Relentless browser redirection rootkit


This topic is locked.
21 replies to this topic

#1 spangler321

  • Members
  • 10 posts

Posted 26 November 2011 - 09:37 PM

Hello world!

So in all of my years of computer experience I've never encountered a virus this stubborn. This problem initially started as a fake "antivirus" scanner; having encountered these before, I immediately disabled it and removed it manually. By the way, this problem is on my parents' computer; they got the virus and asked me to remove it for them, and they had almost zero virus and firewall protection. Anyway, after removing the fake antivirus, I downloaded and ran SUPERAntiSpyware, Spybot, and Malwarebytes (not at the same time); this removed a few Trojans and spyware. After a reboot I noticed a few more problems: iexplorer.exe was reproducing itself many times in Task Manager, and I also noticed that both IE and Firefox had been hijacked by a browser redirection virus. I used Comodo Firewall to block the iexplorer processes temporarily, and after a boot scan with UnHackMe and Avast antivirus, a few more Trojans and a rootkit were found and fixed. This solved the iexplorer problem, but I still am unable to get rid of the browser redirection problem. I've rescanned the system with SUPERAntiSpyware, Malwarebytes, Avast, and Panda Cloud (individually of course, with live protection turned off to prevent complications). Nothing. I scanned the system with TDSSKiller and nothing malicious was revealed. Please help!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 16:36:35 on 2011-11-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.725 [GMT -5:00]
.
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\WTouch\WTouchService.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\afasrv32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Program Files\USIM Editor\iconcs916839438.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uSearch Page =
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:1044
mSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [USBestCR] c:\program files\usim editor\iconcs916839438.exe RunFromReg
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250525517718
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: Interfaces\{447E196F-78FF-4308-B6B6-E6867A76DA08} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D0A550AE-0745-4D5B-9504-55F8216C9509} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{F985F99A-EA74-4FAD-AB95-1DD04CC1D11F} : NameServer = 8.26.56.26,156.154.70.22
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: SDWinLogon - SDWinLogon.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\c4687ves.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com/?pr=vmn&id=pandasecuritytb&v=2_0
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-22 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-22 320856]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-10-7 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-10-7 31704]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
R1 MpKsl1798c327;MpKsl1798c327;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{59e12f0e-799d-44ab-8028-bbae630cd4be}\MpKsl1798c327.sys [2011-11-25 28752]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\spybot - search & destroy 2\SDHookDrv32.sys [2011-11-19 38504]
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2011-6-28 65536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-22 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-22 44768]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-10-7 1883328]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-7-5 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-11-19 955816]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-8-8 4408616]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-8-8 112936]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-11-19 892336]
S1 MpKsl01f05f3e;MpKsl01f05f3e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d1e9b9d-e208-4974-b83c-0533f4781ffb}\mpksl01f05f3e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d1e9b9d-e208-4974-b83c-0533f4781ffb}\MpKsl01f05f3e.sys [?]
S1 MpKsl24e89010;MpKsl24e89010;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0d54b5b-4eeb-4ff1-aabc-ca46ffd710a6}\mpksl24e89010.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0d54b5b-4eeb-4ff1-aabc-ca46ffd710a6}\MpKsl24e89010.sys [?]
S1 MpKsl4540303a;MpKsl4540303a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{76f7db37-5bd8-43d2-b106-e25f6520d684}\mpksl4540303a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{76f7db37-5bd8-43d2-b106-e25f6520d684}\MpKsl4540303a.sys [?]
S1 MpKsl7cb86acc;MpKsl7cb86acc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7768c778-3850-4fd4-afc9-447a1514eb9b}\mpksl7cb86acc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7768c778-3850-4fd4-afc9-447a1514eb9b}\MpKsl7cb86acc.sys [?]
S1 MpKsla93b85ec;MpKsla93b85ec;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7768c778-3850-4fd4-afc9-447a1514eb9b}\mpksla93b85ec.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7768c778-3850-4fd4-afc9-447a1514eb9b}\MpKsla93b85ec.sys [?]
S1 MpKslc202d5b0;MpKslc202d5b0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1536b829-b650-4b00-86d8-c3ba2b7e789f}\mpkslc202d5b0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1536b829-b650-4b00-86d8-c3ba2b7e789f}\MpKslc202d5b0.sys [?]
S1 MpKsldfb179c9;MpKsldfb179c9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fab5b5b0-a690-4a5e-bd8d-a48807b395f3}\mpksldfb179c9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fab5b5b0-a690-4a5e-bd8d-a48807b395f3}\MpKsldfb179c9.sys [?]
S1 MpKslf0040c87;MpKslf0040c87;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e74e441-00e0-4c0f-97f9-7d69ad505b4c}\mpkslf0040c87.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e74e441-00e0-4c0f-97f9-7d69ad505b4c}\MpKslf0040c87.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-26 136176]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\spybot - search & destroy 2\SDHookSvc.exe [2011-11-19 130976]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2010-3-3 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-26 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\50.tmp --> c:\windows\system32\50.tmp [?]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [2011-6-28 51072]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2011-11-22 24416]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-8-8 15656]
.
=============== Created Last 30 ================
.
2011-11-25 19:56:31 518144 ----a-w- c:\windows\SWREG.exe
2011-11-25 19:56:00 -------- d-s---w- C:\ComboFix
2011-11-25 19:31:57 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2011-11-25 19:31:54 51200 ----a-w- c:\windows\system32\dumphive.exe
2011-11-25 19:31:53 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2011-11-25 19:31:48 53248 ----a-w- c:\windows\system32\Process.exe
2011-11-25 08:51:10 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{59e12f0e-799d-44ab-8028-bbae630cd4be}\MpKsl1798c327.sys
2011-11-25 08:51:00 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{59e12f0e-799d-44ab-8028-bbae630cd4be}\offreg.dll
2011-11-25 08:50:45 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{59e12f0e-799d-44ab-8028-bbae630cd4be}\mpengine.dll
2011-11-24 00:54:28 -------- d-----w- c:\windows\RR2IOTZXV0LTZXV0
2011-11-23 07:15:38 -------- d-----w- c:\documents and settings\owner\application data\Panda Security
2011-11-23 07:14:20 -------- d-----w- c:\program files\Toolbar Cleaner
2011-11-23 07:14:10 -------- d-----w- c:\documents and settings\owner\local settings\application data\panda2_0dn
2011-11-23 07:13:57 -------- d-----w- c:\documents and settings\all users\application data\Panda Security URL Filtering
2011-11-23 07:13:29 -------- d-----w- c:\documents and settings\owner\application data\pandasecuritytb
2011-11-23 07:12:10 -------- d-----w- c:\program files\Panda Security
2011-11-23 07:12:10 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2011-11-23 07:11:15 -------- d-----w- C:\temp
2011-11-23 05:06:08 -------- d-----w- C:\WTablet
2011-11-23 04:05:50 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-11-23 04:00:32 39192 ----a-w- c:\windows\system32\Partizan.exe
2011-11-23 04:00:32 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-11-23 03:59:55 2 --shatr- c:\windows\winstart.bat
2011-11-23 03:59:25 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-11-23 03:59:00 -------- d-----w- c:\program files\UnHackMe
2011-11-23 03:49:09 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-22 16:42:20 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-22 16:41:18 41184 ----a-w- c:\windows\avastSS.scr
2011-11-22 16:40:57 -------- d-----w- c:\program files\AVAST Software
2011-11-22 16:40:57 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-11-22 15:40:13 4338 ----a-w- c:\windows\system32\tmp.reg
2011-11-22 01:50:45 -------- d--h--w- C:\VritualRoot
2011-11-21 22:20:40 -------- d--h--w- c:\windows\PIF
2011-11-21 21:31:34 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2011-11-21 21:30:46 -------- d-----w- c:\program files\COMODO
2011-11-21 21:29:41 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
2011-11-20 16:29:56 -------- d-----w- c:\program files\Sophos
2011-11-20 16:16:41 -------- d-----w- C:\ProcAlyzer Dumps
2011-11-20 16:15:45 -------- d-----w- C:\SpybotBootCD
2011-11-20 01:18:21 819 ----a-w- c:\documents and settings\all users\application data\amqnaaa.tmp
2011-11-19 17:33:25 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-11-19 17:33:13 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-11-19 06:49:51 -------- d-----w- c:\windows\system32\NtmsData
2011-11-06 00:11:02 -------- d-----w- c:\documents and settings\owner\local settings\application data\AOL
2011-11-06 00:11:02 -------- d-----w- c:\documents and settings\owner\local settings\application data\AIM
2011-11-06 00:10:55 -------- d-----w- c:\documents and settings\all users\application data\AIM
2011-11-06 00:10:48 -------- d-----w- c:\program files\AIM
2011-11-06 00:10:46 -------- d-----w- c:\program files\common files\Software Update Utility
.
==================== Find3M ====================
.
2011-10-07 23:48:02 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-10-07 23:48:02 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-10-07 23:48:00 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-10-07 23:47:12 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-07 23:47:12 300200 ----a-w- c:\windows\system32\guard32.dll
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 16:39:40.67 ===============
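
Before moving on to the reply, here is how a responder would triage the Pseudo HJT section of a DDS log like the one above. The script is an added example for this page, not part of DDS, ComboFix or anything the posters ran; the sample lines are copied from the log above, and the rule names, severities and the loopback and .tmp heuristics are my own choices. The entry that stands out in this log is `uInternet Settings,ProxyServer = http=127.0.0.1:1044`: Internet Explorer is sending every request through a listener on the local machine, which is exactly what a redirector needs (a local proxy is also how some web-filtering products work, so confirm against the process list before acting). The static NameServer override, the hosts entry pinning www.spywareinfo.com to 127.0.0.1, the orphan toolbar CLSID and the MEMSWEEP2 driver loaded from a .tmp file are lower-confidence leads: the two resolvers are Comodo Secure DNS addresses consistent with the COMODO Firewall installed on 21 November, and MEMSWEEP2 is most likely the Sophos anti-rootkit driver given that c:\program files\Sophos was created on 20 November (an assumption, not something the log states).

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for redirect indicators.

Added example for this thread; not part of DDS, ComboFix or any post above.
SAMPLE is copied from the DDS log in post #1 (a constructed test input here);
the rule names, severities and the loopback/.tmp heuristics are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = r"""
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:1044
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TCP: Interfaces\{447E196F-78FF-4308-B6B6-E6867A76DA08} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D0A550AE-0745-4D5B-9504-55F8216C9509} : NameServer = 8.26.56.26,156.154.70.22
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: network.proxy.type - 0
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-22 442200]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\50.tmp --> c:\windows\system32\50.tmp [?]
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH, MEDIUM or LOW
    rule: str
    line: str


LOOPBACK = ("127.", "localhost", "::1")


def _proxy_hosts(value):
    """Yield the host part of each entry in an IE ProxyServer value.

    Accepts both 'host:port' and 'scheme=host:port;scheme=host:port'.
    """
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        if part:
            yield part.rsplit(":", 1)[0]


def triage(report):
    findings = []
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]

    # Pass 1: what DHCP handed out, so static resolver overrides can be compared.
    dhcp_dns = set()
    for ln in lines:
        m = re.search(r"DhcpNameServer = (.+)$", ln)
        if m:
            dhcp_dns.update(ip.strip() for ip in m.group(1).split(","))

    # Pass 2: the indicators themselves.
    for ln in lines:
        if m := re.search(r"ProxyServer = (.+)$", ln):
            # IE forced through a local listener: everything it loads can be rewritten.
            if any(h.startswith(LOOPBACK) for h in _proxy_hosts(m.group(1))):
                findings.append(Finding("HIGH", "loopback-proxy", ln))
        elif m := re.search(r" : NameServer = (.+)$", ln):
            static = {ip.strip() for ip in m.group(1).split(",")}
            if static - dhcp_dns:
                findings.append(Finding("MEDIUM", "dns-override", ln))
        elif m := re.match(r"Hosts: (\S+) (\S+)", ln):
            # Any name other than localhost pinned in the hosts file.
            if m.group(2).lower() != "localhost":
                findings.append(Finding("MEDIUM", "hosts-override", ln))
        elif ln.endswith("- No File"):
            findings.append(Finding("LOW", "orphan-entry", ln))
        elif re.match(r"[RS]\d ", ln) and (".tmp" in ln.lower() or ln.endswith("[?]")):
            # Service/driver backed by a .tmp file or a path DDS could not stat.
            findings.append(Finding("MEDIUM", "tmp-driver", ln))
    return findings


if __name__ == "__main__":
    order = ("HIGH", "MEDIUM", "LOW")
    for f in sorted(triage(SAMPLE), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity}] {f.rule}: {f.line}")
```

Run on the full log rather than the excerpt and the rules fire the same way; the point of separating the DHCP pass from the indicator pass is that a static resolver is only interesting when it differs from what the router handed out, which is what the OP's log shows.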


#2 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 November 2011 - 11:54 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
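
ComboFix's log in the next reply reports infected copies of winlogon.exe and svchost.exe, restores both from c:\windows\ServicePackFiles\i386, and flags c:\windows\explorer.exe as infected without replacing it. The idea behind that repair, hashing the live binary and comparing it with the service pack's reference copy, is simple enough to do by hand, and the script below does it for those three files. It is an added example for this page, not ComboFix's code and not anything the posters ran; the XP paths are the ones the log names, and build_demo_tree() fabricates a small stand-in tree (constructed sample data) so the script runs anywhere. Two caveats a responder would attach: a kernel rootkit that hooks file reads can hand this check a clean image while the on-disk file is patched, which is consistent with the OP's in-Windows scanners coming up empty while a boot-time scan found a rootkit, so run it from offline boot media against the mounted volume; and ServicePackFiles is only a valid reference for files no later hotfix replaced, so treat a mismatch as a lead to confirm with the file's Authenticode signature and version resource, not as proof of infection.

```python
"""Hash live XP system binaries against the Service Pack reference copies.

Added example for this thread; not ComboFix's code and not from any post.
The %WINDIR% layout is the one the ComboFix log names; build_demo_tree()
fabricates a stand-in tree (constructed sample data) so this runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path

# The three binaries ComboFix reported on in this thread.
CRITICAL = ("winlogon.exe", "svchost.exe", "explorer.exe")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def locate(windir):
    """Map each critical file to (live copy, ServicePackFiles reference).

    explorer.exe lives in %WINDIR% itself, the other two in system32.
    """
    windir = Path(windir)
    ref = windir / "ServicePackFiles" / "i386"
    live_dir = {"winlogon.exe": windir / "system32",
                "svchost.exe": windir / "system32",
                "explorer.exe": windir}
    return {name: (live_dir[name] / name, ref / name) for name in CRITICAL}


def compare(live, reference):
    """'match', 'MISMATCH', 'missing-live' or 'missing-reference'."""
    live, reference = Path(live), Path(reference)
    if not reference.is_file():
        return "missing-reference"
    if not live.is_file():
        return "missing-live"
    return "match" if sha256_file(live) == sha256_file(reference) else "MISMATCH"


def audit(windir):
    return {name: compare(live, ref) for name, (live, ref) in locate(windir).items()}


def build_demo_tree():
    """Constructed sample: a fake %WINDIR% where only explorer.exe was tampered with."""
    root = Path(tempfile.mkdtemp(prefix="xp-demo-"))
    ref = root / "ServicePackFiles" / "i386"
    (root / "system32").mkdir(parents=True)
    ref.mkdir(parents=True)
    clean = {"winlogon.exe": b"MZ winlogon", "svchost.exe": b"MZ svchost",
             "explorer.exe": b"MZ explorer"}
    for name, body in clean.items():
        (ref / name).write_bytes(body)
    (root / "system32" / "winlogon.exe").write_bytes(clean["winlogon.exe"])
    (root / "system32" / "svchost.exe").write_bytes(clean["svchost.exe"])
    # Same length, one byte changed: a size or timestamp check would not see it.
    (root / "explorer.exe").write_bytes(b"MZ explorez")
    return root


if __name__ == "__main__":
    # Against a real volume mounted offline, call e.g. audit(r"E:\WINDOWS").
    for name, status in audit(build_demo_tree()).items():
        print(f"{name:13} {status}")
```

The demo deliberately changes a single byte in explorer.exe so the two copies stay the same size: that is why the comparison hashes content instead of trusting size or timestamps, both of which file-infecting malware preserves.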

#3 spangler321

  • Topic Starter
  • Members
  • 10 posts

Posted 28 November 2011 - 07:52 PM

Hey!

ComboFix ran without a hitch. Unfortunately both Firefox and IE still redirect.


Here is my ComboFix log:

ComboFix 11-11-28.02 - Owner 11/28/2011 16:35:24.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.706 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\amqnaaa.tmp
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\WINDOWS
C:\install.exe
c:\windows\$NtUninstallKB598$
c:\windows\$NtUninstallKB598$\157198212
c:\windows\$NtUninstallKB598$\181078173\@
c:\windows\$NtUninstallKB598$\181078173\bckfg.tmp
c:\windows\$NtUninstallKB598$\181078173\cfg.ini
c:\windows\$NtUninstallKB598$\181078173\Desktop.ini
c:\windows\$NtUninstallKB598$\181078173\keywords
c:\windows\$NtUninstallKB598$\181078173\kwrd.dll
c:\windows\$NtUninstallKB598$\181078173\L\maaamtym
c:\windows\$NtUninstallKB598$\181078173\lsflt7.ver
c:\windows\$NtUninstallKB598$\181078173\U\00000001.@
c:\windows\$NtUninstallKB598$\181078173\U\00000002.@
c:\windows\$NtUninstallKB598$\181078173\U\00000004.@
c:\windows\$NtUninstallKB598$\181078173\U\80000000.@
c:\windows\$NtUninstallKB598$\181078173\U\80000004.@
c:\windows\$NtUninstallKB598$\181078173\U\80000032.@
c:\windows\CSC\d6
c:\windows\expl.dat
c:\windows\system32\CF17094.exe
c:\windows\system32\CF19233.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\svch.dat
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 21:24 . 2011-11-28 23:30 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{59E12F0E-799D-44AB-8028-BBAE630CD4BE}\offreg.dll
2011-11-25 08:50 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{59E12F0E-799D-44AB-8028-BBAE630CD4BE}\mpengine.dll
2011-11-24 00:54 . 2011-11-24 00:54 -------- d-----w- c:\windows\RR2IOTZXV0LTZXV0
2011-11-23 07:15 . 2011-11-23 07:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2011-11-23 07:14 . 2011-11-23 07:14 -------- d-----w- c:\program files\Toolbar Cleaner
2011-11-23 07:14 . 2011-11-23 07:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\panda2_0dn
2011-11-23 07:13 . 2011-11-24 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security URL Filtering
2011-11-23 07:13 . 2011-11-23 07:13 -------- d-----w- c:\documents and settings\Owner\Application Data\pandasecuritytb
2011-11-23 07:12 . 2011-11-23 07:13 -------- d-----w- c:\program files\Panda Security
2011-11-23 07:12 . 2011-11-23 07:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-11-23 07:11 . 2011-11-23 07:11 -------- d-----w- C:\temp
2011-11-23 05:06 . 2011-11-23 05:06 -------- d-----w- C:\WTablet
2011-11-23 04:05 . 2011-11-23 04:05 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-11-23 04:00 . 2011-11-23 04:00 39192 ----a-w- c:\windows\system32\Partizan.exe
2011-11-23 04:00 . 2011-11-23 04:00 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-11-23 03:59 . 2011-11-23 03:59 2 --shatr- c:\windows\winstart.bat
2011-11-23 03:59 . 2011-11-03 17:58 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-11-23 03:59 . 2011-11-23 23:35 -------- d-----w- c:\program files\UnHackMe
2011-11-23 03:49 . 2011-11-23 03:49 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-22 16:42 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-22 16:42 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-22 16:42 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-22 16:42 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-22 16:42 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-22 16:42 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-22 16:42 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-22 16:42 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-22 16:41 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-22 16:41 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-22 16:40 . 2011-11-22 16:40 -------- d-----w- c:\program files\AVAST Software
2011-11-22 16:40 . 2011-11-22 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-22 01:50 . 2011-11-22 01:50 -------- d-----w- C:\VritualRoot
2011-11-21 23:05 . 2011-11-21 23:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-11-21 22:20 . 2011-11-21 22:20 -------- d--h--w- c:\windows\PIF
2011-11-21 21:31 . 2011-11-22 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-11-21 21:30 . 2011-11-21 23:08 -------- d-----w- c:\program files\COMODO
2011-11-21 21:29 . 2011-11-21 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2011-11-20 16:29 . 2011-11-20 16:29 -------- d-----w- c:\program files\Sophos
2011-11-20 16:16 . 2011-11-20 16:16 -------- d-----w- C:\ProcAlyzer Dumps
2011-11-20 16:15 . 2011-11-20 16:15 -------- d-----w- C:\SpybotBootCD
2011-11-19 21:02 . 2011-11-19 21:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-19 17:33 . 2009-01-25 18:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-11-19 17:33 . 2011-11-20 04:03 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-11-19 09:43 . 2011-11-19 09:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-11-19 06:49 . 2011-11-19 06:52 -------- d-----w- c:\windows\system32\NtmsData
2011-11-06 00:11 . 2011-11-06 00:11 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore
2011-11-06 00:11 . 2011-11-06 00:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AIM
2011-11-06 00:11 . 2011-11-06 00:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
2011-11-06 00:10 . 2011-11-06 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2011-11-06 00:10 . 2011-11-23 06:10 -------- d-----w- c:\program files\AIM
2011-11-06 00:10 . 2011-11-06 00:10 -------- d-----w- c:\program files\Common Files\Software Update Utility
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 23:31 . 2005-04-13 16:56 544768 ----a-w- c:\windows\system32\winlogon.exe
2011-11-28 22:16 . 2005-04-13 16:56 39424 ----a-w- c:\windows\system32\svchost.exe
2011-11-22 04:05 . 2009-05-29 22:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2011-11-22 04:05 . 2009-05-29 22:57 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2011-11-22 04:05 . 2009-05-29 22:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2011-10-07 23:48 . 2011-10-07 23:48 97760 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-10-07 23:48 . 2011-10-07 23:48 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-10-07 23:48 . 2011-10-07 23:48 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-10-07 23:48 . 2011-10-07 23:48 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-10-07 23:47 . 2011-10-07 23:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-07 23:47 . 2011-10-07 23:47 300200 ----a-w- c:\windows\system32\guard32.dll
2011-10-07 03:48 . 2010-03-06 15:17 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-31 22:00 . 2010-03-03 19:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 07:58 . 2011-11-19 06:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-11-28 . 599AC936C547DF11B5932CEC4D9F1864 . 544768 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
.
[-] 2011-11-28 . 22DBF4E8DC053A688636FACF1C9A4CDA . 39424 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2010-03-04 . 9491C2135C30B82BB1A6ACF928063A59 . 16896 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . 74E14DFEE6178D6D11BD471410175EF3 . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2004-08-10 . 6B06B770BADD3BA36DA67304FF587CE2 . 1034240 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[-] 2004-08-10 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie8\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2011-06-24 17:37 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-06-24 86696]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-10-24 106496]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"USBestCR"="c:\program files\USIM Editor\iconcs916839438.exe" [2011-06-28 7041024]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2011-10-05 3025304]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-06-29 217256]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-5-28 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-08 14:03 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG311T Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311T Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG311T Smart Wizard.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-01-21 17:03 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-10-14 00:00 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-10-22 01:44 2744832 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 01:30 543232 ----a-w- c:\windows\zHotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 18:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-08-13 00:45 61952 ----a-w- c:\windows\system32\Hdaudpropshortcut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-12-01 18:55 126976 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-12-01 19:00 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-09-23 13:50 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mixersel]
2003-11-11 01:23 369664 ----a-w- c:\program files\Realtek\InstallShield\mixersel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-09-23 13:25 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-25 23:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 03:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 16:09 36864 ----a-w- c:\windows\ShowWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-10-21 22:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 20:31 2144088 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-03-04 17:36 36975 ----a-w- c:\program files\Java\jre1.5.0_02\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tsuhidix]
c:\windows\ijonuxafujahozaz.dll [BU]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim"="c:\program files\AIM\aim.exe" /d locale=en-US
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/22/2011 11:42 AM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/22/2011 11:42 AM 320856]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 6:48 PM 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 6:48 PM 31704]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 67656]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [11/19/2011 12:33 PM 38504]
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [6/28/2011 10:52 AM 65536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/22/2011 11:42 AM 20568]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 10:32 PM 189736]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [7/5/2011 12:12 PM 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456]
R2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [11/19/2011 12:33 PM 130976]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/19/2011 12:33 PM 955816]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [8/8/2010 3:53 PM 4408616]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [8/8/2010 3:54 PM 112936]
S1 MpKsl01f05f3e;MpKsl01f05f3e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9D1E9B9D-E208-4974-B83C-0533F4781FFB}\MpKsl01f05f3e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9D1E9B9D-E208-4974-B83C-0533F4781FFB}\MpKsl01f05f3e.sys [?]
S1 MpKsl24e89010;MpKsl24e89010;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D54B5B-4EEB-4FF1-AABC-CA46FFD710A6}\MpKsl24e89010.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D54B5B-4EEB-4FF1-AABC-CA46FFD710A6}\MpKsl24e89010.sys [?]
S1 MpKsl4540303a;MpKsl4540303a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76F7DB37-5BD8-43D2-B106-E25F6520D684}\MpKsl4540303a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76F7DB37-5BD8-43D2-B106-E25F6520D684}\MpKsl4540303a.sys [?]
S1 MpKsl7cb86acc;MpKsl7cb86acc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsl7cb86acc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsl7cb86acc.sys [?]
S1 MpKsla93b85ec;MpKsla93b85ec;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsla93b85ec.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsla93b85ec.sys [?]
S1 MpKslc202d5b0;MpKslc202d5b0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1536B829-B650-4B00-86D8-C3BA2B7E789F}\MpKslc202d5b0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1536B829-B650-4B00-86D8-C3BA2B7E789F}\MpKslc202d5b0.sys [?]
S1 MpKsldfb179c9;MpKsldfb179c9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FAB5B5B0-A690-4A5E-BD8D-A48807B395F3}\MpKsldfb179c9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FAB5B5B0-A690-4A5E-BD8D-A48807B395F3}\MpKsldfb179c9.sys [?]
S1 MpKslf0040c87;MpKslf0040c87;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4E74E441-00E0-4C0F-97F9-7D69AD505B4C}\MpKslf0040c87.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4E74E441-00E0-4C0F-97F9-7D69AD505B4C}\MpKslf0040c87.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2011 6:49 PM 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [3/3/2010 2:52 PM 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2011 6:49 PM 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\50.tmp --> c:\windows\system32\50.tmp [?]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [6/28/2011 10:52 AM 51072]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [11/22/2011 11:05 PM 24416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 12872]
S3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/19/2011 12:33 PM 892336]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/8/2010 3:53 PM 15656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-25 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2011-11-19 20:46]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 23:49]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 23:49]
.
2011-11-26 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]
.
2011-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-11-25 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2011-11-19 20:46]
.
2011-11-23 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2011-11-19 20:46]
.
2011-11-28 c:\windows\Tasks\User_Feed_Synchronization-{8410A7B8-9EBE-484D-A78B-B16614BC4DCC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:1044
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{D0A550AE-0745-4D5B-9504-55F8216C9509}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{F985F99A-EA74-4FAD-AB95-1DD04CC1D11F}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4687ves.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com/?pr=vmn&id=pandasecuritytb&v=2_0
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-28 18:44
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\50.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,fc,27,0b,2b,32,2d,4f,b3,62,de,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,fc,27,0b,2b,32,2d,4f,b3,62,de,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(996)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'lsass.exe'(1052)
c:\windows\system32\guard32.dll
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'explorer.exe'(4128)
c:\windows\system32\WININET.dll
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
c:\windows\system32\guard32.dll
c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(968)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\windows\system32\WISPTIS.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-11-28 19:02:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-29 00:01
ComboFix2.txt 2010-06-14 15:16
ComboFix3.txt 2010-03-03 21:34
ComboFix4.txt 2010-03-03 19:50
ComboFix5.txt 2011-11-25 19:56
.
Pre-Run: 171,496,660,992 bytes free
Post-Run: 172,083,032,064 bytes free
.
- - End Of File - - 956BE4F9EBD099660370EAE946773B70
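Two of the determinations in the ComboFix log above can be reproduced mechanically: the Sigcheck block lists each live system binary next to the copies kept in ServicePackFiles, and the Supplementary Scan shows Internet Explorer's ProxyServer pointed at a port on the local machine, which is how browser traffic gets silently routed through something else on the box. The Python script below is an added example, not part of this thread or of ComboFix; it assumes ComboFix's `[7]` marker means the file passed its signature check and `[-]` means it did not, and it uses an excerpt of the log above as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the Sigcheck block and one line of the
# Supplementary Scan from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-11-28 . 599AC936C547DF11B5932CEC4D9F1864 . 544768 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
.
[-] 2011-11-28 . 22DBF4E8DC053A688636FACF1C9A4CDA . 39424 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2010-03-04 . 9491C2135C30B82BB1A6ACF928063A59 . 16896 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . 74E14DFEE6178D6D11BD471410175EF3 . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2004-08-10 . 6B06B770BADD3BA36DA67304FF587CE2 . 1034240 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[-] 2004-08-10 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie8\iexplore.exe
.
------- Supplementary Scan -------
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:1044
"""

# One Sigcheck entry: [status] date . MD5 . size . . [file version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")


def parse_sigcheck(text):
    """Return a list of dicts, one per Sigcheck entry, in the order they appear."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["name"] = entry["path"].rsplit("\\", 1)[-1].lower()
            entries.append(entry)
    return entries


def find_modified(entries):
    """Flag unsigned copies whose MD5 or size differs from a signed copy of the same version.

    A different version string is not evidence of tampering (the $NtServicePackUninstall$
    copies are older builds), so entries are only compared against a signed copy of
    exactly the same version, which is what the [7] ServicePackFiles lines provide.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for group in by_name.values():
        # Assumption (see lead-in): [7] = passed ComboFix's signature check.
        refs = {e["version"]: e for e in group if e["status"] == "7"}
        for e in group:
            if e["status"] == "7":
                continue
            ref = refs.get(e["version"])
            if ref is None:
                continue  # nothing signed of this exact version to compare against
            if e["md5"].upper() != ref["md5"].upper() or e["size"] != ref["size"]:
                findings.append({
                    "path": e["path"],
                    "version": e["version"],
                    "size_delta": e["size"] - ref["size"],
                    "reference": ref["path"],
                })
    return findings


def loopback_proxy(text):
    """Return the ProxyServer value if IE is configured to proxy through this machine, else None."""
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m and re.search(r"(127\.0\.0\.1|localhost)", m.group("proxy")):
            return m.group("proxy")
    return None


if __name__ == "__main__":
    for f in find_modified(parse_sigcheck(SAMPLE_LOG)):
        print(f"MODIFIED {f['path']} ({f['version']}): {f['size_delta']:+d} bytes vs {f['reference']}")
    proxy = loopback_proxy(SAMPLE_LOG)
    if proxy:
        print(f"IE proxies through the local machine: {proxy}")
```

On the sample it flags exactly the three binaries ComboFix reported as infected (winlogon.exe, svchost.exe, explorer.exe), each larger than its signed twin, and reports the 127.0.0.1:1044 proxy.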

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location: Puerto Rico
  • Local time:08:36 PM

Posted 28 November 2011 - 07:55 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
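The post above asks for a TDSSKiller log, and the reply that follows contains one: several hundred "name (md5) path" lines, a verdict line per driver, MBR/boot-sector hashes, and a tail that records what the user chose for each detection. Reading that by eye is slow, so here is an added example (written for this page, not Kaspersky's code and not from the thread) that parses a TDSSKiller 2.6-style log and reduces it to the three things worth checking: which detections are only the generic UnsignedFile.Multi.Generic heuristic (the driver merely lacks a signature), which carry a named verdict, and which were left untreated because the user chose Skip. The line formats the regexes expect are assumed from the log posted in this thread; the triage rule at the end is the editor's, not the tool's. The sample lines are constructed in that shape, with values borrowed from the log below.

```python
"""Parse a TDSSKiller (2.6.x-style) log and summarise the detections.

Added example for this page; it is not part of TDSSKiller. The line
shapes below are assumed from the log posted in the thread.
"""
import re

GENERIC_UNSIGNED = "UnsignedFile.Multi.Generic"

# "<time> <pid> <name> (<md5>) <path>"  -- one line per scanned driver/file
FILE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$"
)
# "<time> <pid> MBR (0x1B8) (<md5>) \Device\HarddiskN\DRn"  (also "Boot (0x1200) ... \PartitionN")
SECTOR_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<kind>MBR|Boot)\s+\((?P<size>0x[0-9A-Fa-f]+)\)\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<device>\\Device\\\S+)$"
)
# "<time> <pid> <name> [( Detection )] - ok|warning|detected X (n)|skipped by user|User select action: X"
VERDICT_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<name>\S+)(?:\s+\(\s*(?P<det>[^)]+?)\s*\))?\s+-\s+(?P<rest>.+)$"
)

# Constructed sample in the shape of the thread's log (values borrowed from it).
SAMPLE_LOG = r"""
20:16:03.0832 5072 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
20:16:03.0847 5072 AegisP ( UnsignedFile.Multi.Generic ) - warning
20:16:03.0847 5072 AegisP - detected UnsignedFile.Multi.Generic (1)
20:16:04.0238 5072 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
20:16:04.0347 5072 AFD - ok
20:17:20.0316 5072 SDHookDriver (47dd7bb6b72a5f49e01f53597bcaeac7) C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
20:17:20.0347 5072 SDHookDriver - ok
20:17:41.0191 5072 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0
20:17:41.0316 5072 \Device\Harddisk0\DR0 - ok
20:17:41.0566 5972 Detected object count: 1
20:17:57.0285 5972 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0285 5972 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""


def _entry(entries, name):
    return entries.setdefault(
        name, {"md5": None, "path": None, "status": None, "detection": None, "action": None}
    )


def parse_tdsskiller(text):
    """Return {name: record}. Sector entries are keyed by their \\Device\\... name."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTOR_RE.match(line)
        if m:  # check first: the MBR line also contains a 32-hex hash in parentheses
            rec = _entry(entries, m["device"])
            rec["md5"], rec["path"] = m["md5"], f'{m["kind"]} sector ({m["size"]})'
            continue
        m = FILE_RE.match(line)
        if m:  # before VERDICT_RE, because a path may itself contain " - "
            rec = _entry(entries, m["name"])
            rec["md5"], rec["path"] = m["md5"], m["path"]
            continue
        m = VERDICT_RE.match(line)
        if not m:
            continue  # banner, SystemInfo, counts, separators
        rec, rest = _entry(entries, m["name"]), m["rest"]
        if rest == "ok":
            rec["status"] = "ok"
        elif rest == "warning":
            rec["status"], rec["detection"] = "warning", m["det"]
        elif rest.startswith("detected "):
            rec["status"], rec["detection"] = "detected", rest.split()[1]
        elif rest.startswith("User select action:"):
            rec["action"] = rest.split(":", 1)[1].strip()
        # "skipped by user" adds nothing beyond the action line that follows it
    return entries


def summarize(entries):
    """Editor's triage: generic unsigned-file hits vs named verdicts vs untreated."""
    hits = {n: e for n, e in entries.items() if e["detection"]}
    return {
        "scanned": len(entries),
        "generic_unsigned": sorted(n for n, e in hits.items() if e["detection"] == GENERIC_UNSIGNED),
        "named_detections": sorted(n for n, e in hits.items() if e["detection"] != GENERIC_UNSIGNED),
        "untreated": sorted(n for n, e in hits.items() if e["action"] not in ("Cure", "Delete", "Quarantine")),
        # keep sector hashes so two runs can be diffed: a changed MBR hash means something rewrote it
        "sectors": {n: e["md5"] for n, e in entries.items() if n.startswith("\\Device\\")},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_tdsskiller(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real log with `parse_tdsskiller(open(path).read())`. On the log in this thread every one of the seven detections is the generic unsigned-file warning and all of them were skipped, so the summary would list seven names under both generic_unsigned and untreated and nothing under named_detections; that is the pattern of a clean TDSSKiller run with older third-party drivers, not of a TDSS infection, which is consistent with the tool's default action of Skip for those entries.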

#5 spangler321 (Topic Starter)

Posted 28 November 2011 - 08:22 PM

Hey Gringo!

Ran TDSSKiller; here is the log.


20:15:41.0316 4924 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
20:15:41.0347 4924 ============================================================
20:15:41.0347 4924 Current date / time: 2011/11/28 20:15:41.0347
20:15:41.0347 4924 SystemInfo:
20:15:41.0347 4924
20:15:41.0347 4924 OS Version: 5.1.2600 ServicePack: 3.0
20:15:41.0347 4924 Product type: Workstation
20:15:41.0347 4924 ComputerName: YOUR-F4CBC988CB
20:15:41.0347 4924 UserName: Owner
20:15:41.0347 4924 Windows directory: C:\WINDOWS
20:15:41.0347 4924 System windows directory: C:\WINDOWS
20:15:41.0347 4924 Processor architecture: Intel x86
20:15:41.0347 4924 Number of processors: 2
20:15:41.0347 4924 Page size: 0x1000
20:15:41.0347 4924 Boot type: Normal boot
20:15:41.0347 4924 ============================================================
20:15:42.0535 4924 Initialize success
20:15:59.0285 5072 ============================================================
20:15:59.0285 5072 Scan started
20:15:59.0285 5072 Mode: Manual; SigCheck; TDLFS;
20:15:59.0285 5072 ============================================================
20:15:59.0847 5072 Aavmker4 (95d1de2a6613494e853a9738d5d9acd4) C:\WINDOWS\system32\drivers\Aavmker4.sys
20:16:00.0004 5072 Aavmker4 - ok
20:16:00.0238 5072 Abiosdsk - ok
20:16:00.0488 5072 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:16:00.0722 5072 abp480n5 - ok
20:16:01.0129 5072 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:16:01.0332 5072 ACPI - ok
20:16:01.0597 5072 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:16:01.0738 5072 ACPIEC - ok
20:16:02.0066 5072 ADM8511 (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
20:16:02.0222 5072 ADM8511 - ok
20:16:02.0504 5072 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:16:02.0707 5072 adpu160m - ok
20:16:03.0238 5072 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:16:03.0472 5072 aec - ok
20:16:03.0832 5072 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
20:16:03.0847 5072 AegisP ( UnsignedFile.Multi.Generic ) - warning
20:16:03.0847 5072 AegisP - detected UnsignedFile.Multi.Generic (1)
20:16:04.0238 5072 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
20:16:04.0347 5072 AFD - ok
20:16:04.0644 5072 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:16:04.0801 5072 agp440 - ok
20:16:05.0082 5072 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:16:05.0238 5072 agpCPQ - ok
20:16:05.0472 5072 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:16:05.0551 5072 Aha154x - ok
20:16:05.0801 5072 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:16:05.0972 5072 aic78u2 - ok
20:16:06.0238 5072 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:16:06.0379 5072 aic78xx - ok
20:16:06.0613 5072 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
20:16:06.0754 5072 AliIde - ok
20:16:07.0035 5072 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:16:07.0176 5072 alim1541 - ok
20:16:07.0472 5072 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:16:07.0629 5072 amdagp - ok
20:16:07.0941 5072 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
20:16:08.0082 5072 amsint - ok
20:16:08.0504 5072 AR5211 (89b9416fe6f65e7c113f94b2a13cf397) C:\WINDOWS\system32\DRIVERS\WG311T13.sys
20:16:08.0738 5072 AR5211 ( UnsignedFile.Multi.Generic ) - warning
20:16:08.0738 5072 AR5211 - detected UnsignedFile.Multi.Generic (1)
20:16:09.0035 5072 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:16:09.0191 5072 Arp1394 - ok
20:16:09.0441 5072 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
20:16:09.0582 5072 asc - ok
20:16:09.0816 5072 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:16:09.0910 5072 asc3350p - ok
20:16:10.0160 5072 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:16:10.0301 5072 asc3550 - ok
20:16:10.0582 5072 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
20:16:10.0582 5072 ASCTRM ( UnsignedFile.Multi.Generic ) - warning
20:16:10.0582 5072 ASCTRM - detected UnsignedFile.Multi.Generic (1)
20:16:10.0941 5072 aswFsBlk (c47623ffd181a1e7d63574dde2a0a711) C:\WINDOWS\system32\drivers\aswFsBlk.sys
20:16:10.0972 5072 aswFsBlk - ok
20:16:11.0254 5072 aswMon2 (fff2dbb17a3c89f87f78d5fa72ca47fd) C:\WINDOWS\system32\drivers\aswMon2.sys
20:16:11.0301 5072 aswMon2 - ok
20:16:11.0551 5072 aswRdr (36239e24470a3dd81fae37510953cc6c) C:\WINDOWS\system32\drivers\aswRdr.sys
20:16:11.0582 5072 aswRdr - ok
20:16:11.0941 5072 aswSnx (caa846e9c83836bdc3d2d700c678db65) C:\WINDOWS\system32\drivers\aswSnx.sys
20:16:12.0176 5072 aswSnx - ok
20:16:12.0504 5072 aswSP (748ae7f2d7da33adb063fe05704a9969) C:\WINDOWS\system32\drivers\aswSP.sys
20:16:12.0629 5072 aswSP - ok
20:16:12.0879 5072 aswTdi (ca9925ce1dbd07ffe1eb357752cf5577) C:\WINDOWS\system32\drivers\aswTdi.sys
20:16:12.0910 5072 aswTdi - ok
20:16:13.0176 5072 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:16:13.0347 5072 AsyncMac - ok
20:16:13.0722 5072 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:16:13.0863 5072 atapi - ok
20:16:14.0097 5072 Atdisk - ok
20:16:14.0379 5072 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:16:14.0535 5072 Atmarpc - ok
20:16:14.0832 5072 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:16:14.0972 5072 audstub - ok
20:16:15.0238 5072 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:16:15.0363 5072 Beep - ok
20:16:15.0582 5072 catchme - ok
20:16:15.0926 5072 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:16:16.0097 5072 cbidf - ok
20:16:16.0394 5072 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:16:16.0519 5072 cbidf2k - ok
20:16:16.0754 5072 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:16:16.0832 5072 cd20xrnt - ok
20:16:17.0176 5072 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:16:17.0316 5072 Cdaudio - ok
20:16:17.0644 5072 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:16:17.0801 5072 Cdfs - ok
20:16:18.0160 5072 Cdr4_xp (2552670e5fbcfdb540eeb426af39704d) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
20:16:18.0191 5072 Cdr4_xp ( UnsignedFile.Multi.Generic ) - warning
20:16:18.0191 5072 Cdr4_xp - detected UnsignedFile.Multi.Generic (1)
20:16:18.0488 5072 Cdralw2k (b761b10d6a541be69ea448a8429d30b0) C:\WINDOWS\system32\drivers\Cdralw2k.sys
20:16:18.0504 5072 Cdralw2k ( UnsignedFile.Multi.Generic ) - warning
20:16:18.0504 5072 Cdralw2k - detected UnsignedFile.Multi.Generic (1)
20:16:18.0738 5072 Changer - ok
20:16:19.0176 5072 cmdGuard (be1e51b694cadc4043e428a914ee544e) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
20:16:19.0457 5072 cmdGuard - ok
20:16:19.0691 5072 cmdHlp (f0a78783a95b788856eec1c36d0a1e59) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
20:16:19.0707 5072 cmdHlp - ok
20:16:19.0941 5072 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:16:20.0066 5072 CmdIde - ok
20:16:20.0301 5072 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:16:20.0441 5072 Cpqarray - ok
20:16:20.0722 5072 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:16:20.0926 5072 dac2w2k - ok
20:16:21.0160 5072 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:16:21.0316 5072 dac960nt - ok
20:16:21.0566 5072 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:16:21.0707 5072 Disk - ok
20:16:22.0222 5072 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:16:22.0769 5072 dmboot - ok
20:16:23.0066 5072 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:16:23.0238 5072 dmio - ok
20:16:23.0488 5072 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:16:23.0644 5072 dmload - ok
20:16:23.0910 5072 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:16:24.0051 5072 DMusic - ok
20:16:24.0347 5072 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:16:24.0504 5072 dpti2o - ok
20:16:24.0785 5072 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:16:24.0910 5072 drmkaud - ok
20:16:25.0269 5072 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
20:16:25.0347 5072 E100B - ok
20:16:25.0754 5072 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:16:25.0941 5072 Fastfat - ok
20:16:26.0238 5072 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:16:26.0379 5072 Fdc - ok
20:16:26.0738 5072 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:16:26.0894 5072 Fips - ok
20:16:27.0191 5072 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:16:27.0347 5072 Flpydisk - ok
20:16:27.0691 5072 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:16:27.0863 5072 FltMgr - ok
20:16:28.0176 5072 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:16:28.0316 5072 Fs_Rec - ok
20:16:28.0613 5072 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:16:28.0801 5072 Ftdisk - ok
20:16:29.0097 5072 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
20:16:29.0129 5072 GEARAspiWDM - ok
20:16:29.0410 5072 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:16:29.0551 5072 Gpc - ok
20:16:29.0847 5072 HdAudAddService (9131ede087af04a7d80f7ebadc164254) C:\WINDOWS\system32\drivers\HdAudio.sys
20:16:29.0926 5072 HdAudAddService - ok
20:16:30.0238 5072 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:16:30.0410 5072 HDAudBus - ok
20:16:30.0785 5072 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:16:30.0926 5072 HidUsb - ok
20:16:31.0238 5072 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
20:16:31.0363 5072 hpn - ok
20:16:31.0644 5072 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
20:16:31.0738 5072 HPZid412 - ok
20:16:32.0082 5072 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
20:16:32.0144 5072 HPZipr12 - ok
20:16:32.0457 5072 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
20:16:32.0551 5072 HPZius12 - ok
20:16:32.0941 5072 HSFHWBS2 (33dfc0afa95f9a2c753ff2adb7d4a21f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
20:16:33.0082 5072 HSFHWBS2 - ok
20:16:33.0754 5072 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
20:16:34.0379 5072 HSF_DP - ok
20:16:34.0785 5072 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:16:34.0941 5072 HTTP - ok
20:16:35.0222 5072 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:16:35.0363 5072 i2omgmt - ok
20:16:35.0597 5072 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:16:35.0738 5072 i2omp - ok
20:16:35.0988 5072 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:16:36.0144 5072 i8042prt - ok
20:16:36.0660 5072 ialm (7c7560001937dd47fe933de2181227f2) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
20:16:37.0082 5072 ialm - ok
20:16:37.0441 5072 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:16:37.0582 5072 Imapi - ok
20:16:37.0879 5072 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:16:38.0035 5072 ini910u - ok
20:16:38.0332 5072 Inspect (d22ac37cbe6cf295416ef84245b804a8) C:\WINDOWS\system32\DRIVERS\inspect.sys
20:16:38.0379 5072 Inspect - ok
20:16:39.0488 5072 IntcAzAudAddService (1ed9ac45c69e650d4f12d1114132622b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:16:40.0926 5072 IntcAzAudAddService - ok
20:16:41.0285 5072 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:16:41.0410 5072 IntelIde - ok
20:16:41.0691 5072 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:16:41.0832 5072 intelppm - ok
20:16:42.0113 5072 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:16:42.0254 5072 Ip6Fw - ok
20:16:42.0535 5072 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:16:42.0691 5072 IpFilterDriver - ok
20:16:42.0957 5072 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:16:43.0082 5072 IpInIp - ok
20:16:43.0441 5072 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:16:43.0613 5072 IpNat - ok
20:16:43.0879 5072 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:16:44.0051 5072 IPSec - ok
20:16:44.0301 5072 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:16:44.0426 5072 IRENUM - ok
20:16:44.0676 5072 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:16:44.0816 5072 isapnp - ok
20:16:45.0082 5072 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:16:45.0207 5072 Kbdclass - ok
20:16:45.0457 5072 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:16:45.0582 5072 kbdhid - ok
20:16:45.0863 5072 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:16:46.0004 5072 kmixer - ok
20:16:46.0285 5072 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:16:46.0363 5072 KSecDD - ok
20:16:46.0613 5072 lbrtfdc - ok
20:16:46.0879 5072 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:16:46.0941 5072 mdmxsdk - ok
20:16:47.0176 5072 MEMSWEEP2 - ok
20:16:47.0457 5072 MHIKEY10 (8143e6203e5765ed9f7e6dae57cec8d3) C:\WINDOWS\system32\Drivers\MHIKEY10.sys
20:16:47.0504 5072 MHIKEY10 - ok
20:16:47.0738 5072 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:16:47.0769 5072 MHNDRV ( UnsignedFile.Multi.Generic ) - warning
20:16:47.0769 5072 MHNDRV - detected UnsignedFile.Multi.Generic (1)
20:16:48.0019 5072 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:16:48.0129 5072 mnmdd - ok
20:16:48.0394 5072 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:16:48.0519 5072 Modem - ok
20:16:48.0785 5072 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:16:48.0941 5072 Mouclass - ok
20:16:49.0191 5072 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:16:49.0332 5072 mouhid - ok
20:16:49.0597 5072 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:16:49.0738 5072 MountMgr - ok
20:16:50.0035 5072 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
20:16:50.0113 5072 MpFilter - ok
20:16:50.0176 5072 MpKsl01f05f3e - ok
20:16:50.0207 5072 MpKsl24e89010 - ok
20:16:50.0238 5072 MpKsl4540303a - ok
20:16:50.0254 5072 MpKsl7cb86acc - ok
20:16:50.0285 5072 MpKsla93b85ec - ok
20:16:50.0301 5072 MpKslc202d5b0 - ok
20:16:50.0332 5072 MpKsldfb179c9 - ok
20:16:50.0363 5072 MpKslf0040c87 - ok
20:16:50.0676 5072 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:16:50.0816 5072 mraid35x - ok
20:16:51.0160 5072 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:16:51.0347 5072 MRxDAV - ok
20:16:51.0738 5072 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:16:51.0988 5072 MRxSmb - ok
20:16:52.0347 5072 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:16:52.0472 5072 Msfs - ok
20:16:52.0738 5072 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:16:52.0879 5072 MSKSSRV - ok
20:16:53.0144 5072 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:16:53.0301 5072 MSPCLOCK - ok
20:16:53.0535 5072 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:16:53.0676 5072 MSPQM - ok
20:16:53.0957 5072 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:16:54.0082 5072 mssmbios - ok
20:16:54.0363 5072 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
20:16:54.0519 5072 Mup - ok
20:16:54.0754 5072 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
20:16:54.0894 5072 mxnic - ok
20:16:55.0222 5072 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:16:55.0410 5072 NDIS - ok
20:16:55.0722 5072 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:16:55.0879 5072 NdisTapi - ok
20:16:56.0160 5072 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:16:56.0301 5072 Ndisuio - ok
20:16:56.0566 5072 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:16:56.0722 5072 NdisWan - ok
20:16:56.0988 5072 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
20:16:57.0129 5072 NDProxy - ok
20:16:57.0379 5072 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:16:57.0519 5072 NetBIOS - ok
20:16:57.0785 5072 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:16:57.0972 5072 NetBT - ok
20:16:58.0254 5072 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:16:58.0410 5072 NIC1394 - ok
20:16:58.0738 5072 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:16:58.0879 5072 Npfs - ok
20:16:59.0394 5072 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:16:59.0801 5072 Ntfs - ok
20:16:59.0894 5072 NTIDrvr - ok
20:17:00.0285 5072 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:17:00.0426 5072 Null - ok
20:17:01.0316 5072 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:17:02.0488 5072 nv - ok
20:17:02.0910 5072 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:17:03.0066 5072 NwlnkFlt - ok
20:17:03.0285 5072 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:17:03.0441 5072 NwlnkFwd - ok
20:17:03.0722 5072 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
20:17:03.0879 5072 NwlnkIpx - ok
20:17:04.0191 5072 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
20:17:04.0363 5072 NwlnkNb - ok
20:17:04.0613 5072 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
20:17:04.0754 5072 NwlnkSpx - ok
20:17:05.0066 5072 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
20:17:05.0238 5072 NWRDR - ok
20:17:05.0488 5072 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:17:05.0644 5072 ohci1394 - ok
20:17:05.0894 5072 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
20:17:06.0051 5072 P3 - ok
20:17:06.0316 5072 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:17:06.0472 5072 Parport - ok
20:17:06.0738 5072 Partizan (6ddcf3f801ec15fe698f6a215cf30a1f) C:\WINDOWS\system32\drivers\Partizan.sys
20:17:06.0754 5072 Partizan - ok
20:17:07.0004 5072 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:17:07.0129 5072 PartMgr - ok
20:17:07.0379 5072 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:17:07.0504 5072 ParVdm - ok
20:17:07.0785 5072 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:17:07.0957 5072 PCI - ok
20:17:08.0191 5072 PCIDump - ok
20:17:08.0441 5072 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:17:08.0566 5072 PCIIde - ok
20:17:08.0847 5072 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:17:09.0035 5072 Pcmcia - ok
20:17:09.0269 5072 PDCOMP - ok
20:17:09.0488 5072 PDFRAME - ok
20:17:09.0707 5072 PDRELI - ok
20:17:09.0926 5072 PDRFRAME - ok
20:17:10.0207 5072 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
20:17:10.0347 5072 perc2 - ok
20:17:10.0566 5072 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:17:10.0707 5072 perc2hib - ok
20:17:11.0004 5072 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:17:11.0144 5072 PptpMiniport - ok
20:17:11.0394 5072 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:17:11.0535 5072 PSched - ok
20:17:11.0832 5072 PSINAflt (1a8e10025be59e7f0a2981a52c483fcd) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys
20:17:11.0894 5072 PSINAflt - ok
20:17:12.0176 5072 PSINFile (5bab5fb4cb1963f643a1a8b4d816cf8f) C:\WINDOWS\system32\DRIVERS\PSINFile.sys
20:17:12.0222 5072 PSINFile - ok
20:17:12.0488 5072 PSINKNC (0518f472a69249e18612e29278bd58ec) C:\WINDOWS\system32\DRIVERS\psinknc.sys
20:17:12.0551 5072 PSINKNC - ok
20:17:12.0801 5072 PSINProc (87b2fe6d7b427947541360f48c302054) C:\WINDOWS\system32\DRIVERS\PSINProc.sys
20:17:12.0847 5072 PSINProc - ok
20:17:13.0129 5072 PSINProt (f4804beb5ff6741019b56a02ead4d3b7) C:\WINDOWS\system32\DRIVERS\PSINProt.sys
20:17:13.0176 5072 PSINProt - ok
20:17:13.0426 5072 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:17:13.0566 5072 Ptilink - ok
20:17:13.0801 5072 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:17:13.0832 5072 PxHelp20 - ok
20:17:14.0082 5072 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:17:14.0222 5072 ql1080 - ok
20:17:14.0504 5072 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:17:14.0644 5072 Ql10wnt - ok
20:17:14.0879 5072 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:17:15.0051 5072 ql12160 - ok
20:17:15.0285 5072 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:17:15.0426 5072 ql1240 - ok
20:17:15.0660 5072 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:17:15.0801 5072 ql1280 - ok
20:17:16.0051 5072 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:17:16.0176 5072 RasAcd - ok
20:17:16.0441 5072 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:17:16.0582 5072 Rasl2tp - ok
20:17:16.0816 5072 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:17:16.0957 5072 RasPppoe - ok
20:17:17.0222 5072 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:17:17.0363 5072 Raspti - ok
20:17:17.0660 5072 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:17:17.0847 5072 Rdbss - ok
20:17:18.0097 5072 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:17:18.0207 5072 RDPCDD - ok
20:17:18.0519 5072 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:17:18.0707 5072 rdpdr - ok
20:17:19.0004 5072 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
20:17:19.0191 5072 RDPWD - ok
20:17:19.0457 5072 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:17:19.0629 5072 redbook - ok
20:17:19.0894 5072 RegGuard (37ecebdd930395a9c399fb18a3c236d3) C:\WINDOWS\system32\Drivers\regguard.sys
20:17:19.0910 5072 RegGuard - ok
20:17:20.0035 5072 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:17:20.0051 5072 SASDIFSV - ok
20:17:20.0097 5072 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
20:17:20.0113 5072 SASENUM - ok
20:17:20.0191 5072 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
20:17:20.0222 5072 SASKUTIL - ok
20:17:20.0316 5072 SDHookDriver (47dd7bb6b72a5f49e01f53597bcaeac7) C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
20:17:20.0347 5072 SDHookDriver - ok
20:17:20.0691 5072 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:17:20.0863 5072 Secdrv - ok
20:17:21.0191 5072 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:17:21.0332 5072 Serenum - ok
20:17:21.0629 5072 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:17:21.0785 5072 Serial - ok
20:17:22.0082 5072 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:17:22.0222 5072 Sfloppy - ok
20:17:22.0441 5072 Simbad - ok
20:17:22.0707 5072 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:17:22.0847 5072 sisagp - ok
20:17:23.0222 5072 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
20:17:23.0379 5072 SONYPVU1 - ok
20:17:23.0691 5072 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:17:23.0769 5072 Sparrow - ok
20:17:24.0066 5072 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:17:24.0207 5072 splitter - ok
20:17:24.0472 5072 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:17:24.0644 5072 sr - ok
20:17:25.0035 5072 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
20:17:25.0269 5072 Srv - ok
20:17:25.0629 5072 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys
20:17:25.0644 5072 SunkFilt ( UnsignedFile.Multi.Generic ) - warning
20:17:25.0644 5072 SunkFilt - detected UnsignedFile.Multi.Generic (1)
20:17:25.0941 5072 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:17:26.0066 5072 swenum - ok
20:17:26.0363 5072 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:17:26.0504 5072 swmidi - ok
20:17:26.0832 5072 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
20:17:26.0988 5072 symc810 - ok
20:17:27.0238 5072 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
20:17:27.0379 5072 symc8xx - ok
20:17:27.0613 5072 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
20:17:27.0754 5072 sym_hi - ok
20:17:27.0988 5072 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
20:17:28.0113 5072 sym_u3 - ok
20:17:28.0379 5072 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:17:28.0519 5072 sysaudio - ok
20:17:28.0879 5072 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:17:29.0160 5072 Tcpip - ok
20:17:29.0504 5072 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:17:29.0660 5072 TDPIPE - ok
20:17:29.0910 5072 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:17:30.0066 5072 TDTCP - ok
20:17:30.0332 5072 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:17:30.0457 5072 TermDD - ok
20:17:30.0707 5072 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
20:17:30.0832 5072 TosIde - ok
20:17:31.0144 5072 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:17:31.0301 5072 Udfs - ok
20:17:31.0551 5072 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
20:17:31.0629 5072 ultra - ok
20:17:32.0004 5072 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:17:32.0347 5072 Update - ok
20:17:32.0691 5072 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:17:32.0832 5072 usbccgp - ok
20:17:33.0176 5072 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:17:33.0332 5072 usbehci - ok
20:17:33.0660 5072 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:17:33.0801 5072 usbhub - ok
20:17:34.0176 5072 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:17:34.0301 5072 usbprint - ok
20:17:34.0644 5072 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:17:34.0785 5072 usbscan - ok
20:17:35.0066 5072 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:17:35.0191 5072 USBSTOR - ok
20:17:35.0519 5072 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:17:35.0660 5072 usbuhci - ok
20:17:35.0972 5072 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:17:36.0113 5072 VgaSave - ok
20:17:36.0441 5072 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:17:36.0566 5072 viaagp - ok
20:17:36.0801 5072 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:17:36.0957 5072 ViaIde - ok
20:17:37.0285 5072 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:17:37.0426 5072 VolSnap - ok
20:17:37.0769 5072 wacmoumonitor (826a053968d0faf39afd8aecff580cb6) C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys
20:17:37.0785 5072 wacmoumonitor - ok
20:17:38.0160 5072 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
20:17:38.0176 5072 wacommousefilter - ok
20:17:38.0488 5072 wacomvhid (51d580f30d1a1f2ea4965af6abc2bcb2) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
20:17:38.0504 5072 wacomvhid - ok
20:17:38.0769 5072 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
20:17:38.0801 5072 WacomVKHid - ok
20:17:39.0097 5072 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:17:39.0238 5072 Wanarp - ok
20:17:39.0472 5072 wanatw - ok
20:17:39.0738 5072 WDICA - ok
20:17:40.0035 5072 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:17:40.0191 5072 wdmaud - ok
20:17:40.0644 5072 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
20:17:41.0097 5072 winachsf - ok
20:17:41.0191 5072 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0
20:17:41.0316 5072 \Device\Harddisk0\DR0 - ok
20:17:41.0316 5072 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk5\DR13
20:17:41.0426 5072 \Device\Harddisk5\DR13 - ok
20:17:41.0457 5072 Boot (0x1200) (d0746ffa723d6de1d6e9eebcbe516f6a) \Device\Harddisk0\DR0\Partition0
20:17:41.0457 5072 \Device\Harddisk0\DR0\Partition0 - ok
20:17:41.0457 5072 Boot (0x1200) (0ed1d843d9828bf4cb843cab4e22e2b8) \Device\Harddisk0\DR0\Partition1
20:17:41.0457 5072 \Device\Harddisk0\DR0\Partition1 - ok
20:17:41.0457 5072 Boot (0x1200) (e69a820f0feb47058a56bea464259bda) \Device\Harddisk5\DR13\Partition0
20:17:41.0457 5072 \Device\Harddisk5\DR13\Partition0 - ok
20:17:41.0457 5072 ============================================================
20:17:41.0457 5072 Scan finished
20:17:41.0457 5072 ============================================================
20:17:41.0566 5972 Detected object count: 7
20:17:41.0582 5972 Actual detected object count: 7
20:17:57.0285 5972 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0285 5972 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:17:57.0285 5972 AR5211 ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0301 5972 AR5211 ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:17:57.0301 5972 ASCTRM ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0301 5972 ASCTRM ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:17:57.0301 5972 Cdr4_xp ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0301 5972 Cdr4_xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:17:57.0301 5972 Cdralw2k ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0301 5972 Cdralw2k ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:17:57.0301 5972 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0301 5972 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:17:57.0301 5972 SunkFilt ( UnsignedFile.Multi.Generic ) - skipped by user
20:17:57.0301 5972 SunkFilt ( UnsignedFile.Multi.Generic ) - User select action: Skip


thank you!

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:36 PM

Posted 28 November 2011 - 08:43 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 spangler321

spangler321
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:36 PM

Posted 28 November 2011 - 11:06 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-28 21:13:30
-----------------------------
21:13:30.238 OS Version: Windows 5.1.2600 Service Pack 3
21:13:30.238 Number of processors: 2 586 0x403
21:13:30.238 ComputerName: YOUR-F4CBC988CB UserName: Owner
21:13:32.910 Initialize success
21:13:34.035 AVAST engine defs: 11112501
21:13:44.363 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
21:13:44.363 Disk 0 Vendor: ST3250823AS 3.03 Size: 238475MB BusType: 3
21:13:44.379 Disk 0 MBR read successfully
21:13:44.379 Disk 0 MBR scan
21:13:45.551 Disk 0 unknown MBR code
21:13:45.582 Disk 0 scanning sectors +488376000
21:13:47.285 Disk 0 scanning C:\WINDOWS\system32\drivers
21:14:26.926 Service scanning
21:14:31.801 Modules scanning
21:14:44.754 Disk 0 trace - called modules:
21:14:44.785 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
21:14:44.785 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5a7ab8]
21:14:44.785 3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-19[0x8a5d6b00]
21:14:47.894 AVAST engine scan C:\WINDOWS
21:15:00.488 AVAST engine scan C:\WINDOWS\system32
21:18:50.457 AVAST engine scan C:\WINDOWS\system32\drivers
21:19:18.301 AVAST engine scan C:\Documents and Settings\Owner
21:54:31.894 AVAST engine scan C:\Documents and Settings\All Users
22:06:37.457 Scan finished successfully
23:00:49.457 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
23:00:49.472 The log file has been saved successfully to "E:\aswMBR.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:36 PM

Posted 29 November 2011 - 09:17 AM

Hello


Are you still getting redirects?


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.exe
wininit.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 spangler321

spangler321
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:36 PM

Posted 29 November 2011 - 10:51 AM

Hello!

BTW, thanks for helping me thus far.

Unfortunately I'm still getting redirects.


SystemLook 30.07.11 by jpshortstuff
Log created at 10:41 on 29/11/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\Program Files\Spybot - Search & Destroy 2\explorer.exe --a---- 3167656 bytes [17:33 19/11/2011] [20:46 05/10/2011] 0AB68BFCE1579A61C36B79CAAFDCE992
C:\WINDOWS\explorer.exe --a---- 1058304 bytes [16:55 13/04/2005] [09:42 14/04/2008] 74E14DFEE6178D6D11BD471410175EF3
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1034240 bytes [17:01 16/06/2010] [19:00 10/08/2004] 6B06B770BADD3BA36DA67304FF587CE2
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [17:09 16/06/2010] [09:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a---- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "wininit.exe"
No files found.

Searching for "winlogon.exe"
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [17:10 16/06/2010] [09:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --a---- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 544768 bytes [16:56 13/04/2005] [23:31 28/11/2011] 599AC936C547DF11B5932CEC4D9F1864

-= EOF =-

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:36 PM

Posted 29 November 2011 - 10:58 AM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\WINDOWS\explorer.exe
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\WINDOWS\system32\dllcache\explorer.exe
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\WINDOWS\system32\dllcache\winlogon.exe
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\


#11 spangler321

spangler321
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:36 PM

Posted 29 November 2011 - 11:50 AM

hey

still redirecting...


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\explorer.exe", destinationFile = "\??\c:\windows\system32\dllcache\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe", destinationFile = "\??\c:\windows\system32\dllcache\winlogon.exe"

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:36 PM

Posted 29 November 2011 - 01:02 PM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#13 spangler321

spangler321
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:36 PM

Posted 29 November 2011 - 04:09 PM

hello

ComboFix 11-11-29.04 - Owner 11/29/2011 13:24:42.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1088 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\267135.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\winA.tmp
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-29 )))))))))))))))))))))))))))))))
.
.
2011-11-29 20:16 . 2011-11-29 20:16 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-11-29 20:16 . 2011-11-29 20:16 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-11-29 20:16 . 2011-11-29 20:16 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-11-29 20:16 . 2011-11-29 20:16 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-11-29 20:16 . 2011-11-29 20:16 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-11-29 20:16 . 2011-11-29 20:16 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-11-29 20:16 . 2011-11-29 20:16 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-11-29 20:16 . 2011-11-29 20:16 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-11-29 20:16 . 2011-11-29 20:16 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-11-29 20:15 . 2011-11-29 20:15 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-11-29 20:15 . 2011-11-29 20:15 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-11-29 20:15 . 2011-11-29 20:15 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-11-29 20:15 . 2011-11-29 20:15 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-11-29 20:15 . 2011-11-29 20:15 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-11-29 20:15 . 2011-11-29 20:15 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-11-29 20:15 . 2011-11-29 20:15 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-11-29 20:15 . 2011-11-29 20:15 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-11-29 16:34 . 2011-11-29 20:15 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{59E12F0E-799D-44AB-8028-BBAE630CD4BE}\offreg.dll
2011-11-28 20:42 . 2011-11-29 18:19 -------- d-----w- C:\ComboFix
2011-11-25 08:50 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{59E12F0E-799D-44AB-8028-BBAE630CD4BE}\mpengine.dll
2011-11-24 00:54 . 2011-11-24 00:54 -------- d-----w- c:\windows\RR2IOTZXV0LTZXV0
2011-11-23 07:15 . 2011-11-23 07:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2011-11-23 07:14 . 2011-11-23 07:14 -------- d-----w- c:\program files\Toolbar Cleaner
2011-11-23 07:14 . 2011-11-23 07:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\panda2_0dn
2011-11-23 07:13 . 2011-11-24 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security URL Filtering
2011-11-23 07:13 . 2011-11-23 07:13 -------- d-----w- c:\documents and settings\Owner\Application Data\pandasecuritytb
2011-11-23 07:12 . 2011-11-23 07:13 -------- d-----w- c:\program files\Panda Security
2011-11-23 07:12 . 2011-11-23 07:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-11-23 07:11 . 2011-11-23 07:11 -------- d-----w- C:\temp
2011-11-23 05:06 . 2011-11-23 05:06 -------- d-----w- C:\WTablet
2011-11-23 04:05 . 2011-11-23 04:05 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-11-23 04:00 . 2011-11-23 04:00 39192 ----a-w- c:\windows\system32\Partizan.exe
2011-11-23 04:00 . 2011-11-23 04:00 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-11-23 03:59 . 2011-11-23 03:59 2 --shatr- c:\windows\winstart.bat
2011-11-23 03:59 . 2011-11-03 17:58 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-11-23 03:59 . 2011-11-23 23:35 -------- d-----w- c:\program files\UnHackMe
2011-11-23 03:49 . 2011-11-23 03:49 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-22 16:42 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-22 16:42 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-22 16:42 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-22 16:42 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-22 16:42 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-22 16:42 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-22 16:42 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-22 16:42 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-22 16:41 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-22 16:41 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-22 16:40 . 2011-11-22 16:40 -------- d-----w- c:\program files\AVAST Software
2011-11-22 16:40 . 2011-11-22 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-22 01:50 . 2011-11-22 01:50 -------- d-----w- C:\VritualRoot
2011-11-21 23:05 . 2011-11-21 23:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-11-21 22:20 . 2011-11-21 22:20 -------- d--h--w- c:\windows\PIF
2011-11-21 21:31 . 2011-11-22 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-11-21 21:30 . 2011-11-21 23:08 -------- d-----w- c:\program files\COMODO
2011-11-21 21:29 . 2011-11-21 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2011-11-20 16:29 . 2011-11-20 16:29 -------- d-----w- c:\program files\Sophos
2011-11-20 16:16 . 2011-11-20 16:16 -------- d-----w- C:\ProcAlyzer Dumps
2011-11-20 16:15 . 2011-11-20 16:15 -------- d-----w- C:\SpybotBootCD
2011-11-19 21:02 . 2011-11-19 21:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-19 17:33 . 2009-01-25 18:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-11-19 17:33 . 2011-11-20 04:03 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-11-19 09:43 . 2011-11-19 09:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-11-19 06:49 . 2011-11-19 06:52 -------- d-----w- c:\windows\system32\NtmsData
2011-11-06 00:11 . 2011-11-06 00:11 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore
2011-11-06 00:11 . 2011-11-06 00:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AIM
2011-11-06 00:11 . 2011-11-06 00:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
2011-11-06 00:10 . 2011-11-06 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2011-11-06 00:10 . 2011-11-23 06:10 -------- d-----w- c:\program files\AIM
2011-11-06 00:10 . 2011-11-06 00:10 -------- d-----w- c:\program files\Common Files\Software Update Utility
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 16:34 . 2005-04-13 16:55 1058304 ----a-w- c:\windows\explorer.exe
2011-11-22 04:05 . 2009-05-29 22:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2011-11-22 04:05 . 2009-05-29 22:57 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2011-11-22 04:05 . 2009-05-29 22:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2011-10-07 23:48 . 2011-10-07 23:48 97760 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-10-07 23:48 . 2011-10-07 23:48 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-10-07 23:48 . 2011-10-07 23:48 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-10-07 23:48 . 2011-10-07 23:48 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-10-07 23:47 . 2011-10-07 23:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-07 23:47 . 2011-10-07 23:47 300200 ----a-w- c:\windows\system32\guard32.dll
2011-10-07 03:48 . 2010-03-06 15:17 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-31 22:00 . 2010-03-03 19:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 07:58 . 2011-11-19 06:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 599AC936C547DF11B5932CEC4D9F1864 . 544768 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
.
[-] 2010-03-04 . 9491C2135C30B82BB1A6ACF928063A59 . 16896 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . 22DBF4E8DC053A688636FACF1C9A4CDA . 39424 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
.
[-] 2011-11-29 . 74E14DFEE6178D6D11BD471410175EF3 . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2004-08-10 . 6B06B770BADD3BA36DA67304FF587CE2 . 1034240 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2011-06-24 17:37 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-06-24 86696]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-10-24 106496]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"USBestCR"="c:\program files\USIM Editor\iconcs916839438.exe" [2011-06-28 7041024]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2011-10-05 3025304]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-06-29 217256]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-5-28 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-08 14:03 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG311T Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311T Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG311T Smart Wizard.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-01-21 17:03 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-10-14 00:00 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-10-22 01:44 2744832 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 01:30 543232 ----a-w- c:\windows\zHotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 18:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-08-13 00:45 61952 ----a-w- c:\windows\system32\Hdaudpropshortcut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-12-01 18:55 126976 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-12-01 19:00 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-09-23 13:50 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mixersel]
2003-11-11 01:23 369664 ----a-w- c:\program files\Realtek\InstallShield\mixersel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-09-23 13:25 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-25 23:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 03:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 16:09 36864 ----a-w- c:\windows\ShowWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-10-21 22:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 20:31 2144088 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-03-04 17:36 36975 ----a-w- c:\program files\Java\jre1.5.0_02\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tsuhidix]
c:\windows\ijonuxafujahozaz.dll [BU]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim"="c:\program files\AIM\aim.exe" /d locale=en-US
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/22/2011 11:42 AM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/22/2011 11:42 AM 320856]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [10/7/2011 6:48 PM 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/7/2011 6:48 PM 31704]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 67656]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [11/19/2011 12:33 PM 38504]
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [6/28/2011 10:52 AM 65536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/22/2011 11:42 AM 20568]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 10:32 PM 189736]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [7/5/2011 12:12 PM 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456]
R2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [11/19/2011 12:33 PM 130976]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [8/8/2010 3:53 PM 4408616]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [8/8/2010 3:54 PM 112936]
S1 MpKsl01f05f3e;MpKsl01f05f3e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9D1E9B9D-E208-4974-B83C-0533F4781FFB}\MpKsl01f05f3e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9D1E9B9D-E208-4974-B83C-0533F4781FFB}\MpKsl01f05f3e.sys [?]
S1 MpKsl24e89010;MpKsl24e89010;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D54B5B-4EEB-4FF1-AABC-CA46FFD710A6}\MpKsl24e89010.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D54B5B-4EEB-4FF1-AABC-CA46FFD710A6}\MpKsl24e89010.sys [?]
S1 MpKsl4540303a;MpKsl4540303a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76F7DB37-5BD8-43D2-B106-E25F6520D684}\MpKsl4540303a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76F7DB37-5BD8-43D2-B106-E25F6520D684}\MpKsl4540303a.sys [?]
S1 MpKsl7cb86acc;MpKsl7cb86acc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsl7cb86acc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsl7cb86acc.sys [?]
S1 MpKsla93b85ec;MpKsla93b85ec;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsla93b85ec.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7768C778-3850-4FD4-AFC9-447A1514EB9B}\MpKsla93b85ec.sys [?]
S1 MpKslc202d5b0;MpKslc202d5b0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1536B829-B650-4B00-86D8-C3BA2B7E789F}\MpKslc202d5b0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1536B829-B650-4B00-86D8-C3BA2B7E789F}\MpKslc202d5b0.sys [?]
S1 MpKsldfb179c9;MpKsldfb179c9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FAB5B5B0-A690-4A5E-BD8D-A48807B395F3}\MpKsldfb179c9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FAB5B5B0-A690-4A5E-BD8D-A48807B395F3}\MpKsldfb179c9.sys [?]
S1 MpKslf0040c87;MpKslf0040c87;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4E74E441-00E0-4C0F-97F9-7D69AD505B4C}\MpKslf0040c87.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4E74E441-00E0-4C0F-97F9-7D69AD505B4C}\MpKslf0040c87.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2011 6:49 PM 136176]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/19/2011 12:33 PM 955816]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [3/3/2010 2:52 PM 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2011 6:49 PM 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\50.tmp --> c:\windows\system32\50.tmp [?]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [6/28/2011 10:52 AM 51072]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [11/22/2011 11:05 PM 24416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 12872]
S3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/19/2011 12:33 PM 892336]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/8/2010 3:53 PM 15656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-29 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2011-11-19 20:46]
.
2011-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 23:49]
.
2011-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 23:49]
.
2011-11-29 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]
.
2011-11-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-11-29 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2011-11-19 20:46]
.
2011-11-23 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2011-11-19 20:46]
.
2011-11-29 c:\windows\Tasks\User_Feed_Synchronization-{8410A7B8-9EBE-484D-A78B-B16614BC4DCC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:1044
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{D0A550AE-0745-4D5B-9504-55F8216C9509}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{F985F99A-EA74-4FAD-AB95-1DD04CC1D11F}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4687ves.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com/?pr=vmn&id=pandasecuritytb&v=2_0
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-29 15:37
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\50.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,fc,27,0b,2b,32,2d,4f,b3,62,de,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,fc,27,0b,2b,32,2d,4f,b3,62,de,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'lsass.exe'(1032)
c:\windows\system32\guard32.dll
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'explorer.exe'(5012)
c:\windows\system32\WININET.dll
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
c:\windows\system32\guard32.dll
c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(948)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\WISPTIS.EXE
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-11-29 15:53:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-29 20:53
ComboFix2.txt 2011-11-29 00:02
ComboFix3.txt 2010-06-14 15:16
ComboFix4.txt 2010-03-03 21:34
ComboFix5.txt 2011-11-29 18:21
.
Pre-Run: 172,077,629,440 bytes free
Post-Run: 172,062,490,624 bytes free
.
- - End Of File - - 8275E76849844E047BFC49ACAB60749F

The browser is still redirecting :[

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:36 PM

Posted 29 November 2011 - 06:42 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
c:\windows\ServicePackFiles\i386\winlogon.exe c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\svchost.exe c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\explorer.exe c:\windows\explorer.exe
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
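The script above copies winlogon.exe, svchost.exe and explorer.exe back from the service-pack cache because the live copies may have been patched. The check a responder wants after such a replacement is that each live binary now hashes identically to its ServicePackFiles\i386 reference, and that the dllcache copy (which the BlitzBlank log in the next post shows being refreshed as well, and which Windows File Protection on XP uses as its restore source) is not still a patched version. The following is an added example written for this thread, not code from BlitzBlank or from the helper; the file names and paths are the ones named in the script, while the directory tree it scans is constructed in a temporary folder with placeholder contents so it runs anywhere.

```python
"""Verify XP system binaries against their ServicePackFiles\\i386 reference copies.

Added example for this thread (not BlitzBlank's or the helper's code). The live
path -> dllcache path mapping and the reference location follow the BlitzBlank
script above; the sample tree is constructed with placeholder bytes.
"""
import hashlib
import os
import tempfile

# live path (relative to the Windows directory) -> dllcache copy; the reference
# is always ServicePackFiles\i386\<basename>, as in the BlitzBlank script.
SYSTEM_FILES = {
    "system32/winlogon.exe": "system32/dllcache/winlogon.exe",
    "system32/svchost.exe": "system32/dllcache/svchost.exe",
    "explorer.exe": "system32/dllcache/explorer.exe",
}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file(live, reference, dllcache=None):
    """Compare one live binary (and optionally its dllcache copy) to the reference.

    Returns one of: 'missing_reference', 'missing_live', 'mismatch',
    'dllcache_stale', 'match'. A stale dllcache copy matters because WFP would
    silently restore it over the clean file.
    """
    if not os.path.isfile(reference):
        return "missing_reference"
    if not os.path.isfile(live):
        return "missing_live"
    ref_hash = sha256_of(reference)
    if sha256_of(live) != ref_hash:
        return "mismatch"
    if dllcache is not None and os.path.isfile(dllcache) and sha256_of(dllcache) != ref_hash:
        return "dllcache_stale"
    return "match"


def verify_tree(windir):
    """Check every entry of SYSTEM_FILES under the given Windows directory."""
    results = {}
    for live_rel, cache_rel in SYSTEM_FILES.items():
        name = os.path.basename(live_rel)
        results[name] = check_file(
            os.path.join(windir, live_rel),
            os.path.join(windir, "ServicePackFiles", "i386", name),
            os.path.join(windir, cache_rel),
        )
    return results


def build_demo_tree():
    """Constructed sample tree (placeholder bytes, not real binaries):
    winlogon.exe altered in place, svchost.exe restored but its dllcache copy
    still patched, explorer.exe fully consistent with the reference."""
    root = tempfile.mkdtemp(prefix="spfcheck-")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)

    for name in ("winlogon.exe", "svchost.exe", "explorer.exe"):
        put("ServicePackFiles/i386/" + name, b"MZ clean " + name.encode())
    put("system32/winlogon.exe", b"MZ patched winlogon.exe")
    put("system32/dllcache/winlogon.exe", b"MZ clean winlogon.exe")
    put("system32/svchost.exe", b"MZ clean svchost.exe")
    put("system32/dllcache/svchost.exe", b"MZ patched svchost.exe")
    put("explorer.exe", b"MZ clean explorer.exe")
    put("system32/dllcache/explorer.exe", b"MZ clean explorer.exe")
    return root


def run_demo():
    """Build the constructed tree and return {basename: status}."""
    return verify_tree(build_demo_tree())


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:14s} {status}")
```

On a real machine you would call verify_tree(r"C:\WINDOWS") instead of the demo tree; a 'mismatch' after the reboot means the copy did not take, and a 'dllcache_stale' means the next File Protection pass could undo it.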

#15 spangler321

spangler321
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:36 PM

Posted 29 November 2011 - 08:48 PM

Hello!

The browser is no longer redirecting!

Thank you!

Is there anything else I need to do? Like clean up, or virus scans, or anything else of that nature?

Here is the blitz log


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\explorer.exe", destinationFile = "\??\c:\windows\system32\dllcache\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe", destinationFile = "\??\c:\windows\system32\dllcache\winlogon.exe"

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\svchost.exe", destinationFile = "\??\c:\windows\system32\svchost.exe"
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"



