Unwanted IE browser re-directs


  • This topic is locked
12 replies to this topic

#1 VasM

VasM

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:18 AM

Posted 18 November 2011 - 01:19 AM

Hi,

I have a Win 7 machine that has recently contracted some virus/malware. Microsoft Security Essentials found several items, but even after the removal of those items iexplore.exe starts on its own and appears in the running process list. Occasionally you will see the IE window appear and be at some random page. Additionally, when doing a Google search and clicking on the search results you are re-directed elsewhere.

Here is the DDS log:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by vasm at 16:19:59 on 2011-11-18
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.61.1033.18.3037.1681 [GMT 11:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.5
TCP: Interfaces\{005B49CA-3BC8-42D9-8451-C3E37FA7A4B3} : DhcpNameServer = 192.168.1.5
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\759\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl24f2bbd8;MpKsl24f2bbd8;c:\programdata\microsoft\microsoft antimalware\definition updates\{5de19336-a06f-401c-8a60-8f9cd1658992}\MpKsl24f2bbd8.sys [2011-11-18 28752]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-15 127488]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-1-14 39272]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
.
=============== Created Last 30 ================
.
2011-11-18 05:11:55 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5de19336-a06f-401c-8a60-8f9cd1658992}\MpKsl24f2bbd8.sys
2011-11-18 05:11:53 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5de19336-a06f-401c-8a60-8f9cd1658992}\offreg.dll
2011-11-18 04:50:24 -------- d-----w- c:\windows\system32\SPReview
2011-11-18 04:38:02 -------- d-----w- c:\users\vasm.looknet\appdata\local\ElevatedDiagnostics
2011-11-18 03:16:18 6668624 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5de19336-a06f-401c-8a60-8f9cd1658992}\mpengine.dll
2011-11-18 01:37:42 -------- d-s---w- C:\ComboFix
2011-11-15 05:05:37 -------- d-----w- c:\program files\ESET
2011-11-15 03:58:53 -------- d-----w- c:\users\vasm.looknet\appdata\local\temp
2011-11-15 03:55:15 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-15 02:54:44 6668624 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-11-15 01:59:11 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-14 23:27:13 -------- d-----w- c:\programdata\Malwarebytes
2011-11-14 23:27:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-13 23:16:45 2339840 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 23:16:44 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-13 23:16:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 23:05:45 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-11-13 23:05:44 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a7d926f4-163e-4714-be71-24489ce3ae6e}\gapaengine.dll
2011-11-13 23:04:38 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-13 22:57:45 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-13 22:57:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
.
==================== Find3M ====================
.
2011-08-27 04:43:07 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:43:06 233472 ----a-w- c:\windows\system32\oleacc.dll
.
============= FINISH: 16:26:50.52 ===============


Here is the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-18 14:09:54
Windows 6.1.7600
Running: sm2nlkcm.exe; Driver: C:\Users\JIMMIL~1\AppData\Local\Temp\pxldypow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@COD 9600
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@DibServiceVersion 131072
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@Name 0x41 0x70 0x70 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@PID 781
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@Store Link Key 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@VID 1452
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@VIDType 2
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\CachedServices
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\CachedServices@00010000 0x36 0x01 0x54 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@AuthenticationRequirements 5
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@IoCapability 255
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@RemoteAuthenticationRequirements 255
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@SSP MITM Protected 0
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@SSP Paired 0
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@SSP Supported 0
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}@Instance 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@CounterInstanceId 0
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@DeviceString
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@Enabled 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@PriLangServiceName 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Keys
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Keys\00190e060b43
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT\Keys\00190e060b43@c42c03ade670 0x99 0x32 0x88 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\HidBth
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\HidBth\Devices
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\HidBth\Devices\00190e060b43c42c03ade670
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\HidBth\Devices\00190e060b43c42c03ade670@ConnectionAuthenticated 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\HidBth\Devices\00190e060b43c42c03ade670@VirtuallyCabled 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext 0x02 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@COD Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@ExtPropDescSemaphore 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Scans Before Out of Range 8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SCO Max Channels 2
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Store Link Key COD Masks 0x00 0x00 0x1F 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicLinkName \??\USB#VID_0A5C&PID_2153#00190E060B43#{0850302a-b344-4fda-9be9-90576b8d46f0}
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicName \??\USB#VID_0A5C&PID_2153#00190E060B43#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@COD 9600
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@DibServiceVersion 131072
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@Name 0x41 0x70 0x70 0x6C ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@PID 781
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@Store Link Key 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@VID 1452
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670@VIDType 2
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\CachedServices (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\CachedServices@00010000 0x36 0x01 0x54 0x09 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@AuthenticationRequirements 5
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@IoCapability 255
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@RemoteAuthenticationRequirements 255
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@SSP MITM Protected 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@SSP Paired 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43@SSP Supported 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb} (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}@Instance 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@CounterInstanceId 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@DeviceString
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@Enabled 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Devices\c42c03ade670\ServicesFor00190e060b43\{00001124-0000-1000-8000-00805f9b34fb}\C00000000@PriLangServiceName 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Keys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Keys\00190e060b43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT\Keys\00190e060b43@c42c03ade670 0x99 0x32 0x88 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\HidBth (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\HidBth\Devices (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\HidBth\Devices\00190e060b43c42c03ade670 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\HidBth\Devices\00190e060b43c42c03ade670@ConnectionAuthenticated 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\HidBth\Devices\00190e060b43c42c03ade670@VirtuallyCabled 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext 0x02 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@COD Type 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@ExtPropDescSemaphore 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Scans Before Out of Range 8
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SCO Max Channels 2
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Store Link Key COD Masks 0x00 0x00 0x1F 0x43 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicLinkName \??\USB#VID_0A5C&PID_2153#00190E060B43#{0850302a-b344-4fda-9be9-90576b8d46f0}
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicName \??\USB#VID_0A5C&PID_2153#00190E060B43#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

---- EOF - GMER 1.0.15 ----


Thanks

Vas

Attached Files
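The DDS "Pseudo HJT Report" above is the part of the log a malware-response volunteer reads first: toolbar/BHO registrations, the user and machine Run keys, ActiveX downloads (DPF) and the DNS servers each interface uses. As an added illustration of how that section is read, here is a small triage script written for this thread; it is not part of DDS, ComboFix or any BleepingComputer tooling and was not posted by either participant. The sample input is constructed: most lines are copied from the report above, while the `[updater]` uRun entry and the `203.0.113.9` NameServer are made up so that the checks have something to flag (neither appears in the real logs on this page). The checks are generic responder heuristics rather than a verdict on this machine: a `TB:` entry whose DLL is missing ("No File") is a stale registration, an autostart launched from a temp folder is a classic persistence spot, and a DNS server outside the RFC 1918 ranges is worth a look when the symptom is search redirects.

```python
"""Triage helper for the autostart section of a DDS log.

Hypothetical helper written for this thread; it is not part of DDS,
ComboFix or any BleepingComputer tooling. It parses lines shaped like
the "Pseudo HJT Report" above and flags what a responder checks first:
an orphaned toolbar CLSID, an autostart launched from a temp folder,
and a DNS server that is not on the local network (search redirects
are often DNS hijacks, so the NameServer lines deserve a look).
"""
import ipaddress
import re

# Constructed sample: most lines are copied from the DDS report in the
# first post; the "[updater]" uRun entry and the 203.0.113.9 NameServer
# are made up so that the checks have something to flag. Neither
# appears in the real logs on this page. DDS prints URLs with the
# defanged "hxxp" scheme; that is normal and is not flagged.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com.au/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
uRun: [updater] c:\users\vasm\appdata\local\temp\svchost.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: DhcpNameServer = 192.168.1.5
TCP: Interfaces\{005B49CA-3BC8-42D9-8451-C3E37FA7A4B3} : NameServer = 203.0.113.9
"""

# "TB: {CLSID} - No File": a toolbar registration whose DLL is gone.
TB_NOFILE_RE = re.compile(r"^TB: (?P<clsid>\{[0-9A-Fa-f-]+\}) - No File$")
# "uRun:"/"mRun:" (user / machine Run key) entries: [name] command line.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Any "...NameServer = a.b.c.d[, e.f.g.h]" line (DhcpNameServer too).
NS_RE = re.compile(r"NameServer = (?P<ips>[\d., ]+)$")

# RFC 1918 ranges plus loopback: where a home/office resolver should sit.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def run_target(cmd):
    """Return the executable path from a Run command line.

    Quoted paths may contain spaces; unquoted ones end at the first
    space (that is how DDS prints them, e.g. igfxtray.exe above).
    """
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def is_lan(ip):
    """True when the address lies in a private or loopback range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def triage(report):
    """Return a list of findings as tuples, in log order."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        m = TB_NOFILE_RE.match(line)
        if m:
            findings.append(("orphaned-toolbar", m.group("clsid")))
            continue
        m = RUN_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            # Legitimate autostarts live under Program Files or System32;
            # a temp folder is a classic place for a dropper to persist.
            if "\\temp\\" in target.lower():
                findings.append(("autostart-from-temp", m.group("name"), target))
            continue
        m = NS_RE.search(line)
        if m:
            for ip in re.split(r"[ ,]+", m.group("ips").strip()):
                if ip and not is_lan(ip):
                    findings.append(("dns-not-on-lan", ip))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(*finding)
```

Run against the constructed sample it reports the orphaned toolbar CLSID, the temp-folder autostart and the off-LAN resolver, and nothing else; against the real report above it would only report the `TB: ... - No File` line, which is why the helpers' first instruction here is a deeper tool (ComboFix) rather than a judgement from the DDS output alone. The regexes are deliberately narrow (one line shape each), so unfamiliar DDS line types are ignored rather than misparsed.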





#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:18 AM

Posted 19 November 2011 - 12:47 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 VasM

VasM
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:18 AM

Posted 20 November 2011 - 09:37 PM

Hi,

Here's the ComboFix log:

ComboFix 11-11-20.02 - Jim Milligan 21/11/2011 12:27:07.2.2 - x86
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.61.1033.18.3037.1618 [GMT 11:00]
Running from: c:\temp\Antivirus files\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\gotomon.log . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
.
2011-11-21 02:04 . 2011-11-21 02:04 -------- d-----w- c:\users\vasm\AppData\Local\temp
2011-11-21 02:04 . 2011-11-21 02:04 -------- d-----w- c:\users\vasm.LOOKNET\AppData\Local\temp
2011-11-21 02:04 . 2011-11-21 02:04 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-11-21 02:04 . 2011-11-21 02:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-21 02:04 . 2011-11-21 02:04 -------- d-----w- c:\users\Charles Munforte\AppData\Local\temp
2011-11-21 02:04 . 2011-11-21 02:04 -------- d-----w- c:\users\Brendan Kay\AppData\Local\temp
2011-11-20 15:13 . 2011-11-20 15:13 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBB8772-E0F2-4415-88FF-B993C4D1577B}\MpKsl28f03f24.sys
2011-11-20 15:12 . 2011-11-21 02:12 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBB8772-E0F2-4415-88FF-B993C4D1577B}\offreg.dll
2011-11-20 15:12 . 2011-10-06 09:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBB8772-E0F2-4415-88FF-B993C4D1577B}\mpengine.dll
2011-11-18 05:58 . 2011-11-18 06:00 -------- d-----w- c:\users\vasm.LOOKNET\AppData\Roaming\Skype
2011-11-18 05:58 . 2011-11-18 05:58 -------- d-----r- c:\program files\Skype
2011-11-18 04:50 . 2011-11-18 04:50 -------- d-----w- c:\windows\system32\SPReview
2011-11-18 04:38 . 2011-11-18 04:38 -------- d-----w- c:\users\vasm.LOOKNET\AppData\Local\ElevatedDiagnostics
2011-11-15 05:05 . 2011-11-15 05:05 -------- d-----w- c:\program files\ESET
2011-11-15 03:28 . 2011-11-21 02:15 -------- d-----w- c:\users\Jim Milligan\AppData\Local\temp
2011-11-15 02:54 . 2011-10-06 09:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-15 01:59 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-14 23:27 . 2011-11-14 23:27 -------- d-----w- c:\users\Jim Milligan\AppData\Roaming\Malwarebytes
2011-11-14 23:27 . 2011-11-14 23:27 -------- d-----w- c:\programdata\Malwarebytes
2011-11-14 23:27 . 2011-11-14 23:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-13 23:16 . 2011-09-29 04:20 2339840 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 23:16 . 2011-10-01 04:43 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 23:16 . 2011-09-29 15:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 23:05 . 2011-11-13 23:04 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-11-13 23:05 . 2011-11-13 23:04 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7D926F4-163E-4714-BE71-24489CE3AE6E}\gapaengine.dll
2011-11-13 23:04 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-13 22:57 . 2011-11-13 22:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-13 22:57 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-11-13 22:37 . 2011-11-13 22:37 -------- d-----w- c:\users\vasm\AppData\Roaming\Apple Computer
2011-11-13 22:36 . 2011-11-13 22:36 -------- d-----r- c:\users\vasm\Virtual Machines
2011-11-10 07:38 . 2011-11-10 07:38 -------- d--h--w- c:\windows\Sun
2011-10-25 06:02 . 2011-11-13 22:16 -------- d-----w- c:\program files\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-27 04:43 . 2011-10-12 08:20 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:43 . 2011-10-12 08:20 233472 ----a-w- c:\windows\system32\oleacc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-15 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-15 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-15 170520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-09-13 04:23 13672 ----a-w- c:\program files\Citrix\GoToAssist\759\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
.
[HKLM\~\startupfolder\C:^Users^Jim Milligan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\Jim Milligan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-17 06:04 133104 ----atw- c:\users\Jim Milligan\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
2008-09-30 05:04 258856 ----a-w- c:\program files\Citrix\GoToMyPC\g2svc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 01:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-10-15 11:36 171032 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 04:52 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-10-15 11:36 137752 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-17 09:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaCie Backup]
2006-07-05 23:30 2596864 ----a-w- c:\program files\LaCie\Backup Software\LacieBackup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-09 15:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-10-15 11:36 170520 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 06:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
R1 MpKsl0e8d288d;MpKsl0e8d288d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0608F85E-27D9-4F05-9FB9-6D065C1266BA}\MpKsl0e8d288d.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-14 1343400]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]
S1 MpKsl28f03f24;MpKsl28f03f24;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBB8772-E0F2-4415-88FF-B993C4D1577B}\MpKsl28f03f24.sys [2011-11-20 28752]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-03-14 127488]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - eeCtrl
*Deregistered* - SymEvent
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1078145449-682003330-1114Core.job
- c:\users\Jim Milligan\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-17 06:04]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1078145449-682003330-1114UA.job
- c:\users\Jim Milligan\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-17 06:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.5
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2011-11-21 13:30:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-21 02:30
.
Pre-Run: 65,087,528,960 bytes free
Post-Run: 65,372,876,800 bytes free
.
- - End Of File - - 9DAA85BE3CA19D1CDAC023E105467EE9

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 November 2011 - 09:55 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 VasM

  • Topic Starter
  • Members
  • 6 posts

Posted 20 November 2011 - 10:05 PM
Posted 20 November 2011 - 10:05 PM

Hi Gringo,

No luck running TDSSKiller. I could see it start via the Task Manager process list, but it would be gone after a few seconds. I renamed the file and ran that and got the same result. I re-booted in Safe Mode (no networking) and re-ran it, but other than it lasting a few seconds more in the task list it didn't run... I'm assuming there may be something on the machine (malicious) that is killing the process.

Thanks

Vas

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 November 2011 - 10:43 PM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report.

Gringo

#7 VasM

  • Topic Starter
  • Members
  • 6 posts

Posted 20 November 2011 - 11:16 PM
Posted 20 November 2011 - 11:16 PM

Hi Gringo,

It looks like fixTDSS did the trick: it ran, found an issue and then allowed for repair:

** infected MBR detected
repair succeeded

And here are the TDSSKiller results:

15:12:20.0547 3268 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
15:12:21.0842 3268 ============================================================
15:12:21.0842 3268 Current date / time: 2011/11/21 15:12:21.0842
15:12:21.0842 3268 SystemInfo:
15:12:21.0842 3268
15:12:21.0842 3268 OS Version: 6.1.7600 ServicePack: 0.0
15:12:21.0842 3268 Product type: Workstation
15:12:21.0842 3268 ComputerName: JIM
15:12:21.0842 3268 UserName: Jim Milligan
15:12:21.0842 3268 Windows directory: C:\Windows
15:12:21.0842 3268 System windows directory: C:\Windows
15:12:21.0842 3268 Processor architecture: Intel x86
15:12:21.0842 3268 Number of processors: 2
15:12:21.0842 3268 Page size: 0x1000
15:12:21.0842 3268 Boot type: Normal boot
15:12:21.0842 3268 ============================================================
15:12:33.0074 3268 Initialize success
15:12:46.0880 1000 ============================================================
15:12:46.0880 1000 Scan started
15:12:46.0880 1000 Mode: Manual;
15:12:46.0880 1000 ============================================================
15:12:51.0388 1000 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
15:12:51.0404 1000 1394ohci - ok
15:12:51.0575 1000 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
15:12:51.0591 1000 ACPI - ok
15:12:51.0731 1000 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
15:12:51.0762 1000 AcpiPmi - ok
15:12:51.0872 1000 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
15:12:51.0887 1000 adp94xx - ok
15:12:51.0950 1000 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
15:12:51.0965 1000 adpahci - ok
15:12:51.0996 1000 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
15:12:52.0012 1000 adpu320 - ok
15:12:52.0121 1000 AFD (0db7a48388d54d154ebec120461a0fcd) C:\Windows\system32\drivers\afd.sys
15:12:52.0137 1000 AFD - ok
15:12:52.0199 1000 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
15:12:52.0199 1000 agp440 - ok
15:12:52.0324 1000 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
15:12:52.0324 1000 aic78xx - ok
15:12:52.0464 1000 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
15:12:52.0464 1000 aliide - ok
15:12:52.0527 1000 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
15:12:52.0527 1000 amdagp - ok
15:12:52.0558 1000 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
15:12:52.0558 1000 amdide - ok
15:12:52.0620 1000 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
15:12:52.0620 1000 AmdK8 - ok
15:12:52.0823 1000 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
15:12:52.0823 1000 AmdPPM - ok
15:12:52.0854 1000 amdsata (19ce906b4cdc11fc4fef5745f33a63b6) C:\Windows\system32\drivers\amdsata.sys
15:12:52.0854 1000 amdsata - ok
15:12:52.0948 1000 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
15:12:52.0979 1000 amdsbs - ok
15:12:53.0010 1000 amdxata (869e67d66be326a5a9159fba8746fa70) C:\Windows\system32\drivers\amdxata.sys
15:12:53.0010 1000 amdxata - ok
15:12:53.0120 1000 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
15:12:53.0135 1000 AppID - ok
15:12:53.0338 1000 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
15:12:53.0354 1000 arc - ok
15:12:53.0385 1000 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
15:12:53.0400 1000 arcsas - ok
15:12:53.0525 1000 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
15:12:53.0541 1000 AsyncMac - ok
15:12:53.0588 1000 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
15:12:53.0588 1000 atapi - ok
15:12:53.0681 1000 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
15:12:53.0697 1000 b06bdrv - ok
15:12:53.0744 1000 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
15:12:53.0744 1000 b57nd60x - ok
15:12:53.0822 1000 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
15:12:53.0822 1000 Beep - ok
15:12:53.0946 1000 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
15:12:53.0946 1000 blbdrive - ok
15:12:54.0009 1000 bowser (9a5c671b7fbae4865149bb11f59b91b2) C:\Windows\system32\DRIVERS\bowser.sys
15:12:54.0024 1000 bowser - ok
15:12:54.0040 1000 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
15:12:54.0040 1000 BrFiltLo - ok
15:12:54.0056 1000 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
15:12:54.0071 1000 BrFiltUp - ok
15:12:54.0102 1000 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
15:12:54.0102 1000 Brserid - ok
15:12:54.0118 1000 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
15:12:54.0134 1000 BrSerWdm - ok
15:12:54.0212 1000 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
15:12:54.0227 1000 BrUsbMdm - ok
15:12:54.0274 1000 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
15:12:54.0290 1000 BrUsbSer - ok
15:12:54.0336 1000 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
15:12:54.0336 1000 BTHMODEM - ok
15:12:54.0820 1000 catchme - ok
15:12:54.0992 1000 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
15:12:54.0992 1000 cdfs - ok
15:12:55.0054 1000 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
15:12:55.0054 1000 cdrom - ok
15:12:55.0163 1000 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
15:12:55.0179 1000 circlass - ok
15:12:55.0226 1000 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
15:12:55.0226 1000 CLFS - ok
15:12:55.0272 1000 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
15:12:55.0288 1000 CmBatt - ok
15:12:55.0319 1000 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
15:12:55.0319 1000 cmdide - ok
15:12:55.0428 1000 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
15:12:55.0444 1000 CNG - ok
15:12:55.0475 1000 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
15:12:55.0491 1000 Compbatt - ok
15:12:55.0538 1000 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
15:12:55.0538 1000 CompositeBus - ok
15:12:55.0584 1000 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
15:12:55.0584 1000 crcdisk - ok
15:12:55.0647 1000 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
15:12:55.0647 1000 CSC - ok
15:12:55.0694 1000 DfsC (83d1ecea8faae75604c0fa49ac7ad996) C:\Windows\system32\Drivers\dfsc.sys
15:12:55.0709 1000 DfsC - ok
15:12:55.0740 1000 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
15:12:55.0740 1000 discache - ok
15:12:55.0818 1000 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
15:12:55.0818 1000 Disk - ok
15:12:55.0896 1000 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
15:12:55.0912 1000 drmkaud - ok
15:12:55.0974 1000 DXGKrnl (1679a4669326cb1a67cc95658d273234) C:\Windows\System32\drivers\dxgkrnl.sys
15:12:55.0974 1000 DXGKrnl - ok
15:12:56.0364 1000 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
15:12:56.0442 1000 ebdrv - ok
15:12:56.0552 1000 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
15:12:56.0567 1000 elxstor - ok
15:12:56.0598 1000 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
15:12:56.0598 1000 ErrDev - ok
15:12:56.0676 1000 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
15:12:56.0708 1000 exfat - ok
15:12:56.0770 1000 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
15:12:56.0786 1000 fastfat - ok
15:12:56.0864 1000 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
15:12:56.0864 1000 fdc - ok
15:12:56.0910 1000 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
15:12:56.0910 1000 FileInfo - ok
15:12:56.0942 1000 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
15:12:56.0942 1000 Filetrace - ok
15:12:56.0957 1000 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
15:12:56.0957 1000 flpydisk - ok
15:12:57.0004 1000 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
15:12:57.0004 1000 FltMgr - ok
15:12:57.0051 1000 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
15:12:57.0051 1000 FsDepends - ok
15:12:57.0160 1000 fssfltr (d909075fa72c090f27aa926c32cb4612) C:\Windows\system32\DRIVERS\fssfltr.sys
15:12:57.0176 1000 fssfltr - ok
15:12:57.0207 1000 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
15:12:57.0207 1000 Fs_Rec - ok
15:12:57.0300 1000 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
15:12:57.0300 1000 fvevol - ok
15:12:57.0378 1000 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
15:12:57.0394 1000 gagp30kx - ok
15:12:57.0410 1000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
15:12:57.0410 1000 GEARAspiWDM - ok
15:12:57.0503 1000 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
15:12:57.0503 1000 hcw85cir - ok
15:12:57.0550 1000 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
15:12:57.0566 1000 HdAudAddService - ok
15:12:57.0612 1000 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
15:12:57.0628 1000 HDAudBus - ok
15:12:57.0675 1000 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
15:12:57.0690 1000 HidBatt - ok
15:12:57.0753 1000 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
15:12:57.0768 1000 HidBth - ok
15:12:57.0815 1000 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
15:12:57.0831 1000 HidIr - ok
15:12:57.0956 1000 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
15:12:57.0956 1000 HidUsb - ok
15:12:57.0987 1000 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
15:12:57.0987 1000 HpSAMD - ok
15:12:58.0065 1000 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
15:12:58.0080 1000 HTTP - ok
15:12:58.0112 1000 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
15:12:58.0112 1000 hwpolicy - ok
15:12:58.0174 1000 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
15:12:58.0190 1000 i8042prt - ok
15:12:58.0299 1000 iaStorV (71f1a494fedf4b33c02c4a6a28d6d9e9) C:\Windows\system32\drivers\iaStorV.sys
15:12:58.0314 1000 iaStorV - ok
15:13:00.0077 1000 igfx (88740882a8fa53fce0532f1cf33548ab) C:\Windows\system32\DRIVERS\igdkmd32.sys
15:13:00.0233 1000 igfx - ok
15:13:00.0327 1000 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
15:13:00.0327 1000 iirsp - ok
15:13:00.0452 1000 IntcHdmiAddService (81486f0eb4238b65c317f97de246c4ac) C:\Windows\system32\drivers\IntcHdmi.sys
15:13:00.0467 1000 IntcHdmiAddService - ok
15:13:00.0530 1000 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
15:13:00.0530 1000 intelide - ok
15:13:00.0576 1000 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
15:13:00.0576 1000 intelppm - ok
15:13:00.0670 1000 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
15:13:00.0686 1000 IpFilterDriver - ok
15:13:00.0795 1000 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
15:13:00.0795 1000 IPMIDRV - ok
15:13:01.0013 1000 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
15:13:01.0029 1000 IPNAT - ok
15:13:01.0310 1000 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
15:13:01.0325 1000 IRENUM - ok
15:13:01.0434 1000 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
15:13:01.0450 1000 isapnp - ok
15:13:01.0793 1000 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
15:13:01.0809 1000 iScsiPrt - ok
15:13:01.0902 1000 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
15:13:01.0902 1000 kbdclass - ok
15:13:01.0965 1000 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
15:13:01.0965 1000 kbdhid - ok
15:13:02.0012 1000 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
15:13:02.0012 1000 KSecDD - ok
15:13:02.0074 1000 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
15:13:02.0090 1000 KSecPkg - ok
15:13:02.0199 1000 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
15:13:02.0214 1000 lltdio - ok
15:13:02.0308 1000 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
15:13:02.0324 1000 LSI_FC - ok
15:13:02.0355 1000 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
15:13:02.0355 1000 LSI_SAS - ok
15:13:02.0448 1000 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
15:13:02.0464 1000 LSI_SAS2 - ok
15:13:02.0526 1000 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
15:13:02.0526 1000 LSI_SCSI - ok
15:13:02.0636 1000 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
15:13:02.0651 1000 luafv - ok
15:13:02.0698 1000 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
15:13:02.0698 1000 megasas - ok
15:13:02.0760 1000 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
15:13:02.0776 1000 MegaSR - ok
15:13:02.0823 1000 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
15:13:02.0823 1000 Modem - ok
15:13:02.0854 1000 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
15:13:02.0854 1000 monitor - ok
15:13:02.0885 1000 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
15:13:02.0885 1000 mouclass - ok
15:13:02.0979 1000 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
15:13:02.0979 1000 mouhid - ok
15:13:03.0026 1000 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
15:13:03.0026 1000 mountmgr - ok
15:13:03.0072 1000 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\Windows\system32\DRIVERS\MpFilter.sys
15:13:03.0088 1000 MpFilter - ok
15:13:03.0119 1000 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
15:13:03.0119 1000 mpio - ok
15:13:03.0291 1000 MpKsl0e8d288d - ok
15:13:03.0431 1000 MpKslcbffda5a (5f53edfead46fa7adb78eee9ecce8fdf) C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{030D6F2E-ACF8-4E55-999F-EE30ECFCFE80}\MpKslcbffda5a.sys
15:13:03.0478 1000 MpKslcbffda5a - ok
15:13:03.0759 1000 MpNWMon (2c3489660d4a8d514c123c3f0d67df46) C:\Windows\system32\DRIVERS\MpNWMon.sys
15:13:03.0774 1000 MpNWMon - ok
15:13:03.0821 1000 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
15:13:03.0837 1000 mpsdrv - ok
15:13:03.0868 1000 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
15:13:03.0884 1000 MRxDAV - ok
15:13:03.0962 1000 mrxsmb (ca7570e42522e24324a12161db14ec02) C:\Windows\system32\DRIVERS\mrxsmb.sys
15:13:03.0977 1000 mrxsmb - ok
15:13:04.0040 1000 mrxsmb10 (f965c3ab2b2ae5c378f4562486e35051) C:\Windows\system32\DRIVERS\mrxsmb10.sys
15:13:04.0055 1000 mrxsmb10 - ok
15:13:04.0118 1000 mrxsmb20 (25c38264a3c72594dd21d355d70d7a5d) C:\Windows\system32\DRIVERS\mrxsmb20.sys
15:13:04.0118 1000 mrxsmb20 - ok
15:13:04.0164 1000 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
15:13:04.0164 1000 msahci - ok
15:13:04.0196 1000 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
15:13:04.0196 1000 msdsm - ok
15:13:04.0258 1000 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
15:13:04.0258 1000 Msfs - ok
15:13:04.0305 1000 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
15:13:04.0305 1000 mshidkmdf - ok
15:13:04.0336 1000 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
15:13:04.0336 1000 msisadrv - ok
15:13:04.0383 1000 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
15:13:04.0383 1000 MSKSSRV - ok
15:13:04.0461 1000 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
15:13:04.0476 1000 MSPCLOCK - ok
15:13:04.0492 1000 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
15:13:04.0492 1000 MSPQM - ok
15:13:04.0508 1000 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
15:13:04.0523 1000 MsRPC - ok
15:13:04.0554 1000 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
15:13:04.0554 1000 mssmbios - ok
15:13:04.0586 1000 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
15:13:04.0586 1000 MSTEE - ok
15:13:04.0632 1000 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
15:13:04.0632 1000 MTConfig - ok
15:13:04.0664 1000 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
15:13:04.0664 1000 Mup - ok
15:13:04.0710 1000 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
15:13:04.0710 1000 NativeWifiP - ok
15:13:04.0866 1000 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
15:13:04.0882 1000 NDIS - ok
15:13:04.0913 1000 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
15:13:04.0913 1000 NdisCap - ok
15:13:04.0991 1000 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
15:13:04.0991 1000 NdisTapi - ok
15:13:05.0038 1000 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
15:13:05.0054 1000 Ndisuio - ok
15:13:05.0100 1000 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
15:13:05.0100 1000 NdisWan - ok
15:13:05.0132 1000 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
15:13:05.0132 1000 NDProxy - ok
15:13:05.0241 1000 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
15:13:05.0241 1000 NetBIOS - ok
15:13:05.0288 1000 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
15:13:05.0303 1000 NetBT - ok
15:13:05.0444 1000 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
15:13:05.0444 1000 nfrd960 - ok
15:13:05.0475 1000 NisDrv (7b01c6172cfd0b10116175e09200d4b4) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
15:13:05.0475 1000 NisDrv - ok
15:13:05.0537 1000 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
15:13:05.0537 1000 Npfs - ok
15:13:05.0600 1000 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
15:13:05.0600 1000 nsiproxy - ok
15:13:05.0646 1000 Ntfs (187002ce05693c306f43c873f821381f) C:\Windows\system32\drivers\Ntfs.sys
15:13:05.0678 1000 Ntfs - ok
15:13:05.0771 1000 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
15:13:05.0787 1000 Null - ok
15:13:05.0849 1000 nvraid (f1b0bed906f97e16f6d0c3629d2f21c6) C:\Windows\system32\drivers\nvraid.sys
15:13:05.0865 1000 nvraid - ok
15:13:05.0896 1000 nvstor (4520b63899e867f354ee012d34e11536) C:\Windows\system32\drivers\nvstor.sys
15:13:05.0896 1000 nvstor - ok
15:13:05.0927 1000 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
15:13:05.0943 1000 nv_agp - ok
15:13:05.0974 1000 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
15:13:05.0974 1000 ohci1394 - ok
15:13:06.0036 1000 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
15:13:06.0036 1000 Parport - ok
15:13:06.0083 1000 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
15:13:06.0083 1000 partmgr - ok
15:13:06.0114 1000 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
15:13:06.0114 1000 Parvdm - ok
15:13:06.0161 1000 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
15:13:06.0161 1000 pci - ok
15:13:06.0192 1000 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
15:13:06.0192 1000 pciide - ok
15:13:06.0224 1000 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
15:13:06.0224 1000 pcmcia - ok
15:13:06.0286 1000 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
15:13:06.0286 1000 pcw - ok
15:13:06.0333 1000 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
15:13:06.0364 1000 PEAUTH - ok
15:13:06.0504 1000 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
15:13:06.0504 1000 PptpMiniport - ok
15:13:06.0567 1000 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
15:13:06.0582 1000 Processor - ok
15:13:06.0660 1000 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
15:13:06.0660 1000 Psched - ok
15:13:06.0692 1000 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
15:13:06.0692 1000 PxHelp20 - ok
15:13:06.0801 1000 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
15:13:06.0832 1000 ql2300 - ok
15:13:06.0863 1000 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
15:13:06.0879 1000 ql40xx - ok
15:13:06.0941 1000 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
15:13:06.0957 1000 QWAVEdrv - ok
15:13:06.0988 1000 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
15:13:12.0136 1000 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
15:13:12.0152 1000 \Device\Harddisk0\DR0 - ok
15:13:12.0167 1000 Boot (0x1200) (34832009c020a1fa77773451f44beb5a) \Device\Harddisk0\DR0\Partition0
15:13:12.0183 1000 \Device\Harddisk0\DR0\Partition0 - ok
15:13:12.0183 1000 Boot (0x1200) (948eade6fdd378432ff32dbae2e4da2b) \Device\Harddisk0\DR0\Partition1
15:13:12.0198 1000 \Device\Harddisk0\DR0\Partition1 - ok
15:13:12.0198 1000 ============================================================
15:13:12.0198 1000 Scan finished
15:13:12.0198 1000 ============================================================
15:13:12.0198 1392 Detected object count: 0
15:13:12.0198 1392 Actual detected object count: 0
15:15:28.0948 3164 Deinitialize success

#8 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 20 November 2011 - 11:23 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
5. click on the following programs

Adobe Reader 9.4.6

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

:Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 VasM (Topic Starter)

Posted 21 November 2011 - 12:02 AM

Hi Gringo,

So far everything is working well, including Skype, which previously crashed every time you tried to log on.

Malwarebytes log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8205

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

21/11/2011 3:44:06 PM
mbam-log-2011-11-21 (15-44-06).txt

Scan type: Quick scan
Objects scanned: 240422
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:59:32 PM, on 21/11/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\taskmgr.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = looknet.looksoftware.com
O17 - HKLM\Software\..\Telephony: DomainName = looknet.looksoftware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = looknet.looksoftware.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = looknet.looksoftware.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\759\G2AWinLogon.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\759\g2aservice.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Presentation Foundation Font Cache 4.0.0.0 (WPFFontCache_v0400) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 6042 bytes

#10 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 21 November 2011 - 12:12 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; any of these programs you can start from their icons (or from the control panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    • O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    • O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    • O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    • O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]

If you have any problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run it as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo

#11 VasM (Topic Starter)

Posted 21 November 2011 - 06:20 AM

Hi Gringo,

The Eset online scan didn't show any problems. There wasn't any obvious log file. I checked log.txt but it only had:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

I also cleared out the items you recommended via Hijackthis.

I'm guessing we are good to go.

I really appreciate your help.

Thank you very much.

Vas

#12 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 21 November 2011 - 07:42 AM

Very well done!! This is my general post for when your logs show no more signs of malware. Please let me know if you are still having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • Turn off all active protection software
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended) - Automatically download recommended updates for my computer and install them.

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:18 AM

Posted 24 November 2011 - 09:03 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.