
possible zeroaccess rootkit


  • This topic is locked
28 replies to this topic

#1 fireal20

fireal20

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 09 November 2011 - 10:35 PM

If the reply is on Nov 14 or later, please do not delete the topic due to my non-response. I will be out of town with no internet access until the evening of Nov 18.

I recently removed the System Restore program using the guide found here at BleepingComputer. I had some luck with the guide, but actually Microsoft Security Essentials ended up finding and removing it. Ever since then, I am still getting the redirects from Google or Bing links, iexplore.exe randomly opens (although no browser window opens, only in Task Manager... I end the process, but it just comes back after a few minutes), and Firefox seems to use up quite a bit more system memory than it did before. I am running Windows 7 Home Premium 64-bit. I have run full scans with Malwarebytes, Ad-Aware and MS Security Essentials. They all found and removed a few things, but I am still having the same problem.

Something that may be related is that I can't get my Windows Firewall to come back on. I don't have any other firewall program. My Windows Firewall Authorization Driver seems to be corrupted. There is a topic here that addresses all the details. If this is unrelated, my apologies for putting two problems in the same post.

Posted first here: http://www.bleepingcomputer.com/forums/topic426598.html/page__gopid__2469442
Since I am running 64-bit Windows, I was not able to run GMER.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wmcknight at 21:20:29 on 2011-11-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4086.1451 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\SysWOW64\java.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Zune\ZuneNss.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
c:\Program Files\Zune\zune.exe
c:\Program Files\Zune\WMZuneComm.exe
c:\Program Files\Zune\ZuneWlanCfgSvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files\Logitech\SetPoint\SetPoint.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: $talisma_url$
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller64.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://lmpassage3.external.lmco.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{625F0FFA-3EFB-4167-A6FE-48CCC9812AB8} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{A09E1B86-EFDD-4F09-9530-C4AC09B48054} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\puresp4.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\wmcknight\AppData\Roaming\Mozilla\Firefox\Profiles\op75zpe3.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - component: C:\Users\wmcknight\AppData\Roaming\Mozilla\Firefox\Profiles\op75zpe3.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotive.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-6-15 249648]
R2 LinksysUpdater;Linksys Updater;C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2010-11-2 517632]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2011-8-5 306400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-7-7 195336]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-11-10 02:56:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{28236F8C-4476-4BD2-8E38-91C166CBF2CE}
2011-11-10 02:56:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{01E99C1D-EDD0-4CEE-9E86-FA46D5322150}
2011-11-09 16:44:23 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{73924D98-C2FC-4470-BC31-A32800C990C0}\offreg.dll
2011-11-09 16:44:21 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{73924D98-C2FC-4470-BC31-A32800C990C0}\mpengine.dll
2011-11-09 14:55:36 -------- d-----w- C:\Users\wmcknight\AppData\Local\{249C9E90-F3C8-41A1-AAAA-5950C40E0EA9}
2011-11-09 02:54:51 -------- d-----w- C:\Users\wmcknight\AppData\Local\{9D12CCED-37A1-4AB8-8225-99DC928F2025}
2011-11-08 14:54:14 -------- d-----w- C:\Users\wmcknight\AppData\Local\{FEE1AFAC-BBC4-4A17-B68A-F35CBC09F5A5}
2011-11-08 02:53:35 -------- d-----w- C:\Users\wmcknight\AppData\Local\{97C8551F-DE6C-4671-AB9E-02118F55B582}
2011-11-07 14:52:57 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D77F9C18-CDF8-4B4C-81A5-4FE480DA9EEB}
2011-11-07 02:52:13 -------- d-----w- C:\Users\wmcknight\AppData\Local\{1A6FF9B4-DDD4-4B33-BBEF-4BE19F782F16}
2011-11-07 02:51:50 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EC40ADA8-F3A9-4AF9-83F3-4F93C8E1AE73}
2011-11-06 14:51:09 -------- d-----w- C:\Users\wmcknight\AppData\Local\{3F91246B-C8FA-46EF-8049-74AA41CE7C7D}
2011-11-06 14:50:56 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BE48B1DA-2347-42C6-9481-0A64A7FDF3BD}
2011-11-05 09:38:25 -------- d-----w- C:\Users\wmcknight\AppData\Local\{F97659FC-CD0D-41BA-8034-744DA85ED251}
2011-11-05 09:38:02 -------- d-----w- C:\Users\wmcknight\AppData\Local\{F96E3F13-06A5-424B-AC3C-9AAD7B348846}
2011-11-05 01:30:08 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-11-04 21:37:12 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BD0C90B1-B950-43C9-9A0B-09C37E32A14D}
2011-11-04 21:36:51 -------- d-----w- C:\Users\wmcknight\AppData\Local\{3C3166C7-AF68-44B8-A1AF-F64D4B4B5038}
2011-11-04 02:59:59 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EB9E894B-BFA0-4DFC-8892-45218F8554F6}
2011-11-04 02:59:35 -------- d-----w- C:\Users\wmcknight\AppData\Local\{69B3688F-0083-4A8A-82B8-FC32B234C43A}
2011-11-04 02:21:05 -------- d-----w- C:\Users\wmcknight\AppData\Roaming\Malwarebytes
2011-11-04 02:20:58 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-04 01:00:11 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-11-04 00:45:50 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-11-04 00:45:50 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-11-03 23:45:14 -------- d-----we C:\Windows\system64
2011-11-03 14:59:05 -------- d-----w- C:\Users\wmcknight\AppData\Local\{0B7041A6-13C7-41B7-BA81-E887396B6B89}
2011-11-03 14:58:42 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D7647D9F-4680-4006-B64F-7AEFAF3EBCE8}
2011-11-03 02:58:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{4FF1EF27-BF9A-4779-94FA-4CEC764E121D}
2011-11-03 02:58:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E36811DF-3D35-4D41-91C8-B8C4E7F35E67}
2011-11-02 14:57:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{08DD7401-785D-4EDF-8211-2F387619E6B8}
2011-11-02 14:57:30 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CB207E9A-4425-4EC8-B683-59294DB0ADCF}
2011-11-02 02:57:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{85B78469-C7DA-4BE6-B6E6-FC0E1AE07B70}
2011-11-01 14:56:39 -------- d-----w- C:\Users\wmcknight\AppData\Local\{5D56932C-0603-472F-82A2-7761EBCC6CBA}
2011-11-01 02:56:03 -------- d-----w- C:\Users\wmcknight\AppData\Local\{8FB9E888-BBE5-4E79-B398-6EE384C18F7E}
2011-10-31 14:55:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E09D69F6-37B8-4239-87D9-CFC0C641EE54}
2011-10-31 02:54:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EBE8FC3E-1D3B-4770-AD95-4DFD441BEDAB}
2011-10-31 02:54:30 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BC9A0918-F234-4A05-B4B2-95DD5E5A9995}
2011-10-30 14:54:03 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E8D78B9F-3F4D-4D0C-BEF9-34F461663C17}
2011-10-30 14:53:41 -------- d-----w- C:\Users\wmcknight\AppData\Local\{415871ED-B3A3-47FF-9EE8-B2DF423A5AC1}
2011-10-30 02:53:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{C4DC32C7-272C-4AF5-83BA-6848025DD4EE}
2011-10-30 02:53:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{A58DF3FE-6B45-48C1-8604-A6216000D205}
2011-10-29 14:52:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CCA13ABA-F031-4DB2-A850-1621CC1FC492}
2011-10-29 14:52:29 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D567203C-EA59-4A38-8343-D39BA6EDB759}
2011-10-29 02:52:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6B7CD9BB-2F69-42C4-A905-98B457D1C13A}
2011-10-29 02:51:53 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D43C9FCC-69AA-4735-A6D8-A88A40162A3C}
2011-10-28 14:50:26 -------- d-----w- C:\Users\wmcknight\AppData\Local\{55A65CBE-06CC-4BE2-8B50-9D2D8F2160CC}
2011-10-28 14:49:59 -------- d-----w- C:\Users\wmcknight\AppData\Local\{612060AF-5EEA-4EC1-BCA0-343A94CFFA5A}
2011-10-28 02:48:47 -------- d-----w- C:\Users\wmcknight\AppData\Local\{56139CA4-15A2-410B-8BAA-76EBBE88A1C5}
2011-10-28 02:48:20 -------- d-----w- C:\Users\wmcknight\AppData\Local\{1A743A88-A706-4FF1-A304-7BF9781BB24E}
2011-10-27 14:47:10 -------- d-----w- C:\Users\wmcknight\AppData\Local\{66F32617-3CEF-4D86-8018-70CD511B625A}
2011-10-27 14:46:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D46A070A-A0C1-4291-81DF-D793D7329A80}
2011-10-27 02:45:41 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BC60D511-5BC7-4D13-926B-84A8D1995625}
2011-10-27 02:45:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B6E26C6B-F026-47EC-8BA1-B34379AB6CC6}
2011-10-26 14:44:13 -------- d-----w- C:\Users\wmcknight\AppData\Local\{27D30913-2909-4BEF-B216-35ABC3F971CC}
2011-10-26 14:43:47 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6C085C06-6145-473B-A9F2-66A34008ED9C}
2011-10-26 02:42:41 -------- d-----w- C:\Users\wmcknight\AppData\Local\{7C705415-1693-4A4E-9037-312B840EE63C}
2011-10-26 02:42:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{36BF77F1-B553-4297-8384-1331CF9FB949}
2011-10-25 14:41:00 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6CFDBC47-3C08-4431-B2A1-C334840046FF}
2011-10-25 14:40:34 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6C45A441-0145-47EB-BEC8-8F18033515D5}
2011-10-25 02:39:39 -------- d-----w- C:\Users\wmcknight\AppData\Local\{229547AD-E3B7-4343-B96F-92DF165075A3}
2011-10-25 02:39:14 -------- d-----w- C:\Users\wmcknight\AppData\Local\{23E54277-8DDD-450E-A7EC-91160C5087DE}
2011-10-24 14:38:18 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B740A004-6AAD-4C03-BF2C-52D536919CD3}
2011-10-24 14:37:53 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E2D1CE7C-C8A5-47CA-8CC2-AF3BCDC92AA6}
2011-10-24 02:36:56 -------- d-----w- C:\Users\wmcknight\AppData\Local\{57C2A500-A0E4-4EDC-9CC3-6C01F97A2E9B}
2011-10-24 02:36:31 -------- d-----w- C:\Users\wmcknight\AppData\Local\{272E0FBE-9405-4B71-9FD8-C516C5D7020A}
2011-10-23 14:35:36 -------- d-----w- C:\Users\wmcknight\AppData\Local\{15298EF0-9903-4078-A8D0-4A92725A9122}
2011-10-23 14:35:11 -------- d-----w- C:\Users\wmcknight\AppData\Local\{9E0FFE40-40E7-40FA-B21D-D23ADE2C4E7F}
2011-10-23 02:34:16 -------- d-----w- C:\Users\wmcknight\AppData\Local\{7249E6C0-7CF8-4E9A-8028-F73E611F00E9}
2011-10-23 02:33:50 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BC7C4F4F-FEB3-45E3-BF6E-7E7E87D18F96}
2011-10-22 14:32:59 -------- d-----w- C:\Users\wmcknight\AppData\Local\{23756CA0-C00C-4242-B4E0-B77E5AA545D2}
2011-10-22 14:32:34 -------- d-----w- C:\Users\wmcknight\AppData\Local\{33C9F090-EF68-4D03-9D6A-5B3CBB73BCE1}
2011-10-22 02:31:42 -------- d-----w- C:\Users\wmcknight\AppData\Local\{336348D7-F696-45E2-B7EB-2CE43B4AFEA6}
2011-10-22 02:31:17 -------- d-----w- C:\Users\wmcknight\AppData\Local\{32747E1E-E5BD-4CE5-B9A7-4B6164048164}
2011-10-21 14:30:25 -------- d-----w- C:\Users\wmcknight\AppData\Local\{47FE817D-6A68-4464-8747-ACFF45016462}
2011-10-21 14:30:00 -------- d-----w- C:\Users\wmcknight\AppData\Local\{A6026569-D578-49E1-9D67-8463927BF3E7}
2011-10-21 02:29:09 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D9F6A9DF-0DF7-4805-B3B5-0F90D8E3A791}
2011-10-21 02:28:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E8A6F881-42F3-4D5C-85F7-D4EB7A06EA7B}
2011-10-20 14:27:53 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CAEF38FA-ECE1-4D38-93B8-D03B5769E38D}
2011-10-20 14:27:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B7B783C3-AB81-4C55-86A2-B12776E5D23F}
2011-10-20 02:26:38 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EF114222-4098-48A5-B141-EB60C60361EE}
2011-10-20 02:26:14 -------- d-----w- C:\Users\wmcknight\AppData\Local\{45178A65-F6EA-48FF-B7C7-C50C13C66A86}
2011-10-19 14:25:23 -------- d-----w- C:\Users\wmcknight\AppData\Local\{1AC06BD7-54BF-4896-9B71-04E41EE9E8C2}
2011-10-19 14:24:58 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CA02349E-5508-4322-8896-376235C87998}
2011-10-19 02:24:08 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CE6C3286-E484-451B-AFEA-9B89604D2217}
2011-10-19 02:23:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{FFF8962E-812A-4854-941B-8597EF74CADF}
2011-10-18 14:23:30 -------- d-----w- C:\Users\wmcknight\AppData\Local\{C3E343C4-68BD-4514-8E1F-010F9C180AF6}
2011-10-18 14:23:08 -------- d-----w- C:\Users\wmcknight\AppData\Local\{2F086C20-7576-4C57-907E-C09B0B5A0340}
2011-10-18 02:22:54 -------- d-----w- C:\Users\wmcknight\AppData\Local\{54B13AFA-D1FB-42BE-9105-6C4C6914FAA0}
2011-10-18 02:22:32 -------- d-----w- C:\Users\wmcknight\AppData\Local\{283723B7-9C6D-4A8D-8839-036AF614B21B}
2011-10-17 14:22:07 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B8A1E12A-F935-431B-85E2-148250CAC735}
2011-10-17 14:21:45 -------- d-----w- C:\Users\wmcknight\AppData\Local\{27F9575A-39AF-4E89-95FD-D0A96F7EC965}
2011-10-17 02:21:31 -------- d-----w- C:\Users\wmcknight\AppData\Local\{72E7D18E-7347-41BF-B711-1CFFC93DCAF9}
2011-10-17 02:21:09 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BCE632DC-5E47-4DC4-A3D2-0CDBD997ABB4}
2011-10-16 14:20:40 -------- d-----w- C:\Users\wmcknight\AppData\Local\{07B2E439-4D4D-4482-B572-D5150FB15735}
2011-10-16 14:20:22 -------- d-----w- C:\Users\wmcknight\AppData\Local\{3CA9736D-C45C-41A3-B5F1-C6562ED1A5F2}
2011-10-16 02:20:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{5187EA64-05C7-469F-B19F-05C21666B5FF}
2011-10-16 02:19:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{A21DB672-C3C5-487F-9FF2-D1F51D9E3936}
2011-10-15 14:19:30 -------- d-----w- C:\Users\wmcknight\AppData\Local\{34B74B25-B0E1-4B3E-8683-0F4608948214}
2011-10-15 14:19:08 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EE043EE5-8233-45EF-8843-5F34C27D3561}
2011-10-15 02:18:55 -------- d-----w- C:\Users\wmcknight\AppData\Local\{60AD78BF-FA88-4BBB-92EB-3FB84CFD0015}
2011-10-15 02:18:32 -------- d-----w- C:\Users\wmcknight\AppData\Local\{C96E9092-1ADC-4B87-BA94-BCFB44F68672}
2011-10-14 14:18:19 -------- d-----w- C:\Users\wmcknight\AppData\Local\{F83A56E3-DCF4-47D1-BF66-2CCED9F04F1E}
2011-10-14 14:17:56 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CAEF8A74-5A45-4597-820C-492A89A4EAD9}
2011-10-14 02:17:25 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E0A65C78-300E-4C6C-BE99-3406735EC029}
2011-10-14 02:17:02 -------- d-----w- C:\Users\wmcknight\AppData\Local\{7098C8B4-D229-48DE-987A-411F2599BC99}
2011-10-13 22:54:07 3138048 ----a-w- C:\Windows\System32\win32k.sys
2011-10-13 22:54:06 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-10-13 22:54:06 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-10-13 22:54:06 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-10-13 22:54:06 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-10-13 22:53:51 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-10-13 22:53:51 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-10-13 22:53:50 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-10-13 22:53:50 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-10-13 14:16:45 -------- d-----w- C:\Users\wmcknight\AppData\Local\{7815100B-2D77-40C6-BA6B-5BB181156B4D}
2011-10-13 14:16:23 -------- d-----w- C:\Users\wmcknight\AppData\Local\{84B0F65D-EF09-42AC-913F-A1B43AE6F044}
2011-10-13 02:16:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{8441CEF6-E5F8-4A53-AE85-E6E0810627AF}
2011-10-13 02:15:43 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CFB4CE11-E594-4C2B-9B03-DE0382F4CA6F}
2011-10-12 14:15:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6B023773-1478-467B-8732-D9F97FA55C71}
2011-10-12 14:15:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{76C39C27-0352-45CC-A2F1-5C8F575FF157}
2011-10-12 02:14:51 -------- d-----w- C:\Users\wmcknight\AppData\Local\{216800FA-E49E-479B-A357-D9FB4546A3E6}
2011-10-12 02:14:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{A687EA09-083B-4489-975C-83EA399503BB}
2011-10-11 14:14:14 -------- d-----w- C:\Users\wmcknight\AppData\Local\{694D469E-8C1A-49E0-8A6F-E12A6A397F46}
2011-10-11 14:13:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{A38DAA8A-4B77-4A45-8DCA-F5344ABE3FBD}
.
==================== Find3M ====================
.
2011-11-06 17:11:58 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-10-08 03:21:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 21:30:53.89 ===============


Edited by fireal20, 09 November 2011 - 10:47 PM.
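The DDS output above follows a fixed layout: banner lines of the form `===== Section =====`, a lone `.` as the blank-line separator, file entries in "Created Last 30" as `date time size attrs path`, and policy lines in the "Pseudo HJT Report" prefixed with a scope letter. The parser below is an added example for triaging such a log offline; it is not part of the thread and not a tool from BleepingComputer or the DDS author. It assumes the layout exactly as shown on this page, the sample text is a constructed excerpt of the log above, and the mapping of the `u`/`m`/`d` policy prefixes to user/machine/default scopes is an assumption about the DDS conventions.

```python
"""Parse the DDS log layout shown above into sections and typed records."""
import re

# Constructed excerpt in the DDS layout used on this page (not the full log).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
dPolicies-system: DisableTaskMgr = 1 (0x1)
.
=============== Created Last 30 ================
.
2011-11-10 02:56:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{28236F8C-4476-4BD2-8E38-91C166CBF2CE}
2011-11-05 01:30:08 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-11-03 23:45:14 -------- d-----we C:\Windows\system64
.
============= FINISH: 21:30:53.89 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
POLICY_RE = re.compile(
    r"^(?P<scope>[a-z])Policies-(?P<key>\S+): (?P<name>\S+) = (?P<value>\S+)"
)
# A path whose last component is a brace-wrapped GUID, e.g. ...\Local\{GUID}.
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F-]{36}\}$", re.IGNORECASE)
# Assumed meaning of the DDS policy prefixes (u = current user, m = machine, d = default user).
SCOPES = {"u": "user", "m": "machine", "d": "default"}


def split_sections(text):
    """Group log lines under their '===== Name =====' banner; '.' lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or not line or line == ".":
            continue
        sections[current].append(line)
    return sections


def processes_named(sections, basename):
    """Return 'Running Processes' lines whose executable basename matches (case-insensitive)."""
    want, hits = basename.lower(), []
    for line in sections.get("Running Processes", []):
        low = line.lower()
        idx = low.find(".exe")           # arguments such as '-k netsvcs' follow the .exe
        if idx < 0:
            continue
        if low[: idx + 4].rsplit("\\", 1)[-1] == want:
            hits.append(line)
    return hits


def parse_created(sections):
    """Turn 'Created Last 30' lines into dicts; size is None for directories ('--------')."""
    entries = []
    for line in sections.get("Created Last 30", []):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        entries.append({
            "timestamp": m.group("date") + " " + m.group("time"),
            "size": size,
            "attrs": m.group("attrs"),
            "is_dir": m.group("attrs").startswith("d"),
            "path": m.group("path"),
        })
    return entries


def guid_named_dirs(entries):
    """Directories whose name is a bare GUID, the pattern that dominates the log above."""
    return [e["path"] for e in entries if e["is_dir"] and GUID_DIR_RE.search(e["path"])]


def parse_policies(sections):
    """Extract the xPolicies-<key>: <name> = <value> lines with their scope."""
    out = []
    for line in sections.get("Pseudo HJT Report", []):
        m = POLICY_RE.match(line)
        if m:
            out.append({"scope": SCOPES.get(m.group("scope"), m.group("scope")),
                        "key": m.group("key"), "name": m.group("name"),
                        "value": m.group("value")})
    return out


def taskmgr_disabled(policies):
    """True when any scope sets DisableTaskMgr = 1, which hides Task Manager from the user."""
    return any(p["name"] == "DisableTaskMgr" and p["value"] == "1" for p in policies)


if __name__ == "__main__":
    secs = split_sections(SAMPLE_DDS)
    print("iexplore.exe instances:", processes_named(secs, "iexplore.exe"))
    print("GUID-named dirs:", guid_named_dirs(parse_created(secs)))
    print("Task Manager disabled by policy:", taskmgr_disabled(parse_policies(secs)))
```

Running it against a full DDS log (read the file and pass its text to `split_sections`) gives a quick inventory of the items a helper usually reads first: which processes are present, what was created recently and whether it is a file or a directory, and which policy keys have been set.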



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,669 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:49 AM

Posted 14 November 2011 - 10:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427177 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 fireal20

fireal20
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 16 November 2011 - 12:47 PM

I am running Win 7 Home Premium 64-bit, so I cannot run GMER. I still have the original disk.



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wmcknight at 11:34:07 on 2011-11-16
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4086.1575 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\SysWOW64\java.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Zune\ZuneNss.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files\Logitech\SetPoint\SetPoint.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: $talisma_url$
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller64.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://lmpassage3.external.lmco.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{625F0FFA-3EFB-4167-A6FE-48CCC9812AB8} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{A09E1B86-EFDD-4F09-9530-C4AC09B48054} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\puresp4.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\wmcknight\AppData\Roaming\Mozilla\Firefox\Profiles\op75zpe3.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - component: C:\Users\wmcknight\AppData\Roaming\Mozilla\Firefox\Profiles\op75zpe3.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotive.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-6-15 249648]
R2 LinksysUpdater;Linksys Updater;C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2010-11-2 517632]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-7-7 195336]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2011-8-5 306400]
.
=============== Created Last 30 ================
.
2011-11-16 17:28:37 -------- d-----w- C:\Users\wmcknight\AppData\Local\{79B3A31A-B18C-4745-932F-0FD4CA9EEB04}
2011-11-16 17:28:25 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B6560934-77FA-46F9-A070-6BB129D0D52D}
2011-11-15 18:34:38 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CC26D9F5-B111-45A5-A1BE-3D72DCE84B08}\offreg.dll
2011-11-15 18:34:31 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CC26D9F5-B111-45A5-A1BE-3D72DCE84B08}\mpengine.dll
2011-11-14 11:09:45 -------- d-----w- C:\Users\wmcknight\AppData\Local\{1556C311-D59C-4A2E-8FEE-68427A6C4D34}
2011-11-14 11:09:13 -------- d-----w- C:\Users\wmcknight\AppData\Local\{909FA7A8-4D59-4370-9E9B-C59F7AC338F1}
2011-11-13 23:08:58 -------- d-----w- C:\Users\wmcknight\AppData\Local\{C6BE1425-BBF1-4E24-B795-9A4EB007D010}
2011-11-13 23:08:35 -------- d-----w- C:\Users\wmcknight\AppData\Local\{756DF7EB-CDF1-4843-AD1B-A6DB3D6F657D}
2011-11-13 11:08:20 -------- d-----w- C:\Users\wmcknight\AppData\Local\{F2394F96-AF44-4CD6-B26A-D458A3646045}
2011-11-13 11:07:58 -------- d-----w- C:\Users\wmcknight\AppData\Local\{290B7937-F0E2-4E24-905D-26D17BD5ADD2}
2011-11-12 23:07:43 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E005F7A9-EA26-4653-BD46-DE539EA0DAFB}
2011-11-12 23:07:21 -------- d-----w- C:\Users\wmcknight\AppData\Local\{0E1349D4-CBCB-4287-9439-BA3B0BCCDE6A}
2011-11-12 11:07:07 -------- d-----w- C:\Users\wmcknight\AppData\Local\{22137A06-C1B4-43ED-92A2-CF98FF65E12D}
2011-11-12 11:06:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{9D5BDF23-E13B-46A4-9697-F940ADB42C7F}
2011-11-11 23:06:31 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E8B4B475-153C-401E-A0F9-CB989E0A3623}
2011-11-11 23:06:08 -------- d-----w- C:\Users\wmcknight\AppData\Local\{91505080-15C4-421A-BE2B-7B0E63C0DB72}
2011-11-11 11:05:41 -------- d-----w- C:\Users\wmcknight\AppData\Local\{91E6BA41-708D-4AE7-B4E2-59F0201691AF}
2011-11-10 23:05:05 -------- d-----w- C:\Users\wmcknight\AppData\Local\{0AB7F94C-0AE1-4E56-822B-1CB8AC38D2CA}
2011-11-10 23:04:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{2C41FA29-7D89-45D9-BC35-B4300848D1B3}
2011-11-10 02:56:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{28236F8C-4476-4BD2-8E38-91C166CBF2CE}
2011-11-10 02:56:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{01E99C1D-EDD0-4CEE-9E86-FA46D5322150}
2011-11-09 19:16:35 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 19:16:35 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 19:16:33 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 19:16:31 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-09 14:55:36 -------- d-----w- C:\Users\wmcknight\AppData\Local\{249C9E90-F3C8-41A1-AAAA-5950C40E0EA9}
2011-11-09 02:54:51 -------- d-----w- C:\Users\wmcknight\AppData\Local\{9D12CCED-37A1-4AB8-8225-99DC928F2025}
2011-11-08 14:54:14 -------- d-----w- C:\Users\wmcknight\AppData\Local\{FEE1AFAC-BBC4-4A17-B68A-F35CBC09F5A5}
2011-11-08 02:53:35 -------- d-----w- C:\Users\wmcknight\AppData\Local\{97C8551F-DE6C-4671-AB9E-02118F55B582}
2011-11-07 14:52:57 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D77F9C18-CDF8-4B4C-81A5-4FE480DA9EEB}
2011-11-07 02:52:13 -------- d-----w- C:\Users\wmcknight\AppData\Local\{1A6FF9B4-DDD4-4B33-BBEF-4BE19F782F16}
2011-11-07 02:51:50 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EC40ADA8-F3A9-4AF9-83F3-4F93C8E1AE73}
2011-11-06 14:51:09 -------- d-----w- C:\Users\wmcknight\AppData\Local\{3F91246B-C8FA-46EF-8049-74AA41CE7C7D}
2011-11-06 14:50:56 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BE48B1DA-2347-42C6-9481-0A64A7FDF3BD}
2011-11-05 09:38:25 -------- d-----w- C:\Users\wmcknight\AppData\Local\{F97659FC-CD0D-41BA-8034-744DA85ED251}
2011-11-05 09:38:02 -------- d-----w- C:\Users\wmcknight\AppData\Local\{F96E3F13-06A5-424B-AC3C-9AAD7B348846}
2011-11-05 01:30:08 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-11-04 21:37:12 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BD0C90B1-B950-43C9-9A0B-09C37E32A14D}
2011-11-04 21:36:51 -------- d-----w- C:\Users\wmcknight\AppData\Local\{3C3166C7-AF68-44B8-A1AF-F64D4B4B5038}
2011-11-04 02:59:59 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EB9E894B-BFA0-4DFC-8892-45218F8554F6}
2011-11-04 02:59:35 -------- d-----w- C:\Users\wmcknight\AppData\Local\{69B3688F-0083-4A8A-82B8-FC32B234C43A}
2011-11-04 02:21:05 -------- d-----w- C:\Users\wmcknight\AppData\Roaming\Malwarebytes
2011-11-04 02:20:58 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-04 01:00:11 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-11-04 00:45:50 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-11-04 00:45:50 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-11-03 23:45:14 -------- d-----we C:\Windows\system64
2011-11-03 14:59:05 -------- d-----w- C:\Users\wmcknight\AppData\Local\{0B7041A6-13C7-41B7-BA81-E887396B6B89}
2011-11-03 14:58:42 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D7647D9F-4680-4006-B64F-7AEFAF3EBCE8}
2011-11-03 02:58:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{4FF1EF27-BF9A-4779-94FA-4CEC764E121D}
2011-11-03 02:58:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E36811DF-3D35-4D41-91C8-B8C4E7F35E67}
2011-11-02 14:57:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{08DD7401-785D-4EDF-8211-2F387619E6B8}
2011-11-02 14:57:30 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CB207E9A-4425-4EC8-B683-59294DB0ADCF}
2011-11-02 02:57:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{85B78469-C7DA-4BE6-B6E6-FC0E1AE07B70}
2011-11-01 14:56:39 -------- d-----w- C:\Users\wmcknight\AppData\Local\{5D56932C-0603-472F-82A2-7761EBCC6CBA}
2011-11-01 02:56:03 -------- d-----w- C:\Users\wmcknight\AppData\Local\{8FB9E888-BBE5-4E79-B398-6EE384C18F7E}
2011-10-31 14:55:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E09D69F6-37B8-4239-87D9-CFC0C641EE54}
2011-10-31 02:54:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EBE8FC3E-1D3B-4770-AD95-4DFD441BEDAB}
2011-10-31 02:54:30 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BC9A0918-F234-4A05-B4B2-95DD5E5A9995}
2011-10-30 14:54:03 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E8D78B9F-3F4D-4D0C-BEF9-34F461663C17}
2011-10-30 14:53:41 -------- d-----w- C:\Users\wmcknight\AppData\Local\{415871ED-B3A3-47FF-9EE8-B2DF423A5AC1}
2011-10-30 02:53:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{C4DC32C7-272C-4AF5-83BA-6848025DD4EE}
2011-10-30 02:53:06 -------- d-----w- C:\Users\wmcknight\AppData\Local\{A58DF3FE-6B45-48C1-8604-A6216000D205}
2011-10-29 14:52:52 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CCA13ABA-F031-4DB2-A850-1621CC1FC492}
2011-10-29 14:52:29 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D567203C-EA59-4A38-8343-D39BA6EDB759}
2011-10-29 02:52:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6B7CD9BB-2F69-42C4-A905-98B457D1C13A}
2011-10-29 02:51:53 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D43C9FCC-69AA-4735-A6D8-A88A40162A3C}
2011-10-28 14:50:26 -------- d-----w- C:\Users\wmcknight\AppData\Local\{55A65CBE-06CC-4BE2-8B50-9D2D8F2160CC}
2011-10-28 14:49:59 -------- d-----w- C:\Users\wmcknight\AppData\Local\{612060AF-5EEA-4EC1-BCA0-343A94CFFA5A}
2011-10-28 02:48:47 -------- d-----w- C:\Users\wmcknight\AppData\Local\{56139CA4-15A2-410B-8BAA-76EBBE88A1C5}
2011-10-28 02:48:20 -------- d-----w- C:\Users\wmcknight\AppData\Local\{1A743A88-A706-4FF1-A304-7BF9781BB24E}
2011-10-27 14:47:10 -------- d-----w- C:\Users\wmcknight\AppData\Local\{66F32617-3CEF-4D86-8018-70CD511B625A}
2011-10-27 14:46:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D46A070A-A0C1-4291-81DF-D793D7329A80}
2011-10-27 02:45:41 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BC60D511-5BC7-4D13-926B-84A8D1995625}
2011-10-27 02:45:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B6E26C6B-F026-47EC-8BA1-B34379AB6CC6}
2011-10-26 14:44:13 -------- d-----w- C:\Users\wmcknight\AppData\Local\{27D30913-2909-4BEF-B216-35ABC3F971CC}
2011-10-26 14:43:47 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6C085C06-6145-473B-A9F2-66A34008ED9C}
2011-10-26 02:42:41 -------- d-----w- C:\Users\wmcknight\AppData\Local\{7C705415-1693-4A4E-9037-312B840EE63C}
2011-10-26 02:42:15 -------- d-----w- C:\Users\wmcknight\AppData\Local\{36BF77F1-B553-4297-8384-1331CF9FB949}
2011-10-25 14:41:00 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6CFDBC47-3C08-4431-B2A1-C334840046FF}
2011-10-25 14:40:34 -------- d-----w- C:\Users\wmcknight\AppData\Local\{6C45A441-0145-47EB-BEC8-8F18033515D5}
2011-10-25 02:39:39 -------- d-----w- C:\Users\wmcknight\AppData\Local\{229547AD-E3B7-4343-B96F-92DF165075A3}
2011-10-25 02:39:14 -------- d-----w- C:\Users\wmcknight\AppData\Local\{23E54277-8DDD-450E-A7EC-91160C5087DE}
2011-10-24 14:38:18 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B740A004-6AAD-4C03-BF2C-52D536919CD3}
2011-10-24 14:37:53 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E2D1CE7C-C8A5-47CA-8CC2-AF3BCDC92AA6}
2011-10-24 02:36:56 -------- d-----w- C:\Users\wmcknight\AppData\Local\{57C2A500-A0E4-4EDC-9CC3-6C01F97A2E9B}
2011-10-24 02:36:31 -------- d-----w- C:\Users\wmcknight\AppData\Local\{272E0FBE-9405-4B71-9FD8-C516C5D7020A}
2011-10-23 14:35:36 -------- d-----w- C:\Users\wmcknight\AppData\Local\{15298EF0-9903-4078-A8D0-4A92725A9122}
2011-10-23 14:35:11 -------- d-----w- C:\Users\wmcknight\AppData\Local\{9E0FFE40-40E7-40FA-B21D-D23ADE2C4E7F}
2011-10-23 02:34:16 -------- d-----w- C:\Users\wmcknight\AppData\Local\{7249E6C0-7CF8-4E9A-8028-F73E611F00E9}
2011-10-23 02:33:50 -------- d-----w- C:\Users\wmcknight\AppData\Local\{BC7C4F4F-FEB3-45E3-BF6E-7E7E87D18F96}
2011-10-22 14:32:59 -------- d-----w- C:\Users\wmcknight\AppData\Local\{23756CA0-C00C-4242-B4E0-B77E5AA545D2}
2011-10-22 14:32:34 -------- d-----w- C:\Users\wmcknight\AppData\Local\{33C9F090-EF68-4D03-9D6A-5B3CBB73BCE1}
2011-10-22 02:31:42 -------- d-----w- C:\Users\wmcknight\AppData\Local\{336348D7-F696-45E2-B7EB-2CE43B4AFEA6}
2011-10-22 02:31:17 -------- d-----w- C:\Users\wmcknight\AppData\Local\{32747E1E-E5BD-4CE5-B9A7-4B6164048164}
2011-10-21 14:30:25 -------- d-----w- C:\Users\wmcknight\AppData\Local\{47FE817D-6A68-4464-8747-ACFF45016462}
2011-10-21 14:30:00 -------- d-----w- C:\Users\wmcknight\AppData\Local\{A6026569-D578-49E1-9D67-8463927BF3E7}
2011-10-21 02:29:09 -------- d-----w- C:\Users\wmcknight\AppData\Local\{D9F6A9DF-0DF7-4805-B3B5-0F90D8E3A791}
2011-10-21 02:28:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{E8A6F881-42F3-4D5C-85F7-D4EB7A06EA7B}
2011-10-20 14:27:53 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CAEF38FA-ECE1-4D38-93B8-D03B5769E38D}
2011-10-20 14:27:28 -------- d-----w- C:\Users\wmcknight\AppData\Local\{B7B783C3-AB81-4C55-86A2-B12776E5D23F}
2011-10-20 02:26:38 -------- d-----w- C:\Users\wmcknight\AppData\Local\{EF114222-4098-48A5-B141-EB60C60361EE}
2011-10-20 02:26:14 -------- d-----w- C:\Users\wmcknight\AppData\Local\{45178A65-F6EA-48FF-B7C7-C50C13C66A86}
2011-10-19 14:25:23 -------- d-----w- C:\Users\wmcknight\AppData\Local\{1AC06BD7-54BF-4896-9B71-04E41EE9E8C2}
2011-10-19 14:24:58 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CA02349E-5508-4322-8896-376235C87998}
2011-10-19 02:24:08 -------- d-----w- C:\Users\wmcknight\AppData\Local\{CE6C3286-E484-451B-AFEA-9B89604D2217}
2011-10-19 02:23:44 -------- d-----w- C:\Users\wmcknight\AppData\Local\{FFF8962E-812A-4854-941B-8597EF74CADF}
2011-10-18 14:23:30 -------- d-----w- C:\Users\wmcknight\AppData\Local\{C3E343C4-68BD-4514-8E1F-010F9C180AF6}
2011-10-18 14:23:08 -------- d-----w- C:\Users\wmcknight\AppData\Local\{2F086C20-7576-4C57-907E-C09B0B5A0340}
2011-10-18 02:22:54 -------- d-----w- C:\Users\wmcknight\AppData\Local\{54B13AFA-D1FB-42BE-9105-6C4C6914FAA0}
2011-10-18 02:22:32 -------- d-----w- C:\Users\wmcknight\AppData\Local\{283723B7-9C6D-4A8D-8839-036AF614B21B}
.
==================== Find3M ====================
.
2011-11-06 17:11:58 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-10-08 03:21:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
.
============= FINISH: 11:42:58.49 ===============

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:49 AM

Posted 17 November 2011 - 11:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Back Up Your Registry with ERUNT
  • Please go here, scroll down to ERUNT, and download.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    consrv.dll
    winsrv.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
===

Please do the following:
Download Registry Search (see the link titled RegSearch Download Link), and save it to your Desktop.
  • Extract the files from Regsearch.zip to your Desktop.
  • Double click regsearch.exe to start the program.
  • Enter consrv in the top area of the form and then click "OK".
  • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Copy/paste this file in your next reply.

Please post the log for my review.
Wait for further instructions.

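The three steps above (back up the registry, find every copy of consrv.dll and winsrv.dll, then search the registry for "consrv") all point at one thing. The `SubSystems:` line in the DDS log in post #3 reads `consrv:ConServerDllInitialization,2`, whereas a stock Windows 7 installation has `winsrv:ConServerDllInitialization,2` in that position, so csrss.exe is being told to load a module named consrv at boot. The script below is an added example and is not code from this thread, from SystemLook, RegSearch or ERUNT; it reads the Session Manager SubSystems value directly, compares each ServerDll entry against the stock Windows 7 list (treat that baseline as an assumption on any other Windows version), and MD5-hashes every copy of the two DLLs under %SystemRoot% so the output can be lined up against what SystemLook reports. Run it from an elevated 64-bit PowerShell window, not "Windows PowerShell (x86)": a 32-bit process has System32 redirected by WOW64, which is exactly what SystemLook warns about when it is run as a 32-bit tool on x64. The script only reports; it changes and deletes nothing.

```powershell
# Added example; not from the thread and not part of SystemLook, RegSearch or ERUNT.
# Run from an ELEVATED 64-bit PowerShell on Windows 7 x64 (assumption: the
# $baseline below is the stock Windows 7 ServerDll list; other versions differ).

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
# REG_EXPAND_SZ value that tells csrss.exe which server DLLs to load at boot.
$windowsValue = (Get-ItemProperty -Path $key -Name Windows).Windows

# Stock Windows 7: the console server lives in winsrv.dll, not in a separate consrv module.
$baseline = @(
    'basesrv,1',
    'winsrv:UserServerDllInitialization,3',
    'winsrv:ConServerDllInitialization,2',
    'sxssrv,4'
)

$serverDlls = [regex]::Matches($windowsValue, 'ServerDll=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

Write-Host "SubSystems\Windows ServerDll entries:"
foreach ($entry in $serverDlls) {
    # Anything not on the stock list is a third module loaded into csrss.exe.
    $status = if ($baseline -contains $entry) { 'OK      ' } else { 'SUSPECT ' }
    Write-Host ("  {0}{1}" -f $status, $entry)
}

# Locate every copy of the two DLLs and compute the same MD5 SystemLook prints,
# so a copy outside System32\winsxs (the thread's C:\Windows\system64) can be
# compared hash-for-hash with the component-store copies.
$md5 = [System.Security.Cryptography.MD5]::Create()
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Include consrv.dll, winsrv.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $stream = $_.OpenRead()
            $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join ''
            $stream.Close()
        } catch {
            $hash = "unreadable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Path       = $_.FullName
            Size       = $_.Length
            Modified   = $_.LastWriteTime
            MD5        = $hash
            # $true only for the two locations Windows itself keeps these files in.
            InExpected = ($_.FullName -match '\\Windows\\(System32|winsxs)\\')
        }
    } | Format-List Path, Size, Modified, MD5, InExpected
```

Read the result the way the helper reads the SystemLook log: a winsrv.dll copy whose MD5 matches one of the winsxs component versions is a Windows file, while a ServerDll entry that is not on the baseline, or a DLL copy with `InExpected` false and a hash that matches nothing in winsxs, is what the next instructions in this thread will be about. Keep the ERUNT backup from the step above before changing anything in that key.
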
#5 fireal20

fireal20
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 17 November 2011 - 12:05 PM

Thanks nasdaq.

Backed up the registry. You might add a note to the instructions to run it as administrator; otherwise you get "access denied" errors.


SystemLook 30.07.11 by jpshortstuff
Log created at 11:01 on 17/11/2011 by wmcknight
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "consrv.dll"
C:\Windows\system64\consrv.dll --a---- 53760 bytes [23:31 13/07/2009] [01:39 14/07/2009] C7570A7E24B29EE04A48C2C99DA2587B

Searching for "winsrv.dll"
C:\Windows\system64\winsrv.dll --a---- 214528 bytes [04:00 11/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll --a---- 214016 bytes [23:38 13/07/2009] [01:41 14/07/2009] 457B44AB6D502E55F64A867D4F35C76C
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16723_none_12b26ed5b5d7569a\winsrv.dll --a---- 214016 bytes [11:20 09/02/2011] [06:16 21/12/2010] B200DECA2186858595A97FBE63E896CC
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16816_none_12c04185b5cc83d5\winsrv.dll --a---- 214528 bytes [11:00 13/07/2011] [07:41 14/05/2011] 3739AA2F57FE492EA976E20C56CDF2F4
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16823_none_12b270bbb5d753c1\winsrv.dll --a---- 214528 bytes [11:00 13/07/2011] [06:44 02/06/2011] DE09FA38A6544829F012B9531C18454F
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll --a---- 214528 bytes [04:00 11/08/2011] [05:26 16/07/2011] 0CB6EBF4B461A6043353C570BD72A1E1
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20864_none_1311cc3acf147f7f\winsrv.dll --a---- 214016 bytes [11:20 09/02/2011] [07:15 22/12/2010] 571543B93AE0319185970848024C9E04
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20978_none_130aff5ccf18fdf3\winsrv.dll --a---- 214528 bytes [11:00 13/07/2011] [06:59 03/06/2011] 55917E3ABDDC20D0AAEAC49F5CE67462
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20995_none_12f25ea6cf2be9d0\winsrv.dll --a---- 214528 bytes [04:00 11/08/2011] [05:26 24/06/2011] 6D408ABD60A995A2DAB4BAAE38BCA04F
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll --a---- 214016 bytes [22:46 20/06/2011] [13:27 20/11/2010] E0406AEF04B088D1C49FC78D0546F689
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17527_none_149ccd03b2fa27e2\winsrv.dll --a---- 214016 bytes [11:20 09/02/2011] [11:42 17/12/2010] 15822E7206C7A0A893395CB07A63C7E1
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17617_none_14a79ed5b2f20918\winsrv.dll --a---- 214528 bytes [11:00 13/07/2011] [07:24 14/05/2011] 3A8135A7DED2FA0DAD3BDE1B14865A8A
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17625_none_149ace55b2fbf25b\winsrv.dll --a---- 214528 bytes [11:00 13/07/2011] [06:57 03/06/2011] 9F761CE1C6C013120B2F0DB27D48C06F
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17641_none_14812d55b30fc4e1\winsrv.dll --a---- 214528 bytes [04:00 11/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21624_none_152368f0cc1a7ba7\winsrv.dll --a---- 214016 bytes [11:20 09/02/2011] [08:52 18/12/2010] A199CC08A13EEB667412423F712FE817
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21728_none_15276bfecc16de2a\winsrv.dll --a---- 214528 bytes [11:00 13/07/2011] [07:11 14/05/2011] 1A589228B6DC007120F877DBBD6CB79D
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21738_none_151c9c12cc1efa1b\winsrv.dll --a---- 214528 bytes [11:00 13/07/2011] [07:01 03/06/2011] 5AA1C7B5F471C4657BE38447BC397665
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21756_none_1504fba6cc30ff4f\winsrv.dll --a---- 214528 bytes [04:00 11/08/2011] [05:27 24/06/2011] C13D05A015346DED3D722BE285814495

-= EOF =-



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.6.0

; Results at 11/17/2011 11:04:41 AM for strings:
; 'consrv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems]
; Contents of value:
; %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems]
; Contents of value:
; %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
; Contents of value:
; %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

; End Of The Log...

#6 nasdaq
  • Malware Response Team
  • 39,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 November 2011 - 01:54 PM

Copy the contents of the below code box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems]
"Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
  65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
  00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
  72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
  00,32,00,34,00,2c,00,32,00,30,00,34,00,38,00,30,00,2c,00,37,00,36,00,38,00,\
  20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,\
  00,75,00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,\
  3d,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,\
  00,65,00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,\
  76,00,2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,\
  00,3d,00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,\
  53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,\
  00,69,00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,\
  20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,\
  00,6e,00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,\
  65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,\
  00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,53,00,65,00,72,00,\
  76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,73,00,78,00,73,00,73,00,72,00,76,\
  00,2c,00,34,00,20,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,43,00,6f,00,\
  6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,00,66,00,20,00,4d,00,61,00,78,\
  00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,65,00,61,00,\
  64,00,73,00,3d,00,31,00,36,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems] 
"Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
  65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
  00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
  72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
  00,32,00,34,00,2c,00,32,00,30,00,34,00,38,00,30,00,2c,00,37,00,36,00,38,00,\
  20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,\
  00,75,00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,\
  3d,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,\
  00,65,00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,\
  76,00,2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,\
  00,3d,00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,\
  53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,\
  00,69,00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,\
  20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,\
  00,6e,00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,\
  65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,\
  00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,53,00,65,00,72,00,\
  76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,73,00,78,00,73,00,73,00,72,00,76,\
  00,2c,00,34,00,20,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,43,00,6f,00,\
  6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,00,66,00,20,00,4d,00,61,00,78,\
  00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,65,00,61,00,\
  64,00,73,00,3d,00,31,00,36,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
  65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
  00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
  72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
  00,32,00,34,00,2c,00,32,00,30,00,34,00,38,00,30,00,2c,00,37,00,36,00,38,00,\
  20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,\
  00,75,00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,\
  3d,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,\
  00,65,00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,\
  76,00,2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,\
  00,3d,00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,\
  53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,\
  00,69,00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,\
  20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,\
  00,6e,00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,\
  65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,\
  00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,53,00,65,00,72,00,\
  76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,73,00,78,00,73,00,73,00,72,00,76,\
  00,2c,00,34,00,20,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,43,00,6f,00,\
  6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,00,66,00,20,00,4d,00,61,00,78,\
  00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,65,00,61,00,\
  64,00,73,00,3d,00,31,00,36,00,00,00
Close Notepad.

Locate FixReg.reg on your Desktop. Right-click on it, select Run as Administrator, and answer 'Yes' when asked if you want to merge with the registry.
===

Please download TDSSKiller.zip.

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Wait for further instructions.
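An added example, not code from this thread or from RegSearch, SystemLook or TDSSKiller: it decodes the hex(2) "Windows" value from a .reg export like the one posted in #5 and flags any control set whose console server entry names consrv rather than winsrv, which is the change FixReg.reg above reverses. The sample exports are constructed from the value strings shown in the thread; the helper that renders them in Registry Editor's export layout is an assumption about that layout, not something the tools produce.

```python
# Decode the "Windows" value under Session Manager\SubSystems from a .reg export
# and report which module csrss.exe is told to load the console server from.
# Added example: not code from the thread or from any tool mentioned in it.
import re

# Value string as shown in the RegSearch comment line posted in #5; the clean
# form (what nasdaq's FixReg.reg decodes to) names winsrv instead of consrv.
INFECTED_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
CLEAN_VALUE = INFECTED_VALUE.replace("consrv:", "winsrv:")

# The three keys RegSearch reported in the thread.
KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems",
]
HEX2_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(2\):(?P<data>.*)$')


def to_reg_hex2(name: str, value: str, per_line: int = 25) -> str:
    """Render a REG_EXPAND_SZ in Registry Editor's export shape (assumed layout):
    UTF-16LE bytes plus a terminating NUL, comma separated, continuation lines
    indented and ending in a backslash."""
    data = value.encode("utf-16-le") + b"\x00\x00"
    hexes = [f"{b:02x}" for b in data]
    chunks = [hexes[i:i + per_line] for i in range(0, len(hexes), per_line)]
    out = []
    for i, chunk in enumerate(chunks):
        prefix = f'"{name}"=hex(2):' if i == 0 else "  "
        tail = ",\\" if i < len(chunks) - 1 else ""
        out.append(prefix + ",".join(chunk) + tail)
    return "\n".join(out)


def build_export(value: str) -> str:
    """Constructed sample export: the same value under all three keys."""
    parts = ["Windows Registry Editor Version 5.00", ""]
    for key in KEYS:
        parts += [f"[{key}]", to_reg_hex2("Windows", value), ""]
    return "\n".join(parts)


def parse_reg_export(text: str) -> dict:
    """Return {key: {value_name: string}} for every hex(2) value, joining
    backslash-continued lines and decoding UTF-16LE; ';' comments are skipped."""
    result, current_key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            result.setdefault(current_key, {})
            continue
        m = HEX2_RE.match(line)
        if m is None or current_key is None:
            continue
        data = m.group("data")
        while data.endswith("\\") and i < len(lines):  # join continuation lines
            data = data[:-1] + lines[i].strip()
            i += 1
        raw = bytes(int(h, 16) for h in data.split(",") if h)
        result[current_key][m.group("name")] = raw.decode("utf-16-le").rstrip("\x00")
    return result


def server_dlls(value: str) -> dict:
    """Map each ServerDll entry's init function (or bare module name) to the
    module csrss.exe loads it from, e.g. 'ConServerDllInitialization' -> 'winsrv'."""
    entries = {}
    for token in value.split():
        if token.startswith("ServerDll="):
            spec = token[len("ServerDll="):].split(",")[0]  # drop the ",N" index
            module, _, func = spec.partition(":")
            entries[func or module] = module.lower()
    return entries


def audit_export(text: str) -> list:
    """(key, module) for each SubSystems\\Windows value whose console server is
    not winsrv, the module an unmodified Windows 7 install names there."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.endswith(r"\Control\Session Manager\SubSystems") and "Windows" in values:
            module = server_dlls(values["Windows"]).get("ConServerDllInitialization")
            if module != "winsrv":
                findings.append((key, module))
    return findings


INFECTED_EXPORT = build_export(INFECTED_VALUE)  # constructed sample inputs
FIXED_EXPORT = build_export(CLEAN_VALUE)

if __name__ == "__main__":
    print("infected:", audit_export(INFECTED_EXPORT))
    print("fixed:", audit_export(FIXED_EXPORT))
```

The same parser can be pointed at a real RegSearch.txt or a `reg export` of the SubSystems key; the only assumption is the .reg text layout, which the export above follows.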

#7 fireal20
  • Topic Starter
  • Members
  • 21 posts

Posted 17 November 2011 - 02:12 PM

Ran the FixReg.

TDSSKiller didn't find anything. Here is the log though:

13:10:42.0565 2264 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
13:10:43.0064 2264 ============================================================
13:10:43.0064 2264 Current date / time: 2011/11/17 13:10:43.0064
13:10:43.0064 2264 SystemInfo:
13:10:43.0064 2264
13:10:43.0064 2264 OS Version: 6.1.7601 ServicePack: 1.0
13:10:43.0064 2264 Product type: Workstation
13:10:43.0064 2264 ComputerName: WMCKNIGHT-PC
13:10:43.0064 2264 UserName: wmcknight
13:10:43.0064 2264 Windows directory: C:\Windows
13:10:43.0064 2264 System windows directory: C:\Windows
13:10:43.0064 2264 Running under WOW64
13:10:43.0064 2264 Processor architecture: Intel x64
13:10:43.0064 2264 Number of processors: 4
13:10:43.0064 2264 Page size: 0x1000
13:10:43.0064 2264 Boot type: Normal boot
13:10:43.0064 2264 ============================================================
13:10:44.0163 2264 Initialize success
13:10:50.0343 5252 ============================================================
13:10:50.0343 5252 Scan started
13:10:50.0343 5252 Mode: Manual;
13:10:50.0343 5252 ============================================================
13:10:54.0222 5252 mrxsmb - ok
13:10:54.0250 5252 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
13:10:54.0254 5252 mrxsmb10 - ok
13:10:54.0264 5252 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
13:10:54.0266 5252 mrxsmb20 - ok
13:10:54.0296 5252 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
13:10:54.0298 5252 msahci - ok
13:10:54.0325 5252 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
13:10:54.0327 5252 msdsm - ok
13:10:54.0356 5252 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
13:10:54.0357 5252 Msfs - ok
13:10:54.0370 5252 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
13:10:54.0370 5252 mshidkmdf - ok
13:10:54.0404 5252 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
13:10:54.0405 5252 msisadrv - ok
13:10:54.0439 5252 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
13:10:54.0439 5252 MSKSSRV - ok
13:10:54.0453 5252 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
13:10:54.0454 5252 MSPCLOCK - ok
13:10:54.0467 5252 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
13:10:54.0468 5252 MSPQM - ok
13:10:54.0492 5252 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
13:10:54.0496 5252 MsRPC - ok
13:10:54.0512 5252 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
13:10:54.0513 5252 mssmbios - ok
13:10:54.0530 5252 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
13:10:54.0531 5252 MSTEE - ok
13:10:54.0542 5252 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
13:10:54.0543 5252 MTConfig - ok
13:10:54.0580 5252 MTsensor (2219a3d695405e7ba2186ba6b9ede14a) C:\Windows\system32\DRIVERS\ASACPI.sys
13:10:54.0581 5252 MTsensor - ok
13:10:54.0598 5252 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
13:10:54.0599 5252 Mup - ok
13:10:54.0623 5252 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
13:10:54.0626 5252 NativeWifiP - ok
13:10:54.0678 5252 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
13:10:54.0687 5252 NDIS - ok
13:10:54.0700 5252 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
13:10:54.0701 5252 NdisCap - ok
13:10:54.0719 5252 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
13:10:54.0720 5252 NdisTapi - ok
13:10:54.0746 5252 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
13:10:54.0747 5252 Ndisuio - ok
13:10:54.0790 5252 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
13:10:54.0812 5252 NdisWan - ok
13:10:54.0833 5252 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
13:10:54.0834 5252 NDProxy - ok
13:10:54.0849 5252 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
13:10:54.0850 5252 NetBIOS - ok
13:10:54.0881 5252 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
13:10:54.0884 5252 NetBT - ok
13:10:54.0917 5252 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
13:10:54.0918 5252 nfrd960 - ok
13:10:54.0947 5252 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
13:10:54.0948 5252 NisDrv - ok
13:10:54.0993 5252 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
13:10:54.0994 5252 Npfs - ok
13:10:55.0011 5252 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
13:10:55.0011 5252 nsiproxy - ok
13:10:55.0107 5252 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
13:10:55.0126 5252 Ntfs - ok
13:10:55.0138 5252 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
13:10:55.0138 5252 Null - ok
13:10:55.0172 5252 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
13:10:55.0174 5252 nvraid - ok
13:10:55.0203 5252 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
13:10:55.0205 5252 nvstor - ok
13:10:55.0219 5252 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
13:10:55.0221 5252 nv_agp - ok
13:10:55.0255 5252 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
13:10:55.0256 5252 ohci1394 - ok
13:10:55.0303 5252 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
13:10:55.0304 5252 Parport - ok
13:10:55.0327 5252 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
13:10:55.0328 5252 partmgr - ok
13:10:55.0348 5252 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
13:10:55.0349 5252 pci - ok
13:10:55.0356 5252 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
13:10:55.0357 5252 pciide - ok
13:10:55.0373 5252 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
13:10:55.0375 5252 pcmcia - ok
13:10:55.0387 5252 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
13:10:55.0388 5252 pcw - ok
13:10:55.0409 5252 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
13:10:55.0416 5252 PEAUTH - ok
13:10:55.0455 5252 pnarp (4ff73a83a25d0eead4f5e6c841bb6704) C:\Windows\system32\DRIVERS\pnarp.sys
13:10:55.0456 5252 pnarp - ok
13:10:55.0494 5252 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
13:10:55.0496 5252 PptpMiniport - ok
13:10:55.0512 5252 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
13:10:55.0514 5252 Processor - ok
13:10:55.0564 5252 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
13:10:55.0566 5252 Psched - ok
13:10:55.0599 5252 purendis (9a68a89f10f283a23afee2a1bfe4bffb) C:\Windows\system32\DRIVERS\purendis.sys
13:10:55.0599 5252 purendis - ok
13:10:55.0629 5252 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
13:10:55.0644 5252 ql2300 - ok
13:10:55.0663 5252 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
13:10:55.0664 5252 ql40xx - ok
13:10:55.0683 5252 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
13:10:55.0684 5252 QWAVEdrv - ok
13:10:55.0693 5252 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
13:10:55.0694 5252 RasAcd - ok
13:10:55.0721 5252 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
13:10:55.0722 5252 RasAgileVpn - ok
13:10:55.0746 5252 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
13:10:55.0748 5252 Rasl2tp - ok
13:10:55.0771 5252 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
13:10:55.0772 5252 RasPppoe - ok
13:10:55.0787 5252 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
13:10:55.0788 5252 RasSstp - ok
13:10:55.0817 5252 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
13:10:55.0820 5252 rdbss - ok
13:10:55.0832 5252 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
13:10:55.0833 5252 rdpbus - ok
13:10:55.0848 5252 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
13:10:55.0848 5252 RDPCDD - ok
13:10:55.0864 5252 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
13:10:55.0865 5252 RDPENCDD - ok
13:10:55.0873 5252 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
13:10:55.0873 5252 RDPREFMP - ok
13:10:55.0899 5252 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
13:10:55.0902 5252 RDPWD - ok
13:10:55.0932 5252 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
13:10:55.0935 5252 rdyboost - ok
13:10:55.0961 5252 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
13:10:55.0962 5252 rspndr - ok
13:10:55.0997 5252 RTL8167 (7ea8d2eb9bbfd2ab8a3117a1e96d3b3a) C:\Windows\system32\DRIVERS\Rt64win7.sys
13:10:56.0001 5252 RTL8167 - ok
13:10:56.0029 5252 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
13:10:56.0030 5252 sbp2port - ok
13:10:56.0062 5252 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
13:10:56.0063 5252 scfilter - ok
13:10:56.0078 5252 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
13:10:56.0079 5252 secdrv - ok
13:10:56.0101 5252 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
13:10:56.0102 5252 Serenum - ok
13:10:56.0117 5252 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
13:10:56.0118 5252 Serial - ok
13:10:56.0142 5252 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
13:10:56.0143 5252 sermouse - ok
13:10:56.0172 5252 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
13:10:56.0173 5252 sffdisk - ok
13:10:56.0187 5252 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
13:10:56.0188 5252 sffp_mmc - ok
13:10:56.0199 5252 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
13:10:56.0200 5252 sffp_sd - ok
13:10:56.0217 5252 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
13:10:56.0218 5252 sfloppy - ok
13:10:56.0244 5252 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
13:10:56.0246 5252 SiSRaid2 - ok
13:10:56.0253 5252 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
13:10:56.0255 5252 SiSRaid4 - ok
13:10:56.0272 5252 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
13:10:56.0273 5252 Smb - ok
13:10:56.0293 5252 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
13:10:56.0294 5252 spldr - ok
13:10:56.0337 5252 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
13:10:56.0341 5252 srv - ok
13:10:56.0362 5252 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
13:10:56.0366 5252 srv2 - ok
13:10:56.0386 5252 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
13:10:56.0388 5252 srvnet - ok
13:10:56.0424 5252 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
13:10:56.0425 5252 stexstor - ok
13:10:56.0457 5252 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
13:10:56.0457 5252 swenum - ok
13:10:56.0518 5252 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
13:10:56.0549 5252 Tcpip - ok
13:10:56.0578 5252 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
13:10:56.0586 5252 TCPIP6 - ok
13:10:56.0612 5252 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
13:10:56.0613 5252 tcpipreg - ok
13:10:56.0627 5252 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
13:10:56.0628 5252 TDPIPE - ok
13:10:56.0635 5252 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
13:10:56.0636 5252 TDTCP - ok
13:10:56.0673 5252 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
13:10:56.0674 5252 tdx - ok
13:10:56.0700 5252 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
13:10:56.0701 5252 TermDD - ok
13:10:56.0737 5252 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
13:10:56.0738 5252 tssecsrv - ok
13:10:56.0764 5252 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
13:10:56.0765 5252 TsUsbFlt - ok
13:10:56.0808 5252 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
13:10:56.0823 5252 tunnel - ok
13:10:56.0834 5252 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
13:10:56.0836 5252 uagp35 - ok
13:10:56.0892 5252 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
13:10:56.0902 5252 udfs - ok
13:10:56.0924 5252 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
13:10:56.0925 5252 uliagpkx - ok
13:10:56.0961 5252 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
13:10:56.0962 5252 umbus - ok
13:10:56.0977 5252 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
13:10:56.0977 5252 UmPass - ok
13:10:57.0007 5252 USBAAPL64 (cd03479f2da26500b203ed075c146a7a) C:\Windows\system32\Drivers\usbaapl64.sys
13:10:57.0013 5252 USBAAPL64 - ok
13:10:57.0067 5252 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
13:10:57.0069 5252 usbccgp - ok
13:10:57.0099 5252 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
13:10:57.0101 5252 usbcir - ok
13:10:57.0119 5252 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\drivers\usbehci.sys
13:10:57.0120 5252 usbehci - ok
13:10:57.0141 5252 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
13:10:57.0145 5252 usbhub - ok
13:10:57.0157 5252 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
13:10:57.0158 5252 usbohci - ok
13:10:57.0184 5252 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
13:10:57.0185 5252 usbprint - ok
13:10:57.0200 5252 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\drivers\USBSTOR.SYS
13:10:57.0202 5252 USBSTOR - ok
13:10:57.0216 5252 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
13:10:57.0217 5252 usbuhci - ok
13:10:57.0254 5252 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
13:10:57.0255 5252 vdrvroot - ok
13:10:57.0284 5252 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
13:10:57.0285 5252 vga - ok
13:10:57.0296 5252 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
13:10:57.0297 5252 VgaSave - ok
13:10:57.0326 5252 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
13:10:57.0329 5252 vhdmp - ok
13:10:57.0346 5252 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
13:10:57.0347 5252 viaide - ok
13:10:57.0365 5252 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
13:10:57.0366 5252 volmgr - ok
13:10:57.0403 5252 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
13:10:57.0407 5252 volmgrx - ok
13:10:57.0421 5252 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
13:10:57.0425 5252 volsnap - ok
13:10:57.0454 5252 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
13:10:57.0456 5252 vsmraid - ok
13:10:57.0470 5252 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
13:10:57.0471 5252 vwifibus - ok
13:10:57.0491 5252 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
13:10:57.0492 5252 WacomPen - ok
13:10:57.0520 5252 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
13:10:57.0521 5252 WANARP - ok
13:10:57.0524 5252 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
13:10:57.0524 5252 Wanarpv6 - ok
13:10:57.0550 5252 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
13:10:57.0551 5252 Wd - ok
13:10:57.0572 5252 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
13:10:57.0578 5252 Wdf01000 - ok
13:10:57.0615 5252 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
13:10:57.0615 5252 WfpLwf - ok
13:10:57.0626 5252 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
13:10:57.0627 5252 WIMMount - ok
13:10:57.0669 5252 WinUSB (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUSB.sys
13:10:57.0670 5252 WinUSB - ok
13:10:57.0685 5252 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
13:10:57.0686 5252 WmiAcpi - ok
13:10:57.0719 5252 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
13:10:57.0720 5252 ws2ifsl - ok
13:10:57.0749 5252 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
13:10:57.0751 5252 WudfPf - ok
13:10:57.0799 5252 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
13:10:57.0801 5252 WUDFRd - ok
13:10:57.0846 5252 xusb21 (2c6bc21b2d5b58d8b1d638c1704cb494) C:\Windows\system32\DRIVERS\xusb21.sys
13:10:57.0848 5252 xusb21 - ok
13:10:57.0859 5252 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
13:10:57.0867 5252 \Device\Harddisk0\DR0 - ok
13:10:57.0870 5252 Boot (0x1200) (d0008dd8a56e713796f3c80836936035) \Device\Harddisk0\DR0\Partition0
13:10:57.0870 5252 \Device\Harddisk0\DR0\Partition0 - ok
13:10:57.0875 5252 Boot (0x1200) (a7152051c6f21b6fe2934019cdb60640) \Device\Harddisk0\DR0\Partition1
13:10:57.0876 5252 \Device\Harddisk0\DR0\Partition1 - ok
13:10:57.0877 5252 ============================================================
13:10:57.0877 5252 Scan finished
13:10:57.0877 5252 ============================================================
13:10:57.0884 3756 Detected object count: 0
13:10:57.0884 3756 Actual detected object count: 0
13:11:16.0216 6704 Deinitialize success

#8 nasdaq
  • Malware Response Team
  • 39,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 November 2011 - 02:29 PM

Just want to make sure we are ready for the next tool.

1. Please download the Rootkit.Sirefef removal tool by BitDefender, and save it to your Desktop.
2. Please locate and run the tool.
3. Once it has completed, please reboot the system.

How is your computer running now?

#9 fireal20
  • Topic Starter
  • Members
  • 21 posts

Posted 17 November 2011 - 02:32 PM

I get the following error when trying to run that tool:

"Could not load trufos.sys"

I did notice that the link you posted is for the 32-bit version. I am running a 64-bit system.

Edited by fireal20, 17 November 2011 - 02:33 PM.


#10 nasdaq
  • Malware Response Team
  • 39,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 November 2011 - 04:18 PM

Sorry about that.

This infection is difficult to remove and I do not want to go faster than necessary.

How is the computer performing?

#11 fireal20
  • Topic Starter
  • Members
  • 21 posts

Posted 17 November 2011 - 06:42 PM

I am still getting the redirects from Bing and Google. I also still have iexplore.exe randomly opening in Task Manager (but not an actual browser window). The Windows Firewall Authorization Driver still seems to be corrupted.

#12 nasdaq
  • Malware Response Team
  • 39,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2011 - 08:10 AM

Please run this tool.

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.
  • In the window that opens (Autoscan), in the Scope tab place a checkmark to the left of Parse email formats.
  • Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK.
  • Select all the scannable items except for CD-ROM drives and click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply.


#13 fireal20
  • Topic Starter
  • Members
  • 21 posts

Posted 18 November 2011 - 03:36 PM

Downloaded and began running the Kaspersky tool. It ran through about 4 hours' worth, then popped up a window that said it needed to do the special scan of any active programs before continuing. I hit OK and selected Delete on the two things it found, and it automatically rebooted. When Windows tried to restart, I got the following error on a blue screen:

"STOP: c0000135 The program can't start because %hs is missing from your computer. Try reinstalling the program to fix the problem."

I had to hit the actual power button on my tower to restart. I selected the Startup Repair option and it's stuck on "Windows is loading files..." with no apparent progress on the progress bar. I am now stuck and can't seem to get back into Windows at all.

#14 nasdaq
  • Malware Response Team
  • 39,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 November 2011 - 10:55 AM

PLEASE NOTE: Most authorities say that a PC with a polymorphic file infector can never again be trusted and should be reformatted. You should seriously consider reformatting and reinstalling Windows.

That said, if you wish we can attempt disinfection but you are cautioned that theoretically you can never be sure cleaning is 100% complete.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?


Summarizing:
  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the startup wizard window that opens, select Kaspersky Rescue Disk. Graphic Mode.
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

How is it now?

#15 fireal20
  • Topic Starter
  • Members
  • 21 posts

Posted 19 November 2011 - 12:29 PM

I have no problem with formatting and starting over, but there are some files I'd like to rescue before I do that. While I am working on this latest task, can you give some advice on the best way to do that? I can drag the files over to another computer via my home network pretty easily, but am I risking infecting the other PC? What's the best way to format a hard drive?

