Bluescreen when not in safemode


This topic is locked. 19 replies to this topic.

#1 habashny (Members, 13 posts)

Posted 11 November 2011 - 10:21 AM

Hello,

Since I was prompted to restart my computer after an MBAM scan, my computer gets a bluescreen error on startup. I've since gotten around this by starting in safe mode. I've run MBAM again, as well as HJT. Here are the logs:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8129

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19120

11/11/2011 9:44:38 AM
mbam-log-2011-11-11 (09-44-38).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|)
Objects scanned: 429230
Time elapsed: 1 hour(s), 16 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\Brutus\BrutusA2.exe (HackTool.Brutus) -> Quarantined and deleted successfully.
c:\Users\Ralph\AppData\Local\c91c8978\U\80000000.@ (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Ralph\AppData\Local\c91c8978\U\800000cb.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\Users\Ralph\AppData\Local\c91c8978\U\800000cf.@ (Rootkit.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:10 AM, on 11/11/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19120)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Ralph\Desktop\Downloads[ff]\HijackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WWllGOC1DSzdRRy05VUJVUi03U1VMUy00NEtSMi1GS1NV"&"inst=NzctNTcyMDczMjExLUJBKzEtWEwrMS1UMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GMTBNKzUtUUlYMSs0LVgyMDEwKzItRjEwTTEwRCsy"&"prod=90"&"ver=10.0.1204
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\Users\Ralph\AppData\Local\Temp\F-Secure\BlackLight\fsblsrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hercules DJ Control MP3 (HerculesDJControlMP3) - Unknown owner - C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Scheduler - Unknown owner - C:\Program Files\StaffCop\SchedulerSVC.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Time Control Service - AtomPark group - C:\Windows\system32\csrss_tc.exe

--
End of file - 6652 bytes




Any help is much appreciated.
Thanks
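As an added example, not part of the original post or of Malwarebytes' own tooling: a small parser for the MBAM 1.x text log format quoted above. It pulls the header fields, the per-category summary counts and each itemised detection (target, threat name, action) into structured records, checks that the summary counts agree with the itemised lines (a quick way to spot a truncated or edited log), and lists anything MBAM marked "Delete on reboot", which is still on disk until the machine restarts. The sample text is the log above with its header trimmed; the field layout the regexes assume is only what that log shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the MBAM 1.51 log posted above, with the header trimmed
# to the lines this parser actually uses.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8129
Scan type: Full scan (C:\|D:\|F:\|G:\|)
Objects scanned: 429230
Time elapsed: 1 hour(s), 16 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Files Infected:
c:\program files\Brutus\BrutusA2.exe (HackTool.Brutus) -> Quarantined and deleted successfully.
c:\Users\Ralph\AppData\Local\c91c8978\U\80000000.@ (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Ralph\AppData\Local\c91c8978\U\800000cb.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\Users\Ralph\AppData\Local\c91c8978\U\800000cf.@ (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+) Infected: (\d+)$")  # e.g. "Files Infected: 4"
SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")        # e.g. "Files Infected:" (detail block)
# "<path or registry location> (<threat name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[A-Za-z0-9.\-]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str  # summary category, e.g. "Files" or "Registry Values"
    target: str    # file path or registry location
    threat: str    # MBAM threat name, e.g. "Backdoor.0Access"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)  # category -> count claimed in the summary block
    detections: list = field(default_factory=list)

    def by_category(self, category):
        return [d for d in self.detections if d.category == category]

    def pending_reboot(self):
        """Items MBAM could not remove in place and deferred to the next boot."""
        return [d for d in self.detections if "Delete on reboot" in d.action]

    def count_mismatches(self):
        """Categories whose summary count disagrees with the itemised entries."""
        out = {}
        for category, claimed in self.summary.items():
            actual = len(self.by_category(category))
            if claimed != actual:
                out[category] = (claimed, actual)
        return out


def parse_mbam_log(text):
    report = MbamReport()
    section = None  # name of the detail block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes the current detail block
            continue
        if section is not None:
            if line == "(No malicious items detected)":
                continue
            m = DETECTION_RE.match(line)
            if m:
                report.detections.append(Detection(section, m["target"], m["threat"], m["action"]))
                continue
            section = None  # anything else means the block ended without a blank line
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            report.header[m.group(1)] = m.group(2)
    return report


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("database", rep.header.get("Database version"), "| mismatches:", rep.count_mismatches())
    for d in rep.detections:
        print(f"[{d.category}] {d.threat:18} {d.action:40} {d.target}")
    for d in rep.pending_reboot():
        print("NOT YET REMOVED:", d.target)
```

Run stand-alone, it prints the five detections and flags the Winlogon\Shell value as not yet removed; fed a log whose summary says more items than are listed, count_mismatches() reports the category with the claimed and actual counts.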


#2 habashny (Topic Starter, Members, 13 posts)

Posted 11 November 2011 - 05:02 PM

Update:
After restarting it a few times and running more scans, the "Privacy Protection" virus/rootkit popped up (in safe mode!). I then restarted (still in safe mode) to run tdsskiller.exe, but it came up with nothing, and the virus doesn't appear to be present at all anymore. Here are the current GMER logs:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-11 16:59:31
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000007c WDC_WD32 rev.12.0
Running: dxhgfjg'.exe; Driver: C:\Users\Ralph\AppData\Local\Temp\fglorpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.PAGE1 C:\Windows\system32\DRIVERS\smb.sys unknown last section [0x8076BA00, 0x100, 0xC0000040]
? C:\Windows\system32\DRIVERS\smb.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[332] ntdll.dll!LdrLoadDll 770393A8 5 Bytes JMP 6D8D2EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!SetWindowLongA 7581E7CD 5 Bytes JMP 6DC9C350 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!SetWindowLongW 758213B4 5 Bytes JMP 6DC9C2E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!GetWindowInfo 7582428E 5 Bytes JMP 6DA4E363 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!TrackPopupMenu 758314F3 5 Bytes JMP 6DA4E91C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 80739000-80747000 (57344 bytes)
Module (noname) (*** hidden *** ) 80772000-8077B000 (36864 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:316] 807763E0
Thread System [4:320] 807763E0
Thread System [4:324] 86D6F330
Thread System [4:328] 86D6F330

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x92 0xF3 0x18 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1C 0xEA 0x0B 0x51 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x88 0xB8 0xC9 0xEC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x92 0xF3 0x18 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1C 0xEA 0x0B 0x51 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x88 0xB8 0xC9 0xEC ...

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB49051$\3374090616 0 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\@ 2048 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\L 0 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\L\ogejidap 66560 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U 0 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@000000c0 3072 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@000000cb 3072 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@80000000 23040 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@800000c0 35840 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@800000cb 23040 bytes
File C:\Windows\$NtUninstallKB49051$\3374090616\U\@800000cf 29184 bytes
File C:\Windows\$NtUninstallKB49051$\3403837215 0 bytes

---- EOF - GMER 1.0.15 ----




I would post a DDS log, but it doesn't seem to work in safe mode.

#3 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 16 November 2011 - 10:16 AM

Hi,


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds file to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Microsoft Windows Insider MVP 2016-2017
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#4 habashny (Topic Starter, Members, 13 posts)

Posted 16 November 2011 - 09:30 PM

I tried already; it opens the cmd window for a second, too fast for any text to come up, and then closes right away.

#5 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 17 November 2011 - 10:10 AM

Hi,

Please download and run this. Let the settings be as default and run. Post back the logs it creates.


#6 habashny (Topic Starter, Members, 13 posts)

Posted 17 November 2011 - 04:17 PM

The program works fine until I press start, at which point it closes. I've tried renaming the file but it still doesn't work.
By the way, the blue screen error I'm getting is «DRIVER_IRQL_NOT_OR_LESS_EQUAL *** STOP:0x00000D1 (0x00000008, 0x000000FF, 0x00000008, 0x00000008)»
I don't know if that helps at all, lol.

Thanks

Edit: PrivacyProtection popped up again while I was trying to open a PhotoShop project on my USB key (still in safe mode). I rebooted, scanned with MBAM and deleted it again. I then ran Hitman 3.5 and removed what it suggested. Should I post current logs of MBAM, HJT, and GMER?

2nd edit: When I scanned with MBAM, it always picked up a Backdoor.Agent or something, and whenever I restarted (it asked me to), it kept on coming back. After running Hitman, MBAM still brought up the Backdoor.Agent, but it really was gone this time after I restarted. I ran MBAM one last time to make sure; it brought up some other infections. I removed them and restarted in normal mode without a blue screen error!
I ran F-Secure Blacklight, MBAM and TDSSkiller, all of which reported that my computer was clean again. I ran DDS (now that it works in normal mode), so here's the log:

DDS (Ver_2011-09-30.01) - NTFS_x86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_21
Run by Ralph at 6:53:06 on 2011-11-18
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2814.1271 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: STOPzilla Anti-Spyware *Enabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss_tc.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\StaffCop\SchedulerSVC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\Ralph\Pictures\fsbl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\csrss_tc.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
DPF: RaptisoftGameLoader - hxxp://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2DE07B5E-2B75-4578-8D5F-5F56B424094E} : DHCPNameServer = 192.168.1.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2011-9-26 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2011-8-16 59080]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-7-24 21504]
R2 HerculesDJControlMP3;Hercules DJ Control MP3;c:\program files\hercules\audio\dj console series\drivers\x86\HerculesDJControlMP3.EXE [2011-6-28 17408]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-27 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-15 2214504]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-7-27 439632]
R2 Scheduler;Scheduler;c:\program files\staffcop\SchedulerSVC.exe [2011-6-25 1071616]
R2 Time Control Service;Time Control Service;c:\windows\system32\csrss_tc.exe [2010-8-20 863232]
R3 Bulk;HDJBulk;c:\windows\system32\drivers\HDJBulk.sys [2011-6-28 159232]
R3 HDJAsioK;HDJAsioK;c:\windows\system32\drivers\HDJAsioK.sys [2011-6-28 219648]
R3 HDJMidi;Hercules DJ Console Rmx MIDI;c:\windows\system32\drivers\HDJMidi.sys [2011-6-28 209408]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-7-27 23624]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-27 22216]
R3 netmonzMP;netmonzMP;c:\windows\system32\drivers\netmonz.sys [2009-4-6 18432]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-6-17 128272]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2011-9-26 61328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-4-3 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 netmonz;NetmonZ Service;c:\windows\system32\drivers\netmonz.sys [2009-4-6 18432]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-7-25 552448]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2011-8-5 268512]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-24 16896]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\Winword.exe="c:\program files\microsoft office\office12\WINWORD.EXE" /n /dde [UserChoice] [default=edit - 'Open' doesn't exist]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 6:53:12.04 ===============



BTW, you may notice I have STOPzilla; don't worry, I removed it now. I was just trying it out.

Edited by habashny, 18 November 2011 - 07:17 AM.


#7 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 18 November 2011 - 09:18 AM

Hi


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


#8 habashny (Topic Starter, Members, 13 posts)

Posted 22 November 2011 - 08:39 PM

Rootkit.ZeroAccess has been detected... uh oh. Here are the logs:

ComboFix 11-11-22.02 - Ralph 11/22/2011 20:09:31.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2814.2121 [GMT -5:00]
Running from: c:\users\Ralph\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\POL
c:\program files\POL\akv.cfg
c:\program files\POL\POL.001
c:\program files\POL\POL.002
c:\program files\POL\POL.005
c:\program files\POL\POL.009
c:\program files\POL\test
c:\program files\POL\Uninstall.exe
c:\users\Ralph\AppData\Local\{A19DFF43-0EFC-4CA2-B7A5-C89A72442843}
c:\users\Ralph\AppData\Local\{A19DFF43-0EFC-4CA2-B7A5-C89A72442843}\chrome.manifest
c:\users\Ralph\AppData\Local\{A19DFF43-0EFC-4CA2-B7A5-C89A72442843}\chrome\content\overlay.xul
c:\users\Ralph\AppData\Local\{A19DFF43-0EFC-4CA2-B7A5-C89A72442843}\install.rdf
c:\users\Ralph\AppData\Local\c91c8978\U
c:\users\Ralph\AppData\Local\c91c8978\U\800000cf.@
c:\users\Ralph\AppData\Roaming\Adobe\plugs
c:\users\Ralph\AppData\Roaming\Adobe\shed
c:\users\Ralph\Documents\~WRL0001.tmp
c:\windows\$NtUninstallKB49051$
c:\windows\$NtUninstallKB49051$\3374090616\@
c:\windows\$NtUninstallKB49051$\3374090616\L\ogejidap
c:\windows\$NtUninstallKB49051$\3374090616\loader.tlb
c:\windows\$NtUninstallKB49051$\3374090616\U\@00000001
c:\windows\$NtUninstallKB49051$\3374090616\U\@000000c0
c:\windows\$NtUninstallKB49051$\3374090616\U\@000000cb
c:\windows\$NtUninstallKB49051$\3374090616\U\@000000cf
c:\windows\$NtUninstallKB49051$\3374090616\U\@80000000
c:\windows\$NtUninstallKB49051$\3374090616\U\@800000c0
c:\windows\$NtUninstallKB49051$\3374090616\U\@800000cb
c:\windows\$NtUninstallKB49051$\3374090616\U\@800000cf
c:\windows\$NtUninstallKB49051$\3403837215
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\XSxS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.netbt
.
.
((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))
.
.
2011-11-23 01:20 . 2011-11-23 01:22 -------- d-----w- c:\users\Ralph\AppData\Local\temp
2011-11-23 01:20 . 2011-11-23 01:20 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-11-23 01:20 . 2011-11-23 01:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-11-23 01:20 . 2011-11-23 01:20 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-11-23 01:20 . 2011-11-23 01:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-18 00:20 . 2011-11-18 12:02 -------- d-----w- c:\programdata\STOPzilla!
2011-11-10 23:21 . 2011-11-23 01:20 -------- d-sh--w- c:\users\Ralph\AppData\Local\c91c8978
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 03:55 . 2011-07-28 04:12 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-18 19:42 . 2011-05-21 13:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 21:00 . 2011-03-27 14:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 14:21 . 2011-03-20 03:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-08-20 21:14 863232 --sha-w- c:\windows\System32\csrss_tc.exe
2009-02-19 17:17 48128 --sha-w- c:\windows\System32\hideagent.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Ralph^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^firefox - Shortcut.lnk]
path=c:\users\Ralph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox - Shortcut.lnk
backup=c:\windows\pss\firefox - Shortcut.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hercules DJ Series]
2011-04-26 13:00 1287464 ----a-w- c:\program files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 13:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 06:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-04-11 18:17 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2011-06-17 13:30 412432 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-15 21:17 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trend Micro RUBotted V2.0 Beta]
2010-12-17 13:33 1103184 ----a-w- c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 16:29 159456 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3001680465-2197587723-1104898170-1000]
"EnableNotificationsRef"=dword:00000002
.
3;2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R0 dnmsyuxk;dnmsyuxk;c:\windows\System32\drivers\xtxvqyf.sys [x]
R0 rcjm;rcjm;c:\windows\System32\drivers\bpqovbs.sys [x]
R1 MpKsl0d6025ad;MpKsl0d6025ad;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F40E8D8D-F72A-4621-A4E6-EE06D42FB10F}\MpKsl0d6025ad.sys [x]
R1 MpKsl124e5498;MpKsl124e5498;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{15756233-0291-4268-97C4-B307337FE321}\MpKsl124e5498.sys [x]
R1 MpKsl1d2f7310;MpKsl1d2f7310;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D50F10B7-8808-449A-9414-CA372F84614C}\MpKsl1d2f7310.sys [x]
R1 MpKsl29050fcf;MpKsl29050fcf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4F263FB-AF55-444E-8268-4BA63F7E3987}\MpKsl29050fcf.sys [x]
R1 MpKsl2cad18b9;MpKsl2cad18b9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{734C49A3-91A8-42E2-9200-61378AAE89ED}\MpKsl2cad18b9.sys [x]
R1 MpKsl35aca0aa;MpKsl35aca0aa;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC91515C-56CF-45E6-BB33-7290FB4724FC}\MpKsl35aca0aa.sys [x]
R1 MpKsl3a781cd3;MpKsl3a781cd3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F71DA00C-9E4C-4F2F-836B-55788D5A7758}\MpKsl3a781cd3.sys [x]
R1 MpKsl4552d119;MpKsl4552d119;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C996EDBF-BF6C-4E2B-931F-42E16C02E8CB}\MpKsl4552d119.sys [x]
R1 MpKsl4d5b7d84;MpKsl4d5b7d84;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1837218-F761-4E9B-B041-0E0BC1081B97}\MpKsl4d5b7d84.sys [x]
R1 MpKsl55348e41;MpKsl55348e41;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FAA3B32A-C34D-4E62-B2E2-3BACA7292BCA}\MpKsl55348e41.sys [x]
R1 MpKsl5c305883;MpKsl5c305883;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3A8FDE27-C8FF-4381-AF54-D06161119EC2}\MpKsl5c305883.sys [x]
R1 MpKsl5c7bf158;MpKsl5c7bf158;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F8EB80F4-B2A1-4E33-9B11-7556589C5104}\MpKsl5c7bf158.sys [x]
R1 MpKsl78ac9282;MpKsl78ac9282;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E58D8A09-9172-4DAA-976F-5FA9C6076903}\MpKsl78ac9282.sys [x]
R1 MpKsl9e0ba02d;MpKsl9e0ba02d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{124E958D-77B4-4939-B2C0-0FCB1D286F81}\MpKsl9e0ba02d.sys [x]
R1 MpKsla81223c7;MpKsla81223c7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A72020CA-7E32-49AB-BCD6-11547464AA04}\MpKsla81223c7.sys [x]
R1 MpKslaa15bd2b;MpKslaa15bd2b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9D541A19-E70D-4C8E-B6CF-EEDA21F6C259}\MpKslaa15bd2b.sys [x]
R1 MpKslb846277e;MpKslb846277e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C996EDBF-BF6C-4E2B-931F-42E16C02E8CB}\MpKslb846277e.sys [x]
R1 MpKslbad4a01d;MpKslbad4a01d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8763C6E4-7BE3-47A1-A105-808525E7245D}\MpKslbad4a01d.sys [x]
R1 MpKslc18cba68;MpKslc18cba68;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{58D55E26-05BE-4C14-B3C3-1F7A36BD31A6}\MpKslc18cba68.sys [x]
R1 MpKslc80a50ae;MpKslc80a50ae;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9DDF64AA-0BCC-4780-867A-3AC7AEC5384C}\MpKslc80a50ae.sys [x]
R1 MpKsle14888c8;MpKsle14888c8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1837218-F761-4E9B-B041-0E0BC1081B97}\MpKsle14888c8.sys [x]
R1 MpKsle503c7eb;MpKsle503c7eb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65ED258-36A9-422B-8F5D-12189CBE46FE}\MpKsle503c7eb.sys [x]
R1 MpKslec3fdd80;MpKslec3fdd80;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FDE2F323-FBDE-4638-BF72-7D1973D14C77}\MpKslec3fdd80.sys [x]
R1 MpKslf0b3f80c;MpKslf0b3f80c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{99D42273-72C1-4D6B-A29D-571D365B665A}\MpKslf0b3f80c.sys [x]
R1 MpKslf801665c;MpKslf801665c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CFA2DCD0-81D2-4CB0-824E-3B2C30B2E4CF}\MpKslf801665c.sys [x]
R1 rswecpce;rswecpce;c:\windows\system32\drivers\rswecpce.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-08-24 36608]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 136176]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-11-18 23624]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 netmonz;NetmonZ Service;c:\windows\system32\DRIVERS\netmonz.sys [2009-04-06 18432]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-08-15 552448]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 268512]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-20 691696]
S2 HerculesDJControlMP3;Hercules DJ Control MP3;c:\program files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE [2011-06-07 17408]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
S2 Scheduler;Scheduler;c:\program files\StaffCop\SchedulerSVC.exe [2010-08-20 1071616]
S2 Time Control Service;Time Control Service;c:\windows\system32\csrss_tc.exe [2010-08-20 863232]
S3 Bulk;HDJBulk;c:\windows\system32\Drivers\HDJBulk.sys [2011-04-28 159232]
S3 HDJAsioK;HDJAsioK;c:\windows\system32\Drivers\HDJAsioK.sys [2011-04-28 219648]
S3 HDJMidi;Hercules DJ Console Rmx MIDI;c:\windows\system32\DRIVERS\HDJMidi.sys [2011-04-28 209408]
S3 netmonzMP;netmonzMP;c:\windows\system32\DRIVERS\netmonz.sys [2009-04-06 18432]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 13:12]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 13:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: RaptisoftGameLoader - hxxp://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
FF - ProfilePath - c:\users\Ralph\AppData\Roaming\Mozilla\Firefox\Profiles\mdj9cwxa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/|http://www.youtube.com/|www.bleepingcomputer.com/forums/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-POL Agent - c:\program files\POL\POL.exe
AddRemove-Virtual DJ - Atomix Productions - c:\progra~1\VIRTUA~1\UNWISE.EXE
AddRemove-Virtual DJ Home - Atomix Productions - c:\progra~1\VIRTUA~1\UNWISE.EXE
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3588)
c:\windows\system32\HideAgent.dll
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-11-22 20:28:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-23 01:27
ComboFix2.txt 2011-04-11 20:20
.
Pre-Run: 150,293,250,048 bytes free
Post-Run: 150,013,206,528 bytes free
.
- - End Of File - - B91A6813DF498AFB4F15DFEBBD64D437

-------------------------------------------------------------------------------------------------------------------------
DDS (Ver_2011-09-30.01) - NTFS_x86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_21
Run by Ralph at 20:38:57 on 2011-11-22
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2814.1622 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss_tc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\csrss_tc.exe
C:\Windows\system32\conime.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\StaffCop\SchedulerSVC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: RaptisoftGameLoader - hxxp://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2DE07B5E-2B75-4578-8D5F-5F56B424094E} : DHCPNameServer = 192.168.1.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ralph\appdata\roaming\mozilla\firefox\profiles\mdj9cwxa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/|http://www.youtube.com/|www.bleepingcomputer.com/forums/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-7-24 21504]
R2 HerculesDJControlMP3;Hercules DJ Control MP3;c:\program files\hercules\audio\dj console series\drivers\x86\HerculesDJControlMP3.EXE [2011-6-28 17408]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-27 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-15 2214504]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-7-27 439632]
R2 Scheduler;Scheduler;c:\program files\staffcop\SchedulerSVC.exe [2011-6-25 1071616]
R2 Time Control Service;Time Control Service;c:\windows\system32\csrss_tc.exe [2010-8-20 863232]
R3 Bulk;HDJBulk;c:\windows\system32\drivers\HDJBulk.sys [2011-6-28 159232]
R3 HDJAsioK;HDJAsioK;c:\windows\system32\drivers\HDJAsioK.sys [2011-6-28 219648]
R3 HDJMidi;Hercules DJ Console Rmx MIDI;c:\windows\system32\drivers\HDJMidi.sys [2011-6-28 209408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-27 22216]
R3 netmonzMP;netmonzMP;c:\windows\system32\drivers\netmonz.sys [2009-4-6 18432]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-6-17 128272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-4-3 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-7-27 23624]
S3 netmonz;NetmonZ Service;c:\windows\system32\drivers\netmonz.sys [2009-4-6 18432]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-7-25 552448]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2011-8-5 268512]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-24 16896]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\Winword.exe="c:\program files\microsoft office\office12\WINWORD.EXE" /n /dde [UserChoice] [default=edit - 'Open' doesn't exist]
.
=============== Created Last 30 ================
.
2011-11-23 01:28:25 -------- d-----w- c:\users\ralph\appdata\local\temp
2011-11-23 01:22:36 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-22 23:48:13 256000 ----a-w- c:\windows\PEV.exe
2011-11-22 23:48:08 -------- d-----w- C:\ComboFix
2011-11-18 00:20:25 -------- d-----w- c:\programdata\STOPzilla!
2011-11-10 23:21:49 -------- d-sh--w- c:\users\ralph\appdata\local\c91c8978
2011-11-10 16:46:49 -------- d-----w- c:\users\ralph\appdata\local\{321EBB4C-D9B6-432A-91EA-B100F184B83A}
2011-11-10 16:46:10 -------- d-----w- c:\users\ralph\appdata\local\{CFCF64F8-6AFB-4E2A-8329-3E47CC792CD2}
2011-11-09 14:21:48 -------- d-----w- c:\users\ralph\appdata\local\{30EF8CEC-E087-4526-AE7E-CD18C8DA5854}
2011-11-09 14:21:34 -------- d-----w- c:\users\ralph\appdata\local\{669B0E3C-EEE3-451C-823B-644D70F940FD}
2011-11-08 13:15:21 -------- d-----w- c:\users\ralph\appdata\local\{D494A3B8-8A9A-419E-9AD5-1C9636D40A4B}
2011-11-08 13:14:39 -------- d-----w- c:\users\ralph\appdata\local\{3F581236-3F1B-40A8-AA3D-AF6AD5CA9C22}
2011-11-07 13:53:11 -------- d-----w- c:\users\ralph\appdata\local\{D3E2B18B-7A7D-47A2-96C9-F67E63929407}
2011-11-07 13:52:27 -------- d-----w- c:\users\ralph\appdata\local\{0C3BFB43-F7AD-4035-97D7-8D2926616506}
2011-11-06 14:08:17 -------- d-----w- c:\users\ralph\appdata\local\{01407A96-BAC6-4519-A88D-C84B33288589}
2011-11-06 14:07:43 -------- d-----w- c:\users\ralph\appdata\local\{FDF8CB59-4490-4BB8-8965-5797376DE5C9}
2011-11-05 12:54:54 -------- d-----w- c:\users\ralph\appdata\local\{C574453A-51E3-42C6-8312-56DB49679BC7}
2011-11-05 12:53:19 -------- d-----w- c:\users\ralph\appdata\local\{41E4E158-7D09-4463-83A3-CDF71FCF56F6}
2011-11-04 19:48:41 -------- d-----w- c:\users\ralph\appdata\local\{A86BA565-69B0-481B-9327-772EA1630022}
2011-11-04 19:48:39 -------- d-----w- c:\users\ralph\appdata\local\{0CA98899-FA36-4592-A760-F257E3783B24}
2011-11-03 19:46:57 -------- d-----w- c:\users\ralph\appdata\local\{7D136809-8A5F-4C7E-B54F-94DEC1129E66}
2011-11-03 19:46:49 -------- d-----w- c:\users\ralph\appdata\local\{6B170F32-109C-453A-B941-0F34CD988D47}
2011-11-02 20:09:17 -------- d-----w- c:\users\ralph\appdata\local\{55827218-32BD-4BA2-BB30-D254168D3FC4}
2011-11-02 20:09:13 -------- d-----w- c:\users\ralph\appdata\local\{D9CBE880-1A01-446C-81BF-5843854F1123}
2011-11-01 22:05:48 -------- d-----w- c:\users\ralph\appdata\local\{DA78E126-EA3E-4337-8382-45E9BB82B40F}
2011-11-01 22:05:39 -------- d-----w- c:\users\ralph\appdata\local\{39E4619F-E9BB-496F-BDDC-EC1549CE84FC}
2011-10-31 22:57:08 -------- d-----w- c:\users\ralph\appdata\local\{ADE61EDE-7AB4-4C9B-B395-F99F07113033}
2011-10-31 22:56:59 -------- d-----w- c:\users\ralph\appdata\local\{8E3FA850-B186-424B-A2FC-4A0B5B35A1EB}
2011-10-30 21:34:21 -------- d-----w- c:\users\ralph\appdata\local\{8C2715DD-FBA3-49F3-A3AA-57683B718B35}
2011-10-30 21:33:35 -------- d-----w- c:\users\ralph\appdata\local\{871BC1FC-2DF2-455E-AB9C-C67DE8201EC5}
2011-10-29 13:16:43 -------- d-----w- c:\users\ralph\appdata\local\{4EADBE90-567D-423E-B3D8-B7DAC5D9E9F9}
2011-10-29 13:16:41 -------- d-----w- c:\users\ralph\appdata\local\{DF265C48-41DC-46D4-9825-7D4A81024264}
2011-10-28 19:58:21 -------- d-----w- c:\users\ralph\appdata\local\{F0E66166-ADAB-4F9D-89FC-2726CBD3740D}
2011-10-28 19:58:11 -------- d-----w- c:\users\ralph\appdata\local\{075073D3-48B6-4686-8837-363EABAE93D8}
2011-10-27 20:53:38 -------- d-----w- c:\users\ralph\appdata\local\{5A8D8D71-EF80-40D7-8D77-D0938C704AA0}
2011-10-27 20:53:31 -------- d-----w- c:\users\ralph\appdata\local\{7C3EA886-6D34-46EE-9972-9B059CBB0D1F}
2011-10-26 22:09:37 -------- d-----w- c:\users\ralph\appdata\local\{A85E9AC6-E666-4A6D-B849-D30AE48B2CCB}
2011-10-26 22:08:23 -------- d-----w- c:\users\ralph\appdata\local\{2A49A31F-BAE1-48E0-B519-B49EB83964A6}
2011-10-25 22:11:41 -------- d-----w- c:\users\ralph\appdata\local\{17232A0F-EEA1-4B1E-B469-590DE9BA39E2}
2011-10-25 22:11:33 -------- d-----w- c:\users\ralph\appdata\local\{68968673-1227-4FA1-B4EF-D9727E0E6E8B}
.
==================== Find3M ====================
.
2011-11-18 03:55:01 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-18 19:42:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-20 21:14:32 863232 --sha-w- c:\windows\system32\csrss_tc.exe
2009-02-19 17:17:36 48128 --sha-w- c:\windows\system32\hideagent.dll
.
============= FINISH: 20:39:18.83 ===============

#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 November 2011 - 12:24 AM

Hi,

1. Download TDSSKiller and extract its contents into a folder at the desired location (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select Skip and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the C: drive root (its name should be in the UtilityName.Version_Date_Time_log.txt format).

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#10 habashny

habashny
  • Topic Starter

  • Members
  • 13 posts

Posted 23 November 2011 - 05:51 PM

17:51:07.0823 2268 TDSS rootkit removing tool 2.6.20.0 Nov 22 2011 12:05:55
17:51:08.0127 2268 ============================================================
17:51:08.0127 2268 Current date / time: 2011/11/23 17:51:08.0127
17:51:08.0127 2268 SystemInfo:
17:51:08.0127 2268
17:51:08.0127 2268 OS Version: 6.0.6002 ServicePack: 2.0
17:51:08.0127 2268 Product type: Workstation
17:51:08.0127 2268 ComputerName: RALPH-PC
17:51:08.0128 2268 UserName: Ralph
17:51:08.0128 2268 Windows directory: C:\Windows
17:51:08.0128 2268 System windows directory: C:\Windows
17:51:08.0128 2268 Processor architecture: Intel x86
17:51:08.0128 2268 Number of processors: 2
17:51:08.0128 2268 Page size: 0x1000
17:51:08.0128 2268 Boot type: Normal boot
17:51:08.0128 2268 ============================================================
17:51:08.0769 2268 Initialize success
17:51:11.0429 1232 ============================================================
17:51:11.0429 1232 Scan started
17:51:11.0429 1232 Mode: Manual;
17:51:11.0429 1232 ============================================================
17:51:11.0665 1232 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
17:51:11.0670 1232 ACPI - ok
17:51:11.0755 1232 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
17:51:11.0764 1232 adp94xx - ok
17:51:11.0793 1232 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
17:51:11.0798 1232 adpahci - ok
17:51:11.0817 1232 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
17:51:11.0820 1232 adpu160m - ok
17:51:11.0846 1232 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
17:51:11.0849 1232 adpu320 - ok
17:51:11.0922 1232 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
17:51:11.0928 1232 AFD - ok
17:51:12.0102 1232 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
17:51:12.0104 1232 agp440 - ok
17:51:12.0125 1232 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
17:51:12.0127 1232 aic78xx - ok
17:51:12.0162 1232 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
17:51:12.0163 1232 aliide - ok
17:51:12.0184 1232 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
17:51:12.0185 1232 amdagp - ok
17:51:12.0211 1232 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
17:51:12.0212 1232 amdide - ok
17:51:12.0232 1232 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
17:51:12.0234 1232 AmdK7 - ok
17:51:12.0247 1232 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
17:51:12.0249 1232 AmdK8 - ok
17:51:12.0305 1232 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
17:51:12.0308 1232 arc - ok
17:51:12.0337 1232 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
17:51:12.0339 1232 arcsas - ok
17:51:12.0392 1232 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
17:51:12.0393 1232 AsyncMac - ok
17:51:12.0432 1232 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
17:51:12.0433 1232 atapi - ok
17:51:12.0523 1232 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
17:51:12.0524 1232 Beep - ok
17:51:12.0563 1232 blbdrive - ok
17:51:12.0622 1232 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
17:51:12.0623 1232 bowser - ok
17:51:12.0686 1232 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
17:51:12.0687 1232 BrFiltLo - ok
17:51:12.0718 1232 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
17:51:12.0719 1232 BrFiltUp - ok
17:51:12.0738 1232 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
17:51:12.0740 1232 Brserid - ok
17:51:12.0771 1232 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
17:51:12.0773 1232 BrSerWdm - ok
17:51:12.0822 1232 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
17:51:12.0822 1232 BrUsbMdm - ok
17:51:12.0847 1232 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
17:51:12.0848 1232 BrUsbSer - ok
17:51:12.0863 1232 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
17:51:12.0872 1232 BTHMODEM - ok
17:51:12.0938 1232 Bulk (afc3240d40fef137380422ba8364b06d) C:\Windows\system32\Drivers\HDJBulk.sys
17:51:12.0962 1232 Bulk - ok
17:51:13.0029 1232 catchme - ok
17:51:13.0084 1232 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
17:51:13.0086 1232 cdfs - ok
17:51:13.0143 1232 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
17:51:13.0145 1232 cdrom - ok
17:51:13.0186 1232 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
17:51:13.0187 1232 circlass - ok
17:51:13.0229 1232 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
17:51:13.0233 1232 CLFS - ok
17:51:13.0278 1232 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
17:51:13.0279 1232 cmdide - ok
17:51:13.0295 1232 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
17:51:13.0297 1232 Compbatt - ok
17:51:13.0311 1232 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
17:51:13.0313 1232 crcdisk - ok
17:51:13.0336 1232 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
17:51:13.0337 1232 Crusoe - ok
17:51:13.0410 1232 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
17:51:13.0412 1232 DfsC - ok
17:51:13.0484 1232 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
17:51:13.0485 1232 disk - ok
17:51:13.0526 1232 dnmsyuxk - ok
17:51:13.0605 1232 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
17:51:13.0606 1232 drmkaud - ok
17:51:13.0673 1232 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
17:51:13.0690 1232 DXGKrnl - ok
17:51:13.0769 1232 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
17:51:13.0771 1232 E1G60 - ok
17:51:13.0795 1232 EagleNT - ok
17:51:13.0849 1232 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
17:51:13.0852 1232 Ecache - ok
17:51:13.0894 1232 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
17:51:13.0903 1232 elxstor - ok
17:51:13.0989 1232 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
17:51:13.0992 1232 exfat - ok
17:51:14.0032 1232 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
17:51:14.0036 1232 fastfat - ok
17:51:14.0063 1232 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
17:51:14.0064 1232 fdc - ok
17:51:14.0107 1232 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
17:51:14.0108 1232 FileInfo - ok
17:51:14.0127 1232 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
17:51:14.0129 1232 Filetrace - ok
17:51:14.0157 1232 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
17:51:14.0158 1232 flpydisk - ok
17:51:14.0195 1232 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
17:51:14.0199 1232 FltMgr - ok
17:51:14.0283 1232 FsUsbExDisk (790a4ca68f44be35967b3df61f3e4675) C:\Windows\system32\FsUsbExDisk.SYS
17:51:14.0285 1232 FsUsbExDisk - ok
17:51:14.0318 1232 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
17:51:14.0319 1232 Fs_Rec - ok
17:51:14.0362 1232 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
17:51:14.0364 1232 gagp30kx - ok
17:51:14.0410 1232 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
17:51:14.0412 1232 GEARAspiWDM - ok
17:51:14.0499 1232 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
17:51:14.0504 1232 HdAudAddService - ok
17:51:14.0542 1232 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
17:51:14.0552 1232 HDAudBus - ok
17:51:14.0608 1232 HDJAsioK (4c94e989087e6d95fe1f1efd31059390) C:\Windows\system32\Drivers\HDJAsioK.sys
17:51:14.0632 1232 HDJAsioK - ok
17:51:14.0651 1232 HDJMidi (3b8f0e00bad24aae9ed369fa16a715b9) C:\Windows\system32\DRIVERS\HDJMidi.sys
17:51:14.0667 1232 HDJMidi - ok
17:51:14.0728 1232 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
17:51:14.0730 1232 HidBth - ok
17:51:14.0750 1232 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
17:51:14.0751 1232 HidIr - ok
17:51:14.0783 1232 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
17:51:14.0784 1232 HidUsb - ok
17:51:14.0834 1232 hitmanpro35 (72472b9ce5d02e443cff49a40355455d) C:\Windows\system32\drivers\hitmanpro35.sys
17:51:14.0835 1232 hitmanpro35 - ok
17:51:14.0866 1232 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
17:51:14.0868 1232 HpCISSs - ok
17:51:14.0915 1232 HTTP (0eeeca26c8d4bde2a4664db058a81937) C:\Windows\system32\drivers\HTTP.sys
17:51:14.0923 1232 HTTP - ok
17:51:14.0946 1232 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
17:51:14.0948 1232 i2omp - ok
17:51:15.0003 1232 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
17:51:15.0004 1232 i8042prt - ok
17:51:15.0041 1232 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
17:51:15.0045 1232 iaStorV - ok
17:51:15.0086 1232 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
17:51:15.0087 1232 iirsp - ok
17:51:15.0112 1232 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
17:51:15.0113 1232 intelide - ok
17:51:15.0137 1232 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
17:51:15.0138 1232 intelppm - ok
17:51:15.0195 1232 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
17:51:15.0196 1232 IpFilterDriver - ok
17:51:15.0211 1232 IpInIp - ok
17:51:15.0237 1232 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
17:51:15.0239 1232 IPMIDRV - ok
17:51:15.0259 1232 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
17:51:15.0261 1232 IPNAT - ok
17:51:15.0309 1232 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
17:51:15.0310 1232 IRENUM - ok
17:51:15.0355 1232 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
17:51:15.0356 1232 isapnp - ok
17:51:15.0396 1232 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
17:51:15.0399 1232 iScsiPrt - ok
17:51:15.0426 1232 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
17:51:15.0428 1232 iteatapi - ok
17:51:15.0496 1232 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
17:51:15.0498 1232 iteraid - ok
17:51:15.0537 1232 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
17:51:15.0538 1232 kbdclass - ok
17:51:15.0580 1232 kbdhid (d2600cb17b7408b4a83f231dc9a11ac3) C:\Windows\system32\drivers\kbdhid.sys
17:51:15.0581 1232 kbdhid - ok
17:51:15.0631 1232 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
17:51:15.0638 1232 KSecDD - ok
17:51:15.0686 1232 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
17:51:15.0687 1232 lltdio - ok
17:51:15.0723 1232 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
17:51:15.0725 1232 LSI_FC - ok
17:51:15.0745 1232 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
17:51:15.0748 1232 LSI_SAS - ok
17:51:15.0771 1232 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
17:51:15.0774 1232 LSI_SCSI - ok
17:51:15.0816 1232 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
17:51:15.0818 1232 luafv - ok
17:51:15.0897 1232 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\Windows\system32\drivers\mbam.sys
17:51:15.0898 1232 MBAMProtector - ok
17:51:15.0939 1232 MBAMSwissArmy - ok
17:51:15.0975 1232 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
17:51:15.0977 1232 megasas - ok
17:51:16.0017 1232 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
17:51:16.0019 1232 Modem - ok
17:51:16.0073 1232 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
17:51:16.0073 1232 monitor - ok
17:51:16.0106 1232 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
17:51:16.0108 1232 mouclass - ok
17:51:16.0162 1232 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
17:51:16.0163 1232 mouhid - ok
17:51:16.0194 1232 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
17:51:16.0195 1232 MountMgr - ok
17:51:16.0255 1232 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\Windows\system32\DRIVERS\MpFilter.sys
17:51:16.0259 1232 MpFilter - ok
17:51:16.0311 1232 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
17:51:16.0312 1232 mpio - ok
17:51:16.0412 1232 MpKsl0d6025ad - ok
17:51:16.0419 1232 MpKsl124e5498 - ok
17:51:16.0470 1232 MpKsl1d2f7310 - ok
17:51:16.0484 1232 MpKsl29050fcf - ok
17:51:16.0497 1232 MpKsl2cad18b9 - ok
17:51:16.0505 1232 MpKsl35aca0aa - ok
17:51:16.0514 1232 MpKsl3a781cd3 - ok
17:51:16.0593 1232 MpKsl41b37aa6 (5f53edfead46fa7adb78eee9ecce8fdf) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D286BE62-4CA0-43D0-B9F8-01D8AD6CA18C}\MpKsl41b37aa6.sys
17:51:16.0593 1232 MpKsl41b37aa6 - ok
17:51:16.0612 1232 MpKsl4552d119 - ok
17:51:16.0623 1232 MpKsl4d5b7d84 - ok
17:51:16.0636 1232 MpKsl55348e41 - ok
17:51:16.0648 1232 MpKsl5c305883 - ok
17:51:16.0665 1232 MpKsl5c7bf158 - ok
17:51:16.0675 1232 MpKsl78ac9282 - ok
17:51:16.0684 1232 MpKsl9e0ba02d - ok
17:51:16.0695 1232 MpKsla81223c7 - ok
17:51:16.0703 1232 MpKslaa15bd2b - ok
17:51:16.0713 1232 MpKslb846277e - ok
17:51:16.0722 1232 MpKslbad4a01d - ok
17:51:16.0729 1232 MpKslc18cba68 - ok
17:51:16.0738 1232 MpKslc80a50ae - ok
17:51:16.0748 1232 MpKsle14888c8 - ok
17:51:16.0755 1232 MpKsle503c7eb - ok
17:51:16.0766 1232 MpKslec3fdd80 - ok
17:51:16.0775 1232 MpKslf0b3f80c - ok
17:51:16.0784 1232 MpKslf801665c - ok
17:51:16.0888 1232 MpNWMon (2c3489660d4a8d514c123c3f0d67df46) C:\Windows\system32\DRIVERS\MpNWMon.sys
17:51:16.0890 1232 MpNWMon - ok
17:51:16.0936 1232 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
17:51:16.0937 1232 mpsdrv - ok
17:51:17.0005 1232 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
17:51:17.0006 1232 Mraid35x - ok
17:51:17.0035 1232 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
17:51:17.0037 1232 MRxDAV - ok
17:51:17.0092 1232 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
17:51:17.0094 1232 mrxsmb - ok
17:51:17.0145 1232 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
17:51:17.0149 1232 mrxsmb10 - ok
17:51:17.0165 1232 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
17:51:17.0167 1232 mrxsmb20 - ok
17:51:17.0183 1232 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
17:51:17.0184 1232 msahci - ok
17:51:17.0209 1232 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
17:51:17.0211 1232 msdsm - ok
17:51:17.0254 1232 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
17:51:17.0255 1232 Msfs - ok
17:51:17.0314 1232 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
17:51:17.0315 1232 msisadrv - ok
17:51:17.0391 1232 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
17:51:17.0392 1232 MSKSSRV - ok
17:51:17.0435 1232 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
17:51:17.0437 1232 MSPCLOCK - ok
17:51:17.0466 1232 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
17:51:17.0467 1232 MSPQM - ok
17:51:17.0497 1232 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
17:51:17.0500 1232 MsRPC - ok
17:51:17.0538 1232 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
17:51:17.0539 1232 mssmbios - ok
17:51:17.0556 1232 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
17:51:17.0557 1232 MSTEE - ok
17:51:17.0576 1232 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
17:51:17.0577 1232 Mup - ok
17:51:17.0614 1232 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
17:51:17.0617 1232 NativeWifiP - ok
17:51:17.0676 1232 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
17:51:17.0685 1232 NDIS - ok
17:51:17.0736 1232 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
17:51:17.0737 1232 NdisTapi - ok
17:51:17.0751 1232 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
17:51:17.0753 1232 Ndisuio - ok
17:51:17.0765 1232 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
17:51:17.0768 1232 NdisWan - ok
17:51:17.0785 1232 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
17:51:17.0787 1232 NDProxy - ok
17:51:17.0815 1232 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
17:51:17.0816 1232 NetBIOS - ok
17:51:17.0863 1232 netmonz (472a7d82d64d5f7cde8273fbff94b8a1) C:\Windows\system32\DRIVERS\netmonz.sys
17:51:17.0867 1232 netmonz - ok
17:51:17.0874 1232 netmonzMP (472a7d82d64d5f7cde8273fbff94b8a1) C:\Windows\system32\DRIVERS\netmonz.sys
17:51:17.0875 1232 netmonzMP - ok
17:51:17.0960 1232 netr28u (6f8480809d14f0594b4b1df07385da33) C:\Windows\system32\DRIVERS\netr28u.sys
17:51:17.0973 1232 netr28u - ok
17:51:18.0021 1232 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
17:51:18.0023 1232 nfrd960 - ok
17:51:18.0062 1232 NisDrv (7b01c6172cfd0b10116175e09200d4b4) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
17:51:18.0065 1232 NisDrv - ok
17:51:18.0130 1232 NPF (b9730495e0cf674680121e34bd95a73b) C:\Windows\system32\drivers\npf.sys
17:51:18.0131 1232 NPF - ok
17:51:18.0165 1232 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
17:51:18.0166 1232 Npfs - ok
17:51:18.0193 1232 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
17:51:18.0195 1232 nsiproxy - ok
17:51:18.0247 1232 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
17:51:18.0272 1232 Ntfs - ok
17:51:18.0316 1232 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
17:51:18.0317 1232 ntrigdigi - ok
17:51:18.0365 1232 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
17:51:18.0366 1232 Null - ok
17:51:18.0454 1232 NVENETFD (d958a2b5f6ad5c3b8ccdc4d7da62466c) C:\Windows\system32\DRIVERS\nvmfdx32.sys
17:51:18.0479 1232 NVENETFD - ok
17:51:18.0766 1232 nvlddmkm (847b1755f7757f825305a1ffe6dac3e9) C:\Windows\system32\DRIVERS\nvlddmkm.sys
17:51:18.0834 1232 nvlddmkm - ok
17:51:18.0876 1232 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
17:51:18.0878 1232 nvraid - ok
17:51:18.0897 1232 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
17:51:18.0899 1232 nvstor - ok
17:51:18.0942 1232 nvstor32 (1a649b87a7b7c1220a2b16b121f2198e) C:\Windows\system32\DRIVERS\nvstor32.sys
17:51:18.0943 1232 nvstor32 - ok
17:51:18.0998 1232 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
17:51:19.0001 1232 nv_agp - ok
17:51:19.0013 1232 NwlnkFlt - ok
17:51:19.0034 1232 NwlnkFwd - ok
17:51:19.0089 1232 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
17:51:19.0091 1232 ohci1394 - ok
17:51:19.0142 1232 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
17:51:19.0145 1232 Parport - ok
17:51:19.0182 1232 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
17:51:19.0184 1232 partmgr - ok
17:51:19.0208 1232 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
17:51:19.0212 1232 Parvdm - ok
17:51:19.0254 1232 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
17:51:19.0257 1232 pci - ok
17:51:19.0272 1232 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
17:51:19.0274 1232 pciide - ok
17:51:19.0308 1232 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
17:51:19.0312 1232 pcmcia - ok
17:51:19.0379 1232 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
17:51:19.0404 1232 PEAUTH - ok
17:51:19.0535 1232 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
17:51:19.0537 1232 PptpMiniport - ok
17:51:19.0567 1232 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
17:51:19.0568 1232 Processor - ok
17:51:19.0613 1232 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
17:51:19.0615 1232 PSched - ok
17:51:19.0663 1232 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\Windows\system32\Drivers\PxHelp20.sys
17:51:19.0664 1232 PxHelp20 - ok
17:51:19.0724 1232 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
17:51:19.0744 1232 ql2300 - ok
17:51:19.0770 1232 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
17:51:19.0773 1232 ql40xx - ok
17:51:19.0811 1232 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
17:51:19.0813 1232 QWAVEdrv - ok
17:51:19.0838 1232 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
17:51:19.0840 1232 RasAcd - ok
17:51:19.0868 1232 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
17:51:19.0870 1232 Rasl2tp - ok
17:51:19.0897 1232 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
17:51:19.0899 1232 RasPppoe - ok
17:51:19.0911 1232 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
17:51:19.0914 1232 RasSstp - ok
17:51:19.0941 1232 rcjm - ok
17:51:19.0986 1232 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
17:51:19.0990 1232 rdbss - ok
17:51:20.0017 1232 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
17:51:20.0018 1232 RDPCDD - ok
17:51:20.0066 1232 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
17:51:20.0073 1232 rdpdr - ok
17:51:20.0104 1232 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
17:51:20.0105 1232 RDPENCDD - ok
17:51:20.0141 1232 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
17:51:20.0144 1232 RDPWD - ok
17:51:20.0208 1232 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
17:51:20.0209 1232 RimUsb - ok
17:51:20.0259 1232 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
17:51:20.0261 1232 RimVSerPort - ok
17:51:20.0273 1232 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
17:51:20.0275 1232 ROOTMODEM - ok
17:51:20.0342 1232 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
17:51:20.0344 1232 rspndr - ok
17:51:20.0358 1232 rswecpce - ok
17:51:20.0427 1232 SbieDrv (4dc71d072aa8cc54634469b22120bdb8) C:\Program Files\Sandboxie\SbieDrv.sys
17:51:20.0430 1232 SbieDrv - ok
17:51:20.0472 1232 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
17:51:20.0474 1232 sbp2port - ok
17:51:20.0530 1232 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
17:51:20.0532 1232 secdrv - ok
17:51:20.0572 1232 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
17:51:20.0575 1232 Serenum - ok
17:51:20.0601 1232 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
17:51:20.0603 1232 Serial - ok
17:51:20.0628 1232 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
17:51:20.0629 1232 sermouse - ok
17:51:20.0678 1232 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
17:51:20.0680 1232 sffdisk - ok
17:51:20.0705 1232 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
17:51:20.0706 1232 sffp_mmc - ok
17:51:20.0731 1232 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
17:51:20.0732 1232 sffp_sd - ok
17:51:20.0752 1232 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
17:51:20.0753 1232 sfloppy - ok
17:51:20.0782 1232 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
17:51:20.0787 1232 sisagp - ok
17:51:20.0811 1232 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
17:51:20.0813 1232 SiSRaid2 - ok
17:51:20.0875 1232 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
17:51:20.0877 1232 SiSRaid4 - ok
17:51:20.0926 1232 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
17:51:20.0928 1232 Smb - ok
17:51:20.0971 1232 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
17:51:20.0972 1232 spldr - ok
17:51:21.0016 1232 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
17:51:21.0016 1232 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
17:51:21.0036 1232 sptd ( LockedFile.Multi.Generic ) - warning
17:51:21.0036 1232 sptd - detected LockedFile.Multi.Generic (1)
17:51:21.0072 1232 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
17:51:21.0078 1232 srv - ok
17:51:21.0131 1232 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
17:51:21.0133 1232 srv2 - ok
17:51:21.0179 1232 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
17:51:21.0181 1232 srvnet - ok
17:51:21.0220 1232 ss_bus (5a1d0ca8a5f1e7b4ec50b9d76c001f0e) C:\Windows\system32\DRIVERS\ss_bus.sys
17:51:21.0222 1232 ss_bus - ok
17:51:21.0255 1232 ss_mdfl (f0a85580e36a3a85059037d39a9cf079) C:\Windows\system32\DRIVERS\ss_mdfl.sys
17:51:21.0256 1232 ss_mdfl - ok
17:51:21.0281 1232 ss_mdm (84c3dbfd1bfa4adc0a950b3d5506cb00) C:\Windows\system32\DRIVERS\ss_mdm.sys
17:51:21.0283 1232 ss_mdm - ok
17:51:21.0313 1232 StarOpen (306521935042fc0a6988d528643619b3) C:\Windows\system32\drivers\StarOpen.sys
17:51:21.0314 1232 StarOpen - ok
17:51:21.0371 1232 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
17:51:21.0373 1232 swenum - ok
17:51:21.0417 1232 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
17:51:21.0419 1232 Symc8xx - ok
17:51:21.0443 1232 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
17:51:21.0445 1232 Sym_hi - ok
17:51:21.0471 1232 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
17:51:21.0473 1232 Sym_u3 - ok
17:51:21.0564 1232 Tcpip (6647fce6fc4970daafe5c64c794513d3) C:\Windows\system32\drivers\tcpip.sys
17:51:21.0587 1232 Tcpip - ok
17:51:21.0614 1232 Tcpip6 (6647fce6fc4970daafe5c64c794513d3) C:\Windows\system32\DRIVERS\tcpip.sys
17:51:21.0620 1232 Tcpip6 - ok
17:51:21.0670 1232 tcpipreg (36606b165d04a397bdf613096986d85d) C:\Windows\system32\drivers\tcpipreg.sys
17:51:21.0672 1232 tcpipreg - ok
17:51:21.0713 1232 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
17:51:21.0715 1232 TDPIPE - ok
17:51:21.0736 1232 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
17:51:21.0738 1232 TDTCP - ok
17:51:21.0771 1232 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
17:51:21.0774 1232 tdx - ok
17:51:21.0801 1232 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
17:51:21.0803 1232 TermDD - ok
17:51:21.0867 1232 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
17:51:21.0869 1232 tssecsrv - ok
17:51:21.0897 1232 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
17:51:21.0898 1232 tunmp - ok
17:51:21.0932 1232 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
17:51:21.0934 1232 tunnel - ok
17:51:21.0968 1232 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
17:51:21.0971 1232 uagp35 - ok
17:51:22.0013 1232 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
17:51:22.0017 1232 udfs - ok
17:51:22.0056 1232 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
17:51:22.0058 1232 uliagpkx - ok
17:51:22.0084 1232 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
17:51:22.0088 1232 uliahci - ok
17:51:22.0107 1232 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
17:51:22.0109 1232 UlSata - ok
17:51:22.0132 1232 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
17:51:22.0135 1232 ulsata2 - ok
17:51:22.0171 1232 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
17:51:22.0172 1232 umbus - ok
17:51:22.0209 1232 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\Windows\system32\Drivers\usbaapl.sys
17:51:22.0212 1232 USBAAPL - ok
17:51:22.0278 1232 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
17:51:22.0280 1232 usbaudio - ok
17:51:22.0307 1232 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
17:51:22.0324 1232 usbccgp - ok
17:51:22.0375 1232 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
17:51:22.0377 1232 usbcir - ok
17:51:22.0423 1232 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
17:51:22.0425 1232 usbehci - ok
17:51:22.0479 1232 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
17:51:22.0485 1232 usbhub - ok
17:51:22.0549 1232 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
17:51:22.0550 1232 usbohci - ok
17:51:22.0575 1232 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
17:51:22.0577 1232 usbprint - ok
17:51:22.0607 1232 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
17:51:22.0608 1232 USBSTOR - ok
17:51:22.0632 1232 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
17:51:22.0633 1232 usbuhci - ok
17:51:22.0657 1232 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
17:51:22.0658 1232 vga - ok
17:51:22.0698 1232 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
17:51:22.0699 1232 VgaSave - ok
17:51:22.0726 1232 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
17:51:22.0728 1232 viaagp - ok
17:51:22.0746 1232 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
17:51:22.0748 1232 ViaC7 - ok
17:51:22.0765 1232 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
17:51:22.0767 1232 viaide - ok
17:51:22.0808 1232 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
17:51:22.0809 1232 volmgr - ok
17:51:22.0841 1232 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
17:51:22.0845 1232 volmgrx - ok
17:51:22.0881 1232 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
17:51:22.0885 1232 volsnap - ok
17:51:22.0924 1232 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
17:51:22.0927 1232 vsmraid - ok
17:51:22.0966 1232 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
17:51:22.0968 1232 WacomPen - ok
17:51:23.0010 1232 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
17:51:23.0012 1232 Wanarp - ok
17:51:23.0019 1232 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
17:51:23.0021 1232 Wanarpv6 - ok
17:51:23.0066 1232 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
17:51:23.0067 1232 Wd - ok
17:51:23.0126 1232 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
17:51:23.0134 1232 Wdf01000 - ok
17:51:23.0235 1232 WinUSB (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\WinUSB.sys
17:51:23.0237 1232 WinUSB - ok
17:51:23.0286 1232 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
17:51:23.0287 1232 WmiAcpi - ok
17:51:23.0390 1232 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
17:51:23.0392 1232 WpdUsb - ok
17:51:23.0448 1232 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
17:51:23.0452 1232 ws2ifsl - ok
17:51:23.0503 1232 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
17:51:23.0504 1232 WSDPrintDevice - ok
17:51:23.0549 1232 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
17:51:23.0552 1232 WudfPf - ok
17:51:23.0599 1232 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
17:51:23.0602 1232 WUDFRd - ok
17:51:23.0651 1232 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:51:23.0804 1232 \Device\Harddisk0\DR0 - ok
17:51:23.0837 1232 Boot (0x1200) (c6b245765030ad8f50beff68304c67d6) \Device\Harddisk0\DR0\Partition0
17:51:23.0838 1232 \Device\Harddisk0\DR0\Partition0 - ok
17:51:23.0838 1232 ============================================================
17:51:23.0838 1232 Scan finished
17:51:23.0838 1232 ============================================================
17:51:23.0856 3588 Detected object count: 1
17:51:23.0857 3588 Actual detected object count: 1
17:51:34.0436 3588 sptd ( LockedFile.Multi.Generic ) - skipped by user
17:51:34.0436 3588 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
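A helper reads a TDSSKiller log like the one above for two things: entries that received a verdict, and service registrations that print only "name - ok" with no file line before them, meaning the registry still points at a driver that is no longer on disk. The script below is an added example (it is not part of this thread, and not Kaspersky's or ComboFix's code) that parses the line shapes seen in the log, separates both groups, and assembles the Driver:: section of a ComboFix CFScript from the pathless names. The sample log is a constructed subset of lines copied from the post above; the allowlist of pathless names to leave alone is an assumption of the example.

```python
"""Triage a TDSSKiller driver-enumeration log.

Added example for this thread; it is not Kaspersky's TDSSKiller code and not
ComboFix's. It parses the line shapes visible in the log above and sorts what
TDSSKiller reported into the groups a helper reads the log for.
"""
import re
from typing import NamedTuple, Optional

# Line shapes copied from the log above:
#   <time> <pid> <name> (<md5>) <path>        file found and hashed
#   <time> <pid> <name> - ok                  status; pathless if no file line precedes it
#   <time> <pid> <name> ( <verdict> ) - warning / skipped by user
#   <time> <pid> <name> - detected <verdict> (1)
FILE_RE = re.compile(r"^\S+ \d+ (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
STATUS_RE = re.compile(r"^\S+ \d+ (?P<name>\S+)(?: \( (?P<verdict>[^)]+) \))? - (?P<status>.+)$")


class Entry(NamedTuple):
    name: str
    path: Optional[str]      # None: the service key exists but TDSSKiller found no file to hash
    md5: Optional[str]
    verdict: Optional[str]   # e.g. "LockedFile.Multi.Generic"; None when nothing was flagged
    status: str              # last status printed for the name


def parse_tdsskiller(log: str) -> dict:
    """Return {name: Entry} for every driver or service TDSSKiller reported on."""
    files, entries = {}, {}
    for raw in log.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files[m["name"]] = (m["md5"], m["path"])
            continue
        m = STATUS_RE.match(line)
        if not m or m["name"].startswith("\\"):   # \Device\... lines are MBR/boot checks, not services
            continue
        name = m["name"]
        md5, path = files.get(name, (None, None))
        prev = entries.get(name)
        verdict = m["verdict"] or (prev.verdict if prev else None)
        entries[name] = Entry(name, path, md5, verdict, m["status"])
    return entries


def flagged(entries: dict) -> list:
    """Names whose final status is anything other than a plain 'ok'.

    LockedFile.Multi.Generic is what TDSSKiller reports when it cannot read a
    file at all (the "Suspicious file (NoAccess)" line): it has no hash to
    judge, so this is a "could not inspect" signal rather than a malware
    verdict, which is why the reply below asks for no action on sptd.
    """
    return sorted((n for n, e in entries.items() if e.status != "ok"), key=str.lower)


def pathless(entries: dict) -> list:
    """Service/driver registrations for which no file line was printed."""
    return sorted((n for n, e in entries.items() if e.path is None), key=str.lower)


# Pathless names the reply below left alone (ComboFix's own catchme and
# Malwarebytes' MBAMSwissArmy among them). Treating them as known-good is an
# assumption of this example, not something TDSSKiller decides.
KNOWN_PATHLESS = {"blbdrive", "catchme", "EagleNT", "IpInIp",
                  "MBAMSwissArmy", "NwlnkFlt", "NwlnkFwd"}


def cfscript_driver_section(entries: dict, allowlist=KNOWN_PATHLESS) -> str:
    """Build the Driver:: block of a ComboFix CFScript from the remaining pathless names."""
    names = [n for n in pathless(entries) if n not in allowlist]
    return "Driver::\n" + "\n".join(names)


# Constructed sample: a subset of lines copied from the log above.
SAMPLE_LOG = r"""17:51:12.0247 1232 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
17:51:12.0249 1232 AmdK8 - ok
17:51:13.0029 1232 catchme - ok
17:51:13.0526 1232 dnmsyuxk - ok
17:51:16.0514 1232 MpKsl3a781cd3 - ok
17:51:16.0593 1232 MpKsl41b37aa6 (5f53edfead46fa7adb78eee9ecce8fdf) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D286BE62-4CA0-43D0-B9F8-01D8AD6CA18C}\MpKsl41b37aa6.sys
17:51:16.0593 1232 MpKsl41b37aa6 - ok
17:51:19.0941 1232 rcjm - ok
17:51:21.0016 1232 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
17:51:21.0016 1232 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
17:51:21.0036 1232 sptd ( LockedFile.Multi.Generic ) - warning
17:51:21.0036 1232 sptd - detected LockedFile.Multi.Generic (1)
17:51:23.0651 1232 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:51:23.0804 1232 \Device\Harddisk0\DR0 - ok
17:51:23.0856 3588 Detected object count: 1
17:51:34.0436 3588 sptd ( LockedFile.Multi.Generic ) - skipped by user
"""

if __name__ == "__main__":
    found = parse_tdsskiller(SAMPLE_LOG)
    print("flagged:", flagged(found))
    print("pathless:", pathless(found))
    print(cfscript_driver_section(found))
```

Run against the full log above, the same code yields exactly the Driver:: list the helper posts in reply #13 (dnmsyuxk, rcjm, rswecpce and the 25 MpKsl* names without a file), because MpKsl41b37aa6 is the one MpKsl entry that still has its file on disk. A pathless entry is only a leftover registration, so removing it is cleanup rather than a malware verdict; the verdict lines are a separate question.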

#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 24 November 2011 - 12:50 AM

Hi,

Please post the attach.txt part of the DDS run. It was missing from your earlier post.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#12 habashny

habashny
  • Topic Starter

  • Members
  • 13 posts

Posted 25 November 2011 - 12:16 AM

Didn't notice I had to check that second box before scanning, sorry about that. I decided to simply run a fresh scan, so here is the current Attach.txt.

Thanks

Attached Files


Edited by habashny, 25 November 2011 - 12:16 AM.


#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 25 November 2011 - 02:04 AM

Hi again,

uTorrent

The programs listed above are P2P file-sharing programs. P2P downloads are nowadays one of the things most likely to bring an infection into the system. My recommendation is to uninstall these (and any others, if present) P2P file-sharing programs.


Open Notepad and copy/paste the text in the quote box below into it:

Folder::
c:\users\ralph\appdata\local\c91c8978
Driver::
dnmsyuxk
rcjm
MpKsl0d6025ad
MpKsl124e5498
MpKsl1d2f7310
MpKsl29050fcf
MpKsl2cad18b9
MpKsl35aca0aa
MpKsl3a781cd3
MpKsl4552d119
MpKsl4d5b7d84
MpKsl55348e41
MpKsl5c305883
MpKsl5c7bf158
MpKsl78ac9282
MpKsl9e0ba02d
MpKsla81223c7
MpKslaa15bd2b
MpKslb846277e
MpKslbad4a01d
MpKslc18cba68
MpKslc80a50ae
MpKsle14888c8
MpKsle503c7eb
MpKslec3fdd80
MpKslf0b3f80c
MpKslf801665c
rswecpce


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1 and the separate 10.1.1 update for it) here, or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 7 Update 1.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (with or without Multi-language) and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u1-windows-i586.exe to install the newest version. Uncheck the Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.



#14 habashny (Topic Starter)

  • Members
  • 13 posts

Posted 25 November 2011 - 05:42 PM

Hello,

For ComboFix, I'm prompted to close Microsoft Security Essentials antivirus and antimalware before clicking OK to start the scan, but it's not even in the taskbar... What should I do next?

Thanks

#15 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 November 2011 - 05:55 AM

Hi,

Ignore the warning.

