
trojan:Win32/sirefef.O !!! Redirects and computer restarting!


  • This topic is locked
22 replies to this topic

#1 jjjbadboy32

  • Members
  • 19 posts

Posted 27 October 2011 - 08:04 PM

Windows defender came up yesterday and warned me that I have "trojan:Win32/sirefef.O". I cannot remove or quarantine it. Google is redirecting my searches, my computer is doing strange things, and the computer is even shutting down and restarting by itself!

I was directed here from this topic: http://www.bleepingcomputer.com/forums/topic425178.html/page__p__2455470#entry2455470

I was able to run DDS, but I can't get GMER to run! GMER appears like it's going to run, and then it just disappears while on the "checkmark" screen.

PLEASE HELP ME


Here is my DDS log:


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_29
Run by Jeff Admin at 19:52:11 on 2011-10-27
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.1045 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\1646864507:2228737693.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uWinlogon: Shell=c:\users\jeff admin\appdata\local\7b282962\X
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe" -delete
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{28FE735C-FFBB-40B1-86FA-74B7A2A44D17} : DhcpNameServer = 68.87.72.130 68.87.77.130 68.87.66.196
TCP: Interfaces\{3367CDE5-B29D-4570-B32D-2BA13B4480F8} : DhcpNameServer = 68.87.72.134 68.87.77.134
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jeff admin\appdata\roaming\mozilla\firefox\profiles\nf16vi1r.jeff\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\jeff admin\appdata\roaming\mozilla\firefox\profiles\nf16vi1r.jeff\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-11-8 408064]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2007-12-11 21280]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
.
=============== File Associations ===============
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
=============== Created Last 30 ================
.
2011-10-26 23:10:53 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-26 13:38:12 -------- d-sh--w- c:\users\jeff admin\appdata\local\7b282962
2011-10-26 12:46:00 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{24eaa09c-ae9e-42b6-9c16-3d99a89898f6}\offreg.dll
2011-10-26 12:45:56 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{24eaa09c-ae9e-42b6-9c16-3d99a89898f6}\mpengine.dll
.
==================== Find3M ====================
.
2011-10-18 23:35:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 19:52:25.56 ===============
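The DDS log above is what a helper reads by eye. As an added example (not part of the original post and not DDS's own code), the script below applies the same checks a responder makes when reading such a log: a path with a second colon (the process image lives in an NTFS alternate data stream), a Winlogon Shell value that is not explorer.exe, BHO/toolbar CLSIDs that resolve to "No File", and new hidden+system directories under the user's AppData\Local or a directory literally named %APPDATA% under system32. SAMPLE_DDS is constructed from lines in the log above; the Finding type, section parsing and heuristics are the example's own.

```python
r"""Triage heuristics for a DDS log (added example; not part of the original post
and not DDS's own code).

SAMPLE_DDS is constructed from the log in the thread. The checks are the ones a
responder applies by eye when reading such a log:
  * a second colon in a path (after the drive letter's) means the process image
    lives in an NTFS alternate data stream
  * the Winlogon Shell value is normally explorer.exe
  * BHO/toolbar entries ending in "- No File" are dangling CLSIDs
  * a new hidden+system directory under a user's AppData\Local, or a directory
    literally named %APPDATA% under system32, deserves a look
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\1646864507:2228737693.exe
C:\Windows\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWinlogon: Shell=c:\users\jeff admin\appdata\local\7b282962\X
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
.
=============== Created Last 30 ================
.
2011-10-26 23:10:53 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-26 13:38:12 -------- d-sh--w- c:\users\jeff admin\appdata\local\7b282962
2011-10-26 12:46:00 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\offreg.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


_SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# drive letter + colon, a run with no colon, then a second colon: an ADS path
_ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:")
# "<date> <time> <size-or-dashes> <attrs> <path>" as printed in Created Last 30 / Find3M
_CREATED_RE = re.compile(r"^(\S+ \S+)\s+\S+\s+(\S{8})\s+(.*)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a DDS log under their '=== Title ===' banner."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with lone dots
            continue
        banner = _SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Apply the eyeball heuristics above and return every line that trips one."""
    findings: List[Finding] = []
    sections = split_sections(text)

    for line in sections.get("Running Processes", []):
        if _ADS_RE.match(line):
            findings.append(Finding("Running Processes",
                                    "process image in an NTFS alternate data stream", line))

    for line in sections.get("Pseudo HJT Report", []):
        lowered = line.lower()
        if lowered.startswith(("uwinlogon: shell=", "mwinlogon: shell=")):
            shell = lowered.split("=", 1)[1].strip()
            if shell.rsplit("\\", 1)[-1] != "explorer.exe":
                findings.append(Finding("Pseudo HJT Report",
                                        "Winlogon Shell is not explorer.exe", line))
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(Finding("Pseudo HJT Report",
                                    "BHO/toolbar CLSID with no backing file", line))

    for line in sections.get("Created Last 30", []):
        entry = _CREATED_RE.match(line)
        if not entry:
            continue
        attrs, path = entry.group(2), entry.group(3).lower()
        hidden_system_dir = attrs.startswith("d") and "s" in attrs and "h" in attrs
        odd_location = "\\appdata\\local\\" in path or path.endswith("\\%appdata%")
        if hidden_system_dir and odd_location:
            findings.append(Finding("Created Last 30",
                                    "new hidden+system directory in a suspicious location", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports five lines: the ADS process, the replaced Shell value, the dangling BHO and the two hidden+system directories; the Yahoo toolbar entry and the Defender definition files pass. The heuristics are deliberately narrow so that they stay useful on a clean log, where the Shell check and the ADS check should never fire.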


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 October 2011 - 08:35 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 jjjbadboy32
  • Topic Starter

  • Members
  • 19 posts

Posted 30 October 2011 - 08:50 AM

Thanks for the response Gringo. I have run combofix and it says that I have an infected rootkit. When combofix restarted my computer, I got a blue screen, and now I get this screen every time I try to turn the computer on. I have included a link to the pic of the screen in this message. I can't get on to my computer now.

HELP please!

http://imageshack.us/photo/my-images/401/img2011103000390.jpg/

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 October 2011 - 12:19 PM

Fix MBR Vista

1. Start your computer from the Windows Vista Installation DVD.
2. Press a key when prompted to continue.
3. Choose your language, time, keyboard and click Next.
4. Next, click "Repair your Computer".
5. Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next.
6. From the "Choose a Recovery Tool" dialog menu, select "Command Prompt".
7. Type the following into the "Command Prompt Window" and press Enter:

bootrec.exe /fixmbr

If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment and type the following into the "Command Prompt Window" and press Enter:

bootrec.exe /fixboot

8. Remove the Vista Installation DVD and restart your PC.

#5 jjjbadboy32
  • Topic Starter

  • Members
  • 19 posts

Posted 30 October 2011 - 12:24 PM

I purchased this computer a couple of years ago from Sam's Club. It was a display model, and it didn't come with a Vista DVD. :(

Am I screwed?

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 October 2011 - 12:34 PM

System Recovery Environment

To access the System Recovery Environment simply boot your PC,

  • just before the system loads the Windows operating system, hit the [F8] Function 8 key on your keyboard, which will launch the Advanced Boot Options menu.
  • There you will see a new option 'Repair Your Computer'; select this option and hit 'Enter' on your keyboard.
  • Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next.
  • From the "Choose a Recovery Tool" dialog menu, select "Command Prompt".
  • Type the following into the "Command Prompt Window" and press Enter:

    bootrec.exe /fixmbr

If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment and type the following into the "Command Prompt Window" and press Enter:

bootrec.exe /fixboot

#7 jjjbadboy32
  • Topic Starter

  • Members
  • 19 posts

Posted 30 October 2011 - 12:49 PM

I did the fixmbr and fixboot, and I am still getting the blue screen with the same message when windows tries to load.

The only thing I see is the options for "safemode", or "start normally" , and then when I select "start normally", the windows logo comes on, and then the blue screen with the message comes on.

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 October 2011 - 02:33 PM

What happens if you try safe mode?

#9 jjjbadboy32
  • Topic Starter

  • Members
  • 19 posts

Posted 30 October 2011 - 02:55 PM

When I went on safe mode, the combofix finished running. I still get the blue screen when I try to start windows the regular way.

Here is my log:


ComboFix 11-10-30.02 - Jeff Admin 10/30/2011 14:25:47.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.1541 [GMT -5:00]
Running from: c:\users\Jeff Admin\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jeff Admin\AppData\Local\7b282962
c:\users\Jeff Admin\AppData\Local\7b282962\@
c:\users\Jeff Admin\AppData\Local\7b282962\U\80000000.@
c:\users\Jeff Admin\AppData\Local\7b282962\U\800000cb.@
c:\users\Jeff Admin\AppData\Local\7b282962\X
c:\windows\$NtUninstallKB44469$\2066229602\@
c:\windows\$NtUninstallKB44469$\2066229602\L\qnbwvoto
c:\windows\$NtUninstallKB44469$\2066229602\loader.tlb
c:\windows\$NtUninstallKB44469$\2066229602\U\@00000001
c:\windows\$NtUninstallKB44469$\2066229602\U\@000000c0
c:\windows\$NtUninstallKB44469$\2066229602\U\@000000cb
c:\windows\$NtUninstallKB44469$\2066229602\U\@000000cf
c:\windows\$NtUninstallKB44469$\2066229602\U\@80000000
c:\windows\$NtUninstallKB44469$\2066229602\U\@800000c0
c:\windows\$NtUninstallKB44469$\2066229602\U\@800000cb
c:\windows\$NtUninstallKB44469$\2066229602\U\@800000cf
c:\windows\$NtUninstallKB44469$\2791519549
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\$NtUninstallKB44469$ . . . . Failed to delete
.
Infected copy of c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!Hewlett-Packard!HP Health Check!hphc_service.exe
.
Infected copy of c:\windows\System32\LEXBCES.EXE was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!LEXBCES.EXE
.
Infected copy of c:\program files\Common Files\LightScribe\LSSrvc.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!Common Files!LightScribe!LSSrvc.exe
.
Infected copy of c:\windows\system32\nvvsvc.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!nvvsvc.exe
.
Infected copy of c:\windows\system32\DRIVERS\xaudio.exe was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\trx200cz.inf_d6d56f45\XAudio.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_7b282962
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-30 )))))))))))))))))))))))))))))))
.
.
2011-10-30 19:34 . 2011-10-30 19:34 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{24EAA09C-AE9E-42B6-9C16-3D99A89898F6}\offreg.dll
2011-10-30 19:33 . 2011-10-30 19:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-10-30 19:33 . 2011-10-30 19:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-26 23:10 . 2011-10-26 23:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-26 12:45 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{24EAA09C-AE9E-42B6-9C16-3D99A89898F6}\mpengine.dll
2011-10-22 01:05 . 2011-10-22 01:05 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-18 23:35 . 2011-06-06 23:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06 . 2010-04-20 05:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-11 15:14 . 2011-05-01 19:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2007-12-11 21280]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [2005-12-16 408064]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
FF - ProfilePath - c:\users\Jeff Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nf16vi1r.jeff\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-10-30 14:48:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-30 19:47
.
Pre-Run: 305,548,783,616 bytes free
Post-Run: 305,526,550,528 bytes free
.
- - End Of File - - 1E199B1E5BDA42166CA43D1095B37CA9

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 October 2011 - 04:12 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
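The report TDSSKiller produces (the one requested above, and posted in full further down the thread) lists every driver and service with its MD5 and path, followed by a status line, and adds a verdict line for anything it flags. As an added example that is not part of the original post and not Kaspersky's code, the script below parses that format into one record per object and pulls out the entries the scan did not mark ok. SAMPLE_REPORT is constructed from lines of the report posted later in this thread; the record type and the line patterns are the example's own reading of that output.

```python
r"""Summarise a TDSSKiller report (added example; not part of the original post and
not Kaspersky's code).

TDSSKiller prints a line per object with its MD5 and path, then a status line:
    <time> <tid> <name> (<md5>) <path>
    <time> <tid> <name> - ok
and, for a hit, a verdict line plus a "detected" status line:
    <time> <tid> <name> ( <verdict> ) - infected
    <time> <tid> <name> - detected <verdict> (<n>)
SAMPLE_REPORT is constructed from the report posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_REPORT = r"""
16:20:55.0554 1340 Scan started
16:20:55.0554 1340 Mode: Manual;
16:20:56.0100 1340 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
16:20:56.0100 1340 ACPI - ok
16:20:56.0365 1340 AFD (da2227c21a862b8ead4d1f03a9d3fba9) C:\Windows\system32\drivers\afd.sys
16:20:56.0365 1340 AFD ( Rootkit.Win32.ZAccess.g ) - infected
16:20:56.0365 1340 AFD - detected Rootkit.Win32.ZAccess.g (0)
16:20:57.0192 1340 catchme - ok
"""

_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"            # "<time> <tid> "
_FILE_RE = re.compile(_PREFIX + r"(\S+)\s+\(([0-9a-fA-F]{32})\)\s+(.+)$")
_VERDICT_RE = re.compile(_PREFIX + r"(\S+)\s+\(\s*(.+?)\s*\)\s+-\s+(\w+)$")
_STATUS_RE = re.compile(_PREFIX + r"(\S+)\s+-\s+(.+)$")


@dataclass
class DriverRecord:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: str = "unknown"          # ok / infected / suspicious / detected / unknown
    verdict: Optional[str] = None    # detection name, when there is one


def parse_report(text: str) -> Dict[str, DriverRecord]:
    """Return one record per scanned object, keyed by name, in report order."""
    records: Dict[str, DriverRecord] = {}

    def rec(name: str) -> DriverRecord:
        return records.setdefault(name, DriverRecord(name))

    for raw in text.splitlines():
        line = raw.strip()
        m = _FILE_RE.match(line)
        if m:
            r = rec(m.group(1))
            r.md5 = m.group(2).lower()
            r.path = m.group(3)
            continue
        m = _VERDICT_RE.match(line)
        if m:
            r = rec(m.group(1))
            r.verdict = m.group(2)
            r.status = m.group(3).lower()
            continue
        m = _STATUS_RE.match(line)
        if m:
            r = rec(m.group(1))
            status = m.group(2)
            if status == "ok":
                r.status = "ok"
            elif status.startswith("detected "):
                # "detected <verdict> (<n>)": keep the verdict, never downgrade "infected"
                r.verdict = r.verdict or status[len("detected "):].rsplit(" (", 1)[0]
                if r.status == "unknown":
                    r.status = "detected"
        # lines such as "Scan started" or "Mode: Manual;" match nothing and are skipped
    return records


def detections(text: str) -> List[DriverRecord]:
    """Every object the scan did not mark ok."""
    return [r for r in parse_report(text).values() if r.status != "ok"]


if __name__ == "__main__":
    for r in detections(SAMPLE_REPORT):
        print(f"{r.name}: {r.status} {r.verdict or ''} {r.path or ''} md5={r.md5}")
```

On the constructed sample the only non-ok record is AFD, with the verdict and the path of the flagged driver attached, so the thing worth noticing in the thread's own log is visible at a glance: the hit is on the system's afd.sys (the Winsock ancillary function driver) rather than on a newly installed driver. The MD5 column is kept on each record because it is what you would compare against a reference copy of the same file when deciding whether a "cured" driver really is the original.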

#11 jjjbadboy32
  • Topic Starter

  • Members
  • 19 posts

Posted 30 October 2011 - 04:34 PM

OK, I ran TDSSKiller in safe mode, and when I restarted the computer I actually was able to get back onto my regular Windows!!! I haven't had any redirects or shutdowns in the couple of minutes I have been browsing the net.

I still get a Windows message that pops up and says "Host Process for Windows Services stopped working and was closed"

Here is the log:

16:20:53.0276 1520 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01
16:20:53.0292 1520 ============================================================
16:20:53.0292 1520 Current date / time: 2011/10/30 16:20:53.0292
16:20:53.0292 1520 SystemInfo:
16:20:53.0292 1520
16:20:53.0292 1520 OS Version: 6.0.6002 ServicePack: 2.0
16:20:53.0292 1520 Product type: Workstation
16:20:53.0292 1520 ComputerName: JEFFSPC
16:20:53.0292 1520 UserName: Jeff Admin
16:20:53.0292 1520 Windows directory: C:\Windows
16:20:53.0292 1520 System windows directory: C:\Windows
16:20:53.0292 1520 Processor architecture: Intel x86
16:20:53.0292 1520 Number of processors: 2
16:20:53.0292 1520 Page size: 0x1000
16:20:53.0292 1520 Boot type: Safe boot with network
16:20:53.0292 1520 ============================================================
16:20:53.0682 1520 Initialize success
16:20:55.0554 1340 ============================================================
16:20:55.0554 1340 Scan started
16:20:55.0554 1340 Mode: Manual;
16:20:55.0554 1340 ============================================================
16:20:56.0100 1340 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
16:20:56.0100 1340 ACPI - ok
16:20:56.0162 1340 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
16:20:56.0162 1340 adp94xx - ok
16:20:56.0193 1340 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
16:20:56.0193 1340 adpahci - ok
16:20:56.0209 1340 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
16:20:56.0209 1340 adpu160m - ok
16:20:56.0240 1340 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
16:20:56.0240 1340 adpu320 - ok
16:20:56.0365 1340 AFD (da2227c21a862b8ead4d1f03a9d3fba9) C:\Windows\system32\drivers\afd.sys
16:20:56.0365 1340 AFD ( Rootkit.Win32.ZAccess.g ) - infected
16:20:56.0365 1340 AFD - detected Rootkit.Win32.ZAccess.g (0)
16:20:56.0412 1340 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
16:20:56.0412 1340 agp440 - ok
16:20:56.0427 1340 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
16:20:56.0427 1340 aic78xx - ok
16:20:56.0459 1340 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
16:20:56.0459 1340 aliide - ok
16:20:56.0490 1340 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
16:20:56.0490 1340 amdagp - ok
16:20:56.0521 1340 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
16:20:56.0521 1340 amdide - ok
16:20:56.0568 1340 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
16:20:56.0568 1340 AmdK7 - ok
16:20:56.0630 1340 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
16:20:56.0630 1340 AmdK8 - ok
16:20:56.0661 1340 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
16:20:56.0661 1340 arc - ok
16:20:56.0708 1340 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
16:20:56.0708 1340 arcsas - ok
16:20:56.0739 1340 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
16:20:56.0755 1340 AsyncMac - ok
16:20:56.0802 1340 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
16:20:56.0802 1340 atapi - ok
16:20:56.0833 1340 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
16:20:56.0833 1340 Beep - ok
16:20:56.0911 1340 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
16:20:56.0911 1340 blbdrive - ok
16:20:56.0942 1340 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
16:20:56.0942 1340 bowser - ok
16:20:56.0973 1340 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
16:20:56.0973 1340 BrFiltLo - ok
16:20:56.0989 1340 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
16:20:56.0989 1340 BrFiltUp - ok
16:20:57.0020 1340 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
16:20:57.0020 1340 Brserid - ok
16:20:57.0036 1340 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
16:20:57.0036 1340 BrSerWdm - ok
16:20:57.0051 1340 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
16:20:57.0067 1340 BrUsbMdm - ok
16:20:57.0114 1340 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
16:20:57.0114 1340 BrUsbSer - ok
16:20:57.0145 1340 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
16:20:57.0145 1340 BTHMODEM - ok
16:20:57.0192 1340 catchme - ok
16:20:57.0239 1340 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
16:20:57.0239 1340 cdfs - ok
16:20:57.0285 1340 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
16:20:57.0285 1340 cdrom - ok
16:20:57.0332 1340 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
16:20:57.0332 1340 circlass - ok
16:20:57.0426 1340 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
16:20:57.0426 1340 CLFS - ok
16:20:57.0504 1340 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
16:20:57.0504 1340 cmdide - ok
16:20:57.0535 1340 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
16:20:57.0535 1340 Compbatt - ok
16:20:57.0551 1340 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
16:20:57.0551 1340 crcdisk - ok
16:20:57.0597 1340 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
16:20:57.0597 1340 Crusoe - ok
16:20:57.0707 1340 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
16:20:57.0707 1340 DfsC - ok
16:20:57.0816 1340 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
16:20:57.0816 1340 disk - ok
16:20:57.0878 1340 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
16:20:57.0878 1340 drmkaud - ok
16:20:57.0941 1340 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
16:20:57.0941 1340 DXGKrnl - ok
16:20:58.0019 1340 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
16:20:58.0019 1340 E1G60 - ok
16:20:58.0097 1340 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
16:20:58.0097 1340 Ecache - ok
16:20:58.0143 1340 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
16:20:58.0143 1340 elxstor - ok
16:20:58.0190 1340 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
16:20:58.0190 1340 ErrDev - ok
16:20:58.0284 1340 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
16:20:58.0299 1340 exfat - ok
16:20:58.0331 1340 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
16:20:58.0331 1340 fastfat - ok
16:20:58.0393 1340 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
16:20:58.0393 1340 fdc - ok
16:20:58.0424 1340 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
16:20:58.0424 1340 FileInfo - ok
16:20:58.0455 1340 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
16:20:58.0455 1340 Filetrace - ok
16:20:58.0502 1340 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
16:20:58.0502 1340 flpydisk - ok
16:20:58.0565 1340 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
16:20:58.0565 1340 FltMgr - ok
16:20:58.0611 1340 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
16:20:58.0611 1340 Fs_Rec - ok
16:20:58.0674 1340 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
16:20:58.0674 1340 gagp30kx - ok
16:20:58.0767 1340 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
16:20:58.0767 1340 HDAudBus - ok
16:20:58.0830 1340 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
16:20:58.0830 1340 HidBth - ok
16:20:58.0861 1340 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
16:20:58.0861 1340 HidIr - ok
16:20:58.0892 1340 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
16:20:58.0892 1340 HidUsb - ok
16:20:58.0955 1340 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
16:20:58.0955 1340 HpCISSs - ok
16:20:59.0048 1340 HSF_DP (88749fbf8beb18c90e7d6626c8c1910b) C:\Windows\system32\DRIVERS\HSX_DP.sys
16:20:59.0064 1340 HSF_DP - ok
16:20:59.0111 1340 HSXHWBS2 (fe440536bd98af772130dc3a6fe1915f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
16:20:59.0111 1340 HSXHWBS2 - ok
16:20:59.0173 1340 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
16:20:59.0173 1340 HTTP - ok
16:20:59.0204 1340 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
16:20:59.0204 1340 i2omp - ok
16:20:59.0267 1340 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
16:20:59.0267 1340 i8042prt - ok
16:20:59.0298 1340 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
16:20:59.0298 1340 iaStorV - ok
16:20:59.0360 1340 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
16:20:59.0360 1340 iirsp - ok
16:20:59.0501 1340 IntcAzAudAddService (84ed2154239f9d013bbd3220755ada8b) C:\Windows\system32\drivers\RTKVHDA.sys
16:20:59.0516 1340 IntcAzAudAddService - ok
16:20:59.0563 1340 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
16:20:59.0563 1340 intelide - ok
16:20:59.0594 1340 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
16:20:59.0594 1340 intelppm - ok
16:20:59.0657 1340 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
16:20:59.0657 1340 IpFilterDriver - ok
16:20:59.0688 1340 IpInIp - ok
16:20:59.0703 1340 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
16:20:59.0703 1340 IPMIDRV - ok
16:20:59.0719 1340 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
16:20:59.0719 1340 IPNAT - ok
16:20:59.0735 1340 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
16:20:59.0735 1340 IRENUM - ok
16:20:59.0766 1340 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
16:20:59.0766 1340 isapnp - ok
16:20:59.0813 1340 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
16:20:59.0813 1340 iScsiPrt - ok
16:20:59.0859 1340 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
16:20:59.0859 1340 iteatapi - ok
16:20:59.0937 1340 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
16:20:59.0937 1340 iteraid - ok
16:20:59.0953 1340 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
16:20:59.0969 1340 kbdclass - ok
16:20:59.0984 1340 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
16:21:00.0000 1340 kbdhid - ok
16:21:00.0047 1340 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
16:21:00.0062 1340 KSecDD - ok
16:21:00.0093 1340 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
16:21:00.0093 1340 lltdio - ok
16:21:00.0140 1340 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
16:21:00.0140 1340 LSI_FC - ok
16:21:00.0187 1340 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
16:21:00.0187 1340 LSI_SAS - ok
16:21:00.0265 1340 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
16:21:00.0265 1340 LSI_SCSI - ok
16:21:00.0281 1340 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
16:21:00.0281 1340 luafv - ok
16:21:00.0312 1340 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
16:21:00.0312 1340 mdmxsdk - ok
16:21:00.0343 1340 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
16:21:00.0343 1340 megasas - ok
16:21:00.0405 1340 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
16:21:00.0405 1340 MegaSR - ok
16:21:00.0452 1340 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
16:21:00.0452 1340 Modem - ok
16:21:00.0515 1340 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
16:21:00.0515 1340 monitor - ok
16:21:00.0546 1340 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
16:21:00.0546 1340 mouclass - ok
16:21:00.0561 1340 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\drivers\mouhid.sys
16:21:00.0561 1340 mouhid - ok
16:21:00.0577 1340 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
16:21:00.0577 1340 MountMgr - ok
16:21:00.0624 1340 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
16:21:00.0624 1340 mpio - ok
16:21:00.0655 1340 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
16:21:00.0655 1340 mpsdrv - ok
16:21:00.0686 1340 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
16:21:00.0686 1340 Mraid35x - ok
16:21:00.0780 1340 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
16:21:00.0780 1340 MRxDAV - ok
16:21:00.0811 1340 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
16:21:00.0811 1340 mrxsmb - ok
16:21:00.0842 1340 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
16:21:00.0842 1340 mrxsmb10 - ok
16:21:00.0858 1340 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
16:21:00.0858 1340 mrxsmb20 - ok
16:21:00.0905 1340 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
16:21:00.0905 1340 msahci - ok
16:21:00.0951 1340 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
16:21:00.0951 1340 msdsm - ok
16:21:00.0967 1340 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
16:21:00.0967 1340 Msfs - ok
16:21:01.0045 1340 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
16:21:01.0045 1340 msisadrv - ok
16:21:01.0092 1340 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
16:21:01.0092 1340 MSKSSRV - ok
16:21:01.0139 1340 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
16:21:01.0139 1340 MSPCLOCK - ok
16:21:01.0154 1340 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
16:21:01.0154 1340 MSPQM - ok
16:21:01.0201 1340 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
16:21:01.0201 1340 MsRPC - ok
16:21:01.0232 1340 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
16:21:01.0232 1340 mssmbios - ok
16:21:01.0279 1340 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
16:21:01.0279 1340 MSTEE - ok
16:21:01.0295 1340 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
16:21:01.0295 1340 Mup - ok
16:21:01.0357 1340 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
16:21:01.0357 1340 NativeWifiP - ok
16:21:01.0466 1340 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
16:21:01.0482 1340 NDIS - ok
16:21:01.0513 1340 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
16:21:01.0513 1340 NdisTapi - ok
16:21:01.0544 1340 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
16:21:01.0560 1340 Ndisuio - ok
16:21:01.0638 1340 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
16:21:01.0638 1340 NdisWan - ok
16:21:01.0653 1340 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
16:21:01.0653 1340 NDProxy - ok
16:21:01.0669 1340 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
16:21:01.0669 1340 NetBIOS - ok
16:21:01.0731 1340 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
16:21:01.0731 1340 netbt - ok
16:21:01.0825 1340 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
16:21:01.0825 1340 nfrd960 - ok
16:21:01.0887 1340 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
16:21:01.0887 1340 Npfs - ok
16:21:01.0919 1340 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
16:21:01.0919 1340 nsiproxy - ok
16:21:01.0997 1340 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
16:21:01.0997 1340 Ntfs - ok
16:21:02.0059 1340 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
16:21:02.0059 1340 ntrigdigi - ok
16:21:02.0090 1340 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
16:21:02.0090 1340 Null - ok
16:21:02.0137 1340 NVENETFD (d668632606d1cebf0b6ec64c1df7ed6f) C:\Windows\system32\DRIVERS\nvmfdx32.sys
16:21:02.0153 1340 NVENETFD - ok
16:21:02.0340 1340 nvlddmkm (fbba09782f2fac5a57619df378ba9372) C:\Windows\system32\DRIVERS\nvlddmkm.sys
16:21:02.0387 1340 nvlddmkm - ok
16:21:02.0480 1340 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
16:21:02.0480 1340 nvraid - ok
16:21:02.0496 1340 nvrd32 (6f5bb0b40d251351a913b61ba9d64b3f) C:\Windows\system32\drivers\nvrd32.sys
16:21:02.0496 1340 nvrd32 - ok
16:21:02.0511 1340 nvsmu (c44ee36dd84fa95eb81d79c374756003) C:\Windows\system32\drivers\nvsmu.sys
16:21:02.0511 1340 nvsmu - ok
16:21:02.0527 1340 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
16:21:02.0527 1340 nvstor - ok
16:21:02.0574 1340 nvstor32 (1a649b87a7b7c1220a2b16b121f2198e) C:\Windows\system32\DRIVERS\nvstor32.sys
16:21:02.0574 1340 nvstor32 - ok
16:21:02.0683 1340 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
16:21:02.0683 1340 nv_agp - ok
16:21:02.0699 1340 NwlnkFlt - ok
16:21:02.0714 1340 NwlnkFwd - ok
16:21:02.0761 1340 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
16:21:02.0761 1340 ohci1394 - ok
16:21:02.0792 1340 papycpu2 (6c9213343229a610879c7dd371b22565) C:\Windows\System32\DRIVERS\papycpu2.sys
16:21:02.0792 1340 papycpu2 - ok
16:21:02.0808 1340 papyjoy (3e957ffc9e90aa981d5a5dd616f67ae4) C:\Windows\System32\DRIVERS\papyjoy.sys
16:21:02.0808 1340 papyjoy - ok
16:21:02.0823 1340 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
16:21:02.0823 1340 Parport - ok
16:21:02.0886 1340 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
16:21:02.0886 1340 partmgr - ok
16:21:02.0901 1340 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
16:21:02.0901 1340 Parvdm - ok
16:21:02.0995 1340 PCD5SRVC{BD6912E3-AC9D80E8-05040000} (77a76c2da7c9431024b299ef7700dd4f) C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms
16:21:03.0011 1340 PCD5SRVC{BD6912E3-AC9D80E8-05040000} - ok
16:21:03.0104 1340 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
16:21:03.0120 1340 pci - ok
16:21:03.0151 1340 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
16:21:03.0151 1340 pciide - ok
16:21:03.0182 1340 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
16:21:03.0198 1340 pcmcia - ok
16:21:03.0245 1340 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
16:21:03.0245 1340 PEAUTH - ok
16:21:03.0323 1340 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
16:21:03.0323 1340 PptpMiniport - ok
16:21:03.0369 1340 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
16:21:03.0369 1340 Processor - ok
16:21:03.0432 1340 Ps2 (390c204ced3785609ab24e9c52054a84) C:\Windows\system32\DRIVERS\PS2.sys
16:21:03.0432 1340 Ps2 - ok
16:21:03.0510 1340 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
16:21:03.0510 1340 PSched - ok
16:21:03.0572 1340 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
16:21:03.0572 1340 ql2300 - ok
16:21:03.0635 1340 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
16:21:03.0635 1340 ql40xx - ok
16:21:03.0666 1340 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
16:21:03.0666 1340 QWAVEdrv - ok
16:21:03.0666 1340 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
16:21:03.0666 1340 RasAcd - ok
16:21:03.0697 1340 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
16:21:03.0697 1340 Rasl2tp - ok
16:21:03.0775 1340 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
16:21:03.0775 1340 RasPppoe - ok
16:21:03.0822 1340 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
16:21:03.0837 1340 RasSstp - ok
16:21:03.0884 1340 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
16:21:03.0884 1340 rdbss - ok
16:21:03.0947 1340 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
16:21:03.0947 1340 RDPCDD - ok
16:21:03.0978 1340 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
16:21:03.0978 1340 rdpdr - ok
16:21:04.0009 1340 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
16:21:04.0009 1340 RDPENCDD - ok
16:21:04.0040 1340 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
16:21:04.0040 1340 RDPWD - ok
16:21:04.0071 1340 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
16:21:04.0071 1340 RimUsb - ok
16:21:04.0103 1340 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
16:21:04.0103 1340 rspndr - ok
16:21:04.0134 1340 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
16:21:04.0134 1340 sbp2port - ok
16:21:04.0165 1340 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
16:21:04.0165 1340 secdrv - ok
16:21:04.0212 1340 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
16:21:04.0212 1340 Serenum - ok
16:21:04.0243 1340 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
16:21:04.0243 1340 Serial - ok
16:21:04.0290 1340 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
16:21:04.0305 1340 sermouse - ok
16:21:04.0337 1340 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
16:21:04.0337 1340 sffdisk - ok
16:21:04.0368 1340 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
16:21:04.0368 1340 sffp_mmc - ok
16:21:04.0368 1340 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
16:21:04.0368 1340 sffp_sd - ok
16:21:04.0399 1340 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
16:21:04.0399 1340 sfloppy - ok
16:21:04.0461 1340 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
16:21:04.0461 1340 sisagp - ok
16:21:04.0508 1340 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
16:21:04.0508 1340 SiSRaid2 - ok
16:21:04.0524 1340 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
16:21:04.0539 1340 SiSRaid4 - ok
16:21:04.0617 1340 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
16:21:04.0633 1340 Smb - ok
16:21:04.0711 1340 SMCWGU(SMC) (1431c397a8534388369813d04c793373) C:\Windows\system32\DRIVERS\SMCWGU.sys
16:21:04.0711 1340 SMCWGU(SMC) - ok
16:21:04.0742 1340 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
16:21:04.0742 1340 spldr - ok
16:21:04.0789 1340 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
16:21:04.0789 1340 srv - ok
16:21:04.0867 1340 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
16:21:04.0867 1340 srv2 - ok
16:21:04.0898 1340 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
16:21:04.0898 1340 srvnet - ok
16:21:04.0929 1340 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
16:21:04.0929 1340 swenum - ok
16:21:04.0976 1340 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
16:21:04.0976 1340 Symc8xx - ok
16:21:05.0007 1340 SymIM - ok
16:21:05.0007 1340 SymIMMP - ok
16:21:05.0054 1340 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
16:21:05.0054 1340 Sym_hi - ok
16:21:05.0070 1340 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
16:21:05.0070 1340 Sym_u3 - ok
16:21:05.0195 1340 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
16:21:05.0195 1340 Tcpip - ok
16:21:05.0257 1340 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
16:21:05.0257 1340 Tcpip6 - ok
16:21:05.0304 1340 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
16:21:05.0304 1340 tcpipreg - ok
16:21:05.0351 1340 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
16:21:05.0351 1340 TDPIPE - ok
16:21:05.0382 1340 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
16:21:05.0382 1340 TDTCP - ok
16:21:05.0444 1340 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
16:21:05.0444 1340 tdx - ok
16:21:05.0507 1340 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
16:21:05.0507 1340 TermDD - ok
16:21:05.0553 1340 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
16:21:05.0553 1340 tssecsrv - ok
16:21:05.0585 1340 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
16:21:05.0585 1340 tunmp - ok
16:21:05.0647 1340 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
16:21:05.0647 1340 tunnel - ok
16:21:05.0678 1340 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
16:21:05.0678 1340 uagp35 - ok
16:21:05.0756 1340 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
16:21:05.0756 1340 udfs - ok
16:21:05.0803 1340 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
16:21:05.0803 1340 uliagpkx - ok
16:21:05.0881 1340 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
16:21:05.0881 1340 uliahci - ok
16:21:05.0912 1340 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
16:21:05.0912 1340 UlSata - ok
16:21:05.0943 1340 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
16:21:05.0943 1340 ulsata2 - ok
16:21:05.0990 1340 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
16:21:05.0990 1340 umbus - ok
16:21:06.0053 1340 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
16:21:06.0053 1340 usbaudio - ok
16:21:06.0099 1340 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
16:21:06.0099 1340 usbccgp - ok
16:21:06.0131 1340 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
16:21:06.0131 1340 usbcir - ok
16:21:06.0177 1340 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
16:21:06.0177 1340 usbehci - ok
16:21:06.0177 1340 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
16:21:06.0193 1340 usbhub - ok
16:21:06.0224 1340 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
16:21:06.0224 1340 usbohci - ok
16:21:06.0271 1340 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
16:21:06.0271 1340 usbprint - ok
16:21:06.0333 1340 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:21:06.0333 1340 USBSTOR - ok
16:21:06.0365 1340 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
16:21:06.0380 1340 usbuhci - ok
16:21:06.0427 1340 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
16:21:06.0427 1340 vga - ok
16:21:06.0443 1340 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
16:21:06.0443 1340 VgaSave - ok
16:21:06.0474 1340 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
16:21:06.0474 1340 viaagp - ok
16:21:06.0505 1340 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
16:21:06.0505 1340 ViaC7 - ok
16:21:06.0536 1340 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
16:21:06.0536 1340 viaide - ok
16:21:06.0552 1340 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
16:21:06.0552 1340 volmgr - ok
16:21:06.0614 1340 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
16:21:06.0614 1340 volmgrx - ok
16:21:06.0692 1340 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
16:21:06.0692 1340 volsnap - ok
16:21:06.0723 1340 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
16:21:06.0723 1340 vsmraid - ok
16:21:06.0786 1340 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
16:21:06.0786 1340 WacomPen - ok
16:21:06.0786 1340 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
16:21:06.0786 1340 Wanarp - ok
16:21:06.0801 1340 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
16:21:06.0801 1340 Wanarpv6 - ok
16:21:06.0848 1340 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
16:21:06.0848 1340 Wd - ok
16:21:06.0879 1340 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
16:21:06.0879 1340 Wdf01000 - ok
16:21:06.0989 1340 winachsf (72cc6a8ca7891031d6380db5025c773c) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
16:21:06.0989 1340 winachsf - ok
16:21:07.0113 1340 WinUSB (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\WinUSB.sys
16:21:07.0113 1340 WinUSB - ok
16:21:07.0145 1340 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
16:21:07.0145 1340 WmiAcpi - ok
16:21:07.0207 1340 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
16:21:07.0207 1340 ws2ifsl - ok
16:21:07.0316 1340 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
16:21:07.0316 1340 WudfPf - ok
16:21:07.0394 1340 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
16:21:07.0394 1340 WUDFRd - ok
16:21:07.0457 1340 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
16:21:07.0457 1340 XAudio - ok
16:21:07.0503 1340 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
16:21:07.0503 1340 \Device\Harddisk0\DR0 - ok
16:21:07.0519 1340 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk5\DR5
16:21:08.0221 1340 \Device\Harddisk5\DR5 - ok
16:21:08.0221 1340 Boot (0x1200) (66527017276d16093bdd44bd3342a438) \Device\Harddisk0\DR0\Partition0
16:21:08.0221 1340 \Device\Harddisk0\DR0\Partition0 - ok
16:21:08.0252 1340 Boot (0x1200) (60f98f500c7ae6bd3ec70c13646926c3) \Device\Harddisk0\DR0\Partition1
16:21:08.0252 1340 \Device\Harddisk0\DR0\Partition1 - ok
16:21:08.0252 1340 Boot (0x1200) (5af2d6f95c60530263fc75fca19d5d33) \Device\Harddisk5\DR5\Partition0
16:21:08.0252 1340 \Device\Harddisk5\DR5\Partition0 - ok
16:21:08.0268 1340 ============================================================
16:21:08.0268 1340 Scan finished
16:21:08.0268 1340 ============================================================
16:21:08.0268 0604 Detected object count: 1
16:21:08.0268 0604 Actual detected object count: 1
16:22:17.0547 0604 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\Windows\system32\drivers\afd.sys) error 1813
16:22:25.0441 0604 Backup copy found, using it..
16:22:25.0472 0604 C:\Windows\system32\drivers\afd.sys - will be cured on reboot
16:22:25.0472 0604 AFD ( Rootkit.Win32.ZAccess.g ) - User select action: Cure
16:22:29.0669 1500 Deinitialize success

Edited by jjjbadboy32, 30 October 2011 - 04:38 PM.


#12 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:35 PM

Posted 30 October 2011 - 06:18 PM

Greetings

Good, that cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 jjjbadboy32
  • Topic Starter

  • Members
  • 19 posts
  • Local time:02:35 PM

Posted 30 October 2011 - 06:58 PM

Computer has not given me any warnings since ComboFix completed (so far, anyway).

Here is my newest log



ComboFix 11-10-30.02 - Jeff Admin 10/30/2011 18:40:32.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.902 [GMT -5:00]
Running from: c:\users\Jeff Admin\Downloads\ComboFix.exe
Command switches used :: c:\users\Jeff Admin\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB44469$
c:\windows\$NtUninstallKB44469$\2066229602\@
c:\windows\$NtUninstallKB44469$\2066229602\L\qnbwvoto
c:\windows\$NtUninstallKB44469$\2066229602\loader.tlb
c:\windows\$NtUninstallKB44469$\2066229602\U\@00000001
c:\windows\$NtUninstallKB44469$\2066229602\U\@000000c0
c:\windows\$NtUninstallKB44469$\2066229602\U\@000000cb
c:\windows\$NtUninstallKB44469$\2066229602\U\@000000cf
c:\windows\$NtUninstallKB44469$\2066229602\U\@80000000
c:\windows\$NtUninstallKB44469$\2066229602\U\@800000c0
c:\windows\$NtUninstallKB44469$\2066229602\U\@800000cb
c:\windows\$NtUninstallKB44469$\2066229602\U\@800000cf
c:\windows\$NtUninstallKB44469$\864718732
c:\windows\system32\
c:\windows\system32\c_91721.nls
c:\windows\system32\drivers\ . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\System32\LEXBCES.EXE was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!LEXBCES.EXE
.
Infected copy of c:\windows\system32\nvvsvc.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!nvvsvc.exe
.
Infected copy of c:\windows\system32\DRIVERS\xaudio.exe was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\trx200cz.inf_d6d56f45\XAudio.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_7b282962
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-30 )))))))))))))))))))))))))))))))
.
.
2011-10-30 23:48 . 2011-10-30 23:48 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{24EAA09C-AE9E-42B6-9C16-3D99A89898F6}\offreg.dll
2011-10-30 23:47 . 2011-10-30 23:49 -------- d-----w- c:\users\Jeff Admin\AppData\Local\temp
2011-10-30 23:47 . 2011-10-30 23:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-10-30 23:47 . 2011-10-30 23:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-30 23:36 . 2008-01-21 02:23 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-10-30 21:28 . 2011-10-30 21:28 48016 --sha-w- c:\windows\system32\c_91721.nl_
2011-10-26 23:10 . 2011-10-26 23:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-26 12:45 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{24EAA09C-AE9E-42B6-9C16-3D99A89898F6}\mpengine.dll
2011-10-22 01:05 . 2011-10-22 01:05 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 21:28 . 2009-07-31 22:16 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-18 23:35 . 2011-06-06 23:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06 . 2010-04-20 05:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-11 15:14 . 2011-05-01 19:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2007-12-11 21280]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [2005-12-16 408064]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
FF - ProfilePath - c:\users\Jeff Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nf16vi1r.jeff\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-80366661.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-30 18:48
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-10-30 18:55:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-30 23:55
ComboFix2.txt 2011-10-30 19:48
.
Pre-Run: 303,451,811,840 bytes free
Post-Run: 303,422,959,616 bytes free
.
- - End Of File - - DD569E5396AFA87A6718E235E47AE153
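A small triage helper for ComboFix file listings of the kind posted above, added here as an example; it is not part of this thread or of ComboFix, the attribute letters and the three heuristics are my reading of this log, and the sample lines are copied from it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of a ComboFix "Files Created" / "Find3M Report" line:
#   <created> . <last-written> <size or --------> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([a-z-]{8}) (.+)$"
)

# Constructed sample: entries copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2011-10-30 23:48 . 2011-10-30 23:48 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{24EAA09C-AE9E-42B6-9C16-3D99A89898F6}\offreg.dll
2011-10-30 23:47 . 2011-10-30 23:49 -------- d-----w- c:\users\Jeff Admin\AppData\Local\temp
2011-10-30 23:36 . 2008-01-21 02:23 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-10-30 21:28 . 2011-10-30 21:28 48016 --sha-w- c:\windows\system32\c_91721.nl_
2011-10-26 23:10 . 2011-10-26 23:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-22 01:05 . 2011-10-22 01:05 -------- d-----w- c:\program files\Common Files\Java
"""


@dataclass
class Entry:
    created: str
    written: str
    size: Optional[int]   # None for directories (ComboFix prints --------)
    attrs: str            # e.g. "--sha-w-": s = system, h = hidden, d = directory
    path: str


def parse_entries(text: str) -> list:
    """Return one Entry per line that matches the ComboFix file-listing shape."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            created, written, size, attrs, path = m.groups()
            entries.append(Entry(created, written,
                                 None if size.startswith("-") else int(size), attrs, path))
    return entries


def reasons_for(e: Entry) -> list:
    """Heuristics for entries worth a second look, tuned to what this log shows."""
    p, reasons = e.path.lower(), []
    if p.startswith(r"c:\windows\system32") and "h" in e.attrs and "s" in e.attrs:
        reasons.append("hidden+system object under system32")
    if "%appdata%" in p:
        reasons.append("literal %APPDATA% used as a folder name")
    if re.search(r"\\\$ntuninstall[^\\]*\$", p):   # such a folder was among the deletions above
        reasons.append("$NtUninstall*$ folder: XP-style hotfix layout, unexpected on Vista")
    return reasons


def triage(text: str) -> dict:
    """Map each flagged path to its list of reasons."""
    return {e.path: r for e in parse_entries(text) if (r := reasons_for(e))}
```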

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:35 PM

Posted 30 October 2011 - 09:00 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\c_91721.nl_


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 jjjbadboy32

jjjbadboy32
  • Topic Starter

  • Members
  • 19 posts
  • Local time:02:35 PM

Posted 30 October 2011 - 09:20 PM

Computer has been running good. Here is my new log:

ComboFix 11-10-30.02 - Jeff Admin 10/30/2011 21:05:39.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.956 [GMT -5:00]
Running from: c:\users\Jeff Admin\Downloads\ComboFix.exe
Command switches used :: c:\users\Jeff Admin\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\c_91721.nl_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\c_91721.nl_
c:\windows\system32\drivers\ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-31 02:12 . 2011-10-31 02:12 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{24EAA09C-AE9E-42B6-9C16-3D99A89898F6}\offreg.dll
2011-10-31 02:11 . 2011-10-31 02:13 -------- d-----w- c:\users\Jeff Admin\AppData\Local\temp
2011-10-31 02:11 . 2011-10-31 02:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-10-31 02:11 . 2011-10-31 02:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-30 23:36 . 2008-01-21 02:23 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-10-26 23:10 . 2011-10-26 23:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-26 12:45 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{24EAA09C-AE9E-42B6-9C16-3D99A89898F6}\mpengine.dll
2011-10-22 01:05 . 2011-10-22 01:05 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 21:28 . 2009-07-31 22:16 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-18 23:35 . 2011-06-06 23:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06 . 2010-04-20 05:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-11 15:14 . 2011-05-01 19:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2007-12-11 21280]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [2005-12-16 408064]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
FF - ProfilePath - c:\users\Jeff Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nf16vi1r.jeff\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-30 21:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-10-30 21:18:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-31 02:18
ComboFix2.txt 2011-10-30 23:55
ComboFix3.txt 2011-10-30 19:48
.
Pre-Run: 304,365,051,904 bytes free
Post-Run: 304,414,101,504 bytes free
.
- - End Of File - - FC131202A92BA69FF31F98D9EDE01C78



