
Google redirects


  • This topic is locked
16 replies to this topic

#1 CellsReinvent


  • Members
  • 8 posts

Posted 27 October 2011 - 10:46 AM

Google search results are being redirected to random sites in IE, Chrome and FF. If using IE the window closes itself periodically too.

MBAM is reporting svchost.exe being blocked from accessing potentially malicious web sites on 208.73.210.29 and 64.120.141.165 several times a day.

MBAM, Spybot S&D, SUPERAntiSpyware, Symantec Endpoint Protection scans all report nothing found (except a few tracking cookies - usually to doubleclick)

SysInternals Process Explorer shows an iexplore.exe running under the [svchost -k DcomLaunch] process, with a command line of [C:\Program Files\Internet Explorer\iexplore.exe -Embedded]. If I kill this process it restarts after a while.

Can anyone help?

Here's the DDS log, the Attach.txt is attached.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 12:22:28 on 2011-10-27
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3061.2172 [GMT 1:00]
.
AV: PC Cleaners *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://server
uDefault_Page_URL = hxxp://server
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://server/Reports_SQLEXPRESS/Reserved.ReportViewerWebControl.axd?ReportSession=bfuvwc555aozov45ffjwlv45&ControlID=ae2ec9e224b749a5adffa4420ba11dfa&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab&Arch=X86
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260281083779
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.10.1.2
TCP: Interfaces\{373F4763-7CB4-498B-8666-823DAF98251C} : DhcpNameServer = 10.10.1.2
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.schofields\application data\mozilla\firefox\profiles\5v9dopcf.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-11 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-11 108392]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-29 366152]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-7-28 576024]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-10-26 439632]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-8-11 1839776]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-29 22216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111026.025\NAVENG.SYS [2011-10-27 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111026.025\NAVEX15.SYS [2011-10-27 1576312]
.
=============== Created Last 30 ================
.
2011-10-27 07:54:35 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{9250e94f-f447-4c4d-a05a-2d57b3e84a4c}\offreg.dll
2011-10-26 19:51:08 -------- d-----w- C:\ComboFix
2011-10-26 18:51:44 -------- d-sha-r- C:\cmdcons
2011-10-26 18:44:40 98816 ----a-w- c:\windows\sed.exe
2011-10-26 18:44:40 518144 ----a-w- c:\windows\SWREG.exe
2011-10-26 18:44:40 256000 ----a-w- c:\windows\PEV.exe
2011-10-26 18:44:40 208896 ----a-w- c:\windows\MBR.exe
2011-10-26 17:44:14 -------- d-----w- c:\documents and settings\administrator.schofields\local settings\application data\Adobe
2011-10-26 15:16:42 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
2011-10-26 15:06:32 -------- d-----w- c:\program files\WinPcap
2011-10-26 14:08:23 -------- d-----w- c:\windows\pss
2011-10-26 14:03:37 388096 ----a-r- c:\documents and settings\administrator.schofields\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-26 14:03:36 -------- d-----w- c:\program files\Trend Micro
2011-10-26 11:51:37 -------- d-----w- c:\documents and settings\administrator.schofields\application data\SUPERAntiSpyware.com
2011-10-26 11:51:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-26 11:51:02 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-26 11:45:47 -------- d-----w- c:\documents and settings\administrator.schofields\application data\Malwarebytes
2011-10-26 11:44:24 -------- d-----w- c:\documents and settings\administrator.schofields\local settings\application data\Mozilla
2011-10-26 11:25:10 -------- d-----w- c:\documents and settings\all users\application data\Ask
2011-10-26 11:18:10 -------- d-sh--w- c:\documents and settings\administrator.schofields\PrivacIE
2011-10-26 11:18:00 293888 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HP1006S.DLL
2011-10-25 12:42:15 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{9250e94f-f447-4c4d-a05a-2d57b3e84a4c}\mpengine.dll
2011-10-13 10:42:32 -------- d-----w- c:\documents and settings\all users\application data\PC1Data
2011-10-10 14:02:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-10 14:02:05 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-09-29 15:27:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-29 15:27:49 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-29 15:27:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
==================== Find3M ====================
.
2011-10-21 07:44:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-13 10:42:18 5356304 ----a-w- c:\windows\uninst.exe
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-11 10:44:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-11 10:44:46 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-08-11 09:34:06 87408 ----a-w- c:\windows\system32\FwsVpn.dll
2011-08-11 09:34:06 625032 ----a-w- c:\windows\system32\SymNeti.dll
2011-08-11 09:34:06 242056 ----a-w- c:\windows\system32\SymRedir.dll
2011-08-11 09:34:06 107888 ----a-w- c:\windows\system32\SymVPN.dll
2011-08-11 09:34:04 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2011-08-11 09:34:04 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys
2011-08-11 09:34:04 284720 ----a-w- c:\windows\system32\drivers\srtsp.sys
2011-08-11 09:33:58 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2011-08-11 09:33:58 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2011-08-11 09:33:58 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2011-08-11 09:33:58 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2011-08-11 09:33:58 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2011-08-11 09:33:58 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2011-08-11 09:33:58 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
.
============= FINISH: 12:28:29.37 ===============


#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 October 2011 - 10:40 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 CellsReinvent

  • Topic Starter

  • Members
  • 8 posts

Posted 31 October 2011 - 08:26 AM

Hi Gringo. Thanks for the help. I have no access to the affected system today, but will be able to get to it tomorrow (Tuesday AM) to run the steps you've outlined. Is that OK?

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 October 2011 - 11:15 AM

that is fine


gringo

#5 CellsReinvent

  • Topic Starter

  • Members
  • 8 posts

Posted 01 November 2011 - 06:59 AM

Combofix ran without any problems - took about 30 minutes to run to completion.

All browsers still redirecting Google search results. I've had IE running for over an hour and the window hasn't closed itself yet (though this was intermittent so it may do it later).

Here's the Combofix log:


ComboFix 11-11-01.02 - Administrator 01/11/2011 10:21:23.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3061.2276 [GMT 0:00]
Running from: c:\documents and settings\Administrator.SCHOFIELDS\Desktop\Tools\ComboFix.exe
AV: PC Cleaners *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-10-01 to 2011-11-01 )))))))))))))))))))))))))))))))
.
.
2011-11-01 08:46 . 2011-11-01 08:46 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{08EF56E7-9871-40A0-9C9B-EF0EDA9F298E}\offreg.dll
2011-11-01 08:46 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{08EF56E7-9871-40A0-9C9B-EF0EDA9F298E}\mpengine.dll
2011-10-26 15:16 . 2011-10-26 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-10-26 15:06 . 2011-10-26 15:06 -------- d-----w- c:\program files\WinPcap
2011-10-26 14:03 . 2011-10-26 15:06 -------- d-----w- c:\program files\Trend Micro
2011-10-26 11:51 . 2011-10-26 11:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-26 11:51 . 2011-10-26 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-26 11:25 . 2011-10-26 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Ask
2011-10-26 11:18 . 2009-09-22 10:50 293888 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1006S.DLL
2011-10-26 11:17 . 2011-11-01 10:09 -------- d-----w- c:\documents and settings\Administrator.SCHOFIELDS
2011-10-13 10:42 . 2011-10-13 10:42 -------- d-----w- c:\documents and settings\JSchofield\Application Data\PC Cleaners
2011-10-13 10:42 . 2011-10-13 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC1Data
2011-10-13 10:38 . 2011-10-13 10:38 -------- d-----w- c:\documents and settings\JSchofield\Application Data\ElevatedDiagnostics
2011-10-10 14:02 . 2011-10-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-10 14:02 . 2011-10-10 14:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-21 07:44 . 2011-05-16 07:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-13 10:42 . 2009-10-08 12:36 5356304 ----a-w- c:\windows\uninst.exe
2011-10-07 03:48 . 2009-10-08 08:04 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 04:06 . 2011-09-29 15:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 01:37 . 2011-09-29 15:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 10:41 . 2008-07-29 19:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2008-04-14 01:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2008-04-14 01:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2008-04-14 01:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 01:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00 . 2009-10-29 12:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2008-04-14 01:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-14 01:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-04-14 01:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-04-14 01:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-14 01:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-11 10:44 . 2010-01-29 13:54 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-11 10:44 . 2010-01-29 13:54 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-08-11 09:34 . 2011-08-11 09:34 87408 ----a-w- c:\windows\system32\FwsVpn.dll
2011-08-11 09:34 . 2011-08-11 09:34 625032 ----a-w- c:\windows\system32\SymNeti.dll
2011-08-11 09:34 . 2011-08-11 09:34 242056 ----a-w- c:\windows\system32\SymRedir.dll
2011-08-11 09:34 . 2011-08-11 09:34 107888 ----a-w- c:\windows\system32\SymVPN.dll
2011-08-11 09:34 . 2011-08-11 09:34 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2011-08-11 09:34 . 2011-08-11 09:34 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys
2011-08-11 09:34 . 2011-08-11 09:34 284720 ----a-w- c:\windows\system32\drivers\srtsp.sys
2011-08-11 09:33 . 2011-08-11 09:33 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2011-08-11 09:33 . 2011-08-11 09:33 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2011-08-11 09:33 . 2011-08-11 09:33 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2011-08-11 09:33 . 2011-08-11 09:33 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2011-08-11 09:33 . 2011-08-11 09:33 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2011-08-11 09:33 . 2011-08-11 09:33 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2011-08-11 09:33 . 2011-08-11 09:33 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2011-09-08 07:55 . 2011-06-23 08:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-26_20.31.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-01 08:42 . 2011-11-01 08:42 16384 c:\windows\Temp\Perflib_Perfdata_84.dat
+ 2009-04-06 06:51 . 2011-10-31 08:41 72848 c:\windows\system32\perfc009.dat
+ 2009-10-07 03:51 . 2011-10-28 10:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-07 03:51 . 2011-10-21 09:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-07 03:51 . 2011-10-21 09:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-07 03:51 . 2011-10-28 10:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-07 03:51 . 2011-10-21 09:14 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-10-28 10:16 . 2011-10-28 10:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-07 12:45 . 2011-10-27 07:50 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-04-06 06:51 . 2011-10-31 08:41 445290 c:\windows\system32\perfh009.dat
- 2009-10-07 12:45 . 2011-10-13 14:32 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-17 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-08-11 115560]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\JSchofield\Start Menu\Programs\Startup\
File System Watcher.lnk - c:\program files\file system watcher\FileSystemWatcher.exe [2010-2-5 185856]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PSI_SVC_2"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 16:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 21:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 23:38 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/10/2009 12:17 366152]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [28/07/2009 03:08 576024]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [18/04/2007 03:09 11032]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [26/10/2011 15:06 439632]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/07/2011 08:00 105592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/10/2009 12:17 22216]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140455926-1894099151-3587781780-1126Core.job
- c:\documents and settings\JSchofield\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-29 13:57]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140455926-1894099151-3587781780-1126UA.job
- c:\documents and settings\JSchofield\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-29 13:57]
.
2011-11-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2011-11-01 c:\windows\Tasks\User_Feed_Synchronization-{9E519B8F-D70A-469E-B9E9-875D3727E7A1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://server
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.10.1.2
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://server/Reports_SQLEXPRESS/Reserved.ReportViewerWebControl.axd?ReportSession=bfuvwc555aozov45ffjwlv45&ControlID=ae2ec9e224b749a5adffa4420ba11dfa&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab&Arch=X86
FF - ProfilePath - c:\documents and settings\Administrator.SCHOFIELDS\Application Data\Mozilla\Firefox\Profiles\5v9dopcf.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-01 10:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-140455926-1894099151-3587781780-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,6a,e8,b1,8a,09,91,46,9c,87,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,6a,e8,b1,8a,09,91,46,9c,87,72,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\KMPJLMN.DLL
.
- - - - - - - > 'winlogon.exe'(1568)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-11-01 11:06:17
ComboFix-quarantined-files.txt 2011-11-01 11:05
.
Pre-Run: 446,775,164,928 bytes free
Post-Run: 446,777,307,136 bytes free
.
- - End Of File - - 0E9CE0BC4E05E8619698CF0A955F6717

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 November 2011 - 01:18 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 CellsReinvent
  • Topic Starter

  • Members
  • 8 posts

Posted 02 November 2011 - 04:46 AM

I downloaded TDSSKiller from the URL provided but it won't run on the affected system. I get the "do you want to run this file" dialog, but when I click Run no window appears and no TDSSKiller process is created. The same file runs fine on other computers.

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 November 2011 - 11:47 AM

Hello

I would like you to run this tool for me - FixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete, I want you to restart the computer, try to rerun TDSSKiller for me and send me the report.

Gringo

#9 CellsReinvent
  • Topic Starter

  • Members
  • 8 posts

Posted 03 November 2011 - 04:17 AM

Hi Gringo.

FixTDSS asked for a reboot as soon as it started, then ran after reboot.

It said ***Infected MBR detected

I clicked Repair
It said Repair was successful
Clicked OK
It said Repair Succeeded
Clicked Close

Re-ran TDSSKiller
It ran to completion this time and reported "No threats"

Here's the TDSSKiller report:

09:13:13.0057 2332 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01
09:13:13.0177 2332 ============================================================
09:13:13.0177 2332 Current date / time: 2011/11/03 09:13:13.0177
09:13:13.0177 2332 SystemInfo:
09:13:13.0177 2332
09:13:13.0177 2332 OS Version: 5.1.2600 ServicePack: 3.0
09:13:13.0177 2332 Product type: Workstation
09:13:13.0177 2332 ComputerName: JON-PC
09:13:13.0177 2332 UserName: Administrator
09:13:13.0177 2332 Windows directory: C:\WINDOWS
09:13:13.0177 2332 System windows directory: C:\WINDOWS
09:13:13.0177 2332 Processor architecture: Intel x86
09:13:13.0177 2332 Number of processors: 2
09:13:13.0177 2332 Page size: 0x1000
09:13:13.0177 2332 Boot type: Normal boot
09:13:13.0177 2332 ============================================================
09:13:14.0186 2332 Initialize success
09:13:22.0876 3684 ============================================================
09:13:22.0876 3684 Scan started
09:13:22.0876 3684 Mode: Manual;
09:13:22.0876 3684 ============================================================
09:13:23.0177 3684 Abiosdsk - ok
09:13:23.0207 3684 abp480n5 - ok
09:13:23.0252 3684 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
09:13:23.0252 3684 ac97intc - ok
09:13:23.0298 3684 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:13:23.0298 3684 ACPI - ok
09:13:23.0328 3684 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:13:23.0328 3684 ACPIEC - ok
09:13:23.0343 3684 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
09:13:23.0358 3684 adpu160m - ok
09:13:23.0373 3684 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
09:13:23.0373 3684 adpu320 - ok
09:13:23.0403 3684 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:13:23.0403 3684 aec - ok
09:13:23.0448 3684 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:13:23.0448 3684 AFD - ok
09:13:23.0463 3684 Aha154x - ok
09:13:23.0478 3684 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
09:13:23.0478 3684 aic78u2 - ok
09:13:23.0539 3684 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
09:13:23.0539 3684 aic78xx - ok
09:13:23.0569 3684 AliIde - ok
09:13:23.0584 3684 amsint - ok
09:13:23.0614 3684 asc - ok
09:13:23.0644 3684 asc3350p - ok
09:13:23.0659 3684 asc3550 - ok
09:13:23.0719 3684 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:13:23.0719 3684 AsyncMac - ok
09:13:23.0749 3684 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:13:23.0749 3684 atapi - ok
09:13:23.0764 3684 Atdisk - ok
09:13:23.0795 3684 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:13:23.0795 3684 Atmarpc - ok
09:13:23.0825 3684 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:13:23.0825 3684 audstub - ok
09:13:23.0840 3684 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:13:23.0840 3684 Beep - ok
09:13:23.0960 3684 catchme - ok
09:13:23.0975 3684 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:13:23.0975 3684 cbidf2k - ok
09:13:24.0005 3684 cd20xrnt - ok
09:13:24.0036 3684 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:13:24.0036 3684 Cdaudio - ok
09:13:24.0051 3684 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:13:24.0051 3684 Cdfs - ok
09:13:24.0051 3684 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:13:24.0051 3684 Cdrom - ok
09:13:24.0066 3684 Changer - ok
09:13:24.0096 3684 CmdIde - ok
09:13:24.0126 3684 Cpqarray - ok
09:13:24.0156 3684 dac2w2k - ok
09:13:24.0171 3684 dac960nt - ok
09:13:24.0186 3684 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:13:24.0186 3684 Disk - ok
09:13:24.0231 3684 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:13:24.0231 3684 dmboot - ok
09:13:24.0246 3684 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:13:24.0246 3684 dmio - ok
09:13:24.0261 3684 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:13:24.0261 3684 dmload - ok
09:13:24.0292 3684 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:13:24.0292 3684 DMusic - ok
09:13:24.0322 3684 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
09:13:24.0322 3684 dpti2o - ok
09:13:24.0352 3684 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:13:24.0352 3684 drmkaud - ok
09:13:24.0367 3684 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
09:13:24.0367 3684 E100B - ok
09:13:24.0442 3684 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
09:13:24.0442 3684 eeCtrl - ok
09:13:24.0472 3684 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
09:13:24.0472 3684 EraserUtilRebootDrv - ok
09:13:24.0517 3684 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:13:24.0517 3684 Fastfat - ok
09:13:24.0548 3684 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
09:13:24.0548 3684 Fdc - ok
09:13:24.0563 3684 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:13:24.0563 3684 Fips - ok
09:13:24.0578 3684 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:13:24.0578 3684 Flpydisk - ok
09:13:24.0593 3684 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
09:13:24.0608 3684 FltMgr - ok
09:13:24.0623 3684 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:13:24.0623 3684 Fs_Rec - ok
09:13:24.0638 3684 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:13:24.0638 3684 Ftdisk - ok
09:13:24.0653 3684 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:13:24.0653 3684 Gpc - ok
09:13:24.0683 3684 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:13:24.0683 3684 HDAudBus - ok
09:13:24.0713 3684 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:13:24.0713 3684 HidUsb - ok
09:13:24.0728 3684 hpn - ok
09:13:24.0773 3684 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:13:24.0773 3684 HTTP - ok
09:13:24.0789 3684 i2omgmt - ok
09:13:24.0804 3684 i2omp - ok
09:13:24.0819 3684 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:13:24.0819 3684 i8042prt - ok
09:13:24.0834 3684 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
09:13:24.0834 3684 i81x - ok
09:13:24.0849 3684 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
09:13:24.0849 3684 iAimFP0 - ok
09:13:24.0849 3684 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
09:13:24.0849 3684 iAimFP1 - ok
09:13:24.0864 3684 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
09:13:24.0864 3684 iAimFP2 - ok
09:13:24.0879 3684 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
09:13:24.0879 3684 iAimFP3 - ok
09:13:24.0894 3684 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
09:13:24.0894 3684 iAimFP4 - ok
09:13:24.0909 3684 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
09:13:24.0909 3684 iAimFP5 - ok
09:13:24.0924 3684 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
09:13:24.0924 3684 iAimFP6 - ok
09:13:24.0924 3684 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
09:13:24.0924 3684 iAimFP7 - ok
09:13:24.0939 3684 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
09:13:24.0939 3684 iAimTV0 - ok
09:13:24.0954 3684 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
09:13:24.0954 3684 iAimTV1 - ok
09:13:24.0969 3684 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
09:13:24.0969 3684 iAimTV3 - ok
09:13:24.0984 3684 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
09:13:24.0984 3684 iAimTV4 - ok
09:13:24.0999 3684 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
09:13:24.0999 3684 iAimTV5 - ok
09:13:24.0999 3684 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
09:13:24.0999 3684 iAimTV6 - ok
09:13:25.0165 3684 ialm (c4018896856a1a1f1f3a0a6ee7206551) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
09:13:25.0195 3684 ialm - ok
09:13:25.0210 3684 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:13:25.0210 3684 Imapi - ok
09:13:25.0225 3684 ini910u - ok
09:13:25.0316 3684 IntcAzAudAddService (5731a30009baac8a38103866f6046d8a) C:\WINDOWS\system32\drivers\RtkHDAud.sys
09:13:25.0331 3684 IntcAzAudAddService - ok
09:13:25.0346 3684 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
09:13:25.0361 3684 IntelIde - ok
09:13:25.0376 3684 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:13:25.0376 3684 intelppm - ok
09:13:25.0391 3684 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
09:13:25.0391 3684 Ip6Fw - ok
09:13:25.0406 3684 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:13:25.0421 3684 IpFilterDriver - ok
09:13:25.0436 3684 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:13:25.0436 3684 IpInIp - ok
09:13:25.0466 3684 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:13:25.0466 3684 IpNat - ok
09:13:25.0481 3684 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:13:25.0481 3684 IPSec - ok
09:13:25.0496 3684 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:13:25.0496 3684 IRENUM - ok
09:13:25.0542 3684 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:13:25.0542 3684 isapnp - ok
09:13:25.0587 3684 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
09:13:25.0587 3684 Iviaspi - ok
09:13:25.0632 3684 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:13:25.0632 3684 Kbdclass - ok
09:13:25.0677 3684 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:13:25.0677 3684 kbdhid - ok
09:13:25.0707 3684 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:13:25.0707 3684 kmixer - ok
09:13:25.0737 3684 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:13:25.0737 3684 KSecDD - ok
09:13:25.0767 3684 lbrtfdc - ok
09:13:25.0828 3684 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
09:13:25.0828 3684 MBAMProtector - ok
09:13:25.0873 3684 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:13:25.0873 3684 mnmdd - ok
09:13:25.0888 3684 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:13:25.0888 3684 Modem - ok
09:13:25.0918 3684 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:13:25.0918 3684 Mouclass - ok
09:13:25.0948 3684 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:13:25.0948 3684 mouhid - ok
09:13:25.0963 3684 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:13:25.0963 3684 MountMgr - ok
09:13:25.0978 3684 mraid35x - ok
09:13:25.0993 3684 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:13:25.0993 3684 MRxDAV - ok
09:13:26.0023 3684 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:13:26.0023 3684 MRxSmb - ok
09:13:26.0069 3684 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:13:26.0069 3684 Msfs - ok
09:13:26.0099 3684 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:13:26.0099 3684 MSKSSRV - ok
09:13:26.0114 3684 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:13:26.0114 3684 MSPCLOCK - ok
09:13:26.0129 3684 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:13:26.0129 3684 MSPQM - ok
09:13:26.0159 3684 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:13:26.0159 3684 mssmbios - ok
09:13:26.0189 3684 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:13:26.0189 3684 Mup - ok
09:13:26.0310 3684 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20111102.039\NAVENG.SYS
09:13:26.0310 3684 NAVENG - ok
09:13:26.0340 3684 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20111102.039\NAVEX15.SYS
09:13:26.0355 3684 NAVEX15 - ok
09:13:26.0400 3684 NDIS (8716356e49a665bdc7b114725b60a456) C:\WINDOWS\system32\drivers\NDIS.sys
09:13:26.0400 3684 NDIS - ok
09:13:26.0430 3684 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:13:26.0430 3684 NdisTapi - ok
09:13:26.0445 3684 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:13:26.0445 3684 Ndisuio - ok
09:13:26.0475 3684 NdisWan (5526cfebb619f7f763bd6a2e1b618078) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:13:26.0475 3684 NdisWan - ok
09:13:26.0505 3684 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:13:26.0505 3684 NDProxy - ok
09:13:26.0520 3684 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:13:26.0520 3684 NetBIOS - ok
09:13:26.0536 3684 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:13:26.0536 3684 NetBT - ok
09:13:26.0626 3684 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
09:13:26.0626 3684 NPF - ok
09:13:26.0626 3684 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:13:26.0626 3684 Npfs - ok
09:13:26.0656 3684 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:13:26.0656 3684 Ntfs - ok
09:13:26.0686 3684 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:13:26.0686 3684 Null - ok
09:13:26.0716 3684 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:13:26.0716 3684 NwlnkFlt - ok
09:13:26.0746 3684 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:13:26.0746 3684 NwlnkFwd - ok
09:13:26.0807 3684 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
09:13:26.0807 3684 P3 - ok
09:13:26.0822 3684 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:13:26.0822 3684 Parport - ok
09:13:26.0837 3684 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:13:26.0837 3684 PartMgr - ok
09:13:26.0852 3684 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:13:26.0852 3684 ParVdm - ok
09:13:26.0882 3684 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:13:26.0882 3684 PCI - ok
09:13:26.0897 3684 PCIDump - ok
09:13:26.0927 3684 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:13:26.0927 3684 PCIIde - ok
09:13:26.0957 3684 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:13:26.0957 3684 Pcmcia - ok
09:13:26.0972 3684 PDCOMP - ok
09:13:27.0002 3684 PDFRAME - ok
09:13:27.0032 3684 PDRELI - ok
09:13:27.0048 3684 PDRFRAME - ok
09:13:27.0078 3684 perc2 - ok
09:13:27.0078 3684 perc2hib - ok
09:13:27.0138 3684 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:13:27.0138 3684 PptpMiniport - ok
09:13:27.0153 3684 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:13:27.0153 3684 PSched - ok
09:13:27.0168 3684 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:13:27.0168 3684 Ptilink - ok
09:13:27.0168 3684 ql1080 - ok
09:13:27.0183 3684 Ql10wnt - ok
09:13:27.0198 3684 ql12160 - ok
09:13:27.0213 3684 ql1240 - ok
09:13:27.0228 3684 ql1280 - ok
09:13:27.0243 3684 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:13:27.0243 3684 RasAcd - ok
09:13:27.0258 3684 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:13:27.0258 3684 Rasl2tp - ok
09:13:27.0273 3684 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:13:27.0273 3684 RasPppoe - ok
09:13:27.0289 3684 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:13:27.0289 3684 Raspti - ok
09:13:27.0304 3684 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:13:27.0304 3684 Rdbss - ok
09:13:27.0319 3684 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:13:27.0319 3684 RDPCDD - ok
09:13:27.0349 3684 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:13:27.0349 3684 rdpdr - ok
09:13:27.0379 3684 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:13:27.0379 3684 RDPWD - ok
09:13:27.0424 3684 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:13:27.0424 3684 redbook - ok
09:13:27.0469 3684 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
09:13:27.0469 3684 regi - ok
09:13:27.0529 3684 RTLE8023xp (badabe0940c01619e8510b90fb314929) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
09:13:27.0529 3684 RTLE8023xp - ok
09:13:27.0620 3684 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
09:13:27.0620 3684 SASDIFSV - ok
09:13:27.0635 3684 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
09:13:27.0635 3684 SASKUTIL - ok
09:13:27.0695 3684 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:13:27.0695 3684 Secdrv - ok
09:13:27.0725 3684 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:13:27.0725 3684 serenum - ok
09:13:27.0740 3684 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:13:27.0740 3684 Serial - ok
09:13:27.0770 3684 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:13:27.0770 3684 Sfloppy - ok
09:13:27.0785 3684 Simbad - ok
09:13:27.0831 3684 Sparrow - ok
09:13:27.0906 3684 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
09:13:27.0906 3684 SPBBCDrv - ok
09:13:27.0921 3684 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:13:27.0921 3684 splitter - ok
09:13:27.0951 3684 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:13:27.0951 3684 sr - ok
09:13:27.0981 3684 SRTSP (b36f8d6a02ff2b3a53e250a629782f29) C:\WINDOWS\system32\Drivers\SRTSP.SYS
09:13:27.0996 3684 SRTSP - ok
09:13:28.0057 3684 SRTSPL (e99bd98ac171a29fc1ba9376be87ae73) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
09:13:28.0057 3684 SRTSPL - ok
09:13:28.0057 3684 SRTSPX (1af34729898063e9b7df8d149d767e07) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
09:13:28.0057 3684 SRTSPX - ok
09:13:28.0132 3684 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:13:28.0132 3684 Srv - ok
09:13:28.0177 3684 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:13:28.0177 3684 swenum - ok
09:13:28.0177 3684 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:13:28.0177 3684 swmidi - ok
09:13:28.0207 3684 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
09:13:28.0207 3684 symc810 - ok
09:13:28.0222 3684 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
09:13:28.0222 3684 symc8xx - ok
09:13:28.0267 3684 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
09:13:28.0267 3684 SymEvent - ok
09:13:28.0298 3684 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
09:13:28.0298 3684 Symmpi - ok
09:13:28.0328 3684 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
09:13:28.0328 3684 SYMREDRV - ok
09:13:28.0343 3684 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
09:13:28.0358 3684 SYMTDI - ok
09:13:28.0358 3684 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
09:13:28.0373 3684 sym_hi - ok
09:13:28.0388 3684 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
09:13:28.0388 3684 sym_u3 - ok
09:13:28.0403 3684 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:13:28.0403 3684 sysaudio - ok
09:13:28.0463 3684 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:13:28.0463 3684 Tcpip - ok
09:13:28.0493 3684 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:13:28.0493 3684 TDPIPE - ok
09:13:28.0493 3684 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:13:28.0493 3684 TDTCP - ok
09:13:28.0538 3684 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:13:28.0538 3684 TermDD - ok
09:13:28.0554 3684 TosIde - ok
09:13:28.0584 3684 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:13:28.0584 3684 Udfs - ok
09:13:28.0599 3684 ultra - ok
09:13:28.0629 3684 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:13:28.0629 3684 usbccgp - ok
09:13:28.0644 3684 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:13:28.0644 3684 usbehci - ok
09:13:28.0674 3684 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:13:28.0674 3684 usbhub - ok
09:13:28.0704 3684 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:13:28.0704 3684 usbprint - ok
09:13:28.0719 3684 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:13:28.0719 3684 USBSTOR - ok
09:13:28.0749 3684 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:13:28.0749 3684 usbuhci - ok
09:13:28.0764 3684 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:13:28.0764 3684 VgaSave - ok
09:13:28.0779 3684 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
09:13:28.0779 3684 ViaIde - ok
09:13:28.0795 3684 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:13:28.0795 3684 VolSnap - ok
09:13:28.0825 3684 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:13:28.0825 3684 Wanarp - ok
09:13:28.0825 3684 WDICA - ok
09:13:28.0855 3684 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:13:28.0855 3684 wdmaud - ok
09:13:28.0975 3684 MBR (0x1B8) (4f02a8d4048a138c450ed7f867eb0144) \Device\Harddisk0\DR0
09:13:29.0066 3684 \Device\Harddisk0\DR0 - ok
09:13:29.0081 3684 Boot (0x1200) (411dbff52e7df507e5ab07d393cb9188) \Device\Harddisk0\DR0\Partition0
09:13:29.0081 3684 \Device\Harddisk0\DR0\Partition0 - ok
09:13:29.0096 3684 Boot (0x1200) (2cc8dd448f23e93c043d23375413e86a) \Device\Harddisk0\DR0\Partition1
09:13:29.0096 3684 \Device\Harddisk0\DR0\Partition1 - ok
09:13:29.0096 3684 ============================================================
09:13:29.0096 3684 Scan finished
09:13:29.0096 3684 ============================================================
09:13:29.0111 3632 Detected object count: 0
09:13:29.0111 3632 Actual detected object count: 0
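
The report above follows a fixed line shape (object record, then a verdict line for that object, then a summary count). The triage helper below is an added example, not a tool from this thread or from Kaspersky: it parses that format, lists every object not marked "ok", and compares the MBR and boot-sector hashes with a baseline taken from the same disk while it was known clean. The sample log reuses lines from the report above plus one constructed non-"ok" verdict, and the baseline hashes are constructed.

```python
"""Triage helper for the TDSSKiller log format pasted above.

Added example, not a BleepingComputer or Kaspersky tool.  It recognises the
three line shapes that carry data in such a report:

    <time> <tid> <name> (<md5>) <path>         an object record
    <time> <tid> <name-or-path> - <verdict>    the verdict for that object
    <time> <tid> Detected object count: <n>    the scan summary

and reports every object whose verdict is not "ok", plus the MBR / boot
sector hashes so they can be compared with a baseline captured from the
same disk while it was known to be clean.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TS = r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+"          # "09:13:25.0828 3684 " prefix
RECORD_RE = re.compile(
    TS + r"(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$"
)
VERDICT_RE = re.compile(TS + r"(?P<name>.+?) - (?P<verdict>.+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")


@dataclass
class ScanObject:
    name: str                     # driver name, or "MBR (0x1B8)" / "Boot (0x1200)"
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None

    @property
    def is_sector(self) -> bool:  # MBR / boot-sector records carry "(0x...)" in the name
        return "(0x" in self.name


@dataclass
class TdssReport:
    objects: List[ScanObject] = field(default_factory=list)
    detected_count: Optional[int] = None

    def findings(self) -> List[ScanObject]:
        """Every object TDSSKiller did not mark "ok"."""
        return [o for o in self.objects if o.verdict not in (None, "ok")]

    def sector_hashes(self) -> Dict[str, str]:
        """path -> md5 for the MBR and boot-sector records."""
        return {o.path: o.md5 for o in self.objects if o.is_sector and o.md5}


def parse_log(text: str) -> TdssReport:
    report = TdssReport()
    index: Dict[str, ScanObject] = {}   # lookup by driver name and by device path
    for line in text.splitlines():
        line = line.strip()
        m = RECORD_RE.match(line)
        if m:
            obj = ScanObject(m["name"], m["md5"], m["path"])
            report.objects.append(obj)
            index[obj.name] = obj
            index[obj.path] = obj
            continue
        m = VERDICT_RE.match(line)
        if m:
            key = m["name"]          # driver name, or the \Device\... path for sectors
            obj = index.get(key)
            if obj is None:          # registered driver with no file on disk, e.g. "Abiosdsk - ok"
                obj = ScanObject(key)
                report.objects.append(obj)
                index[key] = obj
            obj.verdict = m["verdict"].strip()
            continue
        m = COUNT_RE.match(line)
        if m:
            report.detected_count = int(m["n"])
    return report


def check_sectors(report: TdssReport, baseline: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return path -> (expected, observed) for sectors whose hash drifted from the baseline.

    Boot sectors embed volume-specific fields (disk signature, volume serial),
    so the baseline must come from the same disk, not from another machine."""
    return {
        path: (baseline[path], md5)
        for path, md5 in report.sector_hashes().items()
        if path in baseline and baseline[path] != md5
    }


# Constructed sample: lines taken from the report above, plus one constructed
# non-"ok" verdict on Partition0 (the detection name is made up for the demo).
SAMPLE_LOG = r"""
09:13:22.0876 3684 Scan started
09:13:23.0177 3684 Abiosdsk - ok
09:13:25.0828 3684 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
09:13:25.0828 3684 MBAMProtector - ok
09:13:28.0975 3684 MBR (0x1B8) (4f02a8d4048a138c450ed7f867eb0144) \Device\Harddisk0\DR0
09:13:29.0066 3684 \Device\Harddisk0\DR0 - ok
09:13:29.0081 3684 Boot (0x1200) (411dbff52e7df507e5ab07d393cb9188) \Device\Harddisk0\DR0\Partition0
09:13:29.0081 3684 \Device\Harddisk0\DR0\Partition0 - detected Rootkit.Boot.Constructed ( 0 )
09:13:29.0111 3632 Detected object count: 1
"""

# Constructed baseline: MBR hash matches the report, Partition0's does not.
CLEAN_BASELINE = {
    r"\Device\Harddisk0\DR0": "4f02a8d4048a138c450ed7f867eb0144",
    r"\Device\Harddisk0\DR0\Partition0": "00112233445566778899aabbccddeeff",
}

if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print("detected object count:", rep.detected_count)
    for obj in rep.findings():
        print("FINDING:", obj.path or obj.name, "->", obj.verdict)
    for path, (want, got) in check_sectors(rep, CLEAN_BASELINE).items():
        print("SECTOR DRIFT:", path, "expected", want, "got", got)
```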

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 November 2011 - 08:41 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#11 CellsReinvent
  • Topic Starter

  • Members
  • 8 posts

Posted 03 November 2011 - 02:14 PM

OK Gringo. Ran everything with no problems. Things are looking much better since running the TDSSKiller. No Google redirects, IE not closing itself. Symptom free, so far.

Here's the ComboFix log:


ComboFix 11-11-03.02 - Administrator 03/11/2011 18:18:08.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3061.2344 [GMT 0:00]
Running from: c:\documents and settings\Administrator.SCHOFIELDS\Desktop\Tools\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.SCHOFIELDS\Desktop\Tools\CFScript.txt
AV: PC Cleaners *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))
.
.
2011-11-03 09:09 . 2011-11-03 09:09 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{08EF56E7-9871-40A0-9C9B-EF0EDA9F298E}\offreg.dll
2011-11-01 08:46 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{08EF56E7-9871-40A0-9C9B-EF0EDA9F298E}\mpengine.dll
2011-10-26 15:16 . 2011-10-26 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-10-26 15:06 . 2011-10-26 15:06 -------- d-----w- c:\program files\WinPcap
2011-10-26 14:03 . 2011-10-26 15:06 -------- d-----w- c:\program files\Trend Micro
2011-10-26 11:51 . 2011-10-26 11:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-26 11:51 . 2011-10-26 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-26 11:25 . 2011-10-26 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Ask
2011-10-26 11:18 . 2009-09-22 10:50 293888 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1006S.DLL
2011-10-26 11:17 . 2011-11-01 10:09 -------- d-----w- c:\documents and settings\Administrator.SCHOFIELDS
2011-10-13 10:42 . 2011-10-13 10:42 -------- d-----w- c:\documents and settings\JSchofield\Application Data\PC Cleaners
2011-10-13 10:42 . 2011-10-13 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC1Data
2011-10-13 10:38 . 2011-10-13 10:38 -------- d-----w- c:\documents and settings\JSchofield\Application Data\ElevatedDiagnostics
2011-10-10 14:02 . 2011-10-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-10 14:02 . 2011-10-10 14:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-21 07:44 . 2011-05-16 07:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-13 10:42 . 2009-10-08 12:36 5356304 ----a-w- c:\windows\uninst.exe
2011-10-07 03:48 . 2009-10-08 08:04 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 04:06 . 2011-09-29 15:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 01:37 . 2011-09-29 15:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 10:41 . 2008-07-29 19:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2008-04-14 01:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2008-04-14 01:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2008-04-14 01:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 01:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00 . 2009-10-29 12:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2008-04-14 01:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-14 01:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-04-14 01:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-04-14 01:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-14 01:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-11 10:44 . 2010-01-29 13:54 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-11 10:44 . 2010-01-29 13:54 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-08-11 09:34 . 2011-08-11 09:34 87408 ----a-w- c:\windows\system32\FwsVpn.dll
2011-08-11 09:34 . 2011-08-11 09:34 625032 ----a-w- c:\windows\system32\SymNeti.dll
2011-08-11 09:34 . 2011-08-11 09:34 242056 ----a-w- c:\windows\system32\SymRedir.dll
2011-08-11 09:34 . 2011-08-11 09:34 107888 ----a-w- c:\windows\system32\SymVPN.dll
2011-08-11 09:34 . 2011-08-11 09:34 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2011-08-11 09:34 . 2011-08-11 09:34 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys
2011-08-11 09:34 . 2011-08-11 09:34 284720 ----a-w- c:\windows\system32\drivers\srtsp.sys
2011-08-11 09:33 . 2011-08-11 09:33 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2011-08-11 09:33 . 2011-08-11 09:33 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2011-08-11 09:33 . 2011-08-11 09:33 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2011-08-11 09:33 . 2011-08-11 09:33 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2011-08-11 09:33 . 2011-08-11 09:33 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2011-08-11 09:33 . 2011-08-11 09:33 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2011-08-11 09:33 . 2011-08-11 09:33 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2011-09-08 07:55 . 2011-06-23 08:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-26_20.31.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-03 09:10 . 2011-11-03 09:10 16384 c:\windows\Temp\Perflib_Perfdata_218.dat
+ 2009-04-06 06:51 . 2011-10-31 08:41 72848 c:\windows\system32\perfc009.dat
+ 2009-10-07 03:51 . 2011-10-28 10:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-07 03:51 . 2011-10-21 09:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-07 03:51 . 2011-10-28 10:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-07 03:51 . 2011-10-21 09:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-07 12:45 . 2011-10-13 14:32 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-04-06 06:51 . 2011-10-31 08:41 445290 c:\windows\system32\perfh009.dat
+ 2009-10-07 12:45 . 2011-10-27 07:50 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-10-07 12:45 . 2011-10-13 14:32 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-10-07 12:45 . 2011-10-27 07:50 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-17 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-08-11 115560]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\JSchofield\Start Menu\Programs\Startup\
File System Watcher.lnk - c:\program files\file system watcher\FileSystemWatcher.exe [2010-2-5 185856]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PSI_SVC_2"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 16:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 21:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 23:38 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/10/2009 12:17 366152]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [28/07/2009 03:08 576024]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [18/04/2007 03:09 11032]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [26/10/2011 15:06 439632]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/07/2011 08:00 105592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/10/2009 12:17 22216]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 42987711
*NewlyCreated* - 93034336
*Deregistered* - 42987711
*Deregistered* - 93034336
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140455926-1894099151-3587781780-1126Core.job
- c:\documents and settings\JSchofield\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-29 13:57]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140455926-1894099151-3587781780-1126UA.job
- c:\documents and settings\JSchofield\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-29 13:57]
.
2011-11-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2011-11-03 c:\windows\Tasks\User_Feed_Synchronization-{9E519B8F-D70A-469E-B9E9-875D3727E7A1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://server
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.10.1.2
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://server/Reports_SQLEXPRESS/Reserved.ReportViewerWebControl.axd?ReportSession=bfuvwc555aozov45ffjwlv45&ControlID=ae2ec9e224b749a5adffa4420ba11dfa&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab&Arch=X86
FF - ProfilePath - c:\documents and settings\Administrator.SCHOFIELDS\Application Data\Mozilla\Firefox\Profiles\5v9dopcf.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-03 18:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-140455926-1894099151-3587781780-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,6a,e8,b1,8a,09,91,46,9c,87,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,6a,e8,b1,8a,09,91,46,9c,87,72,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
c:\windows\system32\KMPJLMN.DLL
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'winlogon.exe'(2808)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3096)
c:\windows\system32\WININET.dll
c:\windows\system32\KMPJLMN.DLL
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-11-03 18:22:51
ComboFix-quarantined-files.txt 2011-11-03 18:22
ComboFix2.txt 2011-11-01 11:06
.
Pre-Run: 446,711,889,920 bytes free
Post-Run: 446,774,435,840 bytes free
.
- - End Of File - - 33FD7FA3CCB2450C38F83EE0A8166097

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 November 2011 - 02:48 PM

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click the MBAM icon
  • Go to the Update tab at the top
  • Click on Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"Information and logs"

  • In your next post I need the following

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 CellsReinvent

  • Topic Starter
  • Members
  • 8 posts

Posted 03 November 2011 - 03:34 PM

Hey Gringo!

Still no malware symptoms.

TFC ran without any issues - rebooted afterwards.

MBAM updated and ran a Quick Scan - nothing found - report:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8079

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/11/2011 20:29:06
mbam-log-2011-11-03 (20-29-06).txt

Scan type: Quick scan
Objects scanned: 201228
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






HijackThis Report:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:32:47, on 03/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\msiexec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} (RSClientPrint 2008 Class) - http://server/Reports_SQLEXPRESS/Reserved.ReportViewerWebControl.axd?ReportSession=bfuvwc555aozov45ffjwlv45&ControlID=ae2ec9e224b749a5adffa4420ba11dfa&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab&Arch=X86
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260281083779
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schofields.local
O17 - HKLM\Software\..\Telephony: DomainName = schofields.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schofields.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 6157 bytes

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 November 2011 - 09:34 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
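
The O4 lines that the "Fix Checked" step in the post above acts on have a fixed shape, so they can be parsed rather than read by eye. The Python below is an added example written for this thread; it is not from the thread, from HijackThis, or from any other tool mentioned here. It splits each O4 line of a HijackThis log into hive, registry key, value name, full command and the image path the command launches, picks out the three optional entries listed in the post, and applies a small triage heuristic of its own (images living outside Program Files and the Windows directory). The sample log is a subset copied from the HijackThis log posted earlier in this thread; the function names, the `OPTIONAL_STARTUP_NAMES` set and the `outside_standard_dirs` heuristic are this example's own assumptions, not anything HijackThis provides.

```python
"""Parse HijackThis O4 (autostart) lines and pick entries for review.

Added example for this thread; not code from HijackThis or from the thread.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the O4 lines from the HijackThis log posted in this
# thread, plus one O23 line that the parser must ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# The three entries the helper marked as optional to remove in the post above
# (assumed list for this example; they are unneeded at boot, not malware).
OPTIONAL_STARTUP_NAMES = {"SunJavaUpdateSched", "IgfxTray", "Adobe Reader Speed Launcher"}

# "O4 - <hive>\<key>: [<name>] <command> (User '<user>')?"  -- the user suffix
# only appears on HKUS lines.
_O4_RE = re.compile(
    r"^O4 - (?P<hive>[A-Z]+)\\(?P<key>.*?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First token that ends in an executable-looking extension; handles unquoted
# paths containing spaces (e.g. C:\Program Files\...).
_IMAGE_RE = re.compile(r"^(?P<path>\S.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)


@dataclass
class AutostartEntry:
    hive: str                    # HKLM, HKCU or HKUS
    key: str                     # key as HijackThis abbreviates it, e.g. ..\Run
    name: str                    # value name shown between [brackets]
    command: str                 # full command line, quotes and switches included
    image_path: str              # executable the command launches (best effort)
    user: Optional[str] = None   # only present on HKUS lines


def image_path_of(command: str) -> str:
    """Return the executable path from a Run-value command line."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _IMAGE_RE.match(command)
    return m.group("path") if m else command


def parse_o4_lines(log_text: str) -> List[AutostartEntry]:
    """Parse every O4 line of a HijackThis log; other section types are skipped."""
    entries: List[AutostartEntry] = []
    for line in log_text.splitlines():
        m = _O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        entries.append(AutostartEntry(
            hive=m.group("hive"), key=m.group("key"), name=m.group("name"),
            command=cmd, image_path=image_path_of(cmd), user=m.group("user"),
        ))
    return entries


def find_entry(entries: Iterable[AutostartEntry], name: str) -> Optional[AutostartEntry]:
    """Look up one entry by its value name (case-insensitive)."""
    return next((e for e in entries if e.name.lower() == name.lower()), None)


def select_by_name(entries: Iterable[AutostartEntry], names: Iterable[str]) -> List[AutostartEntry]:
    """Entries whose value name is in `names`, in log order (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e.name.lower() in wanted]


def outside_standard_dirs(entries: Iterable[AutostartEntry],
                          roots=(r"c:\program files", r"c:\windows")) -> List[AutostartEntry]:
    """Triage heuristic (this example's own, not a HijackThis feature).

    Autostart images outside Program Files and the Windows directory deserve a
    closer look; this is a prompt to research the entry, not a verdict.
    """
    return [e for e in entries if not e.image_path.lower().startswith(roots)]


if __name__ == "__main__":
    found = parse_o4_lines(SAMPLE_LOG)
    for e in found:
        print(f"{e.hive:<4} {e.key:<18} [{e.name}] -> {e.image_path}")
    print("Optional entries listed in the post:",
          [e.name for e in select_by_name(found, OPTIONAL_STARTUP_NAMES)])
    print("Images outside Program Files / Windows:",
          [e.name for e in outside_standard_dirs(found)])
```

Run it as a script to see the parsed table; with the sample log the triage list is empty, which matches the helper's reading that nothing in this O4 section is suspicious and the three listed entries are merely optional.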

#15 CellsReinvent

  • Topic Starter
  • Members
  • 8 posts

Posted 04 November 2011 - 03:00 PM

Hi Gringo,

Removed the startup items as instructed.

Ran ESET scan - no results found. It didn't produce a log, and I couldn't copy the results page to the clipboard (wouldn't let me swipe/select any of the text), so I've had to attach a screenshot - hope that's OK.

Basically, it said
Scanned files: 64207
Infected Files: 0
Cleaned Files: 0
