
Infected with google redirect and popups


  • This topic is locked
17 replies to this topic

#1 SLN64T

SLN64T

  • Members
  • 9 posts

Posted 25 November 2011 - 06:41 PM

Hi all,

I recently had the Windows System Restore Virus, which I successfully removed using the Bleeping Computer uninstall guide found here: http://www.bleepingcomputer.com/virus-removal/remove-system-restore

However, google still redirects in Firefox and Chrome, as well as Internet Explorer randomly opening with ad sites and popups. I have attempted to remove using Malwarebytes Anti-Malware, Microsoft Security Essentials and Avira, none of which report a detection, so I'm sort of at a loss as to how to proceed. Below I have pasted DDS.txt, but unfortunately I'm running 64-bit Windows and consequently cannot create a GMER log.

Please let me know if there is any other information I can provide. Thanks in advance, I'm incredibly appreciative.



DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_21
Run by Timothy at 10:30:38 on 2011-11-26
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.4094.2106 [GMT 11:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SysWOW64\brsvc01a.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\SysWOW64\brss01a.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\splwow64.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.youtube.com/results?uploaded=d&search_query=modern+warfare+2&search_type=videos&suggested_categories=20%2C43&uni=3
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Facebook Update] "C:\Users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8664CF2C-3E06-45DB-9413-78228635B333} : DhcpNameServer = 192.168.0.1
Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Timothy\AppData\Roaming\Mozilla\Firefox\Profiles\62ahtnii.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.3.2427702\npmathplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: C:\Users\Timothy\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-21 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-10-21 110032]
R2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2009-12-21 68136]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-8-4 2329480]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-16 136176]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-11-7 366152]
S3 Dnetr7364;D-Link USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\Dnetr7364.sys --> C:\Windows\system32\DRIVERS\Dnetr7364.sys [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-4-15 1431888]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-16 136176]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;C:\Windows\System32\drivers\Maypro.sys [2009-12-30 12160]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-11-25 23:10:10 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C5EB1AD0-A242-4614-8176-80C55E4F4F52}\offreg.dll
2011-11-25 06:26:12 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C5EB1AD0-A242-4614-8176-80C55E4F4F52}\mpengine.dll
2011-11-15 01:31:37 -------- d-----w- C:\Users\Timothy\AppData\Local\Skyrim
2011-11-15 01:25:26 519000 ----a-w- C:\Windows\System32\d3dx10_40.dll
2011-11-15 01:25:26 452440 ----a-w- C:\Windows\SysWow64\d3dx10_40.dll
2011-11-15 01:25:26 2605920 ----a-w- C:\Windows\System32\D3DCompiler_40.dll
2011-11-15 01:25:26 2036576 ----a-w- C:\Windows\SysWow64\D3DCompiler_40.dll
2011-11-15 01:25:23 5631312 ----a-w- C:\Windows\System32\D3DX9_40.dll
2011-11-15 01:25:23 4379984 ----a-w- C:\Windows\SysWow64\D3DX9_40.dll
2011-11-15 01:17:45 -------- d-----w- C:\Program Files (x86)\The Elder Scrolls V Skyrim
2011-11-14 01:29:58 633816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2011-11-14 01:29:58 555992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2011-11-14 01:29:58 486360 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2011-11-14 01:29:58 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2011-11-13 06:10:47 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-13 06:10:46 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-13 06:10:44 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-13 06:10:33 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-09 04:58:01 -------- d--h--w- C:\LG3G
2011-11-07 07:32:12 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-07 07:31:41 388096 ----a-r- C:\Users\Timothy\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-07 04:08:15 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C86BF29F-0574-4DA9-B777-835428AE0D4C}\gapaengine.dll
2011-11-07 04:06:05 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-11-07 04:05:53 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-11-07 01:05:02 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-06 22:52:14 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-11-04 21:52:58 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2DB242FA-1F51-4EBB-81AA-69A5FFE0FF08}\mpengine.dll
2011-10-29 23:32:08 -------- d-----w- C:\Program Files (x86)\Design Science
2011-10-29 23:31:57 -------- d-----w- C:\Windows\SysWow64\Adobe
2011-10-29 23:31:36 69632 ----a-w- C:\pp.dat
2011-10-29 23:31:36 152848 ----a-w- C:\comdlg32.ocx
2011-10-29 23:31:36 1482752 ----a-w- C:\OC40.exe
2011-10-29 23:31:36 10240 ----a-w- C:\Interop.AcroPDFLib.dll
2011-10-29 23:31:35 9216 ----a-w- C:\AxInterop.AcroPDFLib.dll
2011-10-29 23:25:35 -------- d-----w- C:\Program Files (x86)\Code Visual to Flowchart
2011-10-29 23:07:37 -------- d-----w- C:\Program Files (x86)\Visustin
2011-10-29 23:07:29 253648 ------w- C:\Windows\Setup1.exe
2011-10-29 23:07:25 77016 ----a-w- C:\Windows\ST6UNST.EXE
.
==================== Find3M ====================
.
2011-11-25 23:10:38 25640 ----a-w- C:\Windows\gdrv.sys
2011-11-14 21:21:15 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-24 03:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-10-24 03:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-10-11 04:00:32 27760 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2011-10-11 04:00:31 97312 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-09-25 00:56:36 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-30 12:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-30 12:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-30 12:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-30 12:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
.
============= FINISH: 10:38:02.91 ===============
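As an added triage example (not from the thread or any BleepingComputer tool), a Python parser for the DDS `mPolicies-system:` and service lines that also handles ComboFix's `[x]` (file not found) service form. It flags UAC policies set away from the Windows 7 defaults and running services whose driver file is missing, with a heuristic for the random-looking names; the sample lines are constructed from the logs pasted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS (mPolicies / SERVICES) and ComboFix (Reg Loading
# Points) line formats, copied from the logs pasted in this thread.
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R1 ewflyreu;ewflyreu;c:\windows\system32\drivers\ewflyreu.sys [x]
R1 fxklfozq;fxklfozq;c:\windows\system32\drivers\fxklfozq.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
"""

# UAC values under HKLM\...\Policies\System that DDS reports as "mPolicies-system:";
# the number on the right is the Windows 7 default.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 = UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = admins elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 = elevation prompt not on secure desktop
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
# "R1 name;display;path [status]" with an optional " --> path" (DDS x64 form).
SERVICE_RE = re.compile(
    r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)(?:\s+-->\s+(\S.*?))?\s+\[([^\]]*)\]\s*$"
)
# Heuristic for names like "ewflyreu": one short lowercase run, no digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,10}$")


@dataclass
class Service:
    start: str    # R = running, S = stopped (DDS / ComboFix convention)
    name: str
    display: str
    path: str
    status: str   # "x" = file not found (ComboFix), "?" = DDS could not verify


@dataclass
class Triage:
    uac_findings: list = field(default_factory=list)   # (key, value, default)
    missing_file: list = field(default_factory=list)   # service names
    suspicious: list = field(default_factory=list)     # missing AND random-looking


def parse_service(line):
    """Return a Service for a DDS/ComboFix service line, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, _, name, display, path, _, status = m.groups()
    return Service(start, name, display, path, status)


def triage(log_text):
    t = Triage()
    for line in log_text.splitlines():
        pm = POLICY_RE.match(line)
        if pm:
            key, val = pm.group(1), int(pm.group(2))
            if key in UAC_DEFAULTS and val != UAC_DEFAULTS[key]:
                t.uac_findings.append((key, val, UAC_DEFAULTS[key]))
            continue
        svc = parse_service(line)
        # "[?]" only means DDS could not read the file on x64; "[x]" is a real gap.
        if svc is None or svc.status != "x":
            continue
        t.missing_file.append(svc.name)
        # A missing file alone is weak evidence (MBAMProtector below is legitimate);
        # combine it with the name heuristic before calling anything suspicious.
        if svc.name == svc.display and RANDOM_NAME_RE.match(svc.name):
            t.suspicious.append(svc.name)
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, val, default in result.uac_findings:
        print(f"UAC: {key} = {val} (default {default})")
    print("services with missing file:", result.missing_file)
    print("suspicious (missing + random-looking name):", result.suspicious)
```

Run against the thread's own DDS/ComboFix output the script reports UAC fully disabled and two driver entries with randomised names and no file on disk, while the missing Malwarebytes driver is listed but not flagged.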


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 27 November 2011 - 11:19 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 SLN64T

SLN64T
  • Topic Starter

  • Members
  • 9 posts

Posted 28 November 2011 - 06:35 AM

Hi Gringo,

Thanks very much for the reply, much appreciated. I have run Combofix as instructed, but unfortunately the problems still persist. The redirect did appear to be eliminated immediately after I ran the program, however some popups still appeared. But following a restart all the symptoms have reappeared in full. The Combofix log is pasted below.

Thanks very much for your time.

Combofix log file

ComboFix 11-11-27.02 - Timothy 28/11/2011 16:41:48.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.4094.2433 [GMT 11:00]
Running from: c:\users\Timothy\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\users\Timothy\AppData\Roaming\vso_ts_preview.xml
c:\windows\SysWow64\win.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2050-03-17 12:05 . 2011-05-16 13:30 -------- d-----w- c:\programdata\FLEXnet
2011-11-28 07:11 . 2011-11-28 07:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-27 22:24 . 2011-11-27 22:24 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{89338A0F-498C-4CDD-9CFA-162F2B5B1D64}\offreg.dll
2011-11-27 06:17 . 2011-10-06 10:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{89338A0F-498C-4CDD-9CFA-162F2B5B1D64}\mpengine.dll
2011-11-18 06:17 . 2011-11-18 06:20 -------- d-----w- c:\users\Friday Night Lights Season 4
2011-11-15 01:31 . 2011-11-15 01:31 -------- d-----w- c:\users\Timothy\AppData\Local\Skyrim
2011-11-15 01:25 . 2008-10-14 19:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2011-11-15 01:17 . 2011-11-16 07:15 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2011-11-14 08:44 . 2011-11-14 23:14 -------- d-----w- c:\users\rzr-skrm
2011-11-14 01:29 . 2011-11-27 00:59 486360 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2011-11-14 01:29 . 2011-11-27 00:59 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-11-14 01:29 . 2011-11-27 00:59 633816 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2011-11-14 01:29 . 2011-11-27 00:59 555992 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2011-11-13 07:37 . 2011-11-13 07:37 -------- d-----w- c:\windows\system32\Macromed
2011-11-13 06:10 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 06:10 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-13 06:10 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 06:10 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 04:58 . 2011-11-09 04:58 -------- d-----w- C:\LG3G
2011-11-07 07:32 . 2011-10-06 10:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-07 07:31 . 2011-11-07 07:31 388096 ----a-r- c:\users\Timothy\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-07 04:08 . 2011-11-07 04:08 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C86BF29F-0574-4DA9-B777-835428AE0D4C}\gapaengine.dll
2011-11-07 04:06 . 2011-11-07 04:06 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-11-07 04:05 . 2011-11-07 04:06 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-07 01:05 . 2011-11-07 01:05 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-06 22:52 . 2011-11-07 02:00 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-04 21:52 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2DB242FA-1F51-4EBB-81AA-69A5FFE0FF08}\mpengine.dll
2011-10-29 23:32 . 2011-10-29 23:32 -------- d-----w- c:\program files (x86)\Design Science
2011-10-29 23:31 . 2011-10-29 23:31 -------- d-----w- c:\windows\SysWow64\Adobe
2011-10-29 23:31 . 2009-01-15 22:44 1482752 ----a-w- C:\OC40.exe
2011-10-29 23:31 . 2008-10-04 21:09 152848 ----a-w- C:\comdlg32.ocx
2011-10-29 23:31 . 2008-09-28 10:26 69632 ----a-w- C:\pp.dat
2011-10-29 23:31 . 2007-05-10 13:26 10240 ----a-w- C:\Interop.AcroPDFLib.dll
2011-10-29 23:31 . 2001-01-07 11:27 4554 ----a-w- C:\Title.js
2011-10-29 23:31 . 2007-05-10 13:26 9216 ----a-w- C:\AxInterop.AcroPDFLib.dll
2011-10-29 23:25 . 2011-10-29 23:25 -------- d-----w- c:\program files (x86)\Code Visual to Flowchart
2011-10-29 23:07 . 2011-10-29 23:07 -------- d-----w- c:\program files (x86)\Visustin
2011-10-29 23:07 . 2011-10-29 23:07 253648 ------w- c:\windows\Setup1.exe
2011-10-29 23:07 . 2011-10-29 23:07 77016 ----a-w- c:\windows\ST6UNST.EXE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-27 22:25 . 2009-12-21 04:29 25640 ----a-w- c:\windows\gdrv.sys
2011-11-14 21:21 . 2011-05-19 22:56 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-24 03:29 . 2011-10-24 03:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 03:29 . 2011-10-24 03:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-10-18 03:19 . 2010-02-11 03:34 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-10-11 04:00 . 2011-10-21 02:28 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-11 04:00 . 2011-10-21 02:28 97312 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-11 04:00 . 2011-10-21 02:28 130760 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-25 00:56 . 2011-09-25 00:56 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-01 05:24 . 2011-10-14 00:00 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 05:17 . 2011-10-14 00:00 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 05:12 . 2011-10-14 00:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 02:35 . 2011-10-14 00:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-09-01 02:28 . 2011-10-14 00:00 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-09-01 02:22 . 2011-10-14 00:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-08-30 12:05 . 2011-08-30 12:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 12:05 . 2011-08-30 12:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 12:05 . 2011-08-30 12:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-30 12:05 . 2011-08-30 12:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-22 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-30 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-11 1523360]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
.
R1 ewflyreu;ewflyreu;c:\windows\system32\drivers\ewflyreu.sys [x]
R1 fxklfozq;fxklfozq;c:\windows\system32\drivers\fxklfozq.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-18 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 Dnetr7364;D-Link USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\Dnetr7364.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-04-15 1431888]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-18 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
R3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\Drivers\MayPro.sys [2007-08-12 25120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-11 86224]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-08-24 68136]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-04 2329480]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-391138697-2687591887-3929988086-1000Core.job
- c:\users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-22 07:26]
.
2011-11-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-391138697-2687591887-3929988086-1000UA.job
- c:\users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-22 07:26]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-15 06:27]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-15 06:27]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-18 8067616]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.youtube.com/results?uploaded=d&search_query=modern+warfare+2&search_type=videos&suggested_categories=20%2C43&uni=3
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Timothy\AppData\Roaming\Mozilla\Firefox\Profiles\62ahtnii.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-28 18:41:13
ComboFix-quarantined-files.txt 2011-11-28 07:41
.
Pre-Run: 196,497,928,192 bytes free
Post-Run: 197,214,986,240 bytes free
.
- - End Of File - - 46FECA6585F35CF0CAB906D9B867347A

#4 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2011 - 11:08 AM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 SLN64T

SLN64T
  • Topic Starter
  • Members
  • 9 posts

Posted 28 November 2011 - 03:57 PM

I ran the scan as requested, but no detection was found.

The log file is pasted below as requested.

Thanks again for your time, Gringo.

TDSSKiller.2.6.21.0_29.11.2011_07.53.34_log.txt


07:53:34.0898 4520 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
07:53:36.0021 4520 ============================================================
07:53:36.0021 4520 Current date / time: 2011/11/29 07:53:36.0021
07:53:36.0021 4520 SystemInfo:
07:53:36.0021 4520
07:53:36.0021 4520 OS Version: 6.1.7601 ServicePack: 1.0
07:53:36.0021 4520 Product type: Workstation
07:53:36.0021 4520 ComputerName: TIMOTHY-PC
07:53:36.0021 4520 UserName: Timothy
07:53:36.0021 4520 Windows directory: C:\Windows
07:53:36.0021 4520 System windows directory: C:\Windows
07:53:36.0021 4520 Running under WOW64
07:53:36.0021 4520 Processor architecture: Intel x64
07:53:36.0021 4520 Number of processors: 4
07:53:36.0021 4520 Page size: 0x1000
07:53:36.0021 4520 Boot type: Normal boot
07:53:36.0021 4520 ============================================================
07:53:37.0238 4520 Initialize success
07:53:40.0124 1556 ============================================================
07:53:40.0124 1556 Scan started
07:53:40.0124 1556 Mode: Manual;
07:53:40.0124 1556 ============================================================
07:53:40.0982 1556 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
07:53:40.0982 1556 1394ohci - ok
07:53:41.0060 1556 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
07:53:41.0060 1556 ACPI - ok
07:53:41.0123 1556 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
07:53:41.0123 1556 AcpiPmi - ok
07:53:41.0201 1556 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
07:53:41.0232 1556 adp94xx - ok
07:53:41.0279 1556 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
07:53:41.0294 1556 adpahci - ok
07:53:41.0310 1556 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
07:53:41.0326 1556 adpu320 - ok
07:53:41.0404 1556 AFD (d5b031c308a409a0a576bff4cf083d30) C:\Windows\system32\drivers\afd.sys
07:53:41.0419 1556 AFD - ok
07:53:41.0450 1556 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
07:53:41.0450 1556 agp440 - ok
07:53:41.0482 1556 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
07:53:41.0482 1556 aliide - ok
07:53:41.0513 1556 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
07:53:41.0513 1556 amdide - ok
07:53:41.0560 1556 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
07:53:41.0560 1556 AmdK8 - ok
07:53:41.0825 1556 amdkmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
07:53:42.0074 1556 amdkmdag - ok
07:53:42.0106 1556 amdkmdap (6b4e9261b613b047a9a145f328889968) C:\Windows\system32\DRIVERS\atikmpag.sys
07:53:42.0106 1556 amdkmdap - ok
07:53:42.0152 1556 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
07:53:42.0152 1556 AmdPPM - ok
07:53:42.0230 1556 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
07:53:42.0246 1556 amdsata - ok
07:53:42.0277 1556 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
07:53:42.0277 1556 amdsbs - ok
07:53:42.0308 1556 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
07:53:42.0324 1556 amdxata - ok
07:53:42.0449 1556 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
07:53:42.0449 1556 AppID - ok
07:53:42.0527 1556 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
07:53:42.0542 1556 arc - ok
07:53:42.0542 1556 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
07:53:42.0558 1556 arcsas - ok
07:53:42.0589 1556 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
07:53:42.0589 1556 AsyncMac - ok
07:53:42.0620 1556 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
07:53:42.0620 1556 atapi - ok
07:53:42.0761 1556 AtiHDAudioService (fda1e117a7e880bff5540d180c06ea87) C:\Windows\system32\drivers\AtihdW76.sys
07:53:42.0776 1556 AtiHDAudioService - ok
07:53:43.0057 1556 atikmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
07:53:43.0088 1556 atikmdag - ok
07:53:43.0166 1556 avgntflt (aa8f79a1bdfc03b3bc70c44ab00589b4) C:\Windows\system32\DRIVERS\avgntflt.sys
07:53:43.0166 1556 avgntflt - ok
07:53:43.0213 1556 avipbb (d959309ececca73fc79f8ef8521346b2) C:\Windows\system32\DRIVERS\avipbb.sys
07:53:43.0229 1556 avipbb - ok
07:53:43.0260 1556 avkmgr (248db59fc86de44d2779f4c7fb1a567d) C:\Windows\system32\DRIVERS\avkmgr.sys
07:53:43.0260 1556 avkmgr - ok
07:53:43.0354 1556 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
07:53:43.0369 1556 b06bdrv - ok
07:53:43.0463 1556 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
07:53:43.0478 1556 b57nd60a - ok
07:53:43.0525 1556 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
07:53:43.0525 1556 Beep - ok
07:53:43.0603 1556 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
07:53:43.0619 1556 blbdrive - ok
07:53:43.0697 1556 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
07:53:43.0712 1556 bowser - ok
07:53:43.0728 1556 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
07:53:43.0744 1556 BrFiltLo - ok
07:53:43.0759 1556 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
07:53:43.0759 1556 BrFiltUp - ok
07:53:43.0806 1556 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
07:53:43.0822 1556 Brserid - ok
07:53:43.0837 1556 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
07:53:43.0837 1556 BrSerWdm - ok
07:53:43.0837 1556 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
07:53:43.0853 1556 BrUsbMdm - ok
07:53:43.0853 1556 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
07:53:43.0853 1556 BrUsbSer - ok
07:53:43.0915 1556 BthEnum (cf98190a94f62e405c8cb255018b2315) C:\Windows\system32\drivers\BthEnum.sys
07:53:43.0931 1556 BthEnum - ok
07:53:43.0946 1556 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
07:53:43.0946 1556 BTHMODEM - ok
07:53:44.0009 1556 BthPan (02dd601b708dd0667e1331fa8518e9ff) C:\Windows\system32\DRIVERS\bthpan.sys
07:53:44.0024 1556 BthPan - ok
07:53:44.0102 1556 BTHPORT (64c198198501f7560ee41d8d1efa7952) C:\Windows\System32\Drivers\BTHport.sys
07:53:44.0134 1556 BTHPORT - ok
07:53:44.0227 1556 BTHUSB (f188b7394d81010767b6df3178519a37) C:\Windows\System32\Drivers\BTHUSB.sys
07:53:44.0243 1556 BTHUSB - ok
07:53:44.0414 1556 catchme - ok
07:53:44.0492 1556 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
07:53:44.0492 1556 cdfs - ok
07:53:44.0570 1556 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
07:53:44.0586 1556 cdrom - ok
07:53:44.0617 1556 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
07:53:44.0617 1556 circlass - ok
07:53:44.0680 1556 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
07:53:44.0680 1556 CLFS - ok
07:53:44.0789 1556 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
07:53:44.0789 1556 CmBatt - ok
07:53:44.0804 1556 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
07:53:44.0820 1556 cmdide - ok
07:53:44.0867 1556 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
07:53:44.0914 1556 CNG - ok
07:53:44.0929 1556 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
07:53:44.0929 1556 Compbatt - ok
07:53:44.0976 1556 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
07:53:44.0992 1556 CompositeBus - ok
07:53:45.0007 1556 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
07:53:45.0023 1556 crcdisk - ok
07:53:45.0085 1556 CSC (54da3dfd29ed9f1619b6f53f3ce55e49) C:\Windows\system32\drivers\csc.sys
07:53:45.0132 1556 CSC - ok
07:53:45.0194 1556 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
07:53:45.0210 1556 DfsC - ok
07:53:45.0241 1556 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
07:53:45.0241 1556 discache - ok
07:53:45.0288 1556 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
07:53:45.0304 1556 Disk - ok
07:53:45.0350 1556 Dnetr7364 (93a240fd4c133d1ed7ccf829159c4b78) C:\Windows\system32\DRIVERS\Dnetr7364.sys
07:53:45.0382 1556 Dnetr7364 - ok
07:53:45.0475 1556 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
07:53:45.0475 1556 drmkaud - ok
07:53:45.0553 1556 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
07:53:45.0584 1556 DXGKrnl - ok
07:53:45.0694 1556 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
07:53:45.0772 1556 ebdrv - ok
07:53:45.0865 1556 ElbyCDIO (9a47ac3dfcf81d30922cdaaf1c2d579f) C:\Windows\system32\Drivers\ElbyCDIO.sys
07:53:45.0865 1556 ElbyCDIO - ok
07:53:45.0896 1556 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
07:53:45.0928 1556 elxstor - ok
07:53:45.0974 1556 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
07:53:45.0974 1556 ErrDev - ok
07:53:46.0037 1556 ewflyreu - ok
07:53:46.0052 1556 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
07:53:46.0052 1556 exfat - ok
07:53:46.0068 1556 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
07:53:46.0084 1556 fastfat - ok
07:53:46.0115 1556 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
07:53:46.0115 1556 fdc - ok
07:53:46.0130 1556 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
07:53:46.0146 1556 FileInfo - ok
07:53:46.0162 1556 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
07:53:46.0162 1556 Filetrace - ok
07:53:46.0193 1556 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
07:53:46.0193 1556 flpydisk - ok
07:53:46.0240 1556 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
07:53:46.0255 1556 FltMgr - ok
07:53:46.0302 1556 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
07:53:46.0318 1556 FsDepends - ok
07:53:46.0333 1556 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
07:53:46.0333 1556 Fs_Rec - ok
07:53:46.0396 1556 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
07:53:46.0396 1556 fvevol - ok
07:53:46.0442 1556 fxklfozq - ok
07:53:46.0458 1556 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
07:53:46.0474 1556 gagp30kx - ok
07:53:46.0520 1556 gdrv (7907e14f9bcf3a4689c9a74a1a873cb6) C:\Windows\gdrv.sys
07:53:46.0536 1556 gdrv - ok
07:53:46.0583 1556 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
07:53:46.0598 1556 GEARAspiWDM - ok
07:53:46.0692 1556 hamachi (1e6438d4ea6e1174a3b3b1edc4de660b) C:\Windows\system32\DRIVERS\hamachi.sys
07:53:46.0692 1556 hamachi - ok
07:53:46.0754 1556 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
07:53:46.0754 1556 hcw85cir - ok
07:53:46.0817 1556 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
07:53:46.0848 1556 HdAudAddService - ok
07:53:46.0895 1556 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\DRIVERS\HDAudBus.sys
07:53:46.0910 1556 HDAudBus - ok
07:53:46.0942 1556 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
07:53:46.0942 1556 HidBatt - ok
07:53:46.0957 1556 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
07:53:46.0957 1556 HidBth - ok
07:53:46.0988 1556 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
07:53:46.0988 1556 HidIr - ok
07:53:47.0035 1556 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
07:53:47.0035 1556 HidUsb - ok
07:53:47.0066 1556 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
07:53:47.0066 1556 HpSAMD - ok
07:53:47.0144 1556 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
07:53:47.0160 1556 HTTP - ok
07:53:47.0207 1556 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
07:53:47.0207 1556 hwpolicy - ok
07:53:47.0254 1556 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
07:53:47.0269 1556 i8042prt - ok
07:53:47.0332 1556 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
07:53:47.0363 1556 iaStorV - ok
07:53:47.0410 1556 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
07:53:47.0410 1556 iirsp - ok
07:53:47.0519 1556 IntcAzAudAddService (f04d22d7a49a1b2210dbadf0b803e870) C:\Windows\system32\drivers\RTKVHD64.sys
07:53:47.0550 1556 IntcAzAudAddService - ok
07:53:47.0581 1556 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
07:53:47.0597 1556 intelide - ok
07:53:47.0612 1556 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
07:53:47.0612 1556 intelppm - ok
07:53:47.0659 1556 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
07:53:47.0675 1556 IpFilterDriver - ok
07:53:47.0706 1556 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
07:53:47.0706 1556 IPMIDRV - ok
07:53:47.0722 1556 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
07:53:47.0737 1556 IPNAT - ok
07:53:47.0784 1556 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
07:53:47.0784 1556 IRENUM - ok
07:53:47.0815 1556 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
07:53:47.0815 1556 isapnp - ok
07:53:47.0831 1556 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
07:53:47.0956 1556 iScsiPrt - ok
07:53:48.0127 1556 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
07:53:48.0127 1556 kbdclass - ok
07:53:48.0190 1556 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
07:53:48.0190 1556 kbdhid - ok
07:53:48.0252 1556 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
07:53:48.0252 1556 KSecDD - ok
07:53:48.0299 1556 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
07:53:48.0314 1556 KSecPkg - ok
07:53:48.0346 1556 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
07:53:48.0346 1556 ksthunk - ok
07:53:48.0439 1556 Lavasoft Kernexplorer - ok
07:53:48.0470 1556 libusb0 - ok
07:53:48.0517 1556 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
07:53:48.0533 1556 lltdio - ok
07:53:48.0564 1556 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
07:53:48.0580 1556 LSI_FC - ok
07:53:48.0595 1556 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
07:53:48.0611 1556 LSI_SAS - ok
07:53:48.0626 1556 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
07:53:48.0626 1556 LSI_SAS2 - ok
07:53:48.0673 1556 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
07:53:48.0689 1556 LSI_SCSI - ok
07:53:48.0704 1556 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
07:53:48.0720 1556 luafv - ok
07:53:48.0767 1556 MayPro (69e654083fefbb96612051134824ba40) C:\Windows\system32\Drivers\MayPro.sys
07:53:48.0782 1556 MayPro - ok
07:53:48.0829 1556 MBAMProtector - ok
07:53:48.0860 1556 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
07:53:48.0860 1556 megasas - ok
07:53:48.0892 1556 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
07:53:48.0907 1556 MegaSR - ok
07:53:48.0954 1556 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
07:53:48.0954 1556 Modem - ok
07:53:49.0016 1556 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
07:53:49.0016 1556 monitor - ok
07:53:49.0079 1556 MotioninJoyXFilter (16f9f464da6e02a020bce626c56a1797) C:\Windows\system32\DRIVERS\MijXfilt.sys
07:53:49.0110 1556 MotioninJoyXFilter - ok
07:53:49.0157 1556 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
07:53:49.0172 1556 mouclass - ok
07:53:49.0219 1556 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
07:53:49.0235 1556 mouhid - ok
07:53:49.0282 1556 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
07:53:49.0282 1556 mountmgr - ok
07:53:49.0344 1556 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
07:53:49.0360 1556 MpFilter - ok
07:53:49.0406 1556 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
07:53:49.0422 1556 mpio - ok
07:53:49.0469 1556 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
07:53:49.0484 1556 MpNWMon - ok
07:53:49.0516 1556 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
07:53:49.0516 1556 mpsdrv - ok
07:53:49.0562 1556 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
07:53:49.0578 1556 MRxDAV - ok
07:53:49.0625 1556 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
07:53:49.0625 1556 mrxsmb - ok
07:53:49.0687 1556 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
07:53:49.0703 1556 mrxsmb10 - ok
07:53:49.0734 1556 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
07:53:49.0734 1556 mrxsmb20 - ok
07:53:49.0828 1556 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
07:53:49.0828 1556 msahci - ok
07:53:49.0874 1556 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
07:53:49.0890 1556 msdsm - ok
07:53:49.0937 1556 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
07:53:49.0937 1556 Msfs - ok
07:53:49.0968 1556 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
07:53:49.0968 1556 mshidkmdf - ok
07:53:50.0030 1556 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
07:53:50.0030 1556 msisadrv - ok
07:53:50.0077 1556 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
07:53:50.0093 1556 MSKSSRV - ok
07:53:50.0140 1556 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
07:53:50.0140 1556 MSPCLOCK - ok
07:53:50.0171 1556 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
07:53:50.0171 1556 MSPQM - ok
07:53:50.0233 1556 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
07:53:50.0249 1556 MsRPC - ok
07:53:50.0280 1556 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
07:53:50.0280 1556 mssmbios - ok
07:53:50.0311 1556 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
07:53:50.0327 1556 MSTEE - ok
07:53:50.0342 1556 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
07:53:50.0358 1556 MTConfig - ok
07:53:50.0405 1556 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
07:53:50.0405 1556 Mup - ok
07:53:50.0483 1556 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
07:53:50.0498 1556 NativeWifiP - ok
07:53:50.0576 1556 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
07:53:50.0592 1556 NDIS - ok
07:53:50.0623 1556 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
07:53:50.0623 1556 NdisCap - ok
07:53:50.0670 1556 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
07:53:50.0670 1556 NdisTapi - ok
07:53:50.0732 1556 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
07:53:50.0732 1556 Ndisuio - ok
07:53:50.0795 1556 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
07:53:50.0810 1556 NdisWan - ok
07:53:50.0873 1556 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
07:53:50.0873 1556 NDProxy - ok
07:53:50.0935 1556 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
07:53:50.0935 1556 NetBIOS - ok
07:53:50.0998 1556 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
07:53:50.0998 1556 NetBT - ok
07:53:51.0122 1556 netr7364 (81b8d0c1ce44a7fdbd596b693783950c) C:\Windows\system32\DRIVERS\netr7364.sys
07:53:51.0169 1556 netr7364 - ok
07:53:51.0216 1556 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
07:53:51.0216 1556 nfrd960 - ok
07:53:51.0263 1556 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
07:53:51.0278 1556 NisDrv - ok
07:53:51.0310 1556 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
07:53:51.0325 1556 Npfs - ok
07:53:51.0341 1556 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
07:53:51.0341 1556 nsiproxy - ok
07:53:51.0419 1556 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
07:53:51.0481 1556 Ntfs - ok
07:53:51.0497 1556 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
07:53:51.0497 1556 Null - ok
07:53:51.0559 1556 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
07:53:51.0575 1556 nvraid - ok
07:53:51.0622 1556 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
07:53:51.0637 1556 nvstor - ok
07:53:51.0684 1556 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
07:53:51.0684 1556 nv_agp - ok
07:53:51.0746 1556 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
07:53:51.0778 1556 ohci1394 - ok
07:53:51.0856 1556 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
07:53:51.0871 1556 Parport - ok
07:53:51.0934 1556 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
07:53:51.0934 1556 partmgr - ok
07:53:51.0996 1556 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
07:53:51.0996 1556 pci - ok
07:53:52.0012 1556 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
07:53:52.0027 1556 pciide - ok
07:53:52.0058 1556 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
07:53:52.0074 1556 pcmcia - ok
07:53:52.0090 1556 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
07:53:52.0105 1556 pcw - ok
07:53:52.0121 1556 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
07:53:52.0152 1556 PEAUTH - ok
07:53:52.0246 1556 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
07:53:52.0261 1556 PptpMiniport - ok
07:53:52.0292 1556 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
07:53:52.0308 1556 Processor - ok
07:53:52.0386 1556 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
07:53:52.0386 1556 Psched - ok
07:53:52.0448 1556 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
07:53:52.0495 1556 ql2300 - ok
07:53:52.0526 1556 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
07:53:52.0526 1556 ql40xx - ok
07:53:52.0558 1556 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
07:53:52.0558 1556 QWAVEdrv - ok
07:53:52.0573 1556 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
07:53:52.0573 1556 RasAcd - ok
07:53:52.0620 1556 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
07:53:52.0620 1556 RasAgileVpn - ok
07:53:52.0682 1556 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
07:53:52.0682 1556 Rasl2tp - ok
07:53:52.0714 1556 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
07:53:52.0729 1556 RasPppoe - ok
07:53:52.0745 1556 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
07:53:52.0745 1556 RasSstp - ok
07:53:52.0807 1556 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
07:53:52.0823 1556 rdbss - ok
07:53:52.0838 1556 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
07:53:52.0854 1556 rdpbus - ok
07:53:52.0870 1556 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
07:53:52.0870 1556 RDPCDD - ok
07:53:52.0932 1556 RDPDR (1b6163c503398b23ff8b939c67747683) C:\Windows\system32\drivers\rdpdr.sys
07:53:52.0932 1556 RDPDR - ok
07:53:52.0979 1556 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
07:53:52.0994 1556 RDPENCDD - ok
07:53:53.0010 1556 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
07:53:53.0010 1556 RDPREFMP - ok
07:53:53.0057 1556 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
07:53:53.0072 1556 RDPWD - ok
07:53:53.0166 1556 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
07:53:53.0182 1556 rdyboost - ok
07:53:53.0260 1556 RFCOMM (3dd798846e2c28102b922c56e71b7932) C:\Windows\system32\DRIVERS\rfcomm.sys
07:53:53.0275 1556 RFCOMM - ok
07:53:53.0322 1556 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
07:53:53.0338 1556 rspndr - ok
07:53:53.0400 1556 RTHDMIAzAudService (34f05c417f038ffa3bef69b798d7d7dd) C:\Windows\system32\drivers\RtHDMIVX.sys
07:53:53.0400 1556 RTHDMIAzAudService - ok
07:53:53.0478 1556 RTL8167 (f65f171165fbb613f7aa3cc78e8cab42) C:\Windows\system32\DRIVERS\Rt64win7.sys
07:53:53.0478 1556 RTL8167 - ok
07:53:53.0540 1556 s3cap (e60c0a09f997826c7627b244195ab581) C:\Windows\system32\drivers\vms3cap.sys
07:53:53.0540 1556 s3cap - ok
07:53:53.0603 1556 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
07:53:53.0603 1556 sbp2port - ok
07:53:53.0665 1556 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
07:53:53.0681 1556 scfilter - ok
07:53:53.0712 1556 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
07:53:53.0728 1556 secdrv - ok
07:53:53.0759 1556 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
07:53:53.0759 1556 Serenum - ok
07:53:53.0790 1556 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
07:53:53.0790 1556 Serial - ok
07:53:53.0821 1556 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
07:53:53.0821 1556 sermouse - ok
07:53:53.0899 1556 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
07:53:53.0899 1556 sffdisk - ok
07:53:53.0915 1556 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
07:53:53.0930 1556 sffp_mmc - ok
07:53:53.0946 1556 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
07:53:53.0946 1556 sffp_sd - ok
07:53:53.0977 1556 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
07:53:53.0977 1556 sfloppy - ok
07:53:54.0024 1556 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
07:53:54.0040 1556 SiSRaid2 - ok
07:53:54.0055 1556 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
07:53:54.0055 1556 SiSRaid4 - ok
07:53:54.0086 1556 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
07:53:54.0102 1556 Smb - ok
07:53:54.0164 1556 speedfan - ok
07:53:54.0211 1556 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
07:53:54.0211 1556 spldr - ok
07:53:54.0336 1556 sptd (602884696850c86434530790b110e8eb) C:\Windows\System32\Drivers\sptd.sys
07:53:54.0398 1556 sptd - ok
07:53:54.0430 1556 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
07:53:54.0445 1556 srv - ok
07:53:54.0461 1556 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
07:53:54.0476 1556 srv2 - ok
07:53:54.0508 1556 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
07:53:54.0508 1556 srvnet - ok
07:53:54.0554 1556 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
07:53:54.0554 1556 stexstor - ok
07:53:54.0617 1556 storflt (7785dc213270d2fc066538daf94087e7) C:\Windows\system32\drivers\vmstorfl.sys
07:53:54.0632 1556 storflt - ok
07:53:54.0664 1556 storvsc (d34e4943d5ac096c8edeebfd80d76e23) C:\Windows\system32\drivers\storvsc.sys
07:53:54.0664 1556 storvsc - ok
07:53:54.0695 1556 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
07:53:54.0695 1556 swenum - ok
07:53:54.0804 1556 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
07:53:54.0882 1556 Tcpip - ok
07:53:54.0929 1556 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
07:53:54.0944 1556 TCPIP6 - ok
07:53:54.0991 1556 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
07:53:54.0991 1556 tcpipreg - ok
07:53:55.0007 1556 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
07:53:55.0007 1556 TDPIPE - ok
07:53:55.0007 1556 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
07:53:55.0007 1556 TDTCP - ok
07:53:55.0054 1556 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
07:53:55.0054 1556 tdx - ok
07:53:55.0069 1556 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
07:53:55.0069 1556 TermDD - ok
07:53:55.0132 1556 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
07:53:55.0132 1556 tssecsrv - ok
07:53:55.0194 1556 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
07:53:55.0210 1556 TsUsbFlt - ok
07:53:55.0272 1556 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
07:53:55.0288 1556 tunnel - ok
07:53:55.0303 1556 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
07:53:55.0303 1556 uagp35 - ok
07:53:55.0366 1556 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
07:53:55.0381 1556 udfs - ok
07:53:55.0428 1556 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
07:53:55.0428 1556 uliagpkx - ok
07:53:55.0475 1556 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
07:53:55.0490 1556 umbus - ok
07:53:55.0506 1556 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
07:53:55.0522 1556 UmPass - ok
07:53:55.0537 1556 USBAAPL64 (f724b03c3dfaacf08d17d38bf3333583) C:\Windows\system32\Drivers\usbaapl64.sys
07:53:55.0553 1556 USBAAPL64 - ok
07:53:55.0615 1556 usbaudio (82e8f44688e6fac57b5b7c6fc7adbc2a) C:\Windows\system32\drivers\usbaudio.sys
07:53:55.0631 1556 usbaudio - ok
07:53:55.0678 1556 usbbus (a760351af8b6d9e8d862db3b657a8bdd) C:\Windows\system32\DRIVERS\lgx64bus.sys
07:53:55.0678 1556 usbbus - ok
07:53:55.0724 1556 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
07:53:55.0740 1556 usbccgp - ok
07:53:55.0834 1556 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
07:53:55.0849 1556 usbcir - ok
07:53:55.0912 1556 UsbDiag (461cc33ce7cc38b696d4f04cd52640e4) C:\Windows\system32\DRIVERS\lgx64diag.sys
07:53:55.0927 1556 UsbDiag - ok
07:53:55.0974 1556 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\DRIVERS\usbehci.sys
07:53:55.0974 1556 usbehci - ok
07:53:56.0068 1556 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
07:53:56.0083 1556 usbhub - ok
07:53:56.0099 1556 USBModem (c51cf486a3af418561077dd828ab70a1) C:\Windows\system32\DRIVERS\lgx64modem.sys
07:53:56.0099 1556 USBModem - ok
07:53:56.0146 1556 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\DRIVERS\usbohci.sys
07:53:56.0161 1556 usbohci - ok
07:53:56.0208 1556 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
07:53:56.0208 1556 usbprint - ok
07:53:56.0270 1556 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
07:53:56.0270 1556 usbscan - ok
07:53:56.0317 1556 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
07:53:56.0317 1556 USBSTOR - ok
07:53:56.0333 1556 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
07:53:56.0333 1556 usbuhci - ok
07:53:56.0411 1556 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\Windows\System32\Drivers\usbvideo.sys
07:53:56.0426 1556 usbvideo - ok
07:53:56.0458 1556 VClone (84bb306b7863883018d7f3eb0c453bd5) C:\Windows\system32\DRIVERS\VClone.sys
07:53:56.0473 1556 VClone - ok
07:53:56.0504 1556 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
07:53:56.0520 1556 vdrvroot - ok
07:53:56.0536 1556 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
07:53:56.0536 1556 vga - ok
07:53:56.0567 1556 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
07:53:56.0567 1556 VgaSave - ok
07:53:56.0598 1556 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
07:53:56.0614 1556 vhdmp - ok
07:53:56.0629 1556 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
07:53:56.0629 1556 viaide - ok
07:53:56.0660 1556 vmbus (86ea3e79ae350fea5331a1303054005f) C:\Windows\system32\drivers\vmbus.sys
07:53:56.0676 1556 vmbus - ok
07:53:56.0707 1556 VMBusHID (7de90b48f210d29649380545db45a187) C:\Windows\system32\drivers\VMBusHID.sys
07:53:56.0707 1556 VMBusHID - ok
07:53:56.0738 1556 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
07:53:56.0754 1556 volmgr - ok
07:53:56.0832 1556 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
07:53:56.0832 1556 volmgrx - ok
07:53:56.0863 1556 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
07:53:56.0879 1556 volsnap - ok
07:53:56.0894 1556 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
07:53:56.0910 1556 vsmraid - ok
07:53:56.0941 1556 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
07:53:56.0957 1556 vwifibus - ok
07:53:56.0988 1556 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
07:53:57.0004 1556 vwififlt - ok
07:53:57.0019 1556 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
07:53:57.0019 1556 WacomPen - ok
07:53:57.0050 1556 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
07:53:57.0066 1556 WANARP - ok
07:53:57.0066 1556 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
07:53:57.0066 1556 Wanarpv6 - ok
07:53:57.0144 1556 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
07:53:57.0144 1556 Wd - ok
07:53:57.0175 1556 WDC_SAM (a3d04ebf5227886029b4532f20d026f7) C:\Windows\system32\DRIVERS\wdcsam64.sys
07:53:57.0175 1556 WDC_SAM - ok
07:53:57.0222 1556 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
07:53:57.0253 1556 Wdf01000 - ok
07:53:57.0316 1556 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
07:53:57.0331 1556 WfpLwf - ok
07:53:57.0362 1556 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
07:53:57.0362 1556 WIMMount - ok
07:53:57.0440 1556 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
07:53:57.0440 1556 WinUsb - ok
07:53:57.0472 1556 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
07:53:57.0472 1556 WmiAcpi - ok
07:53:57.0503 1556 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
07:53:57.0518 1556 ws2ifsl - ok
07:53:57.0565 1556 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
07:53:57.0581 1556 WudfPf - ok
07:53:57.0612 1556 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
07:53:57.0628 1556 WUDFRd - ok
07:53:57.0690 1556 xusb21 (9176c0822faa649e45121875be32f5d2) C:\Windows\system32\DRIVERS\xusb21.sys
07:53:57.0721 1556 xusb21 - ok
07:53:57.0784 1556 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
07:53:57.0799 1556 \Device\Harddisk0\DR0 - ok
07:53:57.0799 1556 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR1
07:53:57.0815 1556 \Device\Harddisk1\DR1 - ok
07:53:57.0815 1556 Boot (0x1200) (26859f1aa59a26125a7568133882fdb0) \Device\Harddisk0\DR0\Partition0
07:53:57.0815 1556 \Device\Harddisk0\DR0\Partition0 - ok
07:53:57.0830 1556 Boot (0x1200) (39f98b77e930353793f12427746cdd31) \Device\Harddisk0\DR0\Partition1
07:53:57.0830 1556 \Device\Harddisk0\DR0\Partition1 - ok
07:53:57.0846 1556 Boot (0x1200) (b9c6abe0571d11f06d108255203ca10d) \Device\Harddisk1\DR1\Partition0
07:53:57.0846 1556 \Device\Harddisk1\DR1\Partition0 - ok
07:53:57.0846 1556 ============================================================
07:53:57.0846 1556 Scan finished
07:53:57.0846 1556 ============================================================
07:53:57.0846 2356 Detected object count: 0
07:53:57.0846 2356 Actual detected object count: 0
07:54:32.0260 3268 Deinitialize success
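The TDSSKiller run above ends with "MBR (0x1B8) (<md5>) \Device\HarddiskN\DRn" lines for both disks and "Detected object count: 0". As an added example, not code from this thread or from TDSSKiller, the Python below shows what such a line reduces to: an MD5 over the boot-code region of a 512-byte MBR, plus the structural checks a bootkit scanner performs on the same sector. Reading 0x1B8 as the number of bytes hashed (the boot code that precedes the 4-byte NT disk signature at offset 0x1B8) is my interpretation of the log format; the MBR bytes are constructed for the demo and the "known-good" hash is simply taken from the untampered demo image. On a real system the input would be a saved MBR image such as the MBR.dat that aswMBR writes to the desktop, and the baseline the hash of a known-clean MBR from the same Windows version.

```python
"""Hash and sanity-check a 512-byte MBR image (added example, constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8           # 440 bytes; assumed to be the span behind "MBR (0x1B8)" in the log
PART_TABLE_OFF = 0x1BE
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"


def build_demo_mbr() -> bytes:
    """Construct a synthetic MBR: filler boot code, one active NTFS partition, 0x55AA."""
    code = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))  # filler, not real boot code
    disk_signature = struct.pack("<I", 0x1A2B3C4D)              # NT disk signature at 0x1B8
    reserved = b"\x00\x00"                                      # bytes 0x1BC..0x1BD
    ntfs = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                       b"\xFE\xFF\xFF", 2048, 204800)
    empty = b"\x00" * PART_ENTRY_LEN
    mbr = code + disk_signature + reserved + ntfs + empty * 3 + BOOT_SIG
    assert len(mbr) == SECTOR_SIZE
    return mbr


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region, the kind of value printed after "MBR (0x1B8)"."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return the populated partition-table slots as dicts."""
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0x00:           # empty slot
            continue
        parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr: bytes, known_good_md5: str) -> dict:
    """Structural checks plus a boot-code hash comparison against a clean baseline.

    A bootkit that patches the boot code typically leaves the partition table
    and signature intact, so the hash mismatch is the finding that matters.
    """
    if len(mbr) != SECTOR_SIZE:
        return {"md5": None, "partitions": [],
                "findings": ["image is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]}
    findings = []
    if mbr[-2:] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    active = sum(1 for p in parts if p["active"])
    if active != 1:
        findings.append("expected exactly one active partition, found %d" % active)
    digest = boot_code_md5(mbr)
    if digest != known_good_md5.lower():
        findings.append("boot code md5 %s differs from baseline" % digest)
    return {"md5": digest, "partitions": parts, "findings": findings}


if __name__ == "__main__":
    clean = build_demo_mbr()
    baseline = boot_code_md5(clean)
    # Simulate a bootkit patching one byte of boot code; the partition table is untouched.
    patched = bytes([clean[0] ^ 0xFF]) + clean[1:]
    print("clean  :", check_mbr(clean, baseline)["findings"])
    print("patched:", check_mbr(patched, baseline)["findings"])
```

To apply this to a real capture, replace `build_demo_mbr()` with `open("MBR.dat", "rb").read()` and supply a baseline hash recorded from a machine known to be clean; a hash taken from the suspect machine itself proves nothing.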

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:34 AM

Posted 28 November 2011 - 04:09 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 SLN64T

SLN64T
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 28 November 2011 - 04:59 PM

Here it is. I ran it with the full Avast virus definitions; I presume this was the correct thing to do?

aswMBR.txt

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-29 08:18:48
-----------------------------
08:18:48.956 OS Version: Windows x64 6.1.7601 Service Pack 1
08:18:48.956 Number of processors: 4 586 0x402
08:18:48.956 ComputerName: TIMOTHY-PC UserName: Timothy
08:18:50.251 Initialize success
08:24:07.338 AVAST engine defs: 11112802
08:24:17.837 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4
08:24:17.837 Disk 0 Vendor: WDC_WD5000AADS-00S9B0 01.00A01 Size: 476940MB BusType: 3
08:24:19.896 Disk 0 MBR read successfully
08:24:19.896 Disk 0 MBR scan
08:24:19.990 Disk 0 Windows 7 default MBR code
08:24:19.990 Disk 0 MBR hidden
08:24:19.990 Service scanning
08:24:20.879 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
08:24:21.503 Modules scanning
08:24:21.503 Disk 0 trace - called modules:
08:24:21.596 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004a66334]<<
08:24:21.612 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a54060]
08:24:21.612 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa8003adf670]
08:24:21.628 5 ACPI.sys[fffff88000f017a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-4[0xfffffa8004441060]
08:24:21.643 \Driver\atapi[0xfffffa8003ac8460] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004a66334
08:24:23.890 AVAST engine scan C:\Windows
08:24:31.830 AVAST engine scan C:\Windows\system32
08:27:42.869 AVAST engine scan C:\Windows\system32\drivers
08:28:01.137 AVAST engine scan C:\Users\Timothy
08:47:07.582 AVAST engine scan C:\ProgramData
08:49:46.232 Scan finished successfully
08:57:28.224 Disk 0 MBR has been saved successfully to "C:\Users\Timothy\Desktop\MBR.dat"
08:57:28.274 The log file has been saved successfully to "C:\Users\Timothy\Desktop\aswMBR.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:34 AM

Posted 28 November 2011 - 05:03 PM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete I want you to restart the computer and try to rerun aswMBR for me and send me the report.

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

#9 SLN64T

SLN64T
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 28 November 2011 - 05:53 PM

Hi Gringo, thanks again for the swift reply

Here's what I saw after following your last instructions:

TDSS Fix Tool 2.1.3
***Infected MBR detected
Repair succeeded

After I clicked repair, Microsoft Security Essentials detected a Trojan:
Trojan:DOS/Alureon.E - recommended action: Remove.

I allowed MSE to do this; I hope this was the appropriate action and that the Trojan detected didn't in fact have something to do with the TDSS Fix Tool. Please let me know if this is not the case and whether or not I should repeat these steps.

After restarting this is the new aswMBR log file:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-29 09:21:12
-----------------------------
09:21:12.227 OS Version: Windows x64 6.1.7601 Service Pack 1
09:21:12.227 Number of processors: 4 586 0x402
09:21:12.227 ComputerName: TIMOTHY-PC UserName: Timothy
09:21:13.241 Initialize success
09:21:20.573 AVAST engine defs: 11112802
09:21:27.624 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4
09:21:27.624 Disk 0 Vendor: WDC_WD5000AADS-00S9B0 01.00A01 Size: 476940MB BusType: 3
09:21:29.637 Disk 0 MBR read successfully
09:21:29.637 Disk 0 MBR scan
09:21:29.668 Disk 0 Windows 7 default MBR code
09:21:29.683 Service scanning
09:21:35.565 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
09:21:39.387 Modules scanning
09:21:39.387 Disk 0 trace - called modules:
09:21:39.449 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys
09:21:39.449 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a35060]
09:21:39.465 3 CLASSPNP.SYS[fffff880019c943f] -> nt!IofCallDriver -> [0xfffffa8003ad6670]
09:21:39.465 5 ACPI.sys[fffff88000ee67a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-4[0xfffffa80044f2060]
09:21:41.103 AVAST engine scan C:\Windows
09:21:48.606 AVAST engine scan C:\Windows\system32
09:26:11.108 AVAST engine scan C:\Windows\system32\drivers
09:26:43.605 AVAST engine scan C:\Users\Timothy
09:47:41.708 AVAST engine scan C:\ProgramData
09:50:18.347 Scan finished successfully
09:51:49.840 Disk 0 MBR has been saved successfully to "C:\Users\Timothy\Desktop\MBR.dat"
09:51:49.887 The log file has been saved successfully to "C:\Users\Timothy\Desktop\aswMBR 2.txt"
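Read side by side, the two aswMBR logs in this topic (post #7 before fixTDSS, post #9 after) differ in exactly three lines: "Disk 0 MBR hidden", the ">>UNKNOWN [0xfffffa8004a66334]<<" entry in the disk-stack trace, and the "\Driver\atapi[...] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004a66334" line whose target is that same unknown address. All three are gone in the second run, while the "**LOCKED**" line for MpNWMon.sys (Microsoft Security Essentials' own driver) is present in both, so it is not by itself a sign of infection. The Python below is an added example, not code from the thread or from aswMBR: it turns those three observations into triage rules, runs them over excerpts of both logs quoted from the posts, and reports which indicators the repair cleared. The severity labels and the wording of the findings are mine.

```python
"""Triage aswMBR log lines for disk-stack hook indicators (added example)."""
import re
from typing import Dict, List

# Excerpts of the two aswMBR logs posted in this topic (before and after fixTDSS).
BEFORE = """\
08:24:19.896 Disk 0 MBR read successfully
08:24:19.990 Disk 0 Windows 7 default MBR code
08:24:19.990 Disk 0 MBR hidden
08:24:20.879 Service MpNWMon C:\\Windows\\system32\\DRIVERS\\MpNWMon.sys **LOCKED** 32
08:24:21.596 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004a66334]<<
08:24:21.643 \\Driver\\atapi[0xfffffa8003ac8460] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004a66334
"""

AFTER = """\
09:21:29.637 Disk 0 MBR read successfully
09:21:29.668 Disk 0 Windows 7 default MBR code
09:21:35.565 Service MpNWMon C:\\Windows\\system32\\DRIVERS\\MpNWMon.sys **LOCKED** 32
09:21:39.449 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys
"""

TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"
RE_HIDDEN = re.compile(TS + r"Disk (\d+) MBR hidden")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
RE_DISPATCH = re.compile(
    TS + r"(\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")
RE_LOCKED = re.compile(TS + r"Service (\S+) (\S+) \*\*LOCKED\*\*")


def triage(log: str) -> Dict[str, List[str]]:
    """Classify lines: 'high' for a hidden MBR or a hook, 'info' for locked files."""
    high, info = [], []
    unknown_addrs = set()
    lines = log.splitlines()
    for line in lines:
        m = RE_HIDDEN.search(line)
        if m:
            high.append("disk %s: scanner reports MBR hidden" % m.group(1))
        m = RE_UNKNOWN.search(line)
        if m:
            unknown_addrs.add(m.group(1).lower())
            high.append("unknown module %s in the disk stack trace" % m.group(1))
        m = RE_LOCKED.search(line)
        if m:
            info.append("%s (%s) locked during scan" % (m.group(1), m.group(2)))
    # Second pass: a driver dispatch entry that lands on the unknown module is a hook.
    for line in lines:
        m = RE_DISPATCH.search(line)
        if m and m.group(3).lower() in unknown_addrs:
            high.append("%s %s dispatch points into unknown code at %s"
                        % (m.group(1), m.group(2), m.group(3)))
    return {"high": high, "info": info}


def verdict(log: str) -> str:
    """'suspect' if any high-severity indicator is present, else 'clean'."""
    return "suspect" if triage(log)["high"] else "clean"


def compare_runs(before: str, after: str) -> Dict[str, List[str]]:
    """Which high-severity indicators a repair cleared and which still remain."""
    b, a = set(triage(before)["high"]), set(triage(after)["high"])
    return {"cleared": sorted(b - a), "remaining": sorted(a)}


if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER)):
        print(name, verdict(log), triage(log))
    print(compare_runs(BEFORE, AFTER))
```

Matching the dispatch target against the unknown address, rather than flagging every IRP_MJ_* line, is what keeps legitimate filter drivers out of the high-severity bucket; the point of the two-pass design is that the verdict depends on the trace and the dispatch line agreeing.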

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:34 AM

Posted 28 November 2011 - 05:55 PM

Greetings

I need to know how the computer is doing now.

Good. That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[Image: dragging CFScript.txt onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#11 SLN64T

SLN64T
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 28 November 2011 - 06:29 PM

Hi again Gringo,

I have run the script and Combofix again as suggested with no problems. The computer certainly seems to be getting better now :)

I haven't been redirected from a google link all morning and I have tested in both Firefox and Chrome. However, when I opened up Firefox just then, it indicated that it was not my default browser, which possibly indicates that something is still in the system to have changed this?

Attached below is the latest Combofix log. Again, thank you so much for your support.

Combofix.txt

ComboFix 11-11-28.02 - Timothy 29/11/2011 10:07:12.2.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.4094.2514 [GMT 11:00]
Running from: c:\users\Timothy\Desktop\ComboFix.exe
Command switches used :: c:\users\Timothy\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\~.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2050-03-17 12:05 . 2011-05-16 13:30 -------- d-----w- c:\programdata\FLEXnet
2011-11-28 23:16 . 2011-11-28 23:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-28 22:18 . 2011-11-28 22:18 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0DF6793F-8DF5-4C40-BA83-53108B9B7B01}\offreg.dll
2011-11-28 11:13 . 2011-11-28 11:13 -------- d-----w- c:\users\Timothy\AppData\Roaming\pdfforge
2011-11-28 11:13 . 2004-03-08 14:00 662288 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX
2011-11-28 11:13 . 1998-06-23 14:00 137000 ----a-w- c:\windows\SysWow64\MSMAPI32.OCX
2011-11-28 11:13 . 1998-07-05 14:00 23552 ----a-w- c:\windows\SysWow64\MSMPIDE.DLL
2011-11-28 11:13 . 2011-11-28 11:14 -------- d-----w- c:\program files (x86)\PDFCreator
2011-11-28 11:06 . 2011-11-28 11:06 854033 ----a-w- c:\windows\SysWow64\~.tmp
2011-11-28 07:51 . 2011-10-06 10:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0DF6793F-8DF5-4C40-BA83-53108B9B7B01}\mpengine.dll
2011-11-18 06:17 . 2011-11-28 07:41 -------- d-----w- c:\users\Friday Night Lights Season 4
2011-11-15 01:31 . 2011-11-15 01:31 -------- d-----w- c:\users\Timothy\AppData\Local\Skyrim
2011-11-15 01:25 . 2008-10-14 19:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2011-11-15 01:25 . 2008-10-14 19:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2011-11-15 01:17 . 2011-11-16 07:15 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2011-11-14 08:44 . 2011-11-28 07:41 -------- d-----w- c:\users\rzr-skrm
2011-11-14 01:29 . 2011-11-27 00:59 486360 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2011-11-14 01:29 . 2011-11-27 00:59 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-11-14 01:29 . 2011-11-27 00:59 633816 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2011-11-14 01:29 . 2011-11-27 00:59 555992 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2011-11-13 07:37 . 2011-11-13 07:37 -------- d-----w- c:\windows\system32\Macromed
2011-11-13 06:10 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 06:10 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-13 06:10 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 06:10 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 04:58 . 2011-11-09 04:58 -------- d-----w- C:\LG3G
2011-11-07 07:32 . 2011-10-06 10:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-07 07:31 . 2011-11-07 07:31 388096 ----a-r- c:\users\Timothy\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-07 04:08 . 2011-11-07 04:08 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C86BF29F-0574-4DA9-B777-835428AE0D4C}\gapaengine.dll
2011-11-07 04:06 . 2011-11-07 04:06 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-11-07 04:05 . 2011-11-07 04:06 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-07 01:05 . 2011-11-07 01:05 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-06 22:52 . 2011-11-07 02:00 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-04 21:52 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2DB242FA-1F51-4EBB-81AA-69A5FFE0FF08}\mpengine.dll
2011-10-29 23:32 . 2011-10-29 23:32 -------- d-----w- c:\program files (x86)\Design Science
2011-10-29 23:31 . 2011-10-29 23:31 -------- d-----w- c:\windows\SysWow64\Adobe
2011-10-29 23:31 . 2009-01-15 22:44 1482752 ----a-w- C:\OC40.exe
2011-10-29 23:31 . 2008-10-04 21:09 152848 ----a-w- C:\comdlg32.ocx
2011-10-29 23:31 . 2008-09-28 10:26 69632 ----a-w- C:\pp.dat
2011-10-29 23:31 . 2007-05-10 13:26 10240 ----a-w- C:\Interop.AcroPDFLib.dll
2011-10-29 23:31 . 2001-01-07 11:27 4554 ----a-w- C:\Title.js
2011-10-29 23:31 . 2007-05-10 13:26 9216 ----a-w- C:\AxInterop.AcroPDFLib.dll
2011-10-29 23:25 . 2011-10-29 23:25 -------- d-----w- c:\program files (x86)\Code Visual to Flowchart
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 22:18 . 2009-12-21 04:29 25640 ----a-w- c:\windows\gdrv.sys
2011-11-14 21:21 . 2011-05-19 22:56 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-29 23:07 . 2011-10-29 23:07 253648 ------w- c:\windows\Setup1.exe
2011-10-29 23:07 . 2011-10-29 23:07 77016 ----a-w- c:\windows\ST6UNST.EXE
2011-10-24 03:29 . 2011-10-24 03:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 03:29 . 2011-10-24 03:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-10-18 03:19 . 2010-02-11 03:34 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-10-11 04:00 . 2011-10-21 02:28 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-11 04:00 . 2011-10-21 02:28 97312 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-11 04:00 . 2011-10-21 02:28 130760 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-25 00:56 . 2011-09-25 00:56 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-01 05:24 . 2011-10-14 00:00 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 05:17 . 2011-10-14 00:00 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 05:12 . 2011-10-14 00:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 02:35 . 2011-10-14 00:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-09-01 02:28 . 2011-10-14 00:00 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-09-01 02:22 . 2011-10-14 00:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-28_07.13.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-21 04:31 . 2011-11-28 22:20 47286 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-28 22:20 40808 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-21 04:24 . 2011-11-28 22:20 17782 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-391138697-2687591887-3929988086-1000_UserData.bin
+ 2009-12-20 23:43 . 2011-11-28 11:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-20 23:43 . 2011-11-15 04:00 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-20 23:43 . 2011-11-28 11:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-20 23:43 . 2011-11-15 04:00 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-15 04:00 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-28 11:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-11-27 22:24 . 2011-11-27 22:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-28 22:18 . 2011-11-28 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-28 22:18 . 2011-11-28 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-27 22:24 . 2011-11-27 22:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2011-11-27 16:02 548456 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-11-28 22:17 548456 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 02:36 . 2011-11-28 10:54 6044598 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-11-28 10:54 12575536 c:\windows\system32\perfh009.dat
+ 2010-11-08 13:11 . 2011-11-28 22:17 61021932 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-391138697-2687591887-3929988086-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-22 137536]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-30 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-11 1523360]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
.
R1 ewflyreu;ewflyreu;c:\windows\system32\drivers\ewflyreu.sys [x]
R1 fxklfozq;fxklfozq;c:\windows\system32\drivers\fxklfozq.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-18 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 Dnetr7364;D-Link USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\Dnetr7364.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-04-15 1431888]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-18 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
R3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\Drivers\MayPro.sys [2007-08-12 25120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-11 86224]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-08-24 68136]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-04 2329480]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-391138697-2687591887-3929988086-1000Core.job
- c:\users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-22 07:26]
.
2011-11-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-391138697-2687591887-3929988086-1000UA.job
- c:\users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-22 07:26]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-15 06:27]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-15 06:27]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-18 8067616]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.youtube.com/results?uploaded=d&search_query=modern+warfare+2&search_type=videos&suggested_categories=20%2C43&uni=3
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Timothy\AppData\Roaming\Mozilla\Firefox\Profiles\62ahtnii.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-29 10:18:25
ComboFix-quarantined-files.txt 2011-11-28 23:18
ComboFix2.txt 2011-11-28 07:41
.
Pre-Run: 196,738,920,448 bytes free
Post-Run: 196,517,277,696 bytes free
.
- - End Of File - - 05EA5C6B4D7463E21DC6963C32ADEF7F

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:34 AM

Posted 28 November 2011 - 07:11 PM

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 SLN64T

SLN64T
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 28 November 2011 - 07:43 PM

I have now done the above steps as requested. MBAM did not find a detection, but this was only a quick scan as opposed to a full system scan. As far as I can tell, my computer appears to be free of the infection. I'm certainly not getting any popups or being redirected from search engines any more.

The MBAM and Hijackthis logs are pasted below as requested.

Thank you so much for your time! :)

mbam-log-2011-11-29 (11-33-31)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8261

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

29/11/2011 11:33:31 AM
mbam-log-2011-11-29 (11-33-31).txt

Scan type: Quick scan
Objects scanned: 431396
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hijackthis logfile


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:37:43 AM, on 29/11/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/results?uploaded=d&search_query=modern+warfare+2&search_type=videos&suggested_categories=20%2C43&uni=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Autodesk Content Service - Unknown owner - C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\SysWOW64\brsvc01a.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service 64 - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9287 bytes
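A parser for the HijackThis log format pasted above, added here as an example (it is not code from HijackThis, Trend Micro or either poster): it turns the O4, O2, O23 and R0/R1 lines into records so the autostart entries, the browser helper objects, the browser start page and the services with an unknown owner or a "(file missing)" flag can be reviewed in bulk. The regular expressions are my reading of the log format; the sample lines are copied from the log in this post.

```python
"""Parse HijackThis 2.0.4 log lines into structured records.

Added example for this thread, not code from HijackThis or from the posters.
The patterns are assumptions drawn from the log format posted above."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/results?uploaded=d
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

@dataclass
class Entry:
    kind: str        # HJT section prefix: "O4", "O23", "R0" ...
    name: str        # value name, service display name, BHO name ...
    path: str = ""   # executable or DLL path, where the line carries one
    details: dict = field(default_factory=dict)

def _split_command(cmd):
    """(exe, args) for an O4 command; HJT leaves unquoted paths with spaces as-is."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd.strip('"'), "")
    m = re.match(r"(?i)(?P<exe>.*?\.exe)\b(?P<args>.*)$", cmd)   # split after first .exe
    return (m["exe"], m["args"].strip()) if m else (cmd, "")

def _parse_o4(rest):
    m = re.match(r"(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", rest)
    if not m:
        return None
    exe, args = _split_command(m["cmd"])
    return Entry("O4", m["name"], exe, {"hive": m["hive"], "key": m["key"], "args": args})

def _parse_o2(rest):
    m = re.match(r"BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$", rest)
    return Entry("O2", m["name"], m["path"], {"clsid": m["clsid"]}) if m else None

def _parse_o23(rest):
    if not rest.startswith("Service: "):
        return None
    body = rest[len("Service: "):]
    missing = body.endswith(" (file missing)")
    body = body[:-len(" (file missing)")] if missing else body
    parts = body.split(" - ")   # display name - owner - path; the path is always last
    if len(parts) < 3:
        return None
    path, owner, display = parts[-1], parts[-2], " - ".join(parts[:-2])
    m = re.search(r"\((?P<short>[^()]+)\)$", display)   # "Avira Scheduler (AntiVirSchedulerService)"
    short = m["short"] if m else display
    return Entry("O23", display, path, {"short_name": short, "owner": owner, "file_missing": missing})

def _parse_r(kind, rest):
    m = re.match(r"(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$", rest)
    return Entry(kind, m["value"], "", {"key": m["key"], "data": m["data"]}) if m else None

def parse_line(line):
    """Entry for one HJT result line, None for any other line of the log."""
    m = re.match(r"(?P<kind>[RFO]\d{1,2}) - (?P<rest>.*)$", line.strip())
    if not m:
        return None
    kind, rest = m["kind"], m["rest"]
    if kind == "O4":
        return _parse_o4(rest)
    if kind == "O2":
        return _parse_o2(rest)
    if kind == "O23":
        return _parse_o23(rest)
    if kind in ("R0", "R1"):
        return _parse_r(kind, rest)
    return Entry(kind, rest)    # O8/O9/O18 ... kept as raw text

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def triage(entries):
    """Group the lines a reviewer checks first. Caveat: the 32-bit HJT build reports
    '(file missing)' for many native 64-bit system services, so verify, don't assume."""
    svc = [e for e in entries if e.kind == "O23"]
    return {
        "autostarts": [e for e in entries if e.kind == "O4"],
        "bhos": [e for e in entries if e.kind == "O2"],
        "browser_settings": [e for e in entries if e.kind in ("R0", "R1")],
        "services_file_missing": [e for e in svc if e.details["file_missing"]],
        "services_unknown_owner": [e for e in svc if e.details["owner"] == "Unknown owner"
                                   and not e.details["file_missing"]],
    }

if __name__ == "__main__":
    for group, items in triage(parse_log(SAMPLE_LOG)).items():
        print(group, [f"{e.name} -> {e.path or e.details.get('data', '')}" for e in items])
```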

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:34 AM

Posted 28 November 2011 - 07:52 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can start any of these programs when you need them by clicking on their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
      O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
      O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
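As an added illustration of the HijackThis lines this fix works on (example code, not code from the thread or from HijackThis itself), the Python below parses the O4 (Run key) and O23 (service) line formats shown in the logs above, separates each command line into the executable that actually runs and its arguments, and lists the entries whose executable lives outside the usual vendor directories. The directory allowlist and the sample lines (copied from the log in this thread) are assumptions for the demo; an entry in a user-writable location such as AppData is only a reason to look at it first, not a verdict, and on 64-bit Windows a 32-bit HijackThis reports "(file missing)" for many system32 services because of file-system redirection, so that note by itself is not a finding.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: O4 and O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Timothy\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
"""

# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23: "O23 - Service: <display name> - <owner> - <image path> [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?: \((?P<note>file missing)\))?$")
# Token that ends an unquoted executable path (paths may contain spaces).
EXT_RE = re.compile(r"\.(?:exe|com|bat|cmd|scr|pif|vbs|js|dll)(?=\s|$)", re.I)

# Assumed allowlist (hypothetical, for this demo only): directories a normal install writes to.
# Anything else, typically a user-writable location such as AppData or Temp, gets reviewed first.
VENDOR_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Entry:
    kind: str                   # "O4" (Run key) or "O23" (service)
    name: str                   # Run value name or service display name
    image: str                  # executable that actually runs
    args: str = ""              # arguments for O4 command lines
    hive: str = ""              # HKLM / HKCU for O4 entries
    note: Optional[str] = None  # HijackThis annotation, e.g. "file missing"


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command line into (executable, arguments).

    Quoted commands take everything inside the quotes; unquoted ones are cut
    after the first token ending in an executable extension, which is the
    only usable boundary when the path itself contains spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: treat the rest as the path
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXT_RE.search(cmd)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def parse_hijackthis(text: str) -> List[Entry]:
    """Parse O4 and O23 lines; other HijackThis sections are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            image, args = split_command(m["cmd"])
            entries.append(Entry("O4", m["name"], image, args, hive=m["hive"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["display"], m["path"], note=m["note"]))
    return entries


def review(entries: List[Entry]) -> List[str]:
    """Names of entries whose executable is outside the assumed vendor directories."""
    return [e.name for e in entries
            if not any(e.image.lower().startswith(d) for d in VENDOR_DIRS)]


if __name__ == "__main__":
    found = parse_hijackthis(SAMPLE_LOG)
    for e in found:
        print(f"{e.kind:<3} {e.hive:<4} {e.name!r}: {e.image} {e.args} {e.note or ''}".rstrip())
    print("Review first:", review(found))
```

Run it as a script to see each entry split into executable and arguments; with the sample above only the Facebook updater, which runs from the user's AppData, is listed for a closer look.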

#15 SLN64T

SLN64T
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:34 PM

Posted 28 November 2011 - 11:06 PM

Hi again Gringo,

Sorry about the delay in my reply, that scan took a while to complete. I have performed the start up changes that you suggested above. Below is pasted the log file from the ESET scan. The scan did detect two viruses, though I am almost certain both of these are a false detection. They are safe files that my brother downloaded as activator tools and are just being detected as a function of how they work.

I think you have breathed new life back into my computer now. It appears to be virus free now and isn't displaying any more symptoms. I can't tell you how grateful I am for all your help!

Cheers,

Tim.

ESET log file

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-29 03:40:06
# local_time=2011-11-29 02:40:06 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1792 16777215 100 0 2530942 2530942 0 0
# compatibility_mode=5893 16776574 100 94 1064097 74163679 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=209202
# found=2
# cleaned=0
# scan_time=7777
C:\Users\WOAT_v3.2.rar a variant of Win32/HackKMS.A application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Windows 7 Ultimate (32 Bit)\Other Windows 7 Activation Tools\Windows 7 Loader eXtreme Edition 3.5.0.3.exe a variant of Win32/HackKMS.A application (unable to clean) 00000000000000000000000000000000 I
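The ESET log above has a fixed shape: `# key=value` header lines carrying the scan settings and counters, followed by one line per detection. The added Python below (example code, not part of the thread or of ESET's tooling) parses both parts and cross-checks them against the settings the helper asked for earlier in the thread: it confirms that the counters match the detection lines, that nothing was cleaned when "Remove found threats" was unticked, and it reports any requested scan option that was not actually enabled. The expected-settings table and the field layout of a detection line (path, threat description, action in parentheses, 32-hex-digit hash, flag letter) are assumptions read off this log; the forum rendering collapsed whatever separators ESET used, so the split between path and description keys on ESET's `Platform/Family.Variant type` naming.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: header lines and the two detection lines from the ESET log posted above.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-29 03:40:06
# country="Australia"
# scanned=209202
# found=2
# cleaned=0
# scan_time=7777
C:\Users\WOAT_v3.2.rar a variant of Win32/HackKMS.A application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Windows 7 Ultimate (32 Bit)\Other Windows 7 Activation Tools\Windows 7 Loader eXtreme Edition 3.5.0.3.exe a variant of Win32/HackKMS.A application (unable to clean) 00000000000000000000000000000000 I
"""

# A detection line as rendered in this thread: path, ESET's threat description
# ("[probably] [a variant of] Platform/Family.Variant type"), the action in
# parentheses, a 32-hex-digit hash and a flag. The lazy path stops at the first
# point where a "Platform/Family" token follows, so paths with spaces survive.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+ \w+)\s+"
    r"\((?P<action>[^()]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flags>\S+)$"
)

# Settings the helper asked for in this thread (assumed here as the expected baseline).
EXPECTED_SETTINGS = {
    "remove_checked": False,      # "Remove found threats" unticked
    "archives_checked": True,     # "Scan Archives" ticked
    "unwanted_checked": True,     # potentially unwanted applications
    "unsafe_checked": True,       # potentially unsafe applications
    "antistealth_checked": True,  # Anti-Stealth Technology
}


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    hash: str
    flags: str


@dataclass
class EsetReport:
    settings: Dict[str, object] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def _coerce(value: str) -> object:
    """true/false -> bool, digits -> int, anything else -> unquoted string."""
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value.strip('"')


def parse_eset_log(text: str) -> EsetReport:
    report = EsetReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            report.settings[key.strip()] = _coerce(value.strip())  # repeated keys: last wins
        elif m := DETECTION_RE.match(line):
            report.detections.append(Detection(**m.groupdict()))
    return report


def consistency_issues(report: EsetReport) -> List[str]:
    """Cross-check counters, cleaning outcome and requested options; empty list means consistent."""
    s = report.settings
    issues: List[str] = []
    if s.get("end") != "finished":
        issues.append(f"scan did not finish (end={s.get('end')!r})")
    if s.get("found") != len(report.detections):
        issues.append(f"found={s.get('found')} but {len(report.detections)} detection lines")
    if s.get("remove_checked") is False and s.get("cleaned", 0) != 0:
        issues.append("cleaned!=0 although 'Remove found threats' was unticked")
    for key, want in EXPECTED_SETTINGS.items():
        if s.get(key) is not want:
            issues.append(f"{key}={s.get(key)}, expected {want}")
    return issues


if __name__ == "__main__":
    rep = parse_eset_log(SAMPLE_LOG)
    print(f"scanned={rep.settings['scanned']} found={rep.settings['found']} cleaned={rep.settings['cleaned']}")
    for d in rep.detections:
        print(f"{d.threat} [{d.action}] {d.path}")
    print("issues:", consistency_issues(rep) or "none")
```

On the log in this thread the counters and the two "unable to clean" lines agree with `remove_checked=false`; the one thing the check reports is `unsafe_checked=false`, i.e. "Scan for potentially unsafe applications" was not ticked even though the instructions asked for it, which is worth knowing before treating a clean result as complete.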



