
PING.EXE, GMER positive; post-"System Fix / TDSS"


14 replies to this topic

#1 rodneystubbs


  • Members
  • 9 posts
  • Local time:09:51 AM

Posted 01 December 2011 - 12:32 PM

Hello,

In the past few days, I have been dealing with an absolute mess of malicious programs, beginning with what seemed to be a bundle of "System Fix" and TDSS (TrendMicro claimed to have caught Alureon, but unfortunately I still had to use TDSSKiller). I am still seeing odd behavior - occasional massive popups in Firefox (~ a dozen tabs) and PING.EXE is running compulsively and taking up huge amounts of CPU usage. MalwareBytes is finding nothing, but GMER indicates rootkit activity. Also, the DDS log is below; attach.txt and ark.txt are attached. What should be my next move?

-J

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by JSirk at 11:03:50 on 2011-12-01
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3536.1276 [GMT -6:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE
C:\Windows\System32\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\prevhost.exe
C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.geosyntec.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;192.168.*.*
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [Google Update] "c:\users\jsirk\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [hpOQBlGcuNj.exe] c:\programdata\hpOQBlGcuNj.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\jsirk\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\jsirk\appdata\local\temp\_uninst_81224168.bat
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://oakbrook-01.geosyntec.net:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://oakbrook-01:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {11E93902-B6FD-11D7-A642-00C04F57E4DC} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0010.CAB
DPF: {2961B151-8F4A-4C9E-8287-D59FAA6C959D} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0060.CAB
DPF: {2A00324E-751C-11D3-A5D3-00C04F7F81E2} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0040.CAB
DPF: {2FC291D0-5814-4658-9680-4DAD4DD3F330} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTRCM0030.CAB
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://oakbrook-01:4343/officescan/console/html/root/AtxEnc.cab
DPF: {4004B4D0-7D66-11D5-A55B-00B0D07DCA5B} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0090.CAB
DPF: {4E096548-B6FC-11D7-A642-00C04F57E4DC} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0030.CAB
DPF: {815E0702-E4CA-11D3-81ED-00C04F8DF62C} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0080.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {90C8812D-81C2-45EA-8101-6C6F29835AE8} - hxxp://bst.geosyntec.com/auroraweb/BSTeInstaller.CAB
DPF: {ACCB32DB-F2C9-46C3-A215-21F805657765} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0050.CAB
DPF: {AD46BB36-7741-11D3-81B8-00C04F8DF62C} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0030.CAB
DPF: {B3A8D7A2-B7E1-11D3-81E2-00C04F8DF62C} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0050.CAB
DPF: {C4060AFD-381B-4D34-AECF-B99421B30E2F} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTGUI000006.CAB
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D9EE5A5C-AF15-11D3-81E0-00C04F8DF62C} - hxxp://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0010.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T27L10NSP11EP14/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} - hxxp://bst.geosyntec.com/auroraweb/AuroraShell.CAB
TCP: DhcpNameServer = 10.163.20.5 10.156.20.5
TCP: Interfaces\{55949B84-4B84-47E0-BF8D-E39047F6DC4A} : DhcpNameServer = 10.163.20.5 10.156.20.5
TCP: Interfaces\{E86917EB-9159-4873-B81F-7EA2690DDBF9}\8686F6E6F62737 : DhcpNameServer = 65.106.1.196 65.106.7.196
TCP: Interfaces\{E86917EB-9159-4873-B81F-7EA2690DDBF9}\C416155796E64716 : DhcpNameServer = 4.2.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jsirk\appdata\roaming\mozilla\firefox\profiles\0u9473ez.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://home.geosyntec.com/SitePages/Home.aspx
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\jsirk\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 81224168;81224168;c:\windows\system32\drivers\81224168.sys [2011-12-1 133208]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2010-3-23 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2010-3-23 27040]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-6-15 57424]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2010-10-20 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2010-10-20 36624]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2009-11-3 33832]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
RUnknown 7367637drv;7367637drv; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-5-25 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-25 52224]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
.
=============== Created Last 30 ================
.
2011-12-01 16:29:49 133208 ----a-w- c:\windows\system32\drivers\81224168.sys
2011-11-29 21:13:51 343 ----a-w- C:\Start_.cmd
2011-11-29 18:33:32 -------- d-----w- c:\users\jsirk\appdata\roaming\C87BCAE8
2011-11-29 11:53:23 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{565e7811-7475-49f2-b785-d7560a0d6766}\mpengine.dll
2011-11-20 01:32:54 -------- d-----w- c:\programdata\Kaspersky Lab
2011-11-20 01:17:13 -------- d-----w- C:\$RECYCLE.BIN
2011-11-20 01:15:08 -------- d-----w- c:\users\jsirk\appdata\local\temp
2011-11-20 01:02:56 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-20 01:01:26 98816 ----a-w- c:\windows\sed.exe
2011-11-20 01:01:26 518144 ----a-w- c:\windows\SWREG.exe
2011-11-20 01:01:26 256000 ----a-w- c:\windows\PEV.exe
2011-11-20 01:01:26 208896 ----a-w- c:\windows\MBR.exe
2011-11-20 01:01:22 -------- d-----w- C:\Combo-Fix
2011-11-19 23:59:47 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-19 23:59:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-18 14:54:21 102400 ----a-w- c:\windows\RegBootClean.exe
.
==================== Find3M ====================
.
2011-10-03 11:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 11:04:48.06 ===============
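A triage helper for a DDS log like the one above, added here as an example (it is not part of the original post or of the DDS tool). It flags the kinds of entries a helper reads first: autoruns launched from user-writable folders, UAC policy values at their weak setting, service entries whose file is gone, digit-only driver names, and recent files in unusual places. Every rule is a labelled heuristic, not a verdict, and the sample log is a constructed excerpt.

```python
"""Triage a DDS log: flag the entries a malware-removal helper reads first.

Added example, not part of the original post or of the DDS tool. Every rule
is a review heuristic (an assumption): a hit means "look at this entry",
not "this is malware".
"""
import re

# Folders any user can write to. A Run-key or Startup-folder entry that
# launches from here deserves a look; installed software normally lives
# under Program Files. (Heuristic.)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# UAC policy values DDS reports under mPolicies-system, and the setting that
# weakens each one (documented Windows behaviour).
UAC_WEAK = {
    "EnableLUA": ("0", "UAC is disabled"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts are not isolated on the secure desktop"),
}

POLICY_RE = re.compile(r"^[mu]Policies-system:\s+(\w+)\s*=\s*(\d+)")
SERVICE_RE = re.compile(r"^([RS]\S*)\s+([^;]+);([^;]*);(.*)$")  # R0 name;display;path [date size]
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")  # Created Last 30

# Constructed excerpt in the shape of the DDS log above (not the whole log).
SAMPLE_LOG = r"""
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [hpOQBlGcuNj.exe] c:\programdata\hpOQBlGcuNj.exe
StartupFolder: c:\users\jsirk\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\jsirk\appdata\local\temp\_uninst_81224168.bat
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R0 81224168;81224168;c:\windows\system32\drivers\81224168.sys [2011-12-1 133208]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-6-15 57424]
RUnknown 7367637drv;7367637drv; [x]
2011-11-29 21:13:51 343 ----a-w- C:\Start_.cmd
2011-11-29 18:33:32 -------- d-----w- c:\users\jsirk\appdata\roaming\C87BCAE8
2011-11-20 01:01:26 98816 ----a-w- c:\windows\sed.exe
"""


def autorun_target(line):
    """Return the lower-cased path an mRun/uRun/StartupFolder line launches."""
    tag, _, body = line.partition(":")
    if tag == "StartupFolder":
        body = body.rsplit(" - ", 1)[-1]          # "<shortcut>.lnk - <real target>"
    quoted = re.search(r'"([^"]+)"', body)
    if quoted:
        return quoted.group(1).lower()
    bare = re.search(r"[a-z]:\\\S+", body, re.I)  # unquoted path: stops at the first space
    return bare.group(0).lower() if bare else None


def triage(log_text):
    """Return [{'category', 'why', 'line'}, ...] for the entries worth a second look."""
    findings = []

    def flag(category, why, line):
        findings.append({"category": category, "why": why, "line": line})

    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith(("mRun:", "uRun:", "StartupFolder:")):
            target = autorun_target(line)
            if target and any(loc in target for loc in USER_WRITABLE):
                flag("autorun-user-writable", "autorun launches from a user-writable folder", line)
            continue
        m = POLICY_RE.match(line)
        if m:
            name, value = m.groups()
            if name in UAC_WEAK and UAC_WEAK[name][0] == value:
                flag("uac-weakened", UAC_WEAK[name][1], line)
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, rest = m.groups()
            if rest.strip().endswith("[x]"):
                flag("service-missing-file", "service/driver entry points to a file that is gone", line)
            if name.strip().isdigit():
                flag("digit-named-driver", "driver with a digits-only name: verify its publisher before acting", line)
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group(1).strip().lower()
            if re.fullmatch(r"[a-z]:\\[^\\]+\.(?:cmd|bat|exe|vbs|scr)", path):
                flag("root-script", "script or executable dropped directly in the drive root", line)
            elif re.search(r"\\appdata\\roaming\\[0-9a-f]{8}$", path):
                flag("hex-named-dir", "eight-hex-character folder under AppData\\Roaming (heuristic)", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['category']}] {f['why']}\n    {f['line']}")
```

Run it against a full DDS log pasted into a file to get a short list of entries to check before writing any removal script; a flagged entry still needs the usual file and publisher verification.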

#2 SweetTech



  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:11:51 AM

Posted 02 December 2011 - 03:10 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days;
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Looks like we may be dealing with a case of ZeroAccess here.

Please run a scan with TDSSKiller; when it detects something, choose to SKIP it rather than take an action on it.

Running OTM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :Processes
    :Services
    :Reg
    :Files
    c:\programdata\hpOQBlGcuNj.exe
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [resethosts]
    [createrestorepoint]
    
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

NEXT:


Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:


OTS Scan
Download OTS to your Desktop
  • Double-click on OTS.exe to start the program. Make sure you close all other programs.
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please copy and paste the contents of the OTS report into your next reply.



#3 rodneystubbs

  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:51 AM

Posted 02 December 2011 - 09:13 AM

First of all, thanks so much for your help (and your prompt response)! If we (you) can figure this out then you're really gonna save my bacon.

A couple of notes that may or may not be relevant to this process:
1. The PING symptoms, etc., seemed to stop when I came home from work last night. Before your post last night I seemed to have significantly reduced symptoms at home as opposed to at work - this has been par for the course since about Tuesday. I still get some occasional popup/redirect activity here, but it seems as though at work something is different (that's also where 100% of the problems have initiated) - would there be any reason that running these at home would yield different results?

2. When I did come home last night, my computer bluescreened (I was away from it at the time and couldn't read the message) and couldn't restart and went into some kind of system repair. No similar problems since that incident.

3. Last, you mentioned zeroaccess - I did run into that before thanksgiving and thought I had eradicated it. Sorry, I probably should have advised of some of these prior conditions. The logs:




1. OTM:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\programdata\hpOQBlGcuNj.exe not found.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?
C:\Users\jsirk\Desktop\cmd.bat deleted successfully.
C:\Users\jsirk\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\jsirk\Desktop\cmd.bat deleted successfully.
C:\Users\jsirk\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: jsirk
->Temp folder emptied: 8942756 bytes
->Temporary Internet Files folder emptied: 197903174 bytes
->Java cache emptied: 21416971 bytes
->FireFox cache emptied: 41206048 bytes
->Google Chrome cache emptied: 6413305 bytes
->Flash cache emptied: 25990 bytes

User: Public
->Temp folder emptied: 0 bytes

User: support
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Flash cache emptied: 732 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4009137 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 267.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: jsirk
->Flash cache emptied: 0 bytes

User: Public

User: support
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

HOSTS file reset successfully


OTM by OldTimer - Version 3.1.19.0 log created on 12022011_073624

Files moved on Reboot...
File move failed. C:\Windows\temp\tm_icrcL_A606D985_38CA_41ab_BCD9_60F771CF800D scheduled to be moved on reboot.

Registry entries deleted on Reboot...



2. TDSS Killer: (note that it did not ask me to reboot)

07:43:58.0879 5816 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
07:43:59.0035 5816 ============================================================
07:43:59.0035 5816 Current date / time: 2011/12/02 07:43:59.0035
07:43:59.0035 5816 SystemInfo:
07:43:59.0035 5816
07:43:59.0035 5816 OS Version: 6.1.7601 ServicePack: 1.0
07:43:59.0035 5816 Product type: Workstation
07:43:59.0035 5816 ComputerName: OKBK-JSIRK-7L
07:43:59.0035 5816 UserName: JSirk
07:43:59.0035 5816 Windows directory: C:\Windows
07:43:59.0035 5816 System windows directory: C:\Windows
07:43:59.0035 5816 Processor architecture: Intel x86
07:43:59.0035 5816 Number of processors: 2
07:43:59.0035 5816 Page size: 0x1000
07:43:59.0035 5816 Boot type: Normal boot
07:43:59.0035 5816 ============================================================
07:43:59.0924 5816 Initialize success
07:44:07.0584 6056 ============================================================
07:44:07.0584 6056 Scan started
07:44:07.0584 6056 Mode: Manual; SigCheck; TDLFS;
07:44:07.0584 6056 ============================================================
07:44:10.0486 6056 BTHMODEM - ok
07:44:10.0579 6056 catchme - ok
07:44:10.0657 6056 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
07:44:10.0673 6056 cdfs - ok
07:44:10.0751 6056 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
07:44:10.0766 6056 cdrom - ok
07:44:10.0813 6056 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
07:44:10.0829 6056 circlass - ok
07:44:10.0876 6056 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
07:44:10.0891 6056 CLFS - ok
07:44:10.0922 6056 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
07:44:10.0938 6056 CmBatt - ok
07:44:11.0000 6056 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
07:44:11.0016 6056 cmdide - ok
07:44:11.0047 6056 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
07:44:11.0063 6056 CNG - ok
07:44:11.0110 6056 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
07:44:11.0110 6056 Compbatt - ok
07:44:11.0156 6056 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
07:44:11.0188 6056 CompositeBus - ok
07:44:11.0344 6056 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
07:44:11.0344 6056 crcdisk - ok
07:44:11.0437 6056 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
07:44:11.0453 6056 CSC - ok
07:44:11.0500 6056 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
07:44:11.0515 6056 CVirtA - ok
07:44:11.0593 6056 CVPNDRVA (d46b2e0eeaf349f2085f8b164e462156) C:\Windows\system32\Drivers\CVPNDRVA.sys
07:44:11.0609 6056 CVPNDRVA ( UnsignedFile.Multi.Generic ) - warning
07:44:11.0609 6056 CVPNDRVA - detected UnsignedFile.Multi.Generic (1)
07:44:11.0656 6056 cvusbdrv (d1697063e2cdb6575aa46d668ffee825) C:\Windows\system32\Drivers\cvusbdrv.sys
07:44:11.0687 6056 cvusbdrv - ok
07:44:11.0749 6056 dc3d (7caaf4af453ef3582fef65dd72caa0aa) C:\Windows\system32\DRIVERS\dc3d.sys
07:44:11.0765 6056 dc3d - ok
07:44:11.0827 6056 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
07:44:11.0858 6056 DfsC - ok
07:44:11.0890 6056 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
07:44:11.0921 6056 discache - ok
07:44:11.0983 6056 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
07:44:11.0999 6056 Disk - ok
07:44:12.0046 6056 DNE (694616f813fb627a32c9e32dec133078) C:\Windows\system32\DRIVERS\dne2000.sys
07:44:12.0061 6056 DNE - ok
07:44:12.0124 6056 Dot4 (b5e479eb83707dd698f66953e922042c) C:\Windows\system32\DRIVERS\Dot4.sys
07:44:12.0155 6056 Dot4 - ok
07:44:12.0202 6056 Dot4Print (caefd09b6a6249c53a67d55a9a9fcabf) C:\Windows\system32\DRIVERS\Dot4Prt.sys
07:44:12.0217 6056 Dot4Print - ok
07:44:12.0280 6056 dot4usb (cf491ff38d62143203c065260567e2f7) C:\Windows\system32\DRIVERS\dot4usb.sys
07:44:12.0295 6056 dot4usb - ok
07:44:12.0358 6056 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
07:44:12.0373 6056 drmkaud - ok
07:44:12.0482 6056 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
07:44:12.0514 6056 DXGKrnl - ok
07:44:12.0576 6056 e1yexpress (44a91d98d6719b49bcd649a863225b5c) C:\Windows\system32\DRIVERS\e1y6232.sys
07:44:12.0592 6056 e1yexpress - ok
07:44:12.0857 6056 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
07:44:12.0888 6056 ebdrv - ok
07:44:12.0966 6056 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
07:44:12.0982 6056 elxstor - ok
07:44:13.0028 6056 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
07:44:13.0044 6056 ErrDev - ok
07:44:13.0091 6056 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
07:44:13.0122 6056 exfat - ok
07:44:13.0216 6056 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
07:44:13.0247 6056 fastfat - ok
07:44:13.0340 6056 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
07:44:13.0356 6056 fdc - ok
07:44:13.0403 6056 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
07:44:13.0403 6056 FileInfo - ok
07:44:13.0528 6056 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
07:44:13.0543 6056 Filetrace - ok
07:44:13.0606 6056 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
07:44:13.0621 6056 flpydisk - ok
07:44:13.0652 6056 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
07:44:13.0652 6056 FltMgr - ok
07:44:13.0746 6056 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
07:44:13.0762 6056 FsDepends - ok
07:44:13.0855 6056 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
07:44:13.0855 6056 Fs_Rec - ok
07:44:13.0964 6056 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
07:44:13.0980 6056 fvevol - ok
07:44:14.0027 6056 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
07:44:14.0042 6056 gagp30kx - ok
07:44:14.0120 6056 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
07:44:14.0120 6056 GEARAspiWDM - ok
07:44:14.0183 6056 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
07:44:14.0198 6056 hcw85cir - ok
07:44:14.0292 6056 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
07:44:14.0308 6056 HdAudAddService - ok
07:44:14.0354 6056 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
07:44:14.0370 6056 HDAudBus - ok
07:44:14.0401 6056 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
07:44:14.0417 6056 HidBatt - ok
07:44:14.0573 6056 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
07:44:14.0588 6056 HidBth - ok
07:44:14.0682 6056 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
07:44:14.0698 6056 HidIr - ok
07:44:14.0776 6056 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
07:44:14.0791 6056 HidUsb - ok
07:44:14.0869 6056 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
07:44:14.0885 6056 HpSAMD - ok
07:44:15.0010 6056 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
07:44:15.0041 6056 HTTP - ok
07:44:15.0197 6056 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
07:44:15.0197 6056 hwpolicy - ok
07:44:15.0275 6056 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
07:44:15.0306 6056 i8042prt - ok
07:44:15.0368 6056 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
07:44:15.0384 6056 iaStorV - ok
07:44:16.0164 6056 igfx (b3a313080b0f73f4c8292290606fc15d) C:\Windows\system32\DRIVERS\igdkmd32.sys
07:44:16.0258 6056 igfx - ok
07:44:16.0476 6056 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
07:44:16.0492 6056 iirsp - ok
07:44:16.0554 6056 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
07:44:16.0554 6056 intelide - ok
07:44:16.0585 6056 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
07:44:16.0601 6056 intelppm - ok
07:44:16.0679 6056 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
07:44:16.0694 6056 IpFilterDriver - ok
07:44:16.0757 6056 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
07:44:16.0788 6056 IPMIDRV - ok
07:44:16.0913 6056 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
07:44:16.0928 6056 IPNAT - ok
07:44:17.0038 6056 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
07:44:17.0053 6056 IRENUM - ok
07:44:17.0116 6056 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
07:44:17.0131 6056 isapnp - ok
07:44:17.0256 6056 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
07:44:17.0272 6056 iScsiPrt - ok
07:44:17.0318 6056 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
07:44:17.0334 6056 kbdclass - ok
07:44:17.0365 6056 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\DRIVERS\kbdhid.sys
07:44:17.0396 6056 kbdhid - ok
07:44:17.0443 6056 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
07:44:17.0459 6056 KSecDD - ok
07:44:17.0584 6056 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
07:44:17.0599 6056 KSecPkg - ok
07:44:17.0662 6056 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
07:44:17.0693 6056 lltdio - ok
07:44:17.0755 6056 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
07:44:17.0755 6056 LSI_FC - ok
07:44:17.0818 6056 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
07:44:17.0818 6056 LSI_SAS - ok
07:44:17.0864 6056 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
07:44:17.0880 6056 LSI_SAS2 - ok
07:44:17.0974 6056 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
07:44:17.0989 6056 LSI_SCSI - ok
07:44:18.0020 6056 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
07:44:18.0052 6056 luafv - ok
07:44:18.0114 6056 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
07:44:18.0130 6056 megasas - ok
07:44:18.0161 6056 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
07:44:18.0176 6056 MegaSR - ok
07:44:18.0223 6056 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
07:44:18.0254 6056 Modem - ok
07:44:18.0286 6056 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
07:44:18.0301 6056 monitor - ok
07:44:18.0364 6056 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
07:44:18.0379 6056 mouclass - ok
07:44:18.0426 6056 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
07:44:18.0442 6056 mouhid - ok
07:44:18.0473 6056 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
07:44:18.0488 6056 mountmgr - ok
07:44:18.0551 6056 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
07:44:18.0566 6056 mpio - ok
07:44:18.0629 6056 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
07:44:18.0660 6056 mpsdrv - ok
07:44:18.0738 6056 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
07:44:18.0754 6056 MRxDAV - ok
07:44:18.0878 6056 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
07:44:18.0894 6056 mrxsmb - ok
07:44:19.0019 6056 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
07:44:19.0034 6056 mrxsmb10 - ok
07:44:19.0128 6056 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
07:44:19.0144 6056 mrxsmb20 - ok
07:44:19.0237 6056 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
07:44:19.0253 6056 msahci - ok
07:44:19.0378 6056 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
07:44:19.0393 6056 msdsm - ok
07:44:19.0456 6056 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
07:44:19.0487 6056 Msfs - ok
07:44:19.0565 6056 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
07:44:19.0596 6056 mshidkmdf - ok
07:44:19.0736 6056 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
07:44:19.0752 6056 msisadrv - ok
07:44:19.0814 6056 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
07:44:19.0846 6056 MSKSSRV - ok
07:44:19.0877 6056 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
07:44:19.0908 6056 MSPCLOCK - ok
07:44:19.0939 6056 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
07:44:19.0970 6056 MSPQM - ok
07:44:20.0002 6056 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
07:44:20.0017 6056 MsRPC - ok
07:44:20.0158 6056 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
07:44:20.0173 6056 mssmbios - ok
07:44:20.0236 6056 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
07:44:20.0267 6056 MSTEE - ok
07:44:20.0345 6056 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
07:44:20.0360 6056 MTConfig - ok
07:44:20.0501 6056 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
07:44:20.0516 6056 Mup - ok
07:44:20.0563 6056 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
07:44:20.0594 6056 NativeWifiP - ok
07:44:20.0704 6056 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
07:44:20.0719 6056 NDIS - ok
07:44:20.0750 6056 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
07:44:20.0782 6056 NdisCap - ok
07:44:20.0875 6056 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
07:44:20.0906 6056 NdisTapi - ok
07:44:21.0031 6056 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
07:44:21.0047 6056 Ndisuio - ok
07:44:21.0187 6056 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
07:44:21.0218 6056 NdisWan - ok
07:44:21.0359 6056 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
07:44:21.0374 6056 NDProxy - ok
07:44:21.0406 6056 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
07:44:21.0437 6056 NetBIOS - ok
07:44:21.0484 6056 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
07:44:21.0499 6056 NetBT - ok
07:44:21.0624 6056 netw5v32 (58218ec6b61b1169cf54aab0d00f5fe2) C:\Windows\system32\DRIVERS\netw5v32.sys
07:44:21.0671 6056 netw5v32 - ok
07:44:21.0702 6056 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
07:44:21.0718 6056 nfrd960 - ok
07:44:21.0764 6056 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
07:44:21.0796 6056 Npfs - ok
07:44:21.0811 6056 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
07:44:21.0827 6056 nsiproxy - ok
07:44:21.0967 6056 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
07:44:21.0998 6056 Ntfs - ok
07:44:22.0030 6056 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
07:44:22.0061 6056 Null - ok
07:44:22.0108 6056 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
07:44:22.0123 6056 nvraid - ok
07:44:22.0170 6056 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
07:44:22.0186 6056 nvstor - ok
07:44:22.0232 6056 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
07:44:22.0248 6056 nv_agp - ok
07:44:22.0264 6056 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
07:44:22.0279 6056 ohci1394 - ok
07:44:22.0326 6056 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
07:44:22.0342 6056 Parport - ok
07:44:22.0388 6056 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
07:44:22.0404 6056 partmgr - ok
07:44:22.0435 6056 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
07:44:22.0451 6056 Parvdm - ok
07:44:22.0498 6056 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\Windows\system32\DRIVERS\PBADRV.sys
07:44:22.0513 6056 PBADRV - ok
07:44:22.0591 6056 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
07:44:22.0591 6056 pci - ok
07:44:22.0654 6056 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
07:44:22.0669 6056 pciide - ok
07:44:22.0732 6056 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
07:44:22.0747 6056 pcmcia - ok
07:44:22.0763 6056 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
07:44:22.0778 6056 pcw - ok
07:44:22.0841 6056 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
07:44:22.0872 6056 PEAUTH - ok
07:44:22.0981 6056 Point32 (896d916de06f5502d301e8c4dc442ae8) C:\Windows\system32\DRIVERS\point32.sys
07:44:22.0997 6056 Point32 - ok
07:44:23.0059 6056 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
07:44:23.0090 6056 PptpMiniport - ok
07:44:23.0184 6056 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\Windows\system32\CCM\prepdrv.sys
07:44:23.0200 6056 prepdrvr - ok
07:44:23.0215 6056 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
07:44:23.0231 6056 Processor - ok
07:44:23.0278 6056 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
07:44:23.0309 6056 Psched - ok
07:44:23.0356 6056 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
07:44:23.0387 6056 ql2300 - ok
07:44:23.0465 6056 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
07:44:23.0480 6056 ql40xx - ok
07:44:23.0527 6056 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
07:44:23.0543 6056 QWAVEdrv - ok
07:44:23.0652 6056 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
07:44:23.0683 6056 RasAcd - ok
07:44:23.0777 6056 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
07:44:23.0808 6056 RasAgileVpn - ok
07:44:23.0933 6056 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
07:44:23.0964 6056 Rasl2tp - ok
07:44:24.0011 6056 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
07:44:24.0042 6056 RasPppoe - ok
07:44:24.0276 6056 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
07:44:24.0307 6056 RasSstp - ok
07:44:24.0962 6056 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
07:44:24.0994 6056 rdbss - ok
07:44:25.0103 6056 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
07:44:25.0118 6056 rdpbus - ok
07:44:25.0181 6056 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
07:44:25.0212 6056 RDPCDD - ok
07:44:25.0384 6056 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
07:44:25.0399 6056 RDPDR - ok
07:44:25.0446 6056 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
07:44:25.0477 6056 RDPENCDD - ok
07:44:25.0602 6056 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
07:44:25.0633 6056 RDPREFMP - ok
07:44:25.0696 6056 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
07:44:25.0711 6056 RdpVideoMiniport - ok
07:44:25.0774 6056 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
07:44:25.0805 6056 RDPWD - ok
07:44:25.0867 6056 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
07:44:25.0883 6056 rdyboost - ok
07:44:25.0945 6056 rimmptsk (df672613fbbcd58c38bb0bc2694bcfb0) C:\Windows\system32\DRIVERS\rimmptsk.sys
07:44:25.0961 6056 rimmptsk - ok
07:44:26.0039 6056 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
07:44:26.0054 6056 rspndr - ok
07:44:26.0132 6056 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
07:44:26.0148 6056 s3cap - ok
07:44:26.0195 6056 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
07:44:26.0210 6056 sbp2port - ok
07:44:26.0273 6056 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
07:44:26.0288 6056 scfilter - ok
07:44:26.0351 6056 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
07:44:26.0366 6056 sdbus - ok
07:44:26.0429 6056 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
07:44:26.0460 6056 secdrv - ok
07:44:26.0507 6056 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
07:44:26.0522 6056 Serenum - ok
07:44:26.0538 6056 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
07:44:26.0569 6056 Serial - ok
07:44:26.0616 6056 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
07:44:26.0632 6056 sermouse - ok
07:44:26.0710 6056 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
07:44:26.0725 6056 sffdisk - ok
07:44:26.0850 6056 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
07:44:26.0866 6056 sffp_mmc - ok
07:44:26.0944 6056 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\DRIVERS\sffp_sd.sys
07:44:26.0959 6056 sffp_sd - ok
07:44:27.0006 6056 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
07:44:27.0022 6056 sfloppy - ok
07:44:27.0068 6056 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
07:44:27.0084 6056 sisagp - ok
07:44:27.0115 6056 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
07:44:27.0131 6056 SiSRaid2 - ok
07:44:27.0146 6056 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
07:44:27.0162 6056 SiSRaid4 - ok
07:44:27.0209 6056 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
07:44:27.0240 6056 Smb - ok
07:44:27.0287 6056 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
07:44:27.0302 6056 spldr - ok
07:44:27.0334 6056 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
07:44:27.0349 6056 srv - ok
07:44:27.0427 6056 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
07:44:27.0443 6056 srv2 - ok
07:44:27.0505 6056 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
07:44:27.0521 6056 srvnet - ok
07:44:27.0568 6056 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
07:44:27.0568 6056 stexstor - ok
07:44:27.0614 6056 StillCam (edb05bd63148796f23ea78506404a538) C:\Windows\system32\DRIVERS\serscan.sys
07:44:27.0630 6056 StillCam - ok
07:44:27.0677 6056 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
07:44:27.0692 6056 storflt - ok
07:44:27.0755 6056 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
07:44:27.0755 6056 storvsc - ok
07:44:27.0848 6056 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
07:44:27.0864 6056 swenum - ok
07:44:27.0911 6056 Synth3dVsc - ok
07:44:27.0989 6056 Tcpip (04e4a7d53a7ace02e8c55b17a498f631) C:\Windows\system32\drivers\tcpip.sys
07:44:28.0020 6056 Tcpip - ok
07:44:28.0082 6056 TCPIP6 (04e4a7d53a7ace02e8c55b17a498f631) C:\Windows\system32\DRIVERS\tcpip.sys
07:44:28.0114 6056 TCPIP6 - ok
07:44:28.0254 6056 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
07:44:28.0285 6056 tcpipreg - ok
07:44:28.0441 6056 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
07:44:28.0457 6056 TDPIPE - ok
07:44:28.0597 6056 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
07:44:28.0613 6056 TDTCP - ok
07:44:28.0800 6056 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
07:44:28.0816 6056 tdx - ok
07:44:28.0894 6056 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
07:44:28.0909 6056 TermDD - ok
07:44:29.0003 6056 tmactmon (d4b828ac85827f3e48dcb4f55d686ae6) C:\Windows\system32\DRIVERS\tmactmon.sys
07:44:29.0018 6056 tmactmon - ok
07:44:29.0065 6056 tmcomm (36411a1874ee29c005a1de559d96bfe1) C:\Windows\system32\DRIVERS\tmcomm.sys
07:44:29.0081 6056 tmcomm - ok
07:44:29.0112 6056 tmevtmgr (4dc486b36c75f30eff9e5c46a110f171) C:\Windows\system32\DRIVERS\tmevtmgr.sys
07:44:29.0128 6056 tmevtmgr - ok
07:44:29.0206 6056 TmFilter (717e406972bbc07f8fb2a989416cab73) C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
07:44:29.0221 6056 TmFilter - ok
07:44:29.0252 6056 TmPreFilter (379c4f99994a56b66e11d1e32bb22a1c) C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
07:44:29.0268 6056 TmPreFilter - ok
07:44:29.0330 6056 tmtdi (aed2f6998e0c9f14e00cccc6db800617) C:\Windows\system32\DRIVERS\tmtdi.sys
07:44:29.0346 6056 tmtdi - ok
07:44:29.0393 6056 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
07:44:29.0424 6056 tssecsrv - ok
07:44:29.0533 6056 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
07:44:29.0549 6056 TsUsbFlt - ok
07:44:29.0580 6056 tsusbhub - ok
07:44:29.0658 6056 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
07:44:29.0689 6056 tunnel - ok
07:44:29.0798 6056 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
07:44:29.0814 6056 uagp35 - ok
07:44:29.0892 6056 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
07:44:29.0923 6056 udfs - ok
07:44:29.0986 6056 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
07:44:30.0001 6056 uliagpkx - ok
07:44:30.0048 6056 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
07:44:30.0064 6056 umbus - ok
07:44:30.0110 6056 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
07:44:30.0126 6056 UmPass - ok
07:44:30.0188 6056 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
07:44:30.0204 6056 usbccgp - ok
07:44:30.0313 6056 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
07:44:30.0329 6056 usbcir - ok
07:44:30.0391 6056 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
07:44:30.0407 6056 usbehci - ok
07:44:30.0485 6056 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
07:44:30.0500 6056 usbhub - ok
07:44:30.0547 6056 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
07:44:30.0563 6056 usbohci - ok
07:44:30.0610 6056 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
07:44:30.0625 6056 usbprint - ok
07:44:30.0703 6056 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
07:44:30.0734 6056 usbscan - ok
07:44:30.0859 6056 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
07:44:30.0875 6056 USBSTOR - ok
07:44:30.0937 6056 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\DRIVERS\usbuhci.sys
07:44:30.0953 6056 usbuhci - ok
07:44:31.0093 6056 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
07:44:31.0109 6056 vdrvroot - ok
07:44:31.0156 6056 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
07:44:31.0171 6056 vga - ok
07:44:31.0280 6056 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
07:44:31.0312 6056 VgaSave - ok
07:44:31.0390 6056 VGPU - ok
07:44:31.0546 6056 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
07:44:31.0561 6056 vhdmp - ok
07:44:31.0608 6056 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
07:44:31.0624 6056 viaagp - ok
07:44:31.0702 6056 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
07:44:31.0717 6056 ViaC7 - ok
07:44:31.0780 6056 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
07:44:31.0795 6056 viaide - ok
07:44:31.0936 6056 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
07:44:31.0951 6056 vmbus - ok
07:44:32.0138 6056 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
07:44:32.0154 6056 VMBusHID - ok
07:44:32.0185 6056 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
07:44:32.0201 6056 volmgr - ok
07:44:32.0310 6056 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
07:44:32.0326 6056 volmgrx - ok
07:44:32.0435 6056 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
07:44:32.0450 6056 volsnap - ok
07:44:32.0653 6056 VSApiNt (642eb152cb980ad9181b2161066be629) C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
07:44:32.0684 6056 VSApiNt - ok
07:44:32.0794 6056 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
07:44:32.0809 6056 vsmraid - ok
07:44:32.0856 6056 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
07:44:32.0872 6056 vwifibus - ok
07:44:32.0981 6056 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
07:44:32.0996 6056 WacomPen - ok
07:44:33.0043 6056 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
07:44:33.0074 6056 WANARP - ok
07:44:33.0074 6056 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
07:44:33.0106 6056 Wanarpv6 - ok
07:44:33.0152 6056 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
07:44:33.0168 6056 Wd - ok
07:44:33.0277 6056 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
07:44:33.0293 6056 Wdf01000 - ok
07:44:33.0355 6056 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
07:44:33.0371 6056 WfpLwf - ok
07:44:33.0402 6056 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
07:44:33.0418 6056 WIMMount - ok
07:44:33.0511 6056 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
07:44:33.0542 6056 WinUsb - ok
07:44:33.0620 6056 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
07:44:33.0636 6056 WmiAcpi - ok
07:44:33.0698 6056 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
07:44:33.0730 6056 ws2ifsl - ok
07:44:33.0776 6056 WSDPrintDevice (553f6ccd7c58eb98d4a8fbdaf283d7a9) C:\Windows\system32\DRIVERS\WSDPrint.sys
07:44:33.0808 6056 WSDPrintDevice - ok
07:44:33.0854 6056 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
07:44:33.0886 6056 WudfPf - ok
07:44:33.0964 6056 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
07:44:33.0995 6056 WUDFRd - ok
07:44:34.0042 6056 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
07:44:34.0213 6056 \Device\Harddisk0\DR0 - ok
07:44:34.0213 6056 Boot (0x1200) (13c285f32b5867a15aeafa1c9d8a5678) \Device\Harddisk0\DR0\Partition0
07:44:34.0229 6056 \Device\Harddisk0\DR0\Partition0 - ok
07:44:34.0260 6056 Boot (0x1200) (280003304fe774a3366945d369e2a1cd) \Device\Harddisk0\DR0\Partition1
07:44:34.0260 6056 \Device\Harddisk0\DR0\Partition1 - ok
07:44:34.0260 6056 ============================================================
07:44:34.0260 6056 Scan finished
07:44:34.0260 6056 ============================================================
07:44:34.0307 5960 Detected object count: 1
07:44:34.0307 5960 Actual detected object count: 1
07:44:58.0424 5960 CVPNDRVA ( UnsignedFile.Multi.Generic ) - skipped by user
07:44:58.0424 5960 CVPNDRVA ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:45:22.0839 5804 Deinitialize success



3. OTS:

OTS logfile created on: 12/2/2011 7:50:25 AM - Run 1
OTS by OldTimer - Version 3.1.46.0     Folder = C:\Users\jsirk\Desktop
 Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 72.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 185.35 Gb Free Space | 79.62% Space Free | Partition Type: NTFS
Drive D: | 4.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: OKBK-JSIRK-7L
Current User Name: JSirk
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\jsirk\Desktop\OTS.exe -> [2011/12/02 07:47:06 | 000,646,144 | ---- | M] (OldTimer Tools)
communicator.exe -> C:\Program Files\Microsoft Office Communicator\communicator.exe -> [2011/09/06 13:47:44 | 005,152,096 | ---- | M] (Microsoft Corporation)
acrotray.exe -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe -> [2011/09/05 11:04:58 | 002,904,984 | ---- | M] (Adobe Systems Inc.)
conhost.exe -> C:\Windows\System32\conhost.exe -> [2011/06/23 22:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation)
winpatrol.exe -> C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe -> [2011/05/15 13:53:20 | 000,325,512 | ---- | M] (BillP Studios)
explorer.exe -> C:\Windows\explorer.exe -> [2011/02/24 23:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation)
motohelperservice.exe -> C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe -> [2010/12/02 13:45:18 | 000,218,432 | ---- | M] ()
motohelperagent.exe -> C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe -> [2010/12/02 13:45:06 | 000,664,896 | ---- | M] ()
taskhost.exe -> C:\Windows\System32\taskhost.exe -> [2010/11/20 06:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation)
schtasks.exe -> C:\Windows\System32\schtasks.exe -> [2010/11/20 06:17:36 | 000,179,712 | ---- | M] (Microsoft Corporation)
pccntmon.exe -> C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe -> [2010/08/12 17:39:50 | 000,870,712 | ---- | M] (Trend Micro Inc.)
tmlisten.exe -> C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe -> [2010/08/04 22:04:36 | 001,580,640 | ---- | M] (Trend Micro Inc.)
ntrtscan.exe -> C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe -> [2010/08/04 21:57:30 | 001,459,872 | ---- | M] (Trend Micro Inc.)
tmbmsrv.exe -> C:\Program Files\Trend Micro\BM\TMBMSRV.exe -> [2010/06/15 10:34:30 | 000,345,424 | ---- | M] (Trend Micro Inc.)
hostcontrolservice.exe -> C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -> [2010/03/23 23:09:28 | 000,812,448 | ---- | M] (Broadcom Corporation)
hoststorageservice.exe -> C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -> [2010/03/23 23:09:28 | 000,027,040 | ---- | M] (Broadcom Corporation)
msosync.exe -> C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE -> [2010/03/16 01:58:36 | 000,718,208 | ---- | M] (Microsoft Corporation)
namecontrolserver.exe -> C:\Program Files\Microsoft Office\Office14\NAMECONTROLSERVER.EXE -> [2010/03/02 08:51:54 | 000,088,960 | ---- | M] (Microsoft Corporation)
ccmexec.exe -> C:\Windows\System32\CCM\CcmExec.exe -> [2009/09/18 03:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation)
cntaosmgr.exe -> C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe -> [2009/04/03 12:44:08 | 000,435,584 | ---- | M] (Trend Micro Inc.)
brmfimon.exe -> C:\Program Files\Brother\Brmfcmon\BrMfimon.exe -> [2009/02/24 14:47:06 | 000,143,360 | ---- | M] (Brother Industries, Ltd.)
cvpnd.exe -> C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -> [2009/01/13 10:28:46 | 001,528,608 | ---- | M] (Cisco Systems, Inc.)
 
[Modules - No Company Name]
sqlite3.dll -> C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll -> [2011/04/14 19:01:33 | 000,548,854 | ---- | M] ()
office.odf -> C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF -> [2011/03/15 06:13:46 | 004,254,560 | ---- | M] ()
motohelperagent.exe -> C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe -> [2010/12/02 13:45:06 | 000,664,896 | ---- | M] ()
grooveintlresource.dll -> C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll -> [2010/03/24 20:17:36 | 008,794,464 | ---- | M] ()
zlib1.dll -> C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll -> [2010/03/15 15:57:20 | 000,067,872 | ---- | M] ()
brlogapi.dll -> C:\Program Files\Brother\BrUtilities\BrLogAPI.dll -> [2009/02/27 15:38:20 | 000,139,264 | R--- | M] ()
 
[Win32 Services - Safe List]
(intelusb3) Intel USB3 Device Service [Auto | Stopped] ->  -> File not found
(Microsoft SharePoint Workspace Audit Service) Microsoft SharePoint Workspace Audit Service [On_Demand | Stopped] -> C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -> [2011/06/12 10:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation)
(MotoHelper) MotoHelper Service [Auto | Running] -> C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe -> [2010/12/02 13:45:18 | 000,218,432 | ---- | M] ()
(tmlisten) OfficeScan NT Listener [Auto | Running] -> C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe -> [2010/08/04 22:04:36 | 001,580,640 | ---- | M] (Trend Micro Inc.)
(ntrtscan) OfficeScan NT RealTime Scan [Auto | Running] -> C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe -> [2010/08/04 21:57:30 | 001,459,872 | ---- | M] (Trend Micro Inc.)
(WatAdminSvc) Windows Activation Technologies Service [Unknown | Stopped] -> C:\Windows\System32\Wat\WatAdminSvc.exe -> [2010/06/17 11:23:54 | 001,343,400 | ---- | M] (Microsoft Corporation)
(TMBMServer) Trend Micro Unauthorized Change Prevention Service [On_Demand | Running] -> C:\Program Files\Trend Micro\BM\TMBMSRV.exe -> [2010/06/15 10:34:30 | 000,345,424 | ---- | M] (Trend Micro Inc.)
(TmProxy) OfficeScan NT Proxy Service [On_Demand | Stopped] -> C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -> [2010/04/24 23:36:36 | 000,689,416 | ---- | M] (Trend Micro Inc.)
(Credential Vault Host Control Service) Credential Vault Host Control Service [Auto | Running] -> C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -> [2010/03/23 23:09:28 | 000,812,448 | ---- | M] (Broadcom Corporation)
(Credential Vault Host Storage) Credential Vault Host Storage [Auto | Running] -> C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -> [2010/03/23 23:09:28 | 000,027,040 | ---- | M] (Broadcom Corporation)
(CcmExec) SMS Agent Host [Auto | Running] -> C:\Windows\System32\CCM\CcmExec.exe -> [2009/09/18 03:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation)
(smstsmgr) SMS Task Sequence Agent [On_Demand | Stopped] -> C:\Windows\System32\CCM\TSManager.exe -> [2009/09/18 03:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation)
(StorSvc) Storage Service [On_Demand | Stopped] -> C:\Windows\System32\StorSvc.dll -> [2009/07/13 19:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation)
(SensrSvc) Adaptive Brightness [On_Demand | Stopped] -> C:\Windows\System32\sensrsvc.dll -> [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation)
(PeerDistSvc) BranchCache [On_Demand | Stopped] -> C:\Windows\System32\PeerDistSvc.dll -> [2009/07/13 19:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation)
(CVPND) Cisco Systems, Inc. VPN Service [Auto | Running] -> C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -> [2009/01/13 10:28:46 | 001,528,608 | ---- | M] (Cisco Systems, Inc.)
 
[Driver Services - Safe List]
(TmFilter) Trend Micro Filter [Kernel | Auto | Running] -> C:\Program Files\Trend Micro\OfficeScan Client\TmXpflt.sys -> [2011/07/12 09:44:10 | 000,262,416 | ---- | M] (Trend Micro Inc.)
(TmPreFilter) Trend Micro PreFilter [Kernel | Auto | Running] -> C:\Program Files\Trend Micro\OfficeScan Client\TmPreflt.sys -> [2011/07/12 09:43:58 | 000,036,624 | ---- | M] (Trend Micro Inc.)
(VSApiNt) Trend Micro VSAPI NT [Kernel | Auto | Running] -> C:\Program Files\Trend Micro\OfficeScan Client\vsapiNT.sys -> [2011/07/12 09:09:32 | 001,405,720 | ---- | M] (Trend Micro Inc.)
(dc3d) MS Hardware Device Detection Driver (USB) [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\dc3d.sys -> [2011/05/18 07:09:04 | 000,040,320 | ---- | M] (Microsoft Corporation)
(vmbus) Virtual Machine Bus [Kernel | Boot | Running] -> C:\Windows\system32\drivers\vmbus.sys -> [2010/11/20 06:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation)
(storflt) Disk Virtual Machine Bus Acceleration Filter Driver [Kernel | Boot | Running] -> C:\Windows\system32\drivers\vmstorfl.sys -> [2010/11/20 06:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation)
(storvsc) storvsc [Kernel | On_Demand | Stopped] -> C:\Windows\system32\drivers\storvsc.sys -> [2010/11/20 06:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation)
(TsUsbFlt) TsUsbFlt [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\TsUsbFlt.sys -> [2010/11/20 04:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation)
(RdpVideoMiniport) Remote Desktop Video Miniport Driver [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\rdpvideominiport.sys -> [2010/11/20 04:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation)
(WinUsb) WinUSB Driver [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\winusb.sys -> [2010/11/20 03:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation)
(VMBusHID) VMBusHID [Kernel | On_Demand | Stopped] -> C:\Windows\system32\drivers\VMBusHID.sys -> [2010/11/20 03:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation)
(s3cap) s3cap [Kernel | On_Demand | Stopped] -> C:\Windows\system32\drivers\vms3cap.sys -> [2010/11/20 03:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation)
(tmactmon) tmactmon [Kernel | Auto | Running] -> C:\Windows\System32\drivers\tmactmon.sys -> [2010/06/15 10:26:56 | 000,067,664 | ---- | M] (Trend Micro Inc.)
(tmevtmgr) tmevtmgr [Kernel | Auto | Running] -> C:\Windows\System32\drivers\tmevtmgr.sys -> [2010/06/15 10:26:20 | 000,057,424 | ---- | M] (Trend Micro Inc.)
(tmcomm) tmcomm [Kernel | Auto | Running] -> C:\Windows\System32\drivers\tmcomm.sys -> [2010/06/15 10:25:42 | 000,177,232 | ---- | M] (Trend Micro Inc.)
(tmtdi) Trend Micro TDI Driver [Kernel | System | Running] -> C:\Windows\System32\drivers\tmtdi.sys -> [2010/04/24 23:36:50 | 000,090,256 | ---- | M] (Trend Micro Inc.)
(cvusbdrv) Dell ControlVault [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\cvusbdrv.sys -> [2009/11/03 16:40:42 | 000,033,832 | ---- | M] (Broadcom Corporation)
(prepdrvr) SMS Process Event Driver [Kernel | On_Demand | Running] -> C:\Windows\System32\CCM\PrepDrv.sys -> [2009/09/18 03:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation)
(WSDPrintDevice) WSD Print Support via UMB [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\WSDPrint.sys -> [2009/07/13 18:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation)
(acpials) ALS Sensor Filter [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\acpials.sys -> [2009/07/13 17:45:20 | 000,007,680 | ---- | M] (Microsoft Corporation)
(netw5v32) Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\netw5v32.sys -> [2009/07/13 16:02:51 | 004,231,168 | ---- | M] (Intel Corporation)
(rimmptsk) rimmptsk [Kernel | Auto | Running] -> C:\Windows\System32\drivers\rimmptsk.sys -> [2009/06/25 15:58:10 | 000,048,128 | ---- | M] (REDC)
(e1yexpress) Intel(R) Gigabit Network Connections Driver [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\e1y6232.sys -> [2009/06/13 00:20:02 | 000,221,912 | ---- | M] (Intel Corporation)
(CVPNDRVA) Cisco Systems Inc. IPSec Driver [Kernel | Auto | Running] -> C:\Windows\System32\drivers\CVPNDRVA.sys -> [2009/01/13 10:27:38 | 000,306,811 | ---- | M] (Cisco Systems, Inc.)
(DNE) Deterministic Network Enhancer Miniport [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\dne2000.sys -> [2008/08/28 16:17:38 | 000,131,856 | ---- | M] (Deterministic Networks, Inc.)
(PBADRV) PBADRV [Kernel | Boot | Running] -> C:\Windows\system32\DRIVERS\PBADRV.sys -> [2008/06/04 13:14:00 | 000,026,608 | ---- | M] (Dell Inc)
(CVirtA) Cisco Systems VPN Adapter [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\CVirtA.sys -> [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> about:blank -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://home.geosyntec.com/ -> 
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2008/07/28 04:47:40 | 000,882,416 | ---- | M] (Yahoo! Inc.)
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local;192.168.*.* -> 
< FireFox Settings [Prefs.js] > -> C:\Users\jsirk\AppData\Roaming\Mozilla\FireFox\Profiles\0u9473ez.default\prefs.js -> 
browser.search.selectedEngine -> "Wikipedia (en)" ->
browser.startup.homepage -> "http://home.geosyntec.com/SitePages/Home.aspx" ->
extensions.enabledItems -> {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [C:\PROGRAM FILES\ADOBE\ACROBAT 10.0\ACROBAT\BROWSER\WCFIREFOXEXTN] -> [2011/09/16 05:42:36 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com -> C:\Program Files\HP\Digital Imaging\smart web printing\MozillaAddOn3 [C:\PROGRAM FILES\HP\DIGITAL IMAGING\SMART WEB PRINTING\MOZILLAADDON3] -> [2011/10/31 21:00:15 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 8.0.1\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2011/11/30 08:41:30 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2011/09/16 05:42:44 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
  -> C:\Users\jsirk\AppData\Roaming\mozilla\Extensions -> [2010/09/22 07:30:00 | 000,000,000 | ---D | M]
  -> C:\Users\jsirk\AppData\Roaming\mozilla\Firefox\Profiles\0u9473ez.default\extensions -> [2011/11/30 08:44:33 | 000,000,000 | ---D | M]
DownloadHelper   -> C:\Users\jsirk\AppData\Roaming\mozilla\Firefox\Profiles\0u9473ez.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} -> [2011/11/30 08:44:33 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > -> 
  -> C:\Program Files\Mozilla Firefox\extensions -> [2011/12/01 08:52:05 | 000,000,000 | ---D | M]
Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} -> [2011/12/01 08:52:06 | 000,000,000 | ---D | M]
No name found -> C:\USERS\JSIRK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0U9473EZ.DEFAULT\EXTENSIONS\WEBMASTER@KEEP-TUBE.COM.XPI -> ()
< HOSTS File > ([2011/12/02 07:37:20 | 000,000,098 | ---- | M] - 2 lines) -> C:\Windows\System32\drivers\etc\Hosts -> 
Reset Hosts
127.0.0.1       localhost
::1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [&Yahoo! Toolbar Helper] -> [2008/07/28 04:47:40 | 000,882,416 | ---- | M] (Yahoo! Inc.)
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} [HKLM] -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [Groove GFS Browser Helper] -> [2011/06/12 10:15:00 | 004,221,328 | ---- | M] (Microsoft Corporation)
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
{B4F3A835-0E21-4959-BA22-42B3008E02FF} [HKLM] -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [Office Document Cache Handler] -> [2010/02/28 01:20:14 | 000,561,552 | ---- | M] (Microsoft Corporation)
{F4971EE7-DAA0-4053-9964-665D8EE6A077} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [SmartSelect Class] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [SingleInstance Class] -> [2008/07/28 04:47:42 | 000,160,496 | ---- | M] (Yahoo! Inc)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2008/07/28 04:47:40 | 000,882,416 | ---- | M] (Yahoo! Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Acrobat Assistant 8.0" -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe ["C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"] -> [2011/09/05 11:04:58 | 002,904,984 | ---- | M] (Adobe Systems Inc.)
"Adobe Acrobat Speed Launcher" -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe ["C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"] -> [2011/09/05 11:04:58 | 000,036,760 | ---- | M] (Adobe Systems Incorporated)
"BCSSync" -> C:\Program Files\Microsoft Office\Office14\BCSSync.exe ["C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices] -> [2010/03/13 13:54:26 | 000,091,520 | ---- | M] (Microsoft Corporation)
"Communicator" -> C:\Program Files\Microsoft Office Communicator\communicator.exe ["C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey] -> [2011/09/06 13:47:44 | 005,152,096 | ---- | M] (Microsoft Corporation)
"ControlCenter3" -> C:\Program Files\Brother\ControlCenter3\brctrcen.exe [C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun] -> [2008/12/24 09:26:54 | 000,114,688 | ---- | M] (Brother Industries, Ltd.)
"hpOQBlGcuNj.exe" ->  [C:\ProgramData\hpOQBlGcuNj.exe] -> File not found
"OfficeScanNT Monitor" -> C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe ["C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow] -> [2010/08/12 17:39:50 | 000,870,712 | ---- | M] (Trend Micro Inc.)
"WinPatrol" -> C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot] -> [2011/05/15 13:53:20 | 000,325,512 | ---- | M] (BillP Studios)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"OfficeSyncProcess" -> C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE ["C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"] -> [2010/03/16 01:58:36 | 000,718,208 | ---- | M] (Microsoft Corporation)
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
\Infodelivery\Restrictions\\"NoUpdateCheck" ->  [1] -> File not found
\Infodelivery\Restrictions\\"NoSplash" ->  [1] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main
\Main\\"DisableFirstRunCustomize" ->  [1] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows
\New Windows\\"ListBox_Support_Allow" ->  [1] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow
\New Windows\Allow\\"*.adp.com" ->  [*.adp.com] -> File not found
\New Windows\Allow\\"*.geosyntec.com" ->  [*.geosyntec.com] -> File not found
\New Windows\Allow\\"*.geosyntec.net" ->  [*.geosyntec.net] -> File not found
\New Windows\Allow\\"*.geosyntec.us" ->  [*.geosyntec.us] -> File not found
\New Windows\Allow\\"*.swfwmd.state.fl.us" ->  [*.swfwmd.state.fl.us] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter
\PhishingFilter\\"Enabled" ->  [0] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM
\SQM\\"DisableCustomerImprovementProgram" ->  [1] -> File not found
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main
\Main\\"DisableFirstRunCustomize" ->  [1] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Recovery
\Recovery\\"NoReopenLastSession" ->  [1] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Suggested Sites
\Suggested Sites\\"Enabled" ->  [1] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoWelcomeScreen" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"ConsentPromptBehaviorUser" ->  [3] -> File not found
\\"ConsentPromptBehaviorAdmin" ->  [5] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [255] -> File not found
\\"NoDesktopCleanupWizard" ->  [1] -> File not found
\\"ForceStartMenuLogOff" ->  [1] -> File not found
\\"NoWelcomeScreen" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Append Link Target to Existing PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
Append to Existing PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
Convert Link Target to Adobe PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html] -> [2011/09/05 11:05:06 | 000,339,872 | ---- | M] (Adobe Systems Incorporated)
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\Office14\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000] -> [2011/07/20 16:21:06 | 020,767,072 | ---- | M] (Microsoft Corporation)
Se&nd to OneNote -> C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll [res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105] -> [2010/02/28 03:41:04 | 000,643,472 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll [Button: Send to OneNote] -> [2010/02/28 03:41:04 | 000,643,472 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll [Menu: Se&nd to OneNote] -> [2010/02/28 03:41:04 | 000,643,472 | ---- | M] (Microsoft Corporation)
{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}:{FFFDC614-B694-4AE6-AB38-5D6374584B52} [HKLM] -> C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll [Button: OneNote Lin&ked Notes] -> [2010/02/28 03:41:04 | 000,496,528 | ---- | M] (Microsoft Corporation)
{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}:{FFFDC614-B694-4AE6-AB38-5D6374584B52} [HKLM] -> C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll [Menu: OneNote Lin&ked Notes] -> [2010/02/28 03:41:04 | 000,496,528 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{00134F72-5284-44F7-95A8-52A619F70751} [HKLM] -> https://oakbrook-01.geosyntec.net:4343/officescan/console/html/ClientInstall/WinNTChk.cab [ObjWinNTCheck Class] -> 
{02BCC737-B171-4746-94C9-0D8A0B2C0089} [HKLM] -> http://office.microsoft.com/sites/production/ieawsdc32.cab [Microsoft Office Template and Media Control] -> 
{08D75BC1-D2B5-11D1-88FC-0080C859833B} [HKLM] -> https://oakbrook-01:4343/officescan/console/html/ClientInstall/setup.cab [OfficeScan Corp Edition Web-Deployment SetupCtrl Class] -> 
{11E93902-B6FD-11D7-A642-00C04F57E4DC} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0010.CAB [Reg Error: Key error.] -> 
{2961B151-8F4A-4C9E-8287-D59FAA6C959D} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0060.CAB [Reg Error: Key error.] -> 
{2A00324E-751C-11D3-A5D3-00C04F7F81E2} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0040.CAB [Reg Error: Key error.] -> 
{2FC291D0-5814-4658-9680-4DAD4DD3F330} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTRCM0030.CAB [Reg Error: Key error.] -> 
{35C3D91E-401A-4E45-88A5-F3B32CD72DF4} [HKLM] -> https://oakbrook-01:4343/officescan/console/html/root/AtxEnc.cab [Encrypt Class] -> 
{4004B4D0-7D66-11D5-A55B-00B0D07DCA5B} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0090.CAB [Reg Error: Key error.] -> 
{4E096548-B6FC-11D7-A642-00C04F57E4DC} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0030.CAB [Reg Error: Key error.] -> 
{815E0702-E4CA-11D3-81ED-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0080.CAB [Reg Error: Key error.] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab [Java Plug-in 1.6.0_29] -> 
{90C8812D-81C2-45EA-8101-6C6F29835AE8} [HKLM] -> http://bst.geosyntec.com/auroraweb/BSTeInstaller.CAB [BSTEnterpriseInstaller.clsBSTeInstaller] -> 
{ACCB32DB-F2C9-46C3-A215-21F805657765} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0050.CAB [Reg Error: Key error.] -> 
{AD46BB36-7741-11D3-81B8-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0030.CAB [Reg Error: Key error.] -> 
{B3A8D7A2-B7E1-11D3-81E2-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0050.CAB [Reg Error: Key error.] -> 
{C4060AFD-381B-4D34-AECF-B99421B30E2F} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTGUI000006.CAB [Reg Error: Key error.] -> 
{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab [Java Plug-in 1.6.0_29] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab [Java Plug-in 1.6.0_29] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
{D9EE5A5C-AF15-11D3-81E0-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0010.CAB [Reg Error: Key error.] -> 
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> https://premconf.webex.com/client/T27L10NSP11EP14/webex/ieatgpc1.cab [GpcContainer Class] -> 
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.] -> 
{E6671596-1F52-11D3-8162-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/AuroraShell.CAB [AuroraShell.ShellControl] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.254 -> 
Domain -> GeoSyntec.net -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{E86917EB-9159-4873-B81F-7EA2690DDBF9}\\DhcpNameServer -> 192.168.1.254   (Intel(R) WiFi Link 5100 AGN) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\Windows\explorer.exe -> [2011/02/24 23:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\Windows\system32\userinit.exe -> C:\Windows\System32\userinit.exe -> [2010/11/20 06:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
SystemPropertiesPerformance.exe -> C:\Windows\System32\SystemPropertiesPerformance.exe -> [2009/07/13 19:14:42 | 000,081,920 | ---- | M] (Microsoft Corporation)
/pagefile ->  -> File not found
*MultiFile Done* -> -> 
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" [HKLM] -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [Groove GFS Stub Execution Hook] -> [2011/06/12 10:15:00 | 004,221,328 | ---- | M] (Microsoft Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> C:\Windows\system32\drivers\cdrom.sys [\SystemRoot\system32\drivers\cdrom.sys] -> [2010/11/20 02:38:10 | 000,108,544 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  -> 
C:\autoexec.bat [REM Dummy file for NTVDM | ] -> C:\autoexec.bat [ NTFS ] -> [2009/06/10 15:42:20 | 000,000,024 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
 
[Files/Folders - Created Within 30 Days]
 OTS.exe -> C:\Users\jsirk\Desktop\OTS.exe -> [2011/12/02 07:47:02 | 000,646,144 | ---- | C] (OldTimer Tools)
 tdsskiller.exe -> C:\Users\jsirk\Desktop\tdsskiller.exe -> [2011/12/02 07:41:25 | 001,566,512 | ---- | C] (Kaspersky Lab ZAO)
 _OTM -> C:\_OTM -> [2011/12/02 07:36:24 | 000,000,000 | ---D | C]
 OTM.exe -> C:\Users\jsirk\Desktop\OTM.exe -> [2011/12/02 07:30:24 | 000,523,264 | ---- | C] (OldTimer Tools)
 WinPatrol -> C:\Users\jsirk\AppData\Roaming\WinPatrol -> [2011/12/02 01:10:27 | 000,000,000 | ---D | C]
 InstallMate -> C:\ProgramData\InstallMate -> [2011/12/02 01:10:15 | 000,000,000 | ---D | C]
 BillP Studios -> C:\Program Files\BillP Studios -> [2011/12/02 01:10:15 | 000,000,000 | ---D | C]
 VirtualStore -> C:\Users\jsirk\AppData\Local\VirtualStore -> [2011/12/01 23:58:58 | 000,000,000 | ---D | C]
 For Evening -> C:\Users\jsirk\Desktop\For Evening -> [2011/12/01 14:03:36 | 000,000,000 | ---D | C]
 Google Chrome -> C:\Users\jsirk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome -> [2011/12/01 09:21:40 | 000,000,000 | ---D | C]
 Java -> C:\Program Files\Common Files\Java -> [2011/12/01 08:52:19 | 000,000,000 | ---D | C]
 javaws.exe -> C:\Windows\System32\javaws.exe -> [2011/12/01 08:52:02 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.)
 javaw.exe -> C:\Windows\System32\javaw.exe -> [2011/12/01 08:52:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
 java.exe -> C:\Windows\System32\java.exe -> [2011/12/01 08:52:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
 32788R22FWJFW -> C:\32788R22FWJFW -> [2011/11/29 15:07:46 | 000,000,000 | --SD | C]
 C87BCAE8 -> C:\Users\jsirk\AppData\Roaming\C87BCAE8 -> [2011/11/29 12:33:32 | 000,000,000 | ---D | C]
 Kaspersky Lab -> C:\ProgramData\Kaspersky Lab -> [2011/11/19 19:32:54 | 000,000,000 | ---D | C]
 $RECYCLE.BIN -> C:\$RECYCLE.BIN -> [2011/11/19 19:17:13 | 000,000,000 | ---D | C]
 temp -> C:\Users\jsirk\AppData\Local\temp -> [2011/11/19 19:15:08 | 000,000,000 | ---D | C]
 SWREG.exe -> C:\Windows\SWREG.exe -> [2011/11/19 19:01:26 | 000,518,144 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\Windows\SWSC.exe -> [2011/11/19 19:01:26 | 000,406,528 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\Windows\NIRCMD.exe -> [2011/11/19 19:01:26 | 000,060,416 | ---- | C] (NirSoft)
 Combo-Fix -> C:\Combo-Fix -> [2011/11/19 19:01:22 | 000,000,000 | ---D | C]
 Spybot - Search & Destroy -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy -> [2011/11/19 17:59:52 | 000,000,000 | ---D | C]
 Spybot - Search & Destroy -> C:\ProgramData\Spybot - Search & Destroy -> [2011/11/19 17:59:47 | 000,000,000 | ---D | C]
 Spybot - Search & Destroy -> C:\Program Files\Spybot - Search & Destroy -> [2011/11/19 17:59:47 | 000,000,000 | ---D | C]
 ERDNT -> C:\Windows\ERDNT -> [2011/11/19 17:11:08 | 000,000,000 | ---D | C]
 Qoobox -> C:\Qoobox -> [2011/11/19 16:54:36 | 000,000,000 | ---D | C]
 Google Earth -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth -> [2011/11/12 14:03:08 | 000,000,000 | ---D | C]
 IGFXDEVLib.dll -> C:\Windows\System32\IGFXDEVLib.dll -> [2010/02/20 14:35:06 | 000,004,096 | ---- | C] ( )
 
[Files/Folders - Modified Within 30 Days]
 OTS.exe -> C:\Users\jsirk\Desktop\OTS.exe -> [2011/12/02 07:47:06 | 000,646,144 | ---- | M] (OldTimer Tools)
 perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2011/12/02 07:46:44 | 000,675,074 | ---- | M] ()
 perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2011/12/02 07:46:44 | 000,123,152 | ---- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 -> [2011/12/02 07:45:32 | 000,012,080 | ---- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 -> [2011/12/02 07:45:32 | 000,012,080 | ---- | M] ()
 tdsskiller.exe -> C:\Users\jsirk\Desktop\tdsskiller.exe -> [2011/12/02 07:41:28 | 001,566,512 | ---- | M] (Kaspersky Lab ZAO)
 SMSCFG.ini -> C:\Windows\SMSCFG.ini -> [2011/12/02 07:40:51 | 000,000,497 | ---- | M] ()
 GoogleUpdateTaskMachineCore.job -> C:\Windows\tasks\GoogleUpdateTaskMachineCore.job -> [2011/12/02 07:38:43 | 000,000,880 | ---- | M] ()
 bootstat.dat -> C:\Windows\bootstat.dat -> [2011/12/02 07:38:08 | 000,067,584 | --S- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2011/12/02 07:38:01 | 2780,745,728 | -HS- | M] ()
 Hosts -> C:\Windows\System32\drivers\etc\Hosts -> [2011/12/02 07:37:20 | 000,000,098 | ---- | M] ()
 OTM.exe -> C:\Users\jsirk\Desktop\OTM.exe -> [2011/12/02 07:30:27 | 000,523,264 | ---- | M] (OldTimer Tools)
 GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675UA.job -> C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675UA.job -> [2011/12/02 07:26:00 | 000,000,908 | ---- | M] ()
 GoogleUpdateTaskMachineUA.job -> C:\Windows\tasks\GoogleUpdateTaskMachineUA.job -> [2011/12/02 07:16:38 | 000,000,884 | ---- | M] ()
 MEMORY.DMP -> C:\Windows\MEMORY.DMP -> [2011/12/02 00:36:06 | 114,487,704 | ---- | M] ()
 cfgall.ini -> C:\Windows\cfgall.ini -> [2011/12/01 09:37:20 | 000,008,862 | ---- | M] ()
 GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675Core.job -> C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675Core.job -> [2011/12/01 09:26:02 | 000,000,856 | ---- | M] ()
 Google Chrome.lnk -> C:\Users\jsirk\Desktop\Google Chrome.lnk -> [2011/12/01 09:21:44 | 000,002,274 | ---- | M] ()
 ntuser.pol -> C:\Users\jsirk\ntuser.pol -> [2011/11/30 15:22:16 | 000,010,128 | RHS- | M] ()
 RegBootClean.exe -> C:\Windows\RegBootClean.exe -> [2011/11/30 13:26:14 | 000,102,400 | ---- | M] ()
 Start_.cmd -> C:\Start_.cmd -> [2011/11/29 15:15:36 | 000,000,343 | ---- | M] ()
 it3p228k.dat -> C:\ProgramData\it3p228k.dat -> [2011/11/19 14:21:38 | 000,000,112 | ---- | M] ()
 itusbcore.dat -> C:\Windows\System32\itusbcore.dat -> [2011/11/18 09:01:09 | 000,100,702 | ---- | M] ()
 itlsvc.dat -> C:\Windows\System32\itlsvc.dat -> [2011/11/18 09:01:09 | 000,000,195 | ---- | M] ()
 Google Earth.lnk -> C:\Users\Public\Desktop\Google Earth.lnk -> [2011/11/12 14:03:09 | 000,002,170 | ---- | M] ()
 ntuser.pol -> C:\ProgramData\ntuser.pol -> [2011/11/07 11:56:46 | 000,043,271 | RHS- | M] ()
 MSDOS.SYS -> C:\MSDOS.SYS -> [2011/11/06 22:12:29 | 000,000,000 | RHS- | M] ()
 IO.SYS -> C:\IO.SYS -> [2011/11/06 22:12:29 | 000,000,000 | RHS- | M] ()
 FNTCACHE.DAT -> C:\Windows\System32\FNTCACHE.DAT -> [2011/11/02 15:58:32 | 000,491,664 | ---- | M] ()
 
[Files - No Company Name]
 Google Chrome.lnk -> C:\Users\jsirk\Desktop\Google Chrome.lnk -> [2011/12/01 09:21:44 | 000,002,274 | ---- | C] ()
 GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675UA.job -> C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675UA.job -> [2011/12/01 09:21:12 | 000,000,908 | ---- | C] ()
 GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675Core.job -> C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675Core.job -> [2011/12/01 09:21:11 | 000,000,856 | ---- | C] ()
 Google Earth.lnk -> C:\Users\Public\Desktop\Google Earth.lnk -> [2011/11/29 15:40:34 | 000,002,170 | ---- | C] ()
 HP Photosmart Essential 3.5.lnk -> C:\Users\Public\Desktop\HP Photosmart Essential 3.5.lnk -> [2011/11/29 15:40:34 | 000,002,125 | ---- | C] ()
 HP Solution Center.lnk -> C:\Users\Public\Desktop\HP Solution Center.lnk -> [2011/11/29 15:40:34 | 000,001,273 | ---- | C] ()
 Adobe Acrobat X Standard.lnk -> C:\Users\Public\Desktop\Adobe Acrobat X Standard.lnk -> [2011/11/29 15:40:33 | 000,002,014 | ---- | C] ()
 VPN Client.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk -> [2011/11/29 15:40:29 | 000,002,641 | ---- | C] ()
 HP Digital Imaging Monitor.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk -> [2011/11/29 15:40:29 | 000,002,069 | ---- | C] ()
 Microsoft Office Communicator 2007 R2.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Communicator 2007 R2.lnk -> [2011/11/29 15:40:26 | 000,002,613 | ---- | C] ()
 Windows Media Player.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk -> [2011/11/29 15:40:26 | 000,001,515 | ---- | C] ()
 Media Center.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk -> [2011/11/29 15:40:26 | 000,001,345 | ---- | C] ()
 Sidebar.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk -> [2011/11/29 15:40:26 | 000,001,330 | ---- | C] ()
 Windows DVD Maker.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk -> [2011/11/29 15:40:26 | 000,001,326 | ---- | C] ()
 XPS Viewer.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk -> [2011/11/29 15:40:26 | 000,001,246 | ---- | C] ()
 Windows Fax and Scan.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk -> [2011/11/29 15:40:26 | 000,001,210 | ---- | C] ()
 Mozilla Firefox.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> [2011/11/29 15:40:26 | 000,001,104 | ---- | C] ()
 I.R.I.S. OCR Registration.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\I.R.I.S. OCR Registration.lnk -> [2011/11/29 15:40:26 | 000,001,024 | ---- | C] ()
 Apple Software Update.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk -> [2011/11/29 15:40:25 | 000,002,519 | ---- | C] ()
 Adobe Acrobat X Standard.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat X Standard.lnk -> [2011/11/29 15:40:25 | 000,002,507 | ---- | C] ()
 Adobe Acrobat Distiller X.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller X.lnk -> [2011/11/29 15:40:25 | 000,002,465 | ---- | C] ()
 Start_.cmd -> C:\Start_.cmd -> [2011/11/29 15:13:51 | 000,000,343 | ---- | C] ()
 PEV.exe -> C:\Windows\PEV.exe -> [2011/11/19 19:01:26 | 000,256,000 | ---- | C] ()
 MBR.exe -> C:\Windows\MBR.exe -> [2011/11/19 19:01:26 | 000,208,896 | ---- | C] ()
 sed.exe -> C:\Windows\sed.exe -> [2011/11/19 19:01:26 | 000,098,816 | ---- | C] ()
 grep.exe -> C:\Windows\grep.exe -> [2011/11/19 19:01:26 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\Windows\zip.exe -> [2011/11/19 19:01:26 | 000,068,096 | ---- | C] ()
 it3p228k.dat -> C:\ProgramData\it3p228k.dat -> [2011/11/19 12:19:23 | 000,000,112 | ---- | C] ()
 itusbcore.dat -> C:\Windows\System32\itusbcore.dat -> [2011/11/18 09:01:09 | 000,100,702 | ---- | C] ()
 itlsvc.dat -> C:\Windows\System32\itlsvc.dat -> [2011/11/18 09:01:09 | 000,000,195 | ---- | C] ()
 RegBootClean.exe -> C:\Windows\RegBootClean.exe -> [2011/11/18 08:54:21 | 000,102,400 | ---- | C] ()
 MSDOS.SYS -> C:\MSDOS.SYS -> [2011/11/06 22:12:29 | 000,000,000 | RHS- | C] ()
 IO.SYS -> C:\IO.SYS -> [2011/11/06 22:12:29 | 000,000,000 | RHS- | C] ()
 hpoins19.dat -> C:\Windows\hpoins19.dat -> [2011/10/31 20:51:50 | 000,221,492 | ---- | C] ()
 hpomdl19.dat -> C:\Windows\hpomdl19.dat -> [2011/10/31 20:51:50 | 000,013,898 | ---- | C] ()
 Brpfx04a.ini -> C:\Windows\Brpfx04a.ini -> [2011/06/28 08:32:04 | 000,000,244 | ---- | C] ()
 brpcfx.ini -> C:\Windows\brpcfx.ini -> [2011/06/28 08:32:04 | 000,000,093 | ---- | C] ()
 bridf08a.dat -> C:\Windows\System32\bridf08a.dat -> [2011/06/28 08:22:29 | 000,000,050 | ---- | C] ()
 Brfaxrx.ini -> C:\Windows\Brfaxrx.ini -> [2011/06/28 08:22:20 | 000,000,066 | ---- | C] ()
 brdfxspd.dat -> C:\Windows\brdfxspd.dat -> [2011/06/28 08:22:19 | 000,000,000 | ---- | C] ()
 BrMuSNMP.dll -> C:\Windows\System32\BrMuSNMP.dll -> [2011/06/28 08:22:18 | 000,106,496 | ---- | C] ()
 RDVGHelper.exe -> C:\Windows\System32\RDVGHelper.exe -> [2011/05/25 15:44:47 | 000,080,896 | ---- | C] ()
 PrintBrmUi.exe -> C:\Windows\System32\PrintBrmUi.exe -> [2011/05/25 15:43:13 | 000,066,048 | ---- | C] ()
 jestertb.dll -> C:\Windows\jestertb.dll -> [2011/04/24 09:13:46 | 000,021,504 | ---- | C] ()
 ODBC.INI -> C:\Windows\ODBC.INI -> [2011/02/14 12:38:19 | 000,000,028 | ---- | C] ()
 Jakes Alarm Clock.INI -> C:\Windows\Jakes Alarm Clock.INI -> [2010/12/07 05:43:54 | 000,000,229 | ---- | C] ()
 CcmFramework.ini -> C:\Windows\System32\CcmFramework.ini -> [2010/09/22 10:42:44 | 000,004,764 | ---- | C] ()
 SMSCFG.ini -> C:\Windows\SMSCFG.ini -> [2010/09/22 10:42:15 | 000,000,497 | ---- | C] ()
 nsreg.dat -> C:\Windows\nsreg.dat -> [2010/09/22 07:29:48 | 000,000,000 | ---- | C] ()
 BRWMARK.INI -> C:\Windows\BRWMARK.INI -> [2010/07/23 11:10:32 | 000,000,419 | ---- | C] ()
 BRPP2KA.INI -> C:\Windows\BRPP2KA.INI -> [2010/07/23 11:10:32 | 000,000,027 | ---- | C] ()
 error.dat -> C:\Program Files\error.dat -> [2010/07/23 11:10:22 | 000,000,000 | ---- | C] ()
 brmx2001.ini -> C:\Windows\brmx2001.ini -> [2010/07/23 11:10:22 | 000,000,000 | ---- | C] ()
 Brownie.ini -> C:\Windows\Brownie.ini -> [2010/07/23 11:08:42 | 000,000,074 | ---- | C] ()
 ccolwiz.ini -> C:\Windows\ccolwiz.ini -> [2010/07/14 13:29:45 | 000,000,077 | ---- | C] ()
 cfgall.ini -> C:\Windows\cfgall.ini -> [2010/06/17 11:54:56 | 000,008,862 | ---- | C] ()
 postie.exe -> C:\Windows\System32\postie.exe -> [2010/06/17 10:06:47 | 000,368,640 | ---- | C] ()
 ntuser.pol -> C:\ProgramData\ntuser.pol -> [2010/06/17 09:43:12 | 000,043,271 | RHS- | C] ()
 brcmbsp.dll -> C:\Windows\System32\brcmbsp.dll -> [2010/06/17 09:24:32 | 000,308,624 | ---- | C] ()
 bipbsp.dll -> C:\Windows\System32\bipbsp.dll -> [2010/06/17 09:24:32 | 000,206,216 | ---- | C] ()
 pbadrvdll.dll -> C:\Windows\System32\pbadrvdll.dll -> [2010/06/17 09:24:09 | 000,080,368 | ---- | C] ()
 igcompkrng500.bin -> C:\Windows\System32\igcompkrng500.bin -> [2010/02/20 15:16:10 | 000,439,308 | ---- | C] ()
 igkrng500.bin -> C:\Windows\System32\igkrng500.bin -> [2010/02/20 15:16:08 | 000,982,240 | ---- | C] ()
 igfcg500m.bin -> C:\Windows\System32\igfcg500m.bin -> [2010/02/20 15:16:08 | 000,092,356 | ---- | C] ()
 GfxUI.exe.config -> C:\Windows\System32\GfxUI.exe.config -> [2010/02/20 14:32:46 | 000,000,151 | ---- | C] ()
 iglhsip32.dll -> C:\Windows\System32\iglhsip32.dll -> [2010/02/20 14:27:38 | 000,208,896 | ---- | C] ()
 iglhcp32.dll -> C:\Windows\System32\iglhcp32.dll -> [2010/02/20 14:27:38 | 000,143,360 | ---- | C] ()
 BSTRegIT.dll -> C:\Windows\System32\BSTRegIT.dll -> [2009/11/10 09:45:02 | 000,028,672 | ---- | C] ()
 Fsclient.ini -> C:\Windows\System32\Fsclient.ini -> [2009/11/10 09:44:54 | 000,002,098 | ---- | C] ()
 OGACheckControl.dll -> C:\Windows\System32\OGACheckControl.dll -> [2009/08/03 14:07:42 | 000,403,816 | ---- | C] ()
 OGAEXEC.exe -> C:\Windows\System32\OGAEXEC.exe -> [2009/08/03 14:07:42 | 000,230,768 | ---- | C] ()
 bootstat.dat -> C:\Windows\bootstat.dat -> [2009/07/13 22:57:37 | 000,067,584 | --S- | C] ()
 FNTCACHE.DAT -> C:\Windows\System32\FNTCACHE.DAT -> [2009/07/13 22:33:53 | 000,491,664 | ---- | C] ()
 perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2009/07/13 20:05:48 | 000,675,074 | ---- | C] ()
 perfi009.dat -> C:\Windows\System32\perfi009.dat -> [2009/07/13 20:05:48 | 000,291,294 | ---- | C] ()
 perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2009/07/13 20:05:48 | 000,123,152 | ---- | C] ()
 perfd009.dat -> C:\Windows\System32\perfd009.dat -> [2009/07/13 20:05:48 | 000,031,548 | ---- | C] ()
 NOISE.DAT -> C:\Windows\System32\NOISE.DAT -> [2009/07/13 20:05:05 | 000,000,741 | ---- | C] ()
 dssec.dat -> C:\Windows\System32\dssec.dat -> [2009/07/13 20:04:11 | 000,215,943 | ---- | C] ()
 mib.bin -> C:\Windows\mib.bin -> [2009/07/13 17:55:01 | 000,043,131 | ---- | C] ()
 BthpanContextHandler.dll -> C:\Windows\System32\BthpanContextHandler.dll -> [2009/07/13 17:51:43 | 000,073,728 | ---- | C] ()
 BWContextHandler.dll -> C:\Windows\System32\BWContextHandler.dll -> [2009/07/13 17:42:10 | 000,064,000 | ---- | C] ()
 igfcg500.bin -> C:\Windows\System32\igfcg500.bin -> [2009/07/13 16:09:19 | 000,139,824 | ---- | C] ()
 mlang.dat -> C:\Windows\System32\mlang.dat -> [2009/06/10 15:26:10 | 000,673,088 | ---- | C] ()
 vpnapi.dll -> C:\Windows\System32\vpnapi.dll -> [2009/01/13 10:29:00 | 000,197,408 | ---- | C] ()
 bioapi_mds300.dll -> C:\Windows\System32\bioapi_mds300.dll -> [2006/06/30 11:58:44 | 000,176,128 | ---- | C] ()
 bioapi100.dll -> C:\Windows\System32\bioapi100.dll -> [2006/06/30 11:58:44 | 000,126,976 | ---- | C] ()
< End of report >
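
As an added example (my own code, not OldTimer's tool or anything posted in this thread), here is a small Python triage script that parses lines in the OTS log format above and flags the three kinds of entry the fix script in the next post singles out: Downloaded Program Files entries marked "Reg Error: Key error.", an autorun .exe sitting directly in ProgramData, and an 8-hex-digit folder created in Roaming AppData. The heuristics are mine, not OTS rules, and the sample lines are copied from the log and fix script on this page.

```python
"""Triage an OTS (OldTimer Scan) log excerpt.  Added example: the parsing and
heuristics are the editor's own, not part of OTS or of this thread."""
import re
from dataclasses import dataclass

# OTS file/folder lines: "name -> path -> [stamp | size | attrs | C|M] (company)"
FILE_LINE = re.compile(
    r"^\s*(?P<name>.+?) -> (?P<path>[A-Za-z]:\\.*?) -> "
    r"\[(?P<stamp>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?\s*$"
)
# Downloaded Program Files (ActiveX) lines: "{CLSID} [HKLM] -> url [description] ->"
DPF_LINE = re.compile(
    r"^\s*(?:YN -> )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) \[HK[A-Z]+\] -> "
    r"(?P<url>\S+) \[(?P<desc>[^\]]*)\]"
)
# Run-key lines as written in an OTS fix script: 'YN -> "value" -> [target]'
RUN_LINE = re.compile(r'^\s*(?:YN -> )?"(?P<value>[^"]+)" -> \[(?P<target>[^\]]+)\]')

ORPHAN_DESC = "Reg Error: Key error."   # OTS marker for a CLSID with no backing key
HEX8 = re.compile(r"^[0-9A-F]{8}$", re.I)  # folder names like C87BCAE8


@dataclass
class Finding:
    path: str
    reason: str


def _parent(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def _loose_exe_in_data_dir(path: str) -> bool:
    """An .exe placed directly in ProgramData or a user's AppData root, with no
    vendor subfolder, is the pattern of the hpOQBlGcuNj.exe autorun in the fix."""
    if not path.lower().endswith(".exe"):
        return False
    parent = _parent(path)
    return parent == r"c:\programdata" or parent.endswith(
        (r"\appdata\roaming", r"\appdata\local"))


def triage(lines):
    """Return a Finding for every log line matching one of the heuristics, in log order."""
    findings = []
    for raw in lines:
        m = DPF_LINE.match(raw)
        if m:
            if m.group("desc") == ORPHAN_DESC:
                findings.append(Finding(m.group("url"),
                                        "ActiveX download entry whose registry key is missing"))
            continue
        m = RUN_LINE.match(raw)
        if m:
            if _loose_exe_in_data_dir(m.group("target")):
                findings.append(Finding(m.group("target"),
                                        "autorun executable placed directly in a data directory"))
            continue
        m = FILE_LINE.match(raw)
        if not m:
            continue
        path, name, attrs = m.group("path"), m.group("name").strip(), m.group("attrs")
        # "D" in the attribute column marks a directory.
        if "D" in attrs and _parent(path).endswith(r"\appdata\roaming") and HEX8.match(name):
            findings.append(Finding(path, "folder in Roaming AppData named with 8 random hex digits"))
        elif _loose_exe_in_data_dir(path):
            findings.append(Finding(path, "executable placed directly in a data directory"))
    return findings


# Constructed sample: lines copied from the OTS log and fix script in this thread.
SAMPLE_LOG = r"""
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab [Java Plug-in 1.6.0_29] ->
{11E93902-B6FD-11D7-A642-00C04F57E4DC} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0010.CAB [Reg Error: Key error.] ->
YN -> "hpOQBlGcuNj.exe" -> [C:\ProgramData\hpOQBlGcuNj.exe]
 OTS.exe -> C:\Users\jsirk\Desktop\OTS.exe -> [2011/12/02 07:47:02 | 000,646,144 | ---- | C] (OldTimer Tools)
 WinPatrol -> C:\Users\jsirk\AppData\Roaming\WinPatrol -> [2011/12/02 01:10:27 | 000,000,000 | ---D | C]
 C87BCAE8 -> C:\Users\jsirk\AppData\Roaming\C87BCAE8 -> [2011/11/29 12:33:32 | 000,000,000 | ---D | C]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason}: {f.path}")
```

Run against the full log it lists each flagged path with its reason; legitimate entries such as the Java plug-in, OTS.exe on the desktop and the WinPatrol folder are left alone.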


#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:51 AM

Posted 03 December 2011 - 02:24 AM

Hello rodneystubbs!

First of all, thanks so much for your help (and your prompt response)! If we (you) can figure this out then you're really gonna save my bacon.

You're very welcome! I'll do my best to try and eradicate this monster of an infection.

1. the PING symptoms, etc., seemed to stop when I came home from work last night. Before your post last night I seemed to have significantly reduced symptoms at home as opposed to at work - this has been par for the course since about Tuesday. Still get some occasional popup/redirect activity here, but it seems as though at work something is different (that's also where 100% of the problems have initiated) - would there be any reason that running these at home would yield different results?

Yes, there is always a possibility that a network at work may have been compromised by malware. How big of a company do you work for? For my own knowledge, does the company have an IT department? Does this happen to be a company computer?

3. Last, you mentioned ZeroAccess - I did run into that before Thanksgiving and thought I had eradicated it. Sorry, I probably should have advised of some of these prior conditions. The logs:

ZeroAccess can be a fairly stubborn infection and if it's not removed properly can come back again.

Running OTS Fix
Start OTS. Copy/paste the information inside the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "hpOQBlGcuNj.exe" -> [C:\ProgramData\hpOQBlGcuNj.exe]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {11E93902-B6FD-11D7-A642-00C04F57E4DC} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0010.CAB [Reg Error: Key error.]
YN -> {2961B151-8F4A-4C9E-8287-D59FAA6C959D} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0060.CAB [Reg Error: Key error.]
YN -> {2A00324E-751C-11D3-A5D3-00C04F7F81E2} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0040.CAB [Reg Error: Key error.]
YN -> {2FC291D0-5814-4658-9680-4DAD4DD3F330} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTRCM0030.CAB [Reg Error: Key error.]
YN -> {4004B4D0-7D66-11D5-A55B-00B0D07DCA5B} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0090.CAB [Reg Error: Key error.]
YN -> {4E096548-B6FC-11D7-A642-00C04F57E4DC} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0030.CAB [Reg Error: Key error.]
YN -> {815E0702-E4CA-11D3-81ED-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0080.CAB [Reg Error: Key error.]
YN -> {8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab [Java Plug-in 1.6.0_29]
YN -> {ACCB32DB-F2C9-46C3-A215-21F805657765} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIX0050.CAB [Reg Error: Key error.]
YN -> {AD46BB36-7741-11D3-81B8-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0030.CAB [Reg Error: Key error.]
YN -> {B3A8D7A2-B7E1-11D3-81E2-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0050.CAB [Reg Error: Key error.]
YN -> {C4060AFD-381B-4D34-AECF-B99421B30E2F} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTGUI000006.CAB [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab [Java Plug-in 1.6.0_29]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab [Java Plug-in 1.6.0_29]
YN -> {D9EE5A5C-AF15-11D3-81E0-00C04F8DF62C} [HKLM] -> http://bst.geosyntec.com/auroraweb/ClientComponents/BSTEIT0010.CAB [Reg Error: Key error.]
YN -> {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  C87BCAE8 -> C:\Users\jsirk\AppData\Roaming\C87BCAE8
[Files/Folders - Modified Within 30 Days]
NY ->  cfgall.ini -> C:\Windows\cfgall.ini
NY ->  Start_.cmd -> C:\Start_.cmd
NY ->  it3p228k.dat -> C:\ProgramData\it3p228k.dat
NY ->  itusbcore.dat -> C:\Windows\System32\itusbcore.dat
NY ->  itlsvc.dat -> C:\Windows\System32\itlsvc.dat
[Files - No Company Name]
NY ->  it3p228k.dat -> C:\ProgramData\it3p228k.dat
NY ->  itusbcore.dat -> C:\Windows\System32\itusbcore.dat
NY ->  itlsvc.dat -> C:\Windows\System32\itlsvc.dat
[EmptyFlash]
[CreateRestorePoint]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.


NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 rodneystubbs

rodneystubbs
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:51 AM

Posted 03 December 2011 - 10:56 AM

1. the PING symptoms, etc., seemed to stop when I came home from work last night. Before your post last night I seemed to have significantly reduced symptoms at home as opposed to at work - this has been par for the course since about Tuesday. Still get some occasional popup/redirect activity here, but it seems as though at work something is different (that's also where 100% of the problems have initiated) - would there be any reason that running these at home would yield different results?

Yes, there is always a possibility that a network at work may have been compromised by malware. How big of a company do you work for? For my own knowledge, does the company have an IT department? Does this happen to be a company computer?

I work for a medium-sized company (~2000 employees); we do have an IT department, and yes, it is a company computer in the sense that I do not own it, but it is "mine", if that makes sense. I take it everywhere and no one else uses it.

OTS ran and rebooted, but did not provide a log (Notepad did not open). Checked around and all I could find was the log from the last run of OTS yesterday.

Combofix ran, indicated rootkit presence, rebooted and completed. Log below:

ComboFix 11-12-03.01 - JSirk 12/03/2011 9:31.2.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3536.2745 [GMT -6:00]
Running from: c:\users\jsirk\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB36435$
c:\windows\$NtUninstallKB36435$\3003923807\@
c:\windows\$NtUninstallKB36435$\3003923807\bckfg.tmp
c:\windows\$NtUninstallKB36435$\3003923807\cfg.ini
c:\windows\$NtUninstallKB36435$\3003923807\Desktop.ini
c:\windows\$NtUninstallKB36435$\3003923807\keywords
c:\windows\$NtUninstallKB36435$\3003923807\kwrd.dll
c:\windows\$NtUninstallKB36435$\3003923807\L\xadqgnnk
c:\windows\$NtUninstallKB36435$\3003923807\lsflt7.ver
c:\windows\$NtUninstallKB36435$\3003923807\U\00000001.@
c:\windows\$NtUninstallKB36435$\3003923807\U\00000002.@
c:\windows\$NtUninstallKB36435$\3003923807\U\00000004.@
c:\windows\$NtUninstallKB36435$\3003923807\U\80000000.@
c:\windows\$NtUninstallKB36435$\3003923807\U\80000004.@
c:\windows\$NtUninstallKB36435$\3003923807\U\80000032.@
c:\windows\$NtUninstallKB36435$\337019940
.
.
((((((((((((((((((((((((( Files Created from 2011-11-03 to 2011-12-03 )))))))))))))))))))))))))))))))
.
.
2011-12-03 15:40 . 2011-12-03 15:42 -------- d-----w- c:\users\jsirk\AppData\Local\temp
2011-12-03 15:40 . 2011-12-03 15:40 -------- d-----w- c:\users\support\AppData\Local\temp
2011-12-03 15:40 . 2011-12-03 15:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-03 15:26 . 2011-12-02 08:33 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-03 15:06 . 2011-12-03 15:06 -------- d-----w- C:\_OTS
2011-12-02 13:36 . 2011-12-02 13:36 -------- d-----w- C:\_OTM
2011-12-02 07:10 . 2011-12-02 07:10 -------- d-----w- c:\users\jsirk\AppData\Roaming\WinPatrol
2011-12-02 07:10 . 2011-12-02 07:10 -------- d-----w- c:\programdata\InstallMate
2011-12-02 07:10 . 2011-12-02 07:10 -------- d-----w- c:\program files\BillP Studios
2011-12-02 05:58 . 2011-12-02 05:58 -------- d-----w- c:\users\jsirk\AppData\Local\VirtualStore
2011-12-01 14:52 . 2011-12-01 14:52 -------- d-----w- c:\program files\Common Files\Java
2011-11-29 11:53 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{565E7811-7475-49F2-B785-D7560A0D6766}\mpengine.dll
2011-11-20 01:32 . 2011-11-20 01:32 -------- d-----w- c:\programdata\Kaspersky Lab
2011-11-20 01:02 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-20 01:01 . 2011-11-20 01:23 -------- d-----w- C:\Combo-Fix
2011-11-19 23:59 . 2011-12-01 16:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-19 23:59 . 2011-11-20 00:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-18 14:54 . 2011-11-30 19:26 102400 ----a-w- c:\windows\RegBootClean.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 11:06 . 2010-06-17 16:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-30 14:41 . 2011-04-17 22:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2011-09-06 5152096]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-20 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-20 167960]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-08-12 870712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2010-6-17 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 136176]
R2 intelusb3;Intel USB3 Device Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2010-04-25 689416]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-17 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-03-24 812448]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-03-24 27040]
S2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [2010-12-02 218432]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-06-15 57424]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-07-12 262416]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2011-07-12 36624]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-11-03 33832]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
intelusbs3 REG_MULTI_SZ intelusb3
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 17:28]
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 17:28]
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675Core.job
- c:\users\jsirk\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-01 11:55]
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675UA.job
- c:\users\jsirk\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-01 11:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.geosyntec.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
DPF: {90C8812D-81C2-45EA-8101-6C6F29835AE8} - hxxp://bst.geosyntec.com/auroraweb/BSTeInstaller.CAB
DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} - hxxp://bst.geosyntec.com/auroraweb/AuroraShell.CAB
FF - ProfilePath - c:\users\jsirk\AppData\Roaming\Mozilla\Firefox\Profiles\0u9473ez.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://home.geosyntec.com/SitePages/Home.aspx
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility]
"ServiceDll"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
c:\windows\system32\schtasks.exe
c:\windows\system32\conhost.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\conhost.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\conhost.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\wbem\WmiApSrv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-12-03 09:46:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-03 15:46
ComboFix2.txt 2011-11-20 01:23
.
Pre-Run: 198,596,993,024 bytes free
Post-Run: 198,227,185,664 bytes free
.
- - End Of File - - B32D421931CBF92909EA9CE8B5D02E44

#6 rodneystubbs

rodneystubbs
  • Topic Starter

  • Members
  • 9 posts

Posted 03 December 2011 - 11:01 AM

found the OTS log you instructed:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hpOQBlGcuNj.exe deleted successfully.
Starting removal of ActiveX control {11E93902-B6FD-11D7-A642-00C04F57E4DC}
C:\Windows\Downloaded Program Files\BSTEIX0010.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11E93902-B6FD-11D7-A642-00C04F57E4DC}\ not found.
Starting removal of ActiveX control {2961B151-8F4A-4C9E-8287-D59FAA6C959D}
C:\Windows\Downloaded Program Files\BSTEIX0060.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2961B151-8F4A-4C9E-8287-D59FAA6C959D}\ not found.
Starting removal of ActiveX control {2A00324E-751C-11D3-A5D3-00C04F7F81E2}
C:\Windows\Downloaded Program Files\BSTEIT0040.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A00324E-751C-11D3-A5D3-00C04F7F81E2}\ not found.
Starting removal of ActiveX control {2FC291D0-5814-4658-9680-4DAD4DD3F330}
C:\Windows\Downloaded Program Files\BSTRCM0030.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2FC291D0-5814-4658-9680-4DAD4DD3F330}\ not found.
Starting removal of ActiveX control {4004B4D0-7D66-11D5-A55B-00B0D07DCA5B}
C:\Windows\Downloaded Program Files\BSTEIT0090.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4004B4D0-7D66-11D5-A55B-00B0D07DCA5B}\ not found.
Starting removal of ActiveX control {4E096548-B6FC-11D7-A642-00C04F57E4DC}
C:\Windows\Downloaded Program Files\BSTEIX0030.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E096548-B6FC-11D7-A642-00C04F57E4DC}\ not found.
Starting removal of ActiveX control {815E0702-E4CA-11D3-81ED-00C04F8DF62C}
C:\Windows\Downloaded Program Files\BSTEIT0080.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{815E0702-E4CA-11D3-81ED-00C04F8DF62C}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Starting removal of ActiveX control {ACCB32DB-F2C9-46C3-A215-21F805657765}
C:\Windows\Downloaded Program Files\BSTEIX0050.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ACCB32DB-F2C9-46C3-A215-21F805657765}\ not found.
Starting removal of ActiveX control {AD46BB36-7741-11D3-81B8-00C04F8DF62C}
C:\Windows\Downloaded Program Files\BSTEIT0030.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD46BB36-7741-11D3-81B8-00C04F8DF62C}\ not found.
Starting removal of ActiveX control {B3A8D7A2-B7E1-11D3-81E2-00C04F8DF62C}
C:\Windows\Downloaded Program Files\BSTEIT0050.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B3A8D7A2-B7E1-11D3-81E2-00C04F8DF62C}\ not found.
Starting removal of ActiveX control {C4060AFD-381B-4D34-AECF-B99421B30E2F}
C:\Windows\Downloaded Program Files\BSTGUI000006.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4060AFD-381B-4D34-AECF-B99421B30E2F}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {D9EE5A5C-AF15-11D3-81E0-00C04F8DF62C}
C:\Windows\Downloaded Program Files\BSTEIT0010.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9EE5A5C-AF15-11D3-81E0-00C04F8DF62C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
[Files/Folders - Created Within 30 Days]
C:\Users\jsirk\AppData\Roaming\C87BCAE8 folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Windows\cfgall.ini moved successfully.
C:\Start_.cmd moved successfully.
C:\ProgramData\it3p228k.dat moved successfully.
C:\Windows\System32\itusbcore.dat moved successfully.
C:\Windows\System32\itlsvc.dat moved successfully.
[Files - No Company Name]
File C:\ProgramData\it3p228k.dat not found!
File C:\Windows\System32\itusbcore.dat not found!
File C:\Windows\System32\itlsvc.dat not found!

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: jsirk
->Flash cache emptied: 2219 bytes

User: Public

User: support
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Cannot create restore point. Unable to start RPC service!
< End of fix log >
OTS by OldTimer - Version 3.1.46.0 fix logfile created on 12032011_090631

#7 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 04 December 2011 - 01:31 AM

Hello,

I work for a medium-sized company (~2000 employees); we do have an IT department, and yes, it is a company computer in the sense that I do not own it, but it is "mine", if that makes sense. I take it everywhere and no one else uses it.

I just want to ensure that we are not breaking any company policies by fixing the computer ourselves. I know that some companies have a strict policy on infected computers.

But if your company lets you have complete control over it, and handle things like this yourself, then that's perfectly fine with me. I just don't want to be getting anybody in trouble.

It looks like ComboFix did address the ZeroAccess issue.

Which leads me to the following warning:

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Please do me a favor and run a new scan with ComboFix and post the log it produces.

Edited by SweetTech, 04 December 2011 - 01:54 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
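The c:\windows\$NtUninstallKB36435$ tree in the ComboFix log earlier in this thread is the hidden-folder layout that SweetTech identifies as ZeroAccess in the reply above. The following is an added example, not ComboFix's or BleepingComputer's code: it pulls the paths out of ComboFix log lines and flags any $NtUninstallKB...$ root that shows the ZeroAccess markers (".@" payload files under U\ or L\ subfolders). The sample log is constructed from the lines in this thread plus one made-up benign hotfix folder (KB0000000 is a placeholder).

```python
"""Flag ZeroAccess-style hidden-folder indicators in ComboFix log lines.

Added example for this thread, not ComboFix or BleepingComputer code. ZeroAccess
(Sirefef) of this era parked its components in a fake hotfix-uninstall folder,
c:\\windows\\$NtUninstallKB<bogus number>$, with a numeric payload directory holding
"@"-named files plus U\\ and L\\ subfolders. The functions below pull paths out of
ComboFix log lines and score each $NtUninstallKB...$ root on those markers.
"""
import re
from dataclasses import dataclass, field

# Hotfix-uninstall root, e.g. c:\windows\$NtUninstallKB36435$ (the bogus KB in this log).
_ROOT_RE = re.compile(
    r"^(?P<root>[a-z]:\\windows\\\$NtUninstallKB(?P<kb>\d+)\$)(?P<rest>(?:\\[^\\]+)*)$",
    re.IGNORECASE,
)
# ComboFix prints the path last on a line ("... ----a-w- c:\windows\foo.sys"),
# so take everything from the first drive letter to the end of the line.
_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# Constructed sample: the $NtUninstallKB36435$ tree copied from the ComboFix log in
# this thread, two ordinary lines from the same log, and one made-up benign hotfix
# folder (KB0000000 is a placeholder) laid out like a genuine uninstall folder.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB36435$
c:\windows\$NtUninstallKB36435$\3003923807\@
c:\windows\$NtUninstallKB36435$\3003923807\bckfg.tmp
c:\windows\$NtUninstallKB36435$\3003923807\cfg.ini
c:\windows\$NtUninstallKB36435$\3003923807\Desktop.ini
c:\windows\$NtUninstallKB36435$\3003923807\keywords
c:\windows\$NtUninstallKB36435$\3003923807\kwrd.dll
c:\windows\$NtUninstallKB36435$\3003923807\L\xadqgnnk
c:\windows\$NtUninstallKB36435$\3003923807\lsflt7.ver
c:\windows\$NtUninstallKB36435$\3003923807\U\00000001.@
c:\windows\$NtUninstallKB36435$\3003923807\U\00000002.@
c:\windows\$NtUninstallKB36435$\3003923807\U\00000004.@
c:\windows\$NtUninstallKB36435$\3003923807\U\80000000.@
c:\windows\$NtUninstallKB36435$\3003923807\U\80000004.@
c:\windows\$NtUninstallKB36435$\3003923807\U\80000032.@
c:\windows\$NtUninstallKB36435$\337019940
2011-12-03 15:26 . 2011-12-02 08:33 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-18 14:54 . 2011-11-30 19:26 102400 ----a-w- c:\windows\RegBootClean.exe
c:\windows\$NtUninstallKB0000000$\spuninst\spuninst.exe
"""


@dataclass
class Finding:
    root: str                       # lower-cased $NtUninstallKB...$ root
    kb: str                         # the KB number in the folder name
    at_files: list = field(default_factory=list)   # components named "@" or ending ".@"
    subdirs: set = field(default_factory=set)      # folders between payload dir and file
    other_files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # ZeroAccess marker: ".@" payload files together with a U\ and/or L\ subfolder.
        return bool(self.at_files) and bool(self.subdirs & {"U", "L"})


def extract_paths(log_text: str) -> list:
    """Return the trailing Windows path from every log line that carries one."""
    paths = []
    for line in log_text.splitlines():
        m = _PATH_RE.search(line.strip())
        if m:
            paths.append(m.group(0).rstrip())
    return paths


def find_zeroaccess_indicators(paths) -> dict:
    """Group $NtUninstallKB...$ paths by root and record the ZeroAccess markers seen."""
    findings = {}
    for p in paths:
        m = _ROOT_RE.match(p)
        if not m:
            continue  # not under a hotfix-uninstall root
        root = m.group("root").lower()
        f = findings.setdefault(root, Finding(root=root, kb=m.group("kb")))
        parts = [c for c in m.group("rest").split("\\") if c]
        if not parts:
            continue  # the root folder itself
        if len(parts) >= 3:
            f.subdirs.add(parts[1].upper())  # e.g. U or L under the payload directory
        leaf = parts[-1]
        if leaf == "@" or leaf.lower().endswith(".@"):
            f.at_files.append(p)
        else:
            f.other_files.append(p)
    return findings


def scan_log(log_text: str) -> list:
    """Suspicious roots in a log, in first-seen order."""
    findings = find_zeroaccess_indicators(extract_paths(log_text))
    return [f for f in findings.values() if f.suspicious]


if __name__ == "__main__":
    for f in find_zeroaccess_indicators(extract_paths(SAMPLE_LOG)).values():
        verdict = "SUSPICIOUS: ZeroAccess layout" if f.suspicious else "no ZeroAccess markers"
        print(f"{f.root}  .@ files={len(f.at_files)}  subdirs={sorted(f.subdirs)}  -> {verdict}")
```

Run against a full ComboFix log, only the bogus root is reported; a genuine uninstall folder without ".@" files under U\ or L\ is listed but not flagged.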


#8 rodneystubbs

rodneystubbs
  • Topic Starter

  • Members
  • 9 posts

Posted 04 December 2011 - 11:32 AM

Thanks for your continued support! Let's keep going and try to complete the fix to the extent possible. I'll do password changes as a precautionary measure.

This made me think of something, actually. For us, when passwords expire, passwords for a user are updated from the local machine (the ctrl+alt+del "change a password") and this then updates our passwords for network access (internal site and exchange server I think). I'm not positive that this can be done from a different machine. After our work here, is/will it be safe to use this method of change?

Latest CF log:

ComboFix 11-12-04.02 - JSirk 12/04/2011 10:07:08.3.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3536.2375 [GMT -6:00]
Running from: c:\users\jsirk\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
.
.
2011-12-04 16:14 . 2011-12-04 16:14 -------- d-----w- c:\users\support\AppData\Local\temp
2011-12-04 16:14 . 2011-12-04 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-03 15:40 . 2011-12-04 16:14 -------- d-----w- c:\users\jsirk\AppData\Local\temp
2011-12-03 15:26 . 2011-12-02 08:33 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-03 15:06 . 2011-12-03 15:06 -------- d-----w- C:\_OTS
2011-12-02 13:36 . 2011-12-02 13:36 -------- d-----w- C:\_OTM
2011-12-02 07:10 . 2011-12-02 07:10 -------- d-----w- c:\users\jsirk\AppData\Roaming\WinPatrol
2011-12-02 07:10 . 2011-12-02 07:10 -------- d-----w- c:\programdata\InstallMate
2011-12-02 07:10 . 2011-12-02 07:10 -------- d-----w- c:\program files\BillP Studios
2011-12-02 05:58 . 2011-12-02 05:58 -------- d-----w- c:\users\jsirk\AppData\Local\VirtualStore
2011-12-01 14:52 . 2011-12-01 14:52 -------- d-----w- c:\program files\Common Files\Java
2011-11-29 11:53 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{565E7811-7475-49F2-B785-D7560A0D6766}\mpengine.dll
2011-11-20 01:32 . 2011-11-20 01:32 -------- d-----w- c:\programdata\Kaspersky Lab
2011-11-20 01:02 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-20 01:01 . 2011-11-20 01:23 -------- d-----w- C:\Combo-Fix
2011-11-19 23:59 . 2011-12-01 16:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-19 23:59 . 2011-11-20 00:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-18 14:54 . 2011-11-30 19:26 102400 ----a-w- c:\windows\RegBootClean.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 11:06 . 2010-06-17 16:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-30 14:41 . 2011-04-17 22:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2011-09-06 5152096]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-20 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-20 167960]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-08-12 870712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2010-6-17 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 136176]
R2 intelusb3;Intel USB3 Device Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2010-04-25 689416]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-17 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-03-24 812448]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-03-24 27040]
S2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [2010-12-02 218432]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-06-15 57424]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-07-12 262416]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2011-07-12 36624]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-11-03 33832]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
intelusbs3 REG_MULTI_SZ intelusb3
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 17:28]
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 17:28]
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675Core.job
- c:\users\jsirk\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-01 11:55]
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3580985071-834138440-206476188-85675UA.job
- c:\users\jsirk\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-01 11:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.geosyntec.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
DPF: {90C8812D-81C2-45EA-8101-6C6F29835AE8} - hxxp://bst.geosyntec.com/auroraweb/BSTeInstaller.CAB
DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} - hxxp://bst.geosyntec.com/auroraweb/AuroraShell.CAB
FF - ProfilePath - c:\users\jsirk\AppData\Roaming\Mozilla\Firefox\Profiles\0u9473ez.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://home.geosyntec.com/SitePages/Home.aspx
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility]
"ServiceDll"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2628)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
.
Completion time: 2011-12-04 10:17:28
ComboFix-quarantined-files.txt 2011-12-04 16:17
ComboFix2.txt 2011-12-03 15:46
ComboFix3.txt 2011-11-20 01:23
.
Pre-Run: 197,050,560,512 bytes free
Post-Run: 196,815,835,136 bytes free
.
- - End Of File - - 0889C0397B214E6ECE4502789BE453FF

#9 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 06 December 2011 - 01:20 AM

Good Evening!

Please don't think that I had forgotten about you. My work schedule has been quite hectic lately, so I'm just getting around to getting online to respond to my logs.

Thanks for your continued support! Let's keep going and try to complete the fix to the extent possible. I'll do password changes as a precautionary measure.

Okay, please ensure that when you change the passwords, it's done on a clean computer.

This made me think of something, actually. For us, when passwords expire, passwords for a user are updated from the local machine (the ctrl+alt+del "change a password") and this then updates our passwords for network access (internal site and exchange server I think). I'm not positive that this can be done from a different machine. After our work here, is/will it be safe to use this method of change?

It might be best to contact the person in charge of the network and see if they can allow you to reset it on another machine; it may be possible.


Let's see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#10 rodneystubbs (Topic Starter, Members, 9 posts)

Posted 06 December 2011 - 10:16 PM

No worries, I completely understand and can't say enough how much i appreciate you sacrificing your time to help!

Ran all three as requested. ESET found no results, which I assume is why it didn't give the option for a log. MBAM and Security Check logs below:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8325

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

12/6/2011 6:57:37 PM
mbam-log-2011-12-06 (18-57-37).txt

Scan type: Quick scan
Objects scanned: 188658
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SECURITY CHECK

Results of screen317's Security Check version 0.99.28
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

ESET Online Scanner v3
Trend Micro OfficeScan Client
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 29
Adobe Flash Player ( 10.1.85.3) Flash Player out of Date!
Mozilla Firefox (8.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

WinPatrol winpatrol.exe is disabled!
Trend Micro OfficeScan Client pccntmon.exe
Trend Micro OfficeScan Client ntrtscan.exe
Trend Micro OfficeScan Client tmlisten.exe
Trend Micro OfficeScan Client CNTAoSMgr.exe
Trend Micro BM TMBMSRV.exe
``````````End of Log````````````

#11 SweetTech (Agent ST, Members, 13,421 posts)

Posted 07 December 2011 - 02:27 AM

Good Evening!

Thanks for understanding!

____________________________________________________

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Let's address those programs that need updating now!

Your SecurityCheck log indicates that your version of Flash Player is outdated. This is a vulnerability that needs to be addressed. Please remove the outdated version of Flash Player and then install the latest version.

Java Outdated

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform:
    • 32-bit Select: Windows x86 Offline.
    • 64-bit Select: Windows x64.
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTS Scan
Download OTS to your Desktop
  • Double-click on OTS.exe to start the program. Make sure you close all other programs.
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here as an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?


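The following PowerShell script is an added example; it is not part of the thread and is not code from OTL, SecurityCheck or MBAM. It reproduces, with native Windows commands, the checks behind the findings in the SecurityCheck and MBAM logs above and the OTL [resethosts] and ipconfig /flushdns steps, so that the same triage can be repeated on a machine without the forum tools. Run it in an elevated PowerShell on Windows 7 or later. The registry paths are the standard Windows ones; the backup file name, the comment-only HOSTS content and the $applyReset switch are this example's own choices.

```powershell
# Added example (not from the thread, OTL, SecurityCheck or MBAM): native
# equivalents of the checks and cleanup steps used in this thread.
# Run in an elevated PowerShell on Windows 7 or later.

$ErrorActionPreference = 'Stop'

# 1. UAC. SecurityCheck reported "UAC is disabled!"; EnableLUA = 0 confirms it.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $sysPol -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($uac -eq 1) { 'UAC: enabled' } else { 'UAC: DISABLED (EnableLUA is not 1); re-enable it and reboot' }

# 2. The Explorer policy value MBAM quarantined as Hijack.ControlPanelStyle.
#    The same value is written by the "Force classic Control Panel view" Group
#    Policy, so on a domain-joined Enterprise machine confirm with the domain
#    admins before treating it as a hijack; if it returns after gpupdate, policy sets it.
$expPol = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$fc = Get-ItemProperty -Path $expPol -Name ForceClassicControlPanel -ErrorAction SilentlyContinue
if ($null -ne $fc) { "ForceClassicControlPanel = $($fc.ForceClassicControlPanel)" } else { 'ForceClassicControlPanel: not set' }

# 3. HOSTS file: print every active mapping other than the loopback localhost line.
#    A clean Windows 7 HOSTS file has no active entries at all, so anything listed
#    here needs an explanation, especially AV or update vendor names pointed elsewhere.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
$active = Get-Content -Path $hosts |
    Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$' }
if ($active) { $active | ForEach-Object { "HOSTS: $_" } } else { 'HOSTS: no active entries' }

# 4. Equivalent of OTL's [resethosts] plus the DNS cache flush: keep a timestamped
#    backup (name is this example's choice), write a comment-only file (Windows
#    resolves localhost in DNS itself), then flush the resolver cache.
#    Set $applyReset to $true to actually do it.
$applyReset = $false
if ($applyReset) {
    Copy-Item -Path $hosts -Destination ("{0}.bak-{1}" -f $hosts, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Set-Content -Path $hosts -Value '# hosts file reset; localhost name resolution is handled within DNS itself' -Encoding Ascii
    ipconfig /flushdns | Out-Null
    'HOSTS reset and DNS resolver cache flushed'
}

# 5. Installed Java and Flash Player versions from the Uninstall keys (32-bit and
#    64-bit views), the data SecurityCheck summarised as "out of date". More than
#    one Java entry means older releases are still installed and should be removed.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|Flash Player' } |
    Sort-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Format-Table -AutoSize
```

Step 3 is the check worth keeping around: a HOSTS file that maps security-vendor or update hostnames to anything other than their real addresses is the classic sign of the redirect behaviour described at the top of the thread, and it survives a reboot, which is why the OTL fix resets the file rather than only flushing the DNS cache.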

#12 rodneystubbs (Topic Starter, Members, 9 posts)

Posted 07 December 2011 - 10:46 PM

I am no longer seeing symptoms...not observing any unexplainable processes running during use, and am not seeing redirects any more. OTL log pasted below, OTS attached.

OTL log:

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\jsirk\Desktop\cmd.bat deleted successfully.
C:\Users\jsirk\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: jsirk
->Temp folder emptied: 4527119 bytes
->Temporary Internet Files folder emptied: 46887561 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 61907983 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 5130 bytes

User: Public
->Temp folder emptied: 0 bytes

User: support
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 168117 bytes
RecycleBin emptied: 50919 bytes

Total Files Cleaned = 108.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: jsirk
->Flash cache emptied: 0 bytes

User: Public

User: support
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12072011_205413

Files\Folders moved on Reboot...
File\Folder C:\Users\jsirk\AppData\Local\Temp\~DF00E322EAFC65E31D.TMP not found!
File\Folder C:\Users\jsirk\AppData\Local\Temp\~DF107046FF99A4554A.TMP not found!
File\Folder C:\Users\jsirk\AppData\Local\Temp\~DF38A1433D074C781F.TMP not found!
File\Folder C:\Users\jsirk\AppData\Local\Temp\~DF5A1BDFC7A4028933.TMP not found!
File\Folder C:\Users\jsirk\AppData\Local\Temp\~DFA95601E510A08CA7.TMP not found!
File\Folder C:\Users\jsirk\AppData\Local\Temp\~DFC880A8EA560352DC.TMP not found!
C:\Users\jsirk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
C:\Users\jsirk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZC1ONQCJ\search[1].htm moved successfully.
C:\Users\jsirk\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GXZ8MK3W\page__p__2493108[1].htm moved successfully.
File move failed. C:\Windows\temp\tm_icrcL_A606D985_38CA_41ab_BCD9_60F771CF800D scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Attached Files

  • Attached File  OTS.Txt   94.85KB   1 downloads


#13 SweetTech (Agent ST, Members, 13,421 posts)

Posted 08 December 2011 - 04:30 AM

Hello,

Your logs appear to be clean, so if you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.



Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Commands
    [ClearAllRestorePoints]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



OTL Clean-Up

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
  • Reopen OTL on your desktop.
  • Click on the CleanUp button.
  • You will be prompted to reboot your system. Please do so.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


NEXT:



All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===



Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one, as it can cause program conflicts as well as false positives.

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is to practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explorer more secure.


Make Internet Explorer more secure

  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



Extra Goodies

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates

  • Be wary of e-mails from unknown senders. Keep the following in mind as well: if it's too good to be true, then it more than likely is.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome and Opera.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Cheers,
SweetTech.


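As an added example, not part of the thread, the "Make Internet Explorer more secure" steps above can be applied through the registry rather than the Inetcpl.cpl dialog, which makes them scriptable across several machines and lets you confirm the current state first. The block also re-enables UAC, which the SecurityCheck log in this thread reported as disabled and which nothing above switches back on. It assumes an elevated PowerShell on Windows 7 or later; the value names are Internet Explorer's documented zone action IDs (1001, 1004, 1201 under Zones\3, the Internet zone) and the data values its documented Enable/Prompt/Disable codes. The label table and the output format are this example's own.

```powershell
# Added example (not from the thread): the Internet-zone ActiveX settings from
# the "Make Internet Explorer more secure" steps, set via the registry, plus
# re-enabling UAC. Run in an elevated PowerShell.
#
# Zone 3 = Internet zone. Value names are IE's zone action IDs:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe for scripting
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.

$ErrorActionPreference = 'Stop'
$zone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$wanted = @{ '1001' = 1; '1004' = 1; '1201' = 3 }   # the three settings from the post

foreach ($id in '1001', '1004', '1201') {
    $cur = (Get-ItemProperty -Path $zone -Name $id -ErrorAction SilentlyContinue).$id
    $curLabel = if ($null -eq $cur) { 'unset' } else { $labels[[int]$cur] }
    if ($cur -ne $wanted[$id]) {
        Set-ItemProperty -Path $zone -Name $id -Value $wanted[$id] -Type DWord
        "{0}: {1} -> {2}" -f $id, $curLabel, $labels[$wanted[$id]]
    } else {
        "{0}: already {1}" -f $id, $curLabel
    }
}

# If IE is configured to read zone settings only from HKLM (Security_HKLM_only = 1,
# typically set by Group Policy), the per-user values above are ignored and the
# same three values have to be set under the HKLM Zones\3 key instead.
$ieSettings = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path $ieSettings -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) { 'Note: Security_HKLM_only = 1, so set the zone values under HKLM as well' }

# Re-enable UAC (SecurityCheck flagged it as disabled). Takes effect after a reboot.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-ItemProperty -Path $sysPol -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA -ne 1) {
    Set-ItemProperty -Path $sysPol -Name EnableLUA -Value 1 -Type DWord
    'UAC re-enabled (EnableLUA = 1); reboot required'
}
```

On a domain-joined machine such as the one in this thread, check whether Group Policy already manages the Internet zone before changing it by hand; a policy refresh will overwrite per-user values, and the Security_HKLM_only check above tells you when that is the case.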

#14 rodneystubbs (Topic Starter, Members, 9 posts)

Posted 12 December 2011 - 12:09 AM

Sorry for the delay.

Everything appears to be back to normal (in a good way). I can't thank you enough for all your help...but thank you so much for your assistance. I had seen your work in the forums previously and knew when you responded that things would be all right!

Once again thanks for everything, I'll read over all the advice you provided, and hopefully we won't have to meet under these circumstances in the future!

-J

#15 SweetTech (Agent ST, Members, 13,421 posts)

Posted 12 December 2011 - 12:45 AM

You're more than welcome! I'm glad that we were able to work together to solve the issues you were experiencing with your computer.

Please take care!

Kindest Regards,
SweetTech.

____________________________________________________

Since it appears that the issues you were experiencing with your computer have been resolved, I am going to close this thread. If you should need the thread re-opened please send me a Private Message (PM) with a request to re-open the thread, as well as the link to the thread in question, and I'd be happy to re-open the thread.






