi1aNFlGRy1QRU1CUg&inst=NzYtOTIzNzYyNDA4LVhPMzYrMS1UQjkrMi1OMUQrMS1QTCs5LVFJWDErNC1YMjAxMCsyLVNQMSsxLVRVRyszLUNJUCsyLVNQMVMyKzEtU1AxUzMrMS1TVUQrMS1TMUkrMS1TVTMrMS1EMzgxTCs3LUREVCszNjkxMi1JMTArMS1MU0QrMi1ERDEwKzEtU1QxMEFQUCsxLVNUMTJPSSsxLUVVTEErMS1JMTIrMS1TVDEyQVBQKzE&prod=94&ver=2012.0.1831&mid=b066b8a189f970aa9fa1a61d3296cb9f-e6059d59138b1401c9d44a6e7bd6ef98398ee44f" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-10-28 257440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-06 11:55 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-04-08 13:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 16:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 11:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-08-14 09:40 1348904 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-06-05 19:23 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EMebFix;EMebFix;c:\users\Agnew\AppData\Local\Temp\EOlmalikFixer\EMebFix.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-25 685816]
R4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2011-08-04 50624]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 118104]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2011-08-04 33656]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-16 40960]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 163424]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2011-09-22 974944]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\IObit\Advanced SystemCare 3\SPICtrl.dll
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\Agnew\AppData\Roaming\Mozilla\Firefox\Profiles\egyarxdf.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-19 23:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-19 23:29:15
ComboFix-quarantined-files.txt 2011-10-19 22:29
ComboFix2.txt 2011-10-19 17:46
ComboFix3.txt 2011-10-04 19:30
ComboFix4.txt 2010-06-29 13:28
.
Pre-Run: 53,998,182,400 bytes free
Post-Run: 56,128,507,904 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BCB2B71289CA65179FB7DF6E3998CF75

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • Gender:Male
  • Location:Puerto rico

Posted 19 October 2011 - 09:52 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Java™ 6 Update 3
Java™ 6 Update 7


and click on remove

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select "Run as administrator".

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 Black Vodka

  • Topic Starter
  • Members

Posted 19 October 2011 - 10:47 PM

MBAM log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7985

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

20/10/2011 04:33:08
mbam-log-2011-10-20 (04-33-08).txt

Scan type: Quick scan
Objects scanned: 175663
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 04:42:44, on 20/10/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.daemon-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OE1FSC1STlhCRC1HTVlIRi1CU0xTUi1aNFlGRy1QRU1CUg"&"inst=NzYtOTIzNzYyNDA4LVhPMzYrMS1UQjkrMi1OMUQrMS1QTCs5LVFJWDErNC1YMjAxMCsyLVNQMSsxLVRVRyszLUNJUCsyLVNQMVMyKzEtU1AxUzMrMS1TVUQrMS1TMUkrMS1TVTMrMS1EMzgxTCs3LUREVCszNjkxMi1JMTArMS1MU0QrMi1ERDEwKzEtU1QxMEFQUCsxLVNUMTJPSSsxLUVVTEErMS1JMTIrMS1TVDEyQVBQKzE"&"prod=94"&"ver=2012.0.1831"&"mid=b066b8a189f970aa9fa1a61d3296cb9f-e6059d59138b1401c9d44a6e7bd6ef98398ee44f
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll
O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll
O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll
O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

--
End of file - 4162 bytes
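
Added example, not part of this thread or of HijackThis: a small Python triage pass over HijackThis log lines of the kind pasted above. It parses the `R`/`O` codes and flags the entry types a helper looks at first in such a log: a browser start page that is not a stock Microsoft page, BHO and toolbar entries whose file is missing, autorun entries that merely open a URL, and third-party Winsock LSP modules (reported once even though HijackThis lists the same DLL four times). The sample lines are copied from the log above, with the long AVG query string replaced by a placeholder; the allow-list of default pages and the flagging rules are my assumptions for this example.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log above (abridged; the AVG
# query string is replaced by PLACEHOLDER and one empty "Local Page" line is
# included to show the empty-value case).
SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = my.daemon-search.com
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe" /hide /waitservice
O4 - HKLM\\..\\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=PLACEHOLDER
O4 - HKCU\\..\\Run: [uTorrent] "C:\\Program Files\\uTorrent\\uTorrent.exe"
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
O10 - Unknown file in Winsock LSP: c:\\program files\\iobit\\advanced systemcare 3\\spictrl.dll
O10 - Unknown file in Winsock LSP: c:\\program files\\iobit\\advanced systemcare 3\\spictrl.dll
O23 - Service: ESET Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET Smart Security\\ekrn.exe
"""

# Each entry is "<code> - <body>", e.g. "O4 - HKLM\..\Run: ..." (assumed format).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Stock IE start/search pages; anything else in an R0/R1 line is worth a look.
# Assumed allow-list for this example.
DEFAULT_PAGES = ("http://go.microsoft.com/fwlink/",)

# An O4 autorun whose "program" is just a shell launching a URL.
URL_LAUNCH_RE = re.compile(r"cmd\.exe\s+/c\s+start\s+https?://", re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str


def parse_hjt(text):
    """Return the R/O entries of a HijackThis log; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def triage(entries):
    """Flag the entry types a reviewer checks first; each finding is a dict."""
    findings = []
    seen_lsp = set()
    for e in entries:
        if e.code in ("R0", "R1"):
            # "key = value"; a trailing "=" with no value is an unset page, not a finding
            _, sep, value = e.body.partition(" = ")
            value = value.strip()
            if sep and value and not value.startswith(DEFAULT_PAGES):
                findings.append({"code": e.code, "reason": "non-default browser page", "detail": value})
        elif e.code == "O2" and e.body.endswith("(no file)"):
            findings.append({"code": e.code, "reason": "orphaned BHO registration", "detail": e.body})
        elif e.code == "O4" and URL_LAUNCH_RE.search(e.body):
            findings.append({"code": e.code, "reason": "autorun entry that only opens a URL", "detail": e.body})
        elif e.code == "O9" and e.body.endswith("(file missing)"):
            findings.append({"code": e.code, "reason": "toolbar button with missing file", "detail": e.body})
        elif e.code == "O10":
            path = e.body.split(": ", 1)[-1].strip().lower()
            if path not in seen_lsp:  # HijackThis repeats one LSP DLL per protocol chain
                seen_lsp.add(path)
                findings.append({"code": e.code, "reason": "third-party Winsock LSP", "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{f['code']:<4} {f['reason']}: {f['detail']}")
```

The findings are review hints, not verdicts: the LSP flagged here belongs to a known IObit product, and the orphaned BHO and missing toolbar button are leftovers rather than active code. The value of the pass is that it separates the handful of lines that need a human decision from the dozens that are routine.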

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2011 - 12:36 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.




If you have any problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select "Run as administrator".


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo

Edited by gringo_pr, 20 October 2011 - 12:36 AM.


#11 Black Vodka

  • Topic Starter
  • Members

Posted 20 October 2011 - 01:59 PM

Eset Online Scanner log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=c239995e3d5f3a44bd11bc683fdcb905
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-20 06:53:18
# local_time=2011-10-20 07:53:18 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 49210 49210 0 0
# compatibility_mode=5892 16776574 100 100 57122674 156663878 0 0
# compatibility_mode=8206 22379965 100 88 1838 2441916 0 0
# scanned=132975
# found=1
# cleaned=0
# scan_time=5647
# nod_component=V3 Build:0x30000000
C:\Users\Agnew\Downloads\ESET.Smart.Security.5.&.ESET.NOD32.AntiVirus.5.Incl.Crack(32.and.64.Bit)\Crack\ESET.PureFix.V2b.exe Win32/HackAV.HP application (unable to clean) 00000000000000000000000000000000 I

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2011 - 02:24 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Users\Agnew\Downloads\ESET.Smart.Security.5.&.ESET.NOD32.AntiVirus.5.Incl.Crack(32.and.64.Bit)\Crack\ESET.PureFix.V2b.exe"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: [screenshot: XP] [screenshot: Vista]
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to your desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select "Automatic (recommended): Automatically download recommended updates for my computer and install them".

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University
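
The "Make your Internet Explorer more secure" steps above correspond to five DWORD values under the Internet zone's registry key, so the settings can be audited, or pushed out as a .reg file, without clicking through the Custom Level dialog on each machine. The script below is an added example for this thread, not a tool from the post or from Microsoft. The value names 1001, 1004, 1201, 1800 and 1804 and the encoding 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented Internet Explorer zone registry entries; the recommended-state table mirrors the post; the helper names, the comparison logic and the .reg rendering are this example's own assumptions. Reading the live registry only works on Windows; the audit and the .reg output run anywhere.

```python
"""Audit and remediate the IE Internet-zone settings from the post above.

Added example for this thread, not a BleepingComputer or Microsoft tool.  The
value names and the 0/1/3 encoding are the documented IE zone registry
entries; the RECOMMENDED table, helper names and .reg rendering are assumed."""
try:
    import winreg  # Windows only; the audit logic itself is portable
except ImportError:
    winreg = None

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = "3"   # 0=My Computer 1=Local intranet 2=Trusted 3=Internet 4=Restricted
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher is safer

# value name -> (label shown in the Custom Level dialog, minimum acceptable action)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
}


def audit_zone(current):
    """Return (name, label, have, want) for every setting laxer than recommended.

    `current` maps value name -> DWORD as read from the zone key.  A setting
    that is stricter than recommended (Disable where Prompt would do) is fine."""
    findings = []
    for name, (label, wanted) in RECOMMENDED.items():
        have = current.get(name)
        if have is None:
            findings.append((name, label, "not set", ACTION_NAME[wanted]))
        elif STRICTNESS.get(have, -1) < STRICTNESS[wanted]:
            findings.append((name, label, ACTION_NAME.get(have, str(have)),
                             ACTION_NAME[wanted]))
    return findings


def reg_file(zone=INTERNET_ZONE, hive="HKEY_CURRENT_USER"):
    """Render a .reg file that applies the recommended values (import with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[%s\\%s\\%s]" % (hive, ZONES_KEY, zone)]
    for name, (_, wanted) in RECOMMENDED.items():
        lines.append('"%s"=dword:%08x' % (name, wanted))
    return "\r\n".join(lines) + "\r\n"


def read_zone(zone=INTERNET_ZONE):
    """Read the live per-user zone values (Windows only).

    Caveat: when the Security_HKLM_only policy is set, IE takes the zone
    settings from HKEY_LOCAL_MACHINE instead, and this HKCU read is moot."""
    if winreg is None:
        raise OSError("winreg unavailable: not running on Windows")
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + zone) as key:
        for name in RECOMMENDED:
            try:
                value, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue   # not set for this user: reported as "not set" by audit_zone
            if kind == winreg.REG_DWORD:
                current[name] = value
    return current


if __name__ == "__main__":
    try:
        live = read_zone()
    except OSError as exc:
        print(exc)
        live = {}
    for name, label, have, want in audit_zone(live):
        print("%s  %-62s is %-8s want %s" % (name, label, have, want))
    print(reg_file())
```

Run it once before and once after importing the generated .reg file (restart Internet Explorer in between) to confirm the audit comes back empty; the same table can be pointed at the Restricted zone ("4") by passing a different zone name.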

#13 Black Vodka

Black Vodka
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 20 October 2011 - 03:16 PM

All seems good havn't had any warning since your help thanks much appreciated.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:25 PM

Posted 20 October 2011 - 04:09 PM

You are most welcome


gringo

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:25 PM

Posted 23 October 2011 - 01:51 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.