
Redirect and Pop up Email


  • This topic is locked
13 replies to this topic

#1 poetist

poetist

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 03 November 2011 - 04:20 AM

Referred from here: http://www.bleepingcomputer.com/forums/topic419643.html ~ OB

To make a long story short, it's back -- the problem. I didn't really use the internet that much. Maybe, a week or two, with about four searches in total, before I got the dreaded redirect. This time, there is a difference, my computer is running slower and I get this Rundll32 error. Update: Now, I'm getting pop up email, an email service I don't use.


I am looking at the prep. guide, and it wants me to put a firewall. Well, I've tried, but the message reads: firewall is turned off. Network admin. is using group policy to control these settings.

(By the way, what are CD emulation programs? I don't do anything fancy or use CDs, if that has anything to do with it. )


Please help.

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
AVG 2012
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 22
Java™ SE Runtime Environment 6 Update 1
Java 2 Runtime Environment, SE v1.4.2
Out of date Java installed!
Adobe Flash Player 11.0.1.152
Mozilla Firefox (3.6.23) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgnsx.exe
``````````End of Log````````````


Mini-toolbox

MiniToolBox by Farbar
Ran by Tracy (administrator) on 01-11-2011 at 00:50:56
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : Poetist
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0F-1F-47-04-95
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
                                    68.238.64.12
Lease Obtained. . . . . . . . . . : Monday, October 31, 2011 9:30:32 PM
Lease Expires . . . . . . . . . . : Tuesday, November 01, 2011 9:30:32 PM

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.224.81, 74.125.224.82, 74.125.224.80, 74.125.224.84
74.125.224.83

Pinging google.com [74.125.224.115] with 32 bytes of data:

Reply from 74.125.224.115: bytes=32 time=21ms TTL=251
Reply from 74.125.224.115: bytes=32 time=20ms TTL=251

Ping statistics for 74.125.224.115:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 21ms, Average = 20ms

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 72.30.2.43, 98.137.149.56
98.139.180.149

Pinging yahoo.com [67.195.160.76] with 32 bytes of data:

Reply from 67.195.160.76: bytes=32 time=95ms TTL=52
Reply from 67.195.160.76: bytes=32 time=201ms TTL=52

Ping statistics for 67.195.160.76:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 95ms, Maximum = 201ms, Average = 148ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=48
Reply from 127.0.0.1: bytes=32 time<1ms TTL=48

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0f 1f 47 04 95 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 20
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/26/2011 06:03:41 PM) (Source: Application Error) (User: )
Description: Faulting application mbam.exe, version 1.51.0.1118, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x000109f9.
Processing media-specific event for [mbam.exe!ws!]

Error: (10/24/2011 11:05:46 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 1.9.2.4280, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/23/2011 00:03:44 PM) (Source: Application Error) (User: )
Description: Faulting application hpdj00.exe, version 2.323.0.0, faulting module unknown, version 0.0.0.0, fault address 0x0012e731.
Processing media-specific event for [hpdj00.exe!ws!]

Error: (09/25/2011 00:05:36 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6000.16574, faulting module mshtml.dll, version 7.0.6000.16587, fault address 0x00092ea0.
Processing media-specific event for [iexplore.exe!ws!]

Error: (09/24/2011 11:48:51 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6000.16574, faulting module mshtml.dll, version 7.0.6000.16587, fault address 0x00092ea0.
Processing media-specific event for [iexplore.exe!ws!]

Error: (09/15/2011 09:48:27 PM) (Source: Application Hang) (User: )
Description: Hanging application avgui.exe, version 9.0.0.914, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/22/2011 09:28:07 PM) (Source: MsiInstaller) (User: Tracy)Tracy
Description: Product: Walmart Photo Manager -- Error 1720.There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor. Custom action GenerateGUID script error -2147024770, : Line 6, Column 1,

Error: (08/22/2011 02:02:35 AM) (Source: Application Hang) (User: )
Description: Hanging application pspa.exe, version 4.0.0.3, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/22/2011 01:52:59 AM) (Source: Application Hang) (User: )
Description: Hanging application realplay.exe, version 12.0.1.660, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/22/2011 01:52:16 AM) (Source: Application Hang) (User: )
Description: Hanging application realplay.exe, version 12.0.1.660, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (10/31/2011 09:32:18 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
wff

Error: (10/31/2011 09:32:18 PM) (Source: Service Control Manager) (User: )
Description: The IHA_MessageCenter service hung on starting.

Error: (10/31/2011 09:30:54 PM) (Source: Service Control Manager) (User: )
Description: The McAfee.com VirusScan Online Realtime Engine service failed to start due to the following error:
%%3

Error: (10/31/2011 09:30:54 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (10/30/2011 11:35:35 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
wff

Error: (10/30/2011 11:35:35 AM) (Source: Service Control Manager) (User: )
Description: The IHA_MessageCenter service hung on starting.

Error: (10/30/2011 11:34:12 AM) (Source: Service Control Manager) (User: )
Description: The McAfee.com VirusScan Online Realtime Engine service failed to start due to the following error:
%%3

Error: (10/30/2011 11:34:12 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (10/29/2011 00:06:55 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
wff

Error: (10/29/2011 00:06:55 PM) (Source: Service Control Manager) (User: )
Description: The IHA_MessageCenter service hung on starting.


Microsoft Office Sessions:
=========================
Error: (10/26/2011 06:03:41 PM) (Source: Application Error)(User: )
Description: mbam.exe1.51.0.1118ntdll.dll5.1.2600.5512000109f9

Error: (10/24/2011 11:05:46 PM) (Source: Application Hang)(User: )
Description: firefox.exe1.9.2.4280hungapp0.0.0.000000000

Error: (10/23/2011 00:03:44 PM) (Source: Application Error)(User: )
Description: hpdj00.exe2.323.0.0unknown0.0.0.00012e731

Error: (09/25/2011 00:05:36 AM) (Source: Application Error)(User: )
Description: iexplore.exe7.0.6000.16574mshtml.dll7.0.6000.1658700092ea0

Error: (09/24/2011 11:48:51 PM) (Source: Application Error)(User: )
Description: iexplore.exe7.0.6000.16574mshtml.dll7.0.6000.1658700092ea0

Error: (09/15/2011 09:48:27 PM) (Source: Application Hang)(User: )
Description: avgui.exe9.0.0.914hungapp0.0.0.000000000

Error: (08/22/2011 09:28:07 PM) (Source: MsiInstaller)(User: Tracy)Tracy
Description: Product: Walmart Photo Manager -- Error 1720.There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor. Custom action GenerateGUID script error -2147024770, : Line 6, Column 1, (NULL)(NULL)(NULL)

Error: (08/22/2011 02:02:35 AM) (Source: Application Hang)(User: )
Description: pspa.exe4.0.0.3hungapp0.0.0.000000000

Error: (08/22/2011 01:52:59 AM) (Source: Application Hang)(User: )
Description: realplay.exe12.0.1.660hungapp0.0.0.000000000

Error: (08/22/2011 01:52:16 AM) (Source: Application Hang)(User: )
Description: realplay.exe12.0.1.660hungapp0.0.0.000000000


=========================== Installed Programs ============================

Adobe Download Manager (Version: 1.6.2.60)
Adobe Flash Player 10 ActiveX (Version: 10.1.82.76)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Adobe Reader 7.1.0 (Version: 7.1.0)
Adobe Shockwave Player (Version: 10.1.4.20)
Anonymizer SpyWare Killer + Privacy Manager (Version: 1.5)
AVG 2012 (Version: 12.0.1834)
AVG 2012 (Version: 12.0.2092)
AVG 2012 (Version: 2012.0.1834)
Banctec Service Agreement (Version: 1.00.00)
Banctec Service Agreement (Version: 1.00.0005)
California Real Estate Exam Guide (Version: 1.00.000)
Conexant D850 56K V.9x DFVc Modem
Conexant SmartHSFi V.9x 56K DF PCI Modem
Dell Digital Jukebox Driver
Dell Networking Guide (Version: 1.00.0001)
Digital Line Detect (Version: 1.09)
DVDSentry (Version: 1.00.0000)
Final Draft 6 (Version: 6.0.35)
Final Draft AV Demo
FrostWire 4.21.8 (Version: 4.21.8.0)
FrostWire 5.0.8 (Version: 5.0.8.0)
Google Chrome (Version: 15.0.874.106)
Google Update Helper (Version: 1.3.21.79)
Help and Support Customization (Version: 1.00.0000)
Highlight Viewer (Windows Live Toolbar) (Version: 03.01.0146)
IHA_MessageCenter (Version: 1.1.0)
Intel® Extreme Graphics Driver
Internet Explorer Default Page (Version: 1.00.03)
J2SE Runtime Environment 5.0 Update 10 (Version: 1.5.0.100)
J2SE Runtime Environment 5.0 Update 3 (Version: 1.5.0.30)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
J2SE Runtime Environment 5.0 Update 9 (Version: 1.5.0.90)
Jasc Paint Shop Photo Album (Version: 4.0.3)
Jasc Paint Shop Pro 8 Dell Edition (Version: 8.10.0000)
Java 2 Runtime Environment, SE v1.4.2 (Version: 1.4.2)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 22 (Version: 6.0.220)
Java™ SE Runtime Environment 6 Update 1 (Version: 1.6.0.10)
Junk Mail filter update (Version: 14.0.8089.726)
Learn2 Player (Uninstall Only)
LimeWire 5.5.16 (Version: 5.5.16)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Map Button (Windows Live Toolbar) (Version: 03.01.0146)
Memories Disc Creator 2.0 (Version: 2.0.479.1607)
MiaMath
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 (Version: 2.0.50727)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Data Access Components KB870669
Microsoft IntelliPoint
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004 (Version: 12.0.50)
Microsoft Money 2004 System Pack (Version: 12.0.80)
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3 (Version: 2.0.2313.0)
Microsoft Office XP Professional with FrontPage (Version: 10.0.2627.0)
Microsoft Search Enhancement Pack (Version: 1.2.123.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Modem Helper (Version: 2.28)
Mozilla Firefox (3.6.23) (Version: 3.6.23 (en-US))
MSN Music Assistant
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MUSICMATCH® Jukebox
NetWaiting (Version: 2.5.12)
PowerDVD
QuickTime
RealNetworks - Microsoft Visual C++ 2005 Runtime (Version: 8.0)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer
RealUpgrade 1.1 (Version: 1.1.0)
Rhapsody
Rhapsody Player Engine (Version: 1.0.604)
Segoe UI (Version: 14.0.4327.805)
Smart Menus (Windows Live Toolbar) (Version: 03.01.0146)
Sonic DLA (Version: 4.50)
Sonic RecordNow! (Version: 6.5.3)
Sonic Update Manager (Version: 2.80)
Timez Attack (Version: 3.51)
TotalAccess Smart Installer
VC 9.0 Runtime (Version: 1.0.0)
Verizon Online Support Center
Visual C++ 8.0 CRT (x86) WinSXS MSM (Version: 8.0.50727.762)
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM (Version: 8.0.50727.762)
Vz In Home Agent (Version: 8.02.27)
WebFldrs XP (Version: 9.50.6513)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Live Communications Platform (Version: 14.0.8098.930)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Family Safety (Version: 14.0.8093.805)
Windows Live Favorites for Windows Live Toolbar (Version: 03.01.0146)
Windows Live Mail
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Toolbar (Version: 14.0.8064.206)
Windows Live Toolbar Extension (Windows Live Toolbar) (Version: 03.01.0146)
Windows Live Writer (Version: 14.0.8089.0726)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WordPerfect Office 11 (Version: 11.0)
Yahoo! Detect

========================= Memory info: ===================================

Percentage of memory in use: 95%
Total physical RAM: 1534 MB
Available physical RAM: 76.45 MB
Total Pagefile: 2155.6 MB
Available Pagefile: 826.51 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.14 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:111.73 GB) (Free:70.85 GB) NTFS
5 Drive f: (USB DISK) (Removable) (Total:0.12 GB) (Free:0.09 GB) FAT

========================= Users: ========================================

User accounts for \\POETIST

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 SUPPORT_3f151ab9
Tracy


**** End of log ****

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8025

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

11/1/2011 2:03:56 AM
mbam-log-2011-11-01 (02-03-41).txt

Scan type: Quick scan
Objects scanned: 197933
Time elapsed: 56 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\documents and settings\Tracy\local settings\application data\servicecodec.dll (Trojan.SHarpro) -> No action taken.
c:\documents and settings\all users\application data\appleupdateprofile.dll (Trojan.SHarpro.PGen) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00018A7F-C9C2-40CD-A5D0-59F092423233} (Trojan.SHarpro) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00018A7F-C9C2-40CD-A5D0-59F092423233} (Trojan.SHarpro) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00018A7F-C9C2-40CD-A5D0-59F092423233} (Trojan.SHarpro) -> No action taken.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppleUpdateProfile (Trojan.SHarpro.PGen) -> Value: AppleUpdateProfile -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Tracy\local settings\Temp\thpm4984954598501747057.tmp (Exploit.Drop.3) -> No action taken.
c:\documents and settings\Tracy\local settings\Temp\thpm7986074076000232100.tmp (Exploit.Drop.3) -> No action taken.
c:\documents and settings\Tracy\local settings\application data\servicecodec.dll (Trojan.SHarpro) -> No action taken.
c:\documents and settings\Tracy\local settings\application data\explorerwin32.dll (Trojan.SHarpro.Gen) -> No action taken.
c:\documents and settings\all users\application data\appleupdateprofile.dll (Trojan.SHarpro.PGen) -> No action taken.

Edited by Orange Blossom, 03 November 2011 - 05:58 PM.




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:10 AM

Posted 08 November 2011 - 04:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426124 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 poetist

poetist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 09 November 2011 - 02:36 AM

Update on my scans:

Malware:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8122

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

11/8/2011 11:10:03 PM
mbam-log-2011-11-08 (23-10-03).txt

Scan type: Quick scan
Objects scanned: 201167
Time elapsed: 23 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\documents and settings\all users\application data\javabackupbackup.dll (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Tracy\local settings\application data\asktoolbar\asktoolbarupdate\asktoolbarup.dll (Trojan.SHarpro.PGen) -> Delete on reboot.
c:\documents and settings\Tracy\local settings\application data\isolatedstorage\isolatedstorageupdate\isolatedstorageup.dll (Trojan.SHarpro.PGen) -> Delete on reboot.
c:\documents and settings\Tracy\local settings\application data\Help\helpupdate\Helpup.dll (Trojan.SHarpro.PGen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00018A7F-C9C2-40CD-A5D0-59F092423233} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00018A7F-C9C2-40CD-A5D0-59F092423233} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaBackupBackup (Trojan.Agent) -> Value: JavaBackupBackup -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Update (Trojan.SHarpro.PGen) -> Value: Adobe Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MEGAUPLOADER Update (Trojan.SHarpro.PGen) -> Value: MEGAUPLOADER Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PepiMK Update (Trojan.SHarpro.PGen) -> Value: PepiMK Update -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\javabackupbackup.dll (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Tracy\local settings\application data\networkwin32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tracy\local settings\Temp\thpm1350558725478888469.tmp (Trojan.Exploit.Drop.THPM) -> Quarantined and deleted successfully.
c:\documents and settings\Tracy\local settings\Temp\nsmB4.tmp\001.jgg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tracy\local settings\Temp\nsmB4.tmp\002.jgg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tracy\local settings\Temp\nsmB4.tmp\003.jgg (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tracy\local settings\Temp\nsmB4.tmp\004.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tracy\local settings\application data\asktoolbar\asktoolbarupdate\asktoolbarup.dll (Trojan.SHarpro.PGen) -> Delete on reboot.
c:\documents and settings\Tracy\local settings\application data\isolatedstorage\isolatedstorageupdate\isolatedstorageup.dll (Trojan.SHarpro.PGen) -> Delete on reboot.
c:\documents and settings\Tracy\local settings\application data\Help\helpupdate\Helpup.dll (Trojan.SHarpro.PGen) -> Delete on reboot.


GooredFix

GooredFix by jpshortstuff (03.07.10.1)
Log created at 23:15 on 08/11/2011 (Tracy)
Firefox version 3.6.23 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\Tracy\Application Data\Mozilla\Firefox\Profiles\xx3lzray.default\extensions\{cf0e09f6-f304-4e2e-9647-8b488de89542}" -> Success!
Deleting "C:\Documents and Settings\Tracy\Application Data\Mozilla\Firefox\Profiles\xx3lzray.default\extensions\{dc18f430-268c-42bc-ba0e-be5d970813bb}" -> Success!
Removing Orphan:
"{EB132DB0-A4CA-11DF-9732-0E29E0D72085}"="C:\Program Files\Object\facetheme" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{3112ca9c-de6d-4884-a869-9855de68056c} [08:31 21/11/2006]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [08:25 29/06/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [09:24 06/08/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [02:43 28/11/2010]

C:\Documents and Settings\Tracy\Application Data\Mozilla\Firefox\Profiles\xx3lzray.default\extensions\
avg@toolbar [02:02 25/09/2011]
feedly@devhd [05:56 08/08/2010]
{3112ca9c-de6d-4884-a869-9855de68056c} [05:15 10/06/2011]
{4176DFF4-4698-11DE-BEEB-45DA55D89593} [05:56 08/08/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [08:43 29/08/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [09:23 06/08/2010]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [07:52 16/11/2010]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"="C:\Program Files\AVG\AVG2012\Firefox4\" [02:00 25/09/2011]

---------- Old Logs ----------

-=E.O.F=-


Check up


Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG 2012
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 22
Java™ SE Runtime Environment 6 Update 1
Java 2 Runtime Environment, SE v1.4.2
Adobe Flash Player 11.0.1.152
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.23)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgnsx.exe
``````````End of Log````````````

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:10 AM

Posted 09 November 2011 - 11:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

While I check your log execute this.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 bit version, download jre-6u27-windows-x64.exe instead. Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 22
Java™ SE Runtime Environment 6 Update 1
Java 2 Runtime Environment, SE v1.4.2

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress, you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Please post the ComboFix log and let me know what problem persists.

#5 poetist
  • Topic Starter
  • Members
  • 19 posts

Posted 11 November 2011 - 04:16 AM

I forgot to add that I do not have a Windows CD.

Plus, what is CD emulation? I read the link, but I'm at a loss.

#6 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 November 2011 - 11:18 AM

CD emulation? I read the link

A program that simulates a CD.
If you do not know about it, you do not have one.

Please run the tools I suggested in my previous post.

Post the logs when ready.

#7 poetist
  • Topic Starter
  • Members
  • 19 posts

Posted 11 November 2011 - 08:36 PM

Here is the latest scan:

ComboFix 11-11-11.06 - Tracy 11/11/2011 16:52:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.241 [GMT -8:00]
Running from: c:\documents and settings\Tracy\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WMIAPSRV32
-------\Service_WmiApSrv32
.
.
((((((((((((((((((((((((( Files Created from 2011-10-12 to 2011-11-12 )))))))))))))))))))))))))))))))
.
.
2011-11-10 02:25 . 2011-11-10 02:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-10-29 07:48 . 2011-11-01 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2011-10-23 19:53 . 2011-11-10 02:06 -------- d-----w- c:\program files\AVG Secure Search
2011-10-17 08:38 . 2011-10-18 08:23 -------- d-----w- c:\documents and settings\Tracy\Application Data\Ibp
2011-10-17 08:38 . 2011-10-18 06:00 -------- d-----w- c:\documents and settings\Tracy\Application Data\Ifqi
2011-10-16 22:59 . 2011-10-16 22:59 -------- d-----w- c:\documents and settings\Tracy\Application Data\SanDisk
2011-10-14 23:24 . 2011-10-21 06:14 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-23 16:05 . 2011-06-28 04:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-15 06:22 . 2011-09-15 06:22 1409 ----a-w- c:\windows\QTFont.for
2011-09-01 00:00 . 2010-06-25 04:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-11-10 02:06 1451336 ----a-w- c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll" [2011-11-10 1451336]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPYKILLER"="c:\program files\Anonymizer\sk\SpyWareKiller.exe" [2004-02-12 110592]
"ihanotify"="c:\program files\Verizon\FiOS\ihs\IHANotify.exe" [2010-12-28 237568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 131072]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-22 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-08-13 273544]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-10-23 218440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [7/11/2011 12:14 AM 23120]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [7/11/2011 12:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 4:06 PM 98304]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [9/24/2011 6:01 PM 246600]
S0 wff;wff;c:\windows\system32\drivers\wff.sys --> c:\windows\system32\drivers\wff.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2010 11:45 PM 136176]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2010 11:45 PM 136176]
S3 lredbooo;lredbooo;\??\c:\docume~1\Tracy\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Tracy\LOCALS~1\Temp\lredbooo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 07:45]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 07:45]
.
2011-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1575197745-3283536573-500172640-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1575197745-3283536573-500172640-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://websearch.shopnav.com/sidesearch.cgi?uid=10509758&id=1.20031
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Tracy\Application Data\Mozilla\Firefox\Profiles\xx3lzray.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B443c6f18-ebf9-4c3e-b8de-6ea2fbf1d123%7D&mid=1bf83d4e15b101d46ccf0aec741062ad-191f6c5406cc20549f131cc4031681b168fdf9a9&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-09-24%2019%3A01%3A51&sap=ku&q=
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: AniWeather: {4176DFF4-4698-11DE-BEEB-45DA55D89593} - %profile%\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}
FF - Ext: feedly: feedly@devhd - %profile%\extensions\feedly@devhd
FF - Ext: AVG Security Toolbar: avg@toolbar - %profile%\extensions\avg@toolbar
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{ED048B67-24D7-414B-B007-E40D0B01A418} - c:\windows\lbbho.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-SansaDispatch - c:\documents and settings\Tracy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
HKCU-Run-{7A07605C-B12F-D178-8775-E019D2B991BF} - c:\documents and settings\Tracy\Application Data\Ifqi\eqvosyo.exe
Notify-addos - c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\addos.dll
AddRemove-SysSnap - c:\progra~1\COMMON~1\EACCEL~1\SysSnap\syssnap.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 17:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Tracy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y120P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89AEA2C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3052)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-11-11 17:18:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-12 01:18
.
Pre-Run: 76,718,358,528 bytes free
Post-Run: 82,488,348,672 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 946DB7C6AEA392C97E8D944EC76796EA
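As an added example (not ComboFix's own code and not something the thread's helper posted), the Python below parses the REGEDIT4-style "Reg Loading Points" block of a ComboFix log like the one above and flags the entries in it that weaken the machine's defences: Automatic Updates switched off by policy, the Security Center antivirus override, and monitoring of the installed AV disabled. It also applies one heuristic that goes beyond what the log states: a Run entry that launches from a user profile directory, like the orphaned Ifqi\eqvosyo.exe entry ComboFix removed, is reported as suspicious; the date/size stamp on that constructed sample line is a placeholder.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the "Reg Loading Points" section of a
# ComboFix log; the keys and values are copied from the log on this page.
# The "[2011-10-17 00000]" stamp on the Ifqi entry is a constructed placeholder.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPYKILLER"="c:\program files\Anonymizer\sk\SpyWareKiller.exe" [2004-02-12 110592]
"{7A07605C-B12F-D178-8775-E019D2B991BF}"="c:\documents and settings\Tracy\Application Data\Ifqi\eqvosyo.exe" [2011-10-17 00000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=raw value

# (key suffix, value name, value that weakens security, what it means)
WEAKENING = [
    ("windowsupdate\\au", "NoAutoUpdate", 1,
     "Automatic Updates disabled by policy"),
    ("security center", "AntiVirusOverride", 1,
     "Security Center antivirus status check overridden"),
    ("security center\\monitoring\\mcafeeantivirus", "DisableMonitoring", 1,
     "Security Center monitoring of the installed AV disabled"),
]


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REGEDIT4-style dump into {key: {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "." or line == "REGEDIT4":
            continue  # ComboFix separates blocks with lone "." lines
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def dword_value(raw: str) -> Optional[int]:
    """Return the integer behind 'dword:00000001' or '1 (0x1)', else None."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def find_weak_settings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, finding) for every entry that lowers defences."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        low = key.lower()
        for suffix, name, bad, meaning in WEAKENING:
            if low.endswith(suffix) and name in values and dword_value(values[name]) == bad:
                findings.append((key, name, meaning))
        if low.endswith("\\currentversion\\run"):
            # Heuristic: autoruns from a user profile directory deserve a look.
            for name, raw in values.items():
                m = re.match(r'^"([^"]+)"', raw)
                if m and m.group(1).lower().startswith("c:\\documents and settings\\"):
                    findings.append((key, name,
                                     "autorun launches from a user profile directory: " + m.group(1)))
    return findings


if __name__ == "__main__":
    for key, name, finding in find_weak_settings(parse_reg_section(SAMPLE_LOG)):
        print(f"{key}\n    {name}: {finding}")
```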

#8 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 November 2011 - 10:01 AM

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs and let me know what problem persists.

#9 poetist
  • Topic Starter
  • Members
  • 19 posts

Posted 13 November 2011 - 06:22 AM

After running these scans, I haven't had time to be online, so I have no opportunity to spot problems.

ASWMBR log

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-13 02:45:51
-----------------------------
02:45:51.953 OS Version: Windows 5.1.2600 Service Pack 3
02:45:51.953 Number of processors: 1 586 0x209
02:45:52.109 ComputerName: POETIST UserName: Tracy
02:45:56.296 Initialize success
02:46:32.218 AVAST engine defs: 11111300
02:49:46.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
02:49:46.781 Disk 0 Vendor: Maxtor_6Y120P0 YAR41BW0 Size: 114440MB BusType: 3
02:49:46.781 Device \Driver\atapi -> DriverStartIo 89e2f2c6
02:49:48.796 Disk 0 MBR read successfully
02:49:48.796 Disk 0 MBR scan
02:49:48.906 Disk 0 MBR:Pihar-B [Rtk]
02:49:48.906 Disk 0 TDL4@MBR code has been found
02:49:48.906 Disk 0 Windows XP default MBR code found via API
02:49:48.906 Disk 0 MBR hidden
02:49:48.921 Disk 0 MBR [TDL4] **ROOTKIT**
02:49:48.921 Disk 0 trace - called modules:
02:49:48.921 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89e2f49f]<<
02:49:48.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a508ab8]
02:49:48.921 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a1ff278]
02:49:48.937 \Driver\atapi[0x8a180b10] -> IRP_MJ_CREATE -> 0x89e2f49f
02:49:50.171 AVAST engine scan C:\WINDOWS
02:50:17.890 AVAST engine scan C:\WINDOWS\system32
02:53:02.281 AVAST engine scan C:\WINDOWS\system32\drivers
02:53:06.421 File: C:\WINDOWS\system32\drivers\df_kmd.sys **INFECTED** Win32:Trojano-DQD [Trj]
02:53:18.328 AVAST engine scan C:\Documents and Settings\Tracy
03:04:09.171 AVAST engine scan C:\Documents and Settings\All Users
03:05:43.406 Scan finished successfully
03:06:28.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tracy\Desktop\MBR.dat"
03:06:28.937 The log file has been saved successfully to "C:\Documents and Settings\Tracy\Desktop\aswMBR log.txt"


TDS log

03:08:58.0421 5208 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
03:08:58.0906 5208 ============================================================
03:08:58.0906 5208 Current date / time: 2011/11/13 03:08:58.0906
03:08:58.0906 5208 SystemInfo:
03:08:58.0906 5208
03:08:58.0906 5208 OS Version: 5.1.2600 ServicePack: 3.0
03:08:58.0906 5208 Product type: Workstation
03:08:59.0031 5208 ComputerName: POETIST
03:08:59.0062 5208 UserName: Tracy
03:08:59.0062 5208 Windows directory: C:\WINDOWS
03:08:59.0062 5208 System windows directory: C:\WINDOWS
03:08:59.0062 5208 Processor architecture: Intel x86
03:08:59.0062 5208 Number of processors: 1
03:08:59.0062 5208 Page size: 0x1000
03:08:59.0062 5208 Boot type: Normal boot
03:08:59.0062 5208 ============================================================
03:09:01.0484 5208 Initialize success
03:09:03.0468 5244 ============================================================
03:09:03.0468 5244 Scan started
03:09:03.0468 5244 Mode: Manual;
03:09:03.0468 5244 ============================================================
03:09:22.0921 5244 MBR (0x1B8) (b0b17de2470979f6aa7d36e451109b01) \Device\Harddisk0\DR0
03:09:22.0921 5244 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
03:09:22.0921 5244 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
03:09:22.0937 5244 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR3
03:09:23.0859 5244 \Device\Harddisk1\DR3 - ok
03:09:23.0890 5244 Boot (0x1200) (ac7b78dbc8ff12f566aa43be56dbb97b) \Device\Harddisk0\DR0\Partition0
03:09:23.0890 5244 \Device\Harddisk0\DR0\Partition0 - ok
03:09:23.0906 5244 Boot (0x1200) (08114fc202b62f464ef76efdb3eab06b) \Device\Harddisk1\DR3\Partition0
03:09:23.0906 5244 \Device\Harddisk1\DR3\Partition0 - ok
03:09:23.0906 5244 ============================================================
03:09:23.0906 5244 Scan finished
03:09:23.0906 5244 ============================================================
03:09:23.0921 4900 Detected object count: 1
03:09:23.0921 4900 Actual detected object count: 1
03:09:54.0093 4900 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
03:09:54.0093 4900 \Device\Harddisk0\DR0 - ok
03:09:54.0093 4900 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
03:10:00.0203 5732 Deinitialize success
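As an added example (not from the thread and not TDSSKiller's own code), a small Python triage helper for the TDSSKiller log format above: it parses the `<time> <thread> <message>` lines, separates the object inventory (name, MD5, path) from the verdict lines, and surfaces every object whose verdict is not `- ok`, plus drivers loaded from outside the Windows directory as a review cue. The sample lines are constructed from entries in the log above; the threat name, device paths and hashes are the ones that log prints.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller log format posted above (values copied
# from that log, trimmed to a handful of lines).
SAMPLE_LOG = """\
03:09:03.0468 5244 Scan started
03:09:03.0468 5244 Mode: Manual;
03:09:04.0609 5244 Abiosdsk - ok
03:09:04.0828 5244 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
03:09:04.0843 5244 ACPI - ok
03:09:16.0343 5244 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\\PROGRA~1\\COMMON~1\\Motive\\MREMPR5.SYS
03:09:16.0359 5244 MREMPR5 - ok
03:09:22.0921 5244 MBR (0x1B8) (b0b17de2470979f6aa7d36e451109b01) \\Device\\Harddisk0\\DR0
03:09:22.0921 5244 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - infected
03:09:22.0921 5244 \\Device\\Harddisk0\\DR0 - detected Rootkit.Boot.Pihar.b (0)
03:09:23.0859 5244 \\Device\\Harddisk1\\DR3 - ok
03:09:23.0906 5244 Scan finished
03:09:23.0921 4900 Detected object count: 1
03:09:54.0093 4900 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
03:09:54.0093 4900 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
"""

# Every line is "<HH:MM:SS.mmmm> <thread id> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4}) (?P<tid>\d+) (?P<msg>.*)$")
# Inventory line: object name (a service, or "MBR (0x1B8)"), MD5 in parentheses, path.
OBJECT_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Verdict line: "<object>[ ( <threat> )] - <verdict>".
VERDICT_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<threat>[^)]+) \))? - (?P<verdict>.+)$")
# The "- detected <name> (n)" form carries the threat inside the verdict text.
DETECTED_RE = re.compile(r"^detected (?P<threat>\S+)")


@dataclass
class Verdict:
    obj: str
    verdict: str
    threat: Optional[str]
    ts: str


@dataclass
class ScanReport:
    objects: Dict[str, dict]   # name -> {"md5": ..., "path": ...}
    verdicts: List[Verdict]


def parse_log(text: str) -> ScanReport:
    """Split a TDSSKiller log into the object inventory and the verdict lines."""
    objects: Dict[str, dict] = {}
    verdicts: List[Verdict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # banner / separator lines carry no prefix we care about
        msg = m.group("msg")
        o = OBJECT_RE.match(msg)
        if o:
            objects[o.group("name")] = {"md5": o.group("md5"), "path": o.group("path")}
            continue
        v = VERDICT_RE.match(msg)
        if v:
            threat = v.group("threat")
            d = DETECTED_RE.match(v.group("verdict"))
            if d:
                threat = d.group("threat")
            verdicts.append(Verdict(v.group("obj"), v.group("verdict"), threat, m.group("ts")))
    return ScanReport(objects, verdicts)


def triage(report: ScanReport) -> List[Verdict]:
    """Every verdict that is not a clean '- ok', one entry per (object, verdict)."""
    seen, out = set(), []
    for v in report.verdicts:
        if v.verdict == "ok" or (v.obj, v.verdict) in seen:
            continue
        seen.add((v.obj, v.verdict))
        out.append(v)
    return out


def threats(report: ScanReport) -> Dict[str, str]:
    """Map each object TDSSKiller reported as infected/detected to the threat name."""
    found: Dict[str, str] = {}
    for v in report.verdicts:
        if v.threat and v.verdict.startswith(("infected", "detected")):
            found[v.obj] = v.threat
    return found


def drivers_outside_windows(report: ScanReport, windir: str = "C:\\WINDOWS") -> List[str]:
    """Drivers loaded from outside the Windows directory: a review cue, not a verdict."""
    prefix = windir.lower()
    return sorted(
        name for name, info in report.objects.items()
        if not info["path"].lower().startswith(prefix)
        and not info["path"].startswith("\\Device\\")   # MBR/boot objects are not drivers
    )


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for obj, name in threats(rep).items():
        print(f"threat: {obj} -> {name}")
    for v in triage(rep):
        print(f"{v.ts} {v.obj} -> {v.verdict}")
    print("drivers outside Windows dir:", drivers_outside_windows(rep))
```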

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:10 AM

Posted 13 November 2011 - 10:16 AM

Open notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\drivers\df_kmd.sys



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===

Please run the aswMBR tool again and post a fresh log.

Let me know what problem persists.

#11 poetist

poetist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 17 November 2011 - 03:57 AM

I tried my best to drag the CSF icon, but it did not disappear into the Combo icon.
I've noticed that I am able to select Add Firewall on my control panel. I was not able to do that before.

Once again, thanks in advance.

Here's the CSF log:

ComboFix 11-11-16.02 - Tracy 11/17/2011 0:40.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1011 [GMT -8:00]
Running from: c:\documents and settings\Tracy\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Tracy\Desktop\CFScript.txt
AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
FILE ::
"c:\windows\system32\drivers\df_kmd.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\df_kmd.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-10 02:25 . 2011-11-10 02:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-10-29 07:48 . 2011-11-01 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2011-10-23 19:53 . 2011-11-10 02:06 -------- d-----w- c:\program files\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-13 11:13 . 2011-06-28 04:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-15 06:22 . 2011-09-15 06:22 1409 ----a-w- c:\windows\QTFont.for
2011-09-01 00:00 . 2010-06-25 04:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-12_01.12.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-17 06:30 . 2011-11-17 06:30 16384 c:\windows\Temp\Perflib_Perfdata_330.dat
+ 2011-11-13 11:13 . 2011-11-13 11:13 247968 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil11e_Plugin.exe
+ 2009-07-18 03:21 . 2011-11-13 11:13 8527008 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2011-11-17 06:36 . 2011-11-17 06:36 4671488 c:\windows\Installer\5a3e6.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-11-10 02:06 1451336 ----a-w- c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll" [2011-11-10 1451336]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPYKILLER"="c:\program files\Anonymizer\sk\SpyWareKiller.exe" [2004-02-12 110592]
"ihanotify"="c:\program files\Verizon\FiOS\ihs\IHANotify.exe" [2010-12-28 237568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 131072]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-22 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-08-13 273544]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-10-23 218440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [7/11/2011 12:14 AM 23120]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [7/11/2011 12:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 4:06 PM 98304]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [9/24/2011 6:01 PM 246600]
S0 wff;wff;c:\windows\system32\drivers\wff.sys --> c:\windows\system32\drivers\wff.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2010 11:45 PM 136176]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2010 11:45 PM 136176]
S3 lredbooo;lredbooo;\??\c:\docume~1\Tracy\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Tracy\LOCALS~1\Temp\lredbooo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 07:45]
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 07:45]
.
2011-11-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1575197745-3283536573-500172640-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1575197745-3283536573-500172640-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://websearch.shopnav.com/sidesearch.cgi?uid=10509758&id=1.20031
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Tracy\Application Data\Mozilla\Firefox\Profiles\xx3lzray.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B443c6f18-ebf9-4c3e-b8de-6ea2fbf1d123%7D&mid=1bf83d4e15b101d46ccf0aec741062ad-191f6c5406cc20549f131cc4031681b168fdf9a9&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-09-24%2019%3A01%3A51&sap=ku&q=
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: AniWeather: {4176DFF4-4698-11DE-BEEB-45DA55D89593} - %profile%\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}
FF - Ext: feedly: feedly@devhd - %profile%\extensions\feedly@devhd
FF - Ext: AVG Security Toolbar: avg@toolbar - %profile%\extensions\avg@toolbar
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-17 00:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-11-17 00:52:14
ComboFix-quarantined-files.txt 2011-11-17 08:52
ComboFix2.txt 2011-11-12 01:18
.
Pre-Run: 81,862,381,568 bytes free
Post-Run: 82,279,272,448 bytes free
.
- - End Of File - - 9844E79A7A91598625C165DE187D62C3


aswMBR Log:


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-17 00:54:47
-----------------------------
00:54:47.437 OS Version: Windows 5.1.2600 Service Pack 3
00:54:47.437 Number of processors: 1 586 0x209
00:54:47.437 ComputerName: POETIST UserName: Tracy
00:54:49.343 Initialize success
00:55:12.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:55:12.765 Disk 0 Vendor: Maxtor_6Y120P0 YAR41BW0 Size: 114440MB BusType: 3
00:55:14.781 Disk 0 MBR read successfully
00:55:14.781 Disk 0 MBR scan
00:55:14.781 Disk 0 Windows XP default MBR code
00:55:14.796 Disk 0 scanning sectors +234372285
00:55:14.843 Disk 0 scanning C:\WINDOWS\system32\drivers
00:55:37.406 Service scanning
00:55:38.625 Modules scanning
00:55:47.187 Disk 0 trace - called modules:
00:55:47.234 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
00:55:47.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a508ab8]
00:55:47.234 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a4b2d98]
00:55:47.234 Scan finished successfully
00:56:46.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tracy\Desktop\MBR.dat"
00:56:46.093 The log file has been saved successfully to "C:\Documents and Settings\Tracy\Desktop\aswMBR nov. 17.txt"

Edited by poetist, 17 November 2011 - 04:00 AM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:10 AM

Posted 17 November 2011 - 10:48 AM

Looking good.

Any remaining issues?

#13 poetist

poetist
  • Topic Starter

  • Members
  • 19 posts
  • Local time:04:10 AM

Posted 17 November 2011 - 11:48 PM

So far, so good.
Thanks so very much.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:10 AM

Posted 18 November 2011 - 08:17 AM

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===
