Avira boo/whistler.a


  • This topic is locked
16 replies to this topic

#1 Destoro

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:58 PM

Posted 12 December 2011 - 10:28 PM

Hi, Avira is reporting that I am infected with boo/whistler.a, however the only option it appears to present is deleting my boot records, which I am not keen to do if there is another option. The other thing is that after googling the malware, I couldn't locate any of the files or registry entries associated with whistler.a, so perhaps it is a false positive? I have not noticed any symptoms on the system. GMER had many of its options grayed out and the only scans I could do were services, registry and files.

Thanks in advance!


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_29
Run by Destro at 14:03:00 on 2011-12-13
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.4094.2056 [GMT 11:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: COMODO Defense+ *Disabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
G:\application\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
G:\games 2\hirez\HiPatchService.exe
C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Tray.exe
G:\application\SUPERAntiSpyware.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Destro\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
mWinlogon: Userinit=userinit.exe
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
uRun: [Google Update] "C:\Users\Destro\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [NetBalancer] C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Tray.exe
uRun: [Steam] "G:\games 2\steam\steam.exe" -silent
uRun: [SUPERAntiSpyware] G:\application\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10t_Plugin.exe -update plugin
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [VirtualCloneDrive] "G:\application\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{50657652-6D58-4416-A26D-C8769F1D5067} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~4\Office12\GRA32A~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [VirtualCloneDrive] "G:\application\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Destro\AppData\Roaming\Mozilla\Firefox\Profiles\dph86pf0.default\
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - component: C:\Users\Destro\AppData\Roaming\Mozilla\Firefox\Profiles\dph86pf0.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: C:\Users\Destro\AppData\Roaming\Mozilla\Firefox\Profiles\dph86pf0.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Destro\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\Destro\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R1 SASDIFSV;SASDIFSV;G:\application\sasdifsv64.sys [2010-2-18 14920]
R1 SASKUTIL;SASKUTIL;G:\application\saskutil64.sys [2010-2-18 12360]
R2 !SASCORE;SAS Core Service;G:\application\SASCore64.exe [2010-6-30 128752]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-8-20 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-8-20 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;G:\games 2\hirez\HiPatchService.exe [2011-11-16 8704]
R2 NetBalancer Windows Service;NetBalancer Windows Service;C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe [2010-9-23 10240]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 Nbdrv;NetBalancer Service;C:\Windows\system32\DRIVERS\nbdrv.sys --> C:\Windows\system32\DRIVERS\nbdrv.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-13 01:10:16 -------- d-----w- C:\Users\Destro\AppData\Local\{F3CBCE61-5EF9-43A1-B097-5E07D30F4D6D}
2011-12-13 01:08:48 -------- d-----w- C:\Users\Destro\AppData\Local\{5BF8B530-31E7-4F56-AC88-C31FBCE202D6}
2011-12-11 15:10:09 -------- d-----w- C:\Users\Destro\AppData\Roaming\IrfanView
2011-12-11 15:10:09 -------- d-----w- C:\Program Files (x86)\IrfanView
2011-12-10 13:49:15 -------- d-----w- C:\Program Files (x86)\ProFantasy
2011-12-04 13:23:30 -------- d-----w- C:\Users\Destro\AppData\Local\{A3CE2734-AD8F-43DF-8B6E-76C9F0453224}
2011-12-04 13:23:19 -------- d-----w- C:\Users\Destro\AppData\Local\{BC0BCFBE-1C2D-4DD9-A7B2-A3327EB7EBD4}
2011-12-02 02:41:44 -------- d-----w- C:\Users\Destro\AppData\Local\{3C1F1741-F4EE-4851-8CB4-8A0814F4CA9D}
2011-12-02 02:41:29 -------- d-----w- C:\Users\Destro\AppData\Local\{871E06AE-8C67-43F4-AE6B-9D66F7E6C10A}
2011-11-25 03:42:30 -------- d-----w- C:\Program Files (x86)\AMD APP
2011-11-18 20:47:49 -------- d-----w- C:\Users\Destro\AppData\Local\{349164A3-D993-4004-AA3C-743B08CA8063}
2011-11-18 20:47:37 -------- d-----w- C:\Users\Destro\AppData\Local\{D893E8DF-8465-4FEE-A2AC-235335F1C5D5}
2011-11-16 01:39:07 -------- d-----w- C:\Users\Destro\AppData\Local\Chromium
2011-11-15 23:59:32 -------- d-----w- C:\ProgramData\Hi-Rez Studios
.
==================== Find3M ====================
.
2011-11-05 17:36:05 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-26 03:05:10 10496512 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-10-26 02:16:06 24866816 ----a-w- C:\Windows\System32\atio6axx.dll
2011-10-26 02:06:10 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-10-26 02:05:58 748544 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-10-26 02:04:28 892416 ----a-w- C:\Windows\System32\aticfx64.dll
2011-10-26 02:01:46 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-10-26 02:01:36 517120 ----a-w- C:\Windows\System32\atieclxx.exe
2011-10-26 02:00:58 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-10-26 01:59:48 18757120 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-10-26 01:59:44 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-10-26 01:59:22 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-10-26 01:59:16 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-10-26 01:59:04 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-10-26 01:58:58 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-10-26 01:58:54 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-10-26 01:58:48 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-10-26 01:55:48 4292096 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-10-26 01:46:12 5041664 ----a-w- C:\Windows\System32\atidxx64.dll
2011-10-26 01:43:48 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-10-26 01:43:24 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-10-26 01:43:12 4044288 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-10-26 01:38:32 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-10-26 01:38:30 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-10-26 01:38:20 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-10-26 01:38:18 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-10-26 01:38:08 9978880 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-10-26 01:35:38 4353536 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-10-26 01:34:56 8449024 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-10-26 01:32:30 4189184 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-10-26 01:29:32 5510144 ----a-w- C:\Windows\System32\atiumd64.dll
2011-10-26 01:29:24 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-10-26 01:22:38 486912 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-10-26 01:22:30 339968 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-10-26 01:22:20 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-10-26 01:22:16 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-10-26 01:22:16 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-10-26 01:22:12 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-10-26 01:22:06 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-10-26 01:21:58 326656 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-10-26 01:21:12 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-10-26 01:21:06 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-10-26 01:21:00 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-10-26 01:20:52 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-10-26 01:20:20 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-10-26 01:16:06 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-10-26 01:16:06 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-10-26 01:15:58 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-10-26 01:15:58 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-10-25 10:21:54 66560 ----a-w- C:\Windows\System32\OpenVideo64.dll
2011-10-25 10:21:48 56832 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2011-10-25 10:21:40 66560 ----a-w- C:\Windows\System32\OVDecoder64.dll
2011-10-25 10:21:34 56832 ----a-w- C:\Windows\SysWow64\OVDecoder.dll
2011-10-25 10:21:24 16991744 ----a-w- C:\Windows\System32\amdocl64.dll
2011-10-25 10:20:42 13950464 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-10-25 10:19:56 51200 ----a-w- C:\Windows\System32\OpenCL.dll
2011-10-25 10:19:50 44032 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-10-07 10:01:10 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-10-07 10:01:10 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-07 04:36:29 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-10-02 18:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-30 16:06:06 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2006-05-03 10:06:54 163328 --sh--r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- C:\Windows\SysWOW64\nbDX.dll
.
============= FINISH: 14:03:40.10 ===============
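Before letting a scanner overwrite the boot records on a boot-sector alert like the one above, a defender would read the MBR, check that its layout still makes sense, and fingerprint the bootstrap code so it can be compared with a clean backup of the same disk. The script below is an added example written for this thread, not code from BleepingComputer, Avira or ComboFix; the 512-byte sector it parses is constructed inline, and the `\\.\PhysicalDrive0` reader is only there to show how the same functions would be fed on a live Windows machine (it needs administrator rights).

```python
"""Read-only MBR triage: parse, sanity-check and fingerprint a boot sector.

Added example for this thread (not from the forum, Avira or ComboFix).
The sample sector below is constructed for the demo; on a real machine
you would pass the first 512 bytes of the physical disk instead.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code precedes the 4-byte disk signature
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Windows device path; requires admin)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Decode the classic MBR layout; raises if the sector is not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "end_lba": lba_start + count,   # exclusive
        })
    return {
        "disk_signature": disk_sig,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def sanity_checks(mbr: dict) -> list:
    """Structural red flags worth a closer look before trusting or rewriting the MBR."""
    warnings = []
    parts = mbr["partitions"]
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            warnings.append(f"entry {p['index']} has a zero start or length")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end_lba"] > b["lba_start"]:
            warnings.append(f"entries {a['index']} and {b['index']} overlap")
    return warnings


def bootcode_matches(sector: bytes, reference_sha256: str) -> bool:
    """Compare the 440-byte bootstrap area with a known-good fingerprint,
    e.g. one taken from a backup of the same disk before the alert."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest() == reference_sha256


def build_sample_mbr() -> bytes:
    """Constructed sample: a tiny bootstrap stub, one bootable NTFS (0x07)
    partition at LBA 2048 and a second NTFS partition right after it."""
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOTCODE_LEN - 7)
    disk_sig = struct.pack("<I", 0xDEADBEEF)          # constructed disk signature
    reserved = b"\x00\x00"
    entries = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    entries += struct.pack(PART_ENTRY_FMT, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 206848, 409600)
    entries += b"\x00" * 32                            # two empty slots
    return bootcode + disk_sig + reserved + entries + BOOT_SIG


SAMPLE_MBR = build_sample_mbr()

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print(f"disk signature 0x{info['disk_signature']:08X}, "
          f"bootcode sha256 {info['bootcode_sha256'][:16]}...")
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02X} boot={p['bootable']} "
              f"lba {p['lba_start']}..{p['end_lba'] - 1}")
    print("warnings:", sanity_checks(info) or "none")
```

Keeping the raw 512 bytes (not just the hash) as a backup is what lets you restore the boot records if a disinfection leaves the disk unbootable, as nearly happened in the reply below.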


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:58 PM

Posted 15 December 2011 - 12:30 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#3 Destoro

  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:58 PM

Posted 16 December 2011 - 04:19 AM

Computer is running as normal. I had to reboot a few times when Combofix rebooted my computer to get to Windows; it was reporting that the disk could not be read, but it appears to be operating fine now. Avira still reports the virus in the boot sector. Thanks again.

c:\combofix\ping.3xe asked for internet access at some point during the process, but I wasn't at my computer at the time, so my firewall blocked it. It did not seem to have any impact on the scanning process.


ComboFix 11-12-16.01 - Destro 16/12/2011 19:30:24.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.4094.2926 [GMT 11:00]
Running from: c:\users\Destro\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: COMODO Defense+ *Disabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Destro\AppData\Roaming\Love
c:\users\Destro\AppData\Roaming\Love\TSW\data.lua
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-16 09:01 . 2011-12-16 09:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-11 15:10 . 2011-12-11 15:10 -------- d-----w- c:\users\Destro\AppData\Roaming\IrfanView
2011-12-11 15:10 . 2011-12-11 15:10 -------- d-----w- c:\program files (x86)\IrfanView
2011-12-10 13:49 . 2011-12-10 13:51 -------- d-----w- c:\program files (x86)\ProFantasy
2011-11-27 10:54 . 2011-11-27 10:54 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-11-25 03:42 . 2011-11-25 03:42 -------- d-----w- c:\programdata\ATI
2011-11-25 03:42 . 2011-11-25 03:42 -------- d-----w- c:\program files (x86)\AMD APP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-05 17:36 . 2011-05-18 04:10 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-26 03:05 . 2011-10-26 03:05 10496512 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-10-26 02:16 . 2011-10-26 02:16 24866816 ----a-w- c:\windows\system32\atio6axx.dll
2011-10-26 02:06 . 2011-10-26 02:06 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-10-26 02:05 . 2011-01-05 03:02 748544 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-10-26 02:04 . 2011-10-26 02:04 892416 ----a-w- c:\windows\system32\aticfx64.dll
2011-10-26 02:01 . 2011-10-26 02:01 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-10-26 02:01 . 2011-10-26 02:01 517120 ----a-w- c:\windows\system32\atieclxx.exe
2011-10-26 02:00 . 2011-10-26 02:00 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-10-26 01:59 . 2011-10-26 01:59 18757120 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-10-26 01:59 . 2011-10-26 01:59 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-10-26 01:59 . 2011-10-26 01:59 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-10-26 01:59 . 2011-10-26 01:59 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-10-26 01:59 . 2011-10-26 01:59 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-10-26 01:58 . 2011-10-26 01:58 21504 ----a-w- c:\windows\system32\atimuixx.dll
2011-10-26 01:58 . 2011-10-26 01:58 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-10-26 01:58 . 2011-10-26 01:58 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-10-26 01:55 . 2011-01-05 02:52 4292096 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-10-26 01:46 . 2011-10-26 01:46 5041664 ----a-w- c:\windows\system32\atidxx64.dll
2011-10-26 01:43 . 2011-10-26 01:43 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-10-26 01:43 . 2011-10-26 01:43 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-10-26 01:43 . 2011-10-26 01:43 4044288 ----a-w- c:\windows\system32\atiumd6a.dll
2011-10-26 01:38 . 2011-10-26 01:38 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-10-26 01:38 . 2011-10-26 01:38 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-10-26 01:38 . 2011-10-26 01:38 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-10-26 01:38 . 2011-10-26 01:38 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-10-26 01:38 . 2011-10-26 01:38 9978880 ----a-w- c:\windows\system32\aticaldd64.dll
2011-10-26 01:35 . 2011-01-05 02:33 4353536 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-10-26 01:34 . 2011-10-26 01:34 8449024 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-10-26 01:32 . 2011-01-05 02:25 4189184 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-10-26 01:29 . 2011-10-26 01:29 5510144 ----a-w- c:\windows\system32\atiumd64.dll
2011-10-26 01:29 . 2011-01-05 02:28 58880 ----a-w- c:\windows\system32\coinst.dll
2011-10-26 01:22 . 2011-10-26 01:22 486912 ----a-w- c:\windows\system32\atiadlxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 339968 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-10-26 01:22 . 2011-10-26 01:22 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-10-26 01:22 . 2011-10-26 01:22 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-10-26 01:21 . 2011-10-26 01:21 326656 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-10-26 01:21 . 2011-01-05 02:18 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-10-26 01:21 . 2011-01-05 02:18 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-10-26 01:21 . 2011-01-05 02:18 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-10-26 01:20 . 2011-01-05 02:18 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-10-26 01:20 . 2011-10-26 01:20 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-10-26 01:16 . 2011-10-26 01:16 54784 ----a-w- c:\windows\system32\atimpc64.dll
2011-10-26 01:16 . 2011-10-26 01:16 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2011-10-26 01:15 . 2011-10-26 01:15 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-10-26 01:15 . 2011-10-26 01:15 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-10-25 10:21 . 2011-10-25 10:21 66560 ----a-w- c:\windows\system32\OpenVideo64.dll
2011-10-25 10:21 . 2011-10-25 10:21 56832 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2011-10-25 10:21 . 2011-10-25 10:21 66560 ----a-w- c:\windows\system32\OVDecoder64.dll
2011-10-25 10:21 . 2011-10-25 10:21 56832 ----a-w- c:\windows\SysWow64\OVDecoder.dll
2011-10-25 10:21 . 2011-10-25 10:21 16991744 ----a-w- c:\windows\system32\amdocl64.dll
2011-10-25 10:20 . 2011-10-25 10:20 13950464 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-10-25 10:19 . 2011-10-25 10:19 51200 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-25 10:19 . 2011-10-25 10:19 44032 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-07 10:01 . 2010-10-20 03:47 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-10-07 10:01 . 2010-10-19 06:06 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-07 04:36 . 2010-10-19 06:06 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-02 18:06 . 2011-04-07 12:34 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-09-30 16:06 . 2010-10-19 06:06 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-09-20 22:00 . 2011-10-02 01:05 9049936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2ECE1BDF-2E7F-49BF-9EAC-C8C66C41BBCA}\mpengine.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\SysWOW64\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\SysWOW64\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\SysWOW64\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 01:51 3911776 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 01:51 3911776 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetBalancer"="c:\program files\NetBalancer\SeriousBit.NetBalancer.Tray.exe" [2010-07-23 60928]
"Steam"="g:\games 2\steam\steam.exe" [2011-08-25 1242448]
"SUPERAntiSpyware"="g:\application\SUPERAntiSpyware.exe" [2011-01-13 2988784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"VirtualCloneDrive"="g:\application\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-25 343168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 cpuz130;cpuz130;c:\users\Destro\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 SASDIFSV;SASDIFSV;g:\application\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;g:\application\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;g:\application\SASCORE64.EXE [2010-06-29 128752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-28 136360]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;g:\games 2\hirez\HiPatchService.exe [2011-12-02 8704]
S2 NetBalancer Windows Service;NetBalancer Windows Service;c:\program files\NetBalancer\SeriousBit.NetBalancer.Service.exe [2010-07-23 10240]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 Nbdrv;NetBalancer Service;c:\windows\system32\DRIVERS\nbdrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3364944025-1602117460-2571459387-1001Core.job
- c:\users\Destro\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-20 06:37]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3364944025-1602117460-2571459387-1001UA.job
- c:\users\Destro\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-20 06:37]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-02-17 8866120]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Destro\AppData\Roaming\Mozilla\Firefox\Profiles\dph86pf0.default\
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
AddRemove-BattlEye A2 Free - g:\games 2\steam\steamapps\common\arma 2 freeBattlEye\UnInstallBE.exe
AddRemove-ESN Sonar-0.70.0 - c:\program files (x86)\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe
AddRemove-FastCAD - c:\program files (x86)\ProFantasy\CC3\UNINST.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-12-16 20:10:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 09:10
.
Pre-Run: 3,481,395,200 bytes free
Post-Run: 2,081,157,120 bytes free
.
- - End Of File - - 8E3DED6C26DC0E1605CF631E3667EDD6

Edited by Destoro, 16 December 2011 - 04:23 AM.


#4 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 December 2011 - 01:03 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
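The report that the steps above produce is a plain-text log: after a banner and a SystemInfo block, TDSSKiller prints one line per registered driver or service giving its MD5 and path, then a verdict line for the same name; a service whose binary is not on disk gets only the verdict line. Pasting the whole thing into a thread is right for the helper, but if you want to see at a glance what deserves attention before posting, the Python below parses that layout and flags every entry whose verdict is not `ok` and every service that has a verdict but no file line. This is an added example, not code from the thread, from BleepingComputer or from TDSSKiller itself. The sample log is constructed: its real-looking lines are copied from the report posted later in this thread, and the `example_drv` entry, its hash and the wording of its verdict are made up to exercise the non-`ok` path.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes in TDSSKiller's driver section (the leading <time> <pid> prefix is skipped):
#   <time> <pid> <name> (<md5>) <path>      one per service whose file was found
#   <time> <pid> <name> - <verdict>         always follows, "ok" when nothing was flagged
_FILE_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$"
)
_VERDICT_LINE = re.compile(r"^\S+\s+\d+\s+(?P<name>\S+)\s+-\s+(?P<verdict>.+)$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, Entry]:
    """Return one Entry per service name; banner and SystemInfo lines match neither regex."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _FILE_LINE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.md5, e.path = m["md5"].lower(), m["path"]
            continue
        m = _VERDICT_LINE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.verdict = m["verdict"].strip()
    return entries


def triage(entries: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Everything that is not a plain 'ok' verdict on a file that exists, sorted by name."""
    findings: List[Tuple[str, str]] = []
    for e in entries.values():
        if e.verdict is None:
            findings.append((e.name, "file line but no verdict line"))
        elif e.verdict.lower() != "ok":
            findings.append((e.name, "verdict: " + e.verdict))
        elif e.path is None:
            findings.append((e.name, "registered service but no file found on disk"))
    return sorted(findings)


def summarize(entries: Dict[str, Entry]) -> Dict[str, int]:
    """Counts a helper would want next to the findings list."""
    return {
        "scanned": len(entries),
        "with_file": sum(1 for e in entries.values() if e.path is not None),
        "ok": sum(1 for e in entries.values() if e.verdict and e.verdict.lower() == "ok"),
    }


# Constructed sample: the first lines are copied from the report posted in this thread,
# the example_drv lines (name, hash, verdict text) are invented for the demonstration.
SAMPLE_LOG = r"""
15:46:49.0016 4132 ============================================================
15:46:49.0016 4132 Scan started
15:46:49.0016 4132 Mode: Manual;
15:46:49.0016 4132 ============================================================
15:46:51.0887 4132 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
15:46:51.0887 4132 1394ohci - ok
15:46:53.0493 4132 catchme - ok
15:46:53.0961 4132 cpuz130 - ok
15:46:54.0039 4132 cpuz135 (262969a3fab32b9e17e63e2d17a57744) C:\Windows\system32\drivers\cpuz135_x64.sys
15:46:54.0039 4132 cpuz135 - ok
15:46:58.0000 4132 example_drv (0123456789abcdef0123456789abcdef) C:\Windows\system32\drivers\example_drv.sys
15:46:58.0000 4132 example_drv - detected (constructed sample)
"""

if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    print(summarize(parsed))
    for name, why in triage(parsed):
        print(f"{name:12} {why}")
```

To run it on a real report, read the newest `TDSSKiller.[Version]_[Date]_[Time]_log.txt` from the root of C:\ into `parse_tdsskiller_log` instead of `SAMPLE_LOG`. Entries flagged as "no file found on disk" are frequently harmless leftovers (in this thread, `cpuz130` points at a driver under AppData\Local\Temp in the ComboFix service list above), but which of them matter is for the helper to judge, so leave them in the log you post rather than trimming it.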

#5 Destoro
  • Topic Starter
  • Members
  • 8 posts

Posted 16 December 2011 - 11:53 PM

15:46:39.0095 3472 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
15:46:39.0859 3472 ============================================================
15:46:39.0859 3472 Current date / time: 2011/12/17 15:46:39.0859
15:46:39.0859 3472 SystemInfo:
15:46:39.0859 3472
15:46:39.0859 3472 OS Version: 6.1.7600 ServicePack: 0.0
15:46:39.0859 3472 Product type: Workstation
15:46:39.0859 3472 ComputerName: PC23
15:46:39.0859 3472 UserName: Destro
15:46:39.0859 3472 Windows directory: C:\Windows
15:46:39.0859 3472 System windows directory: C:\Windows
15:46:39.0859 3472 Running under WOW64
15:46:39.0859 3472 Processor architecture: Intel x64
15:46:39.0859 3472 Number of processors: 2
15:46:39.0859 3472 Page size: 0x1000
15:46:39.0859 3472 Boot type: Normal boot
15:46:39.0859 3472 ============================================================
15:46:41.0247 3472 Initialize success
15:46:49.0016 4132 ============================================================
15:46:49.0016 4132 Scan started
15:46:49.0016 4132 Mode: Manual;
15:46:49.0016 4132 ============================================================
15:46:51.0887 4132 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
15:46:51.0887 4132 1394ohci - ok
15:46:51.0918 4132 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
15:46:51.0918 4132 ACPI - ok
15:46:51.0933 4132 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
15:46:51.0933 4132 AcpiPmi - ok
15:46:51.0996 4132 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
15:46:52.0011 4132 adp94xx - ok
15:46:52.0027 4132 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
15:46:52.0027 4132 adpahci - ok
15:46:52.0058 4132 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
15:46:52.0058 4132 adpu320 - ok
15:46:52.0121 4132 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
15:46:52.0136 4132 AFD - ok
15:46:52.0152 4132 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
15:46:52.0152 4132 agp440 - ok
15:46:52.0167 4132 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
15:46:52.0167 4132 aliide - ok
15:46:52.0183 4132 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
15:46:52.0183 4132 amdide - ok
15:46:52.0214 4132 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
15:46:52.0214 4132 AmdK8 - ok
15:46:52.0401 4132 amdkmdag (0415ffe1b6a6ea141feafca57567f57f) C:\Windows\system32\DRIVERS\atikmdag.sys
15:46:52.0511 4132 amdkmdag - ok
15:46:52.0557 4132 amdkmdap (dc24d6f38f17c0d643d9aa8a6852f8d0) C:\Windows\system32\DRIVERS\atikmpag.sys
15:46:52.0573 4132 amdkmdap - ok
15:46:52.0573 4132 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
15:46:52.0573 4132 AmdPPM - ok
15:46:52.0604 4132 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
15:46:52.0604 4132 amdsata - ok
15:46:52.0635 4132 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
15:46:52.0635 4132 amdsbs - ok
15:46:52.0651 4132 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
15:46:52.0651 4132 amdxata - ok
15:46:52.0698 4132 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
15:46:52.0698 4132 AppID - ok
15:46:52.0760 4132 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
15:46:52.0760 4132 arc - ok
15:46:52.0776 4132 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
15:46:52.0776 4132 arcsas - ok
15:46:52.0823 4132 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
15:46:52.0823 4132 AsyncMac - ok
15:46:52.0854 4132 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
15:46:52.0854 4132 atapi - ok
15:46:52.0932 4132 AtiHDAudioService (dbb487d09f56c674430ac454fd8bcab9) C:\Windows\system32\drivers\AtihdW76.sys
15:46:52.0947 4132 AtiHDAudioService - ok
15:46:52.0963 4132 ATITool (b07e6681d303a612680223c729b021e2) C:\Windows\system32\DRIVERS\ATITool64.sys
15:46:52.0979 4132 ATITool - ok
15:46:53.0025 4132 avgntflt (b1224e6b086cd6548315b04ab575a23e) C:\Windows\system32\DRIVERS\avgntflt.sys
15:46:53.0025 4132 avgntflt - ok
15:46:53.0041 4132 avipbb (ed45f12cfa62b83765c9c1496758cc87) C:\Windows\system32\DRIVERS\avipbb.sys
15:46:53.0041 4132 avipbb - ok
15:46:53.0072 4132 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
15:46:53.0088 4132 b06bdrv - ok
15:46:53.0166 4132 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
15:46:53.0166 4132 b57nd60a - ok
15:46:53.0197 4132 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
15:46:53.0197 4132 Beep - ok
15:46:53.0244 4132 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
15:46:53.0244 4132 blbdrive - ok
15:46:53.0275 4132 bowser (19d20159708e152267e53b66677a4995) C:\Windows\system32\DRIVERS\bowser.sys
15:46:53.0275 4132 bowser - ok
15:46:53.0306 4132 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
15:46:53.0306 4132 BrFiltLo - ok
15:46:53.0306 4132 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
15:46:53.0306 4132 BrFiltUp - ok
15:46:53.0337 4132 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
15:46:53.0337 4132 Brserid - ok
15:46:53.0384 4132 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
15:46:53.0384 4132 BrSerWdm - ok
15:46:53.0400 4132 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
15:46:53.0400 4132 BrUsbMdm - ok
15:46:53.0431 4132 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
15:46:53.0431 4132 BrUsbSer - ok
15:46:53.0447 4132 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
15:46:53.0447 4132 BTHMODEM - ok
15:46:53.0493 4132 catchme - ok
15:46:53.0509 4132 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
15:46:53.0509 4132 cdfs - ok
15:46:53.0556 4132 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
15:46:53.0556 4132 cdrom - ok
15:46:53.0571 4132 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
15:46:53.0571 4132 circlass - ok
15:46:53.0634 4132 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
15:46:53.0634 4132 CLFS - ok
15:46:53.0665 4132 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
15:46:53.0665 4132 CmBatt - ok
15:46:53.0727 4132 cmdGuard (f5e7e85bcd94a829eea83819cab7e4df) C:\Windows\system32\DRIVERS\cmdguard.sys
15:46:53.0727 4132 cmdGuard - ok
15:46:53.0759 4132 cmdHlp (77a022dedf973e07f13b377b63ee71aa) C:\Windows\system32\DRIVERS\cmdhlp.sys
15:46:53.0759 4132 cmdHlp - ok
15:46:53.0774 4132 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
15:46:53.0774 4132 cmdide - ok
15:46:53.0805 4132 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
15:46:53.0805 4132 CNG - ok
15:46:53.0821 4132 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
15:46:53.0821 4132 Compbatt - ok
15:46:53.0883 4132 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
15:46:53.0883 4132 CompositeBus - ok
15:46:53.0961 4132 cpuz130 - ok
15:46:54.0039 4132 cpuz135 (262969a3fab32b9e17e63e2d17a57744) C:\Windows\system32\drivers\cpuz135_x64.sys
15:46:54.0039 4132 cpuz135 - ok
15:46:54.0055 4132 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
15:46:54.0055 4132 crcdisk - ok
15:46:54.0086 4132 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
15:46:54.0102 4132 CSC - ok
15:46:54.0164 4132 DfsC (9c253ce7311ca60fc11c774692a13208) C:\Windows\system32\Drivers\dfsc.sys
15:46:54.0164 4132 DfsC - ok
15:46:54.0195 4132 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
15:46:54.0195 4132 discache - ok
15:46:54.0227 4132 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
15:46:54.0227 4132 Disk - ok
15:46:54.0289 4132 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
15:46:54.0289 4132 drmkaud - ok
15:46:54.0336 4132 DXGKrnl (ebce0b0924835f635f620d19f0529dce) C:\Windows\System32\drivers\dxgkrnl.sys
15:46:54.0336 4132 DXGKrnl - ok
15:46:54.0414 4132 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
15:46:54.0445 4132 ebdrv - ok
15:46:54.0476 4132 ElbyCDIO (9a47ac3dfcf81d30922cdaaf1c2d579f) C:\Windows\system32\Drivers\ElbyCDIO.sys
15:46:54.0492 4132 ElbyCDIO - ok
15:46:54.0523 4132 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
15:46:54.0523 4132 elxstor - ok
15:46:54.0539 4132 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
15:46:54.0539 4132 ErrDev - ok
15:46:54.0601 4132 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
15:46:54.0601 4132 exfat - ok
15:46:54.0648 4132 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
15:46:54.0648 4132 fastfat - ok
15:46:54.0663 4132 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
15:46:54.0663 4132 fdc - ok
15:46:54.0710 4132 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
15:46:54.0710 4132 FileInfo - ok
15:46:54.0726 4132 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
15:46:54.0726 4132 Filetrace - ok
15:46:54.0741 4132 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
15:46:54.0741 4132 flpydisk - ok
15:46:54.0757 4132 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
15:46:54.0757 4132 FltMgr - ok
15:46:54.0788 4132 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
15:46:54.0788 4132 FsDepends - ok
15:46:54.0804 4132 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
15:46:54.0804 4132 Fs_Rec - ok
15:46:54.0819 4132 fvevol (b8b2a6e1558f8f5de5ce431c5b2c7b09) C:\Windows\system32\DRIVERS\fvevol.sys
15:46:54.0835 4132 fvevol - ok
15:46:54.0851 4132 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
15:46:54.0851 4132 gagp30kx - ok
15:46:54.0866 4132 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
15:46:54.0866 4132 hcw85cir - ok
15:46:54.0897 4132 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
15:46:54.0913 4132 HdAudAddService - ok
15:46:54.0960 4132 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
15:46:54.0960 4132 HDAudBus - ok
15:46:54.0975 4132 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
15:46:54.0975 4132 HidBatt - ok
15:46:54.0991 4132 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
15:46:55.0007 4132 HidBth - ok
15:46:55.0022 4132 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
15:46:55.0022 4132 HidIr - ok
15:46:55.0053 4132 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
15:46:55.0053 4132 HidUsb - ok
15:46:55.0116 4132 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
15:46:55.0116 4132 HpSAMD - ok
15:46:55.0163 4132 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
15:46:55.0178 4132 HTTP - ok
15:46:55.0194 4132 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
15:46:55.0194 4132 hwpolicy - ok
15:46:55.0209 4132 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
15:46:55.0209 4132 i8042prt - ok
15:46:55.0241 4132 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
15:46:55.0241 4132 iaStorV - ok
15:46:55.0397 4132 igfx (a87261ef1546325b559374f5689cf5bc) C:\Windows\system32\DRIVERS\igdkmd64.sys
15:46:55.0443 4132 igfx - ok
15:46:55.0475 4132 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
15:46:55.0475 4132 iirsp - ok
15:46:55.0521 4132 inspect (cd9a470cd342224b2052e37c907426d0) C:\Windows\system32\DRIVERS\inspect.sys
15:46:55.0537 4132 inspect - ok
15:46:55.0599 4132 IntcAzAudAddService (e8017f1662d9142f45ceab694d013c00) C:\Windows\system32\drivers\RTKVHD64.sys
15:46:55.0615 4132 IntcAzAudAddService - ok
15:46:55.0631 4132 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
15:46:55.0631 4132 intelide - ok
15:46:55.0677 4132 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
15:46:55.0677 4132 intelppm - ok
15:46:55.0693 4132 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
15:46:55.0693 4132 IpFilterDriver - ok
15:46:55.0709 4132 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
15:46:55.0709 4132 IPMIDRV - ok
15:46:55.0740 4132 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
15:46:55.0740 4132 IPNAT - ok
15:46:55.0787 4132 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
15:46:55.0787 4132 IRENUM - ok
15:46:55.0802 4132 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
15:46:55.0802 4132 isapnp - ok
15:46:55.0802 4132 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
15:46:55.0818 4132 iScsiPrt - ok
15:46:55.0833 4132 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
15:46:55.0833 4132 kbdclass - ok
15:46:55.0880 4132 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
15:46:55.0880 4132 kbdhid - ok
15:46:55.0911 4132 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
15:46:55.0911 4132 KSecDD - ok
15:46:55.0943 4132 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
15:46:55.0943 4132 KSecPkg - ok
15:46:55.0974 4132 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
15:46:55.0974 4132 ksthunk - ok
15:46:56.0021 4132 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
15:46:56.0021 4132 lltdio - ok
15:46:56.0052 4132 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
15:46:56.0052 4132 LSI_FC - ok
15:46:56.0067 4132 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
15:46:56.0067 4132 LSI_SAS - ok
15:46:56.0099 4132 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
15:46:56.0099 4132 LSI_SAS2 - ok
15:46:56.0114 4132 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
15:46:56.0114 4132 LSI_SCSI - ok
15:46:56.0145 4132 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
15:46:56.0145 4132 luafv - ok
15:46:56.0161 4132 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
15:46:56.0161 4132 megasas - ok
15:46:56.0192 4132 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
15:46:56.0192 4132 MegaSR - ok
15:46:56.0255 4132 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
15:46:56.0255 4132 Modem - ok
15:46:56.0270 4132 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
15:46:56.0270 4132 monitor - ok
15:46:56.0301 4132 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
15:46:56.0301 4132 mouclass - ok
15:46:56.0317 4132 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
15:46:56.0317 4132 mouhid - ok
15:46:56.0364 4132 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
15:46:56.0364 4132 mountmgr - ok
15:46:56.0379 4132 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
15:46:56.0379 4132 mpio - ok
15:46:56.0411 4132 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
15:46:56.0411 4132 mpsdrv - ok
15:46:56.0426 4132 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
15:46:56.0442 4132 MRxDAV - ok
15:46:56.0489 4132 mrxsmb (040d62a9d8ad28922632137acdd984f2) C:\Windows\system32\DRIVERS\mrxsmb.sys
15:46:56.0489 4132 mrxsmb - ok
15:46:56.0520 4132 mrxsmb10 (f0067552f8f9b33d7c59403ab808a3cb) C:\Windows\system32\DRIVERS\mrxsmb10.sys
15:46:56.0535 4132 mrxsmb10 - ok
15:46:56.0551 4132 mrxsmb20 (3c142d31de9f2f193218a53fe2632051) C:\Windows\system32\DRIVERS\mrxsmb20.sys
15:46:56.0551 4132 mrxsmb20 - ok
15:46:56.0582 4132 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
15:46:56.0582 4132 msahci - ok
15:46:56.0613 4132 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
15:46:56.0613 4132 msdsm - ok
15:46:56.0645 4132 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
15:46:56.0645 4132 Msfs - ok
15:46:56.0660 4132 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
15:46:56.0660 4132 mshidkmdf - ok
15:46:56.0676 4132 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
15:46:56.0691 4132 msisadrv - ok
15:46:56.0738 4132 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
15:46:56.0738 4132 MSKSSRV - ok
15:46:56.0754 4132 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
15:46:56.0754 4132 MSPCLOCK - ok
15:46:56.0769 4132 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
15:46:56.0769 4132 MSPQM - ok
15:46:56.0801 4132 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
15:46:56.0801 4132 MsRPC - ok
15:46:56.0816 4132 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
15:46:56.0816 4132 mssmbios - ok
15:46:56.0832 4132 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
15:46:56.0832 4132 MSTEE - ok
15:46:56.0847 4132 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
15:46:56.0847 4132 MTConfig - ok
15:46:56.0863 4132 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
15:46:56.0863 4132 Mup - ok
15:46:56.0894 4132 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
15:46:56.0894 4132 NativeWifiP - ok
15:46:56.0957 4132 Nbdrv (0b5d0dd9fa104ef87801c8f58f068b3e) C:\Windows\system32\DRIVERS\nbdrv.sys
15:46:56.0957 4132 Nbdrv - ok
15:46:57.0003 4132 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
15:46:57.0003 4132 NDIS - ok
15:46:57.0066 4132 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
15:46:57.0081 4132 NdisCap - ok
15:46:57.0097 4132 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
15:46:57.0097 4132 NdisTapi - ok
15:46:57.0128 4132 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
15:46:57.0128 4132 Ndisuio - ok
15:46:57.0144 4132 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
15:46:57.0144 4132 NdisWan - ok
15:46:57.0175 4132 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
15:46:57.0175 4132 NDProxy - ok
15:46:57.0222 4132 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
15:46:57.0222 4132 NetBIOS - ok
15:46:57.0253 4132 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
15:46:57.0253 4132 NetBT - ok
15:46:57.0331 4132 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
15:46:57.0331 4132 nfrd960 - ok
15:46:57.0378 4132 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
15:46:57.0378 4132 Npfs - ok
15:46:57.0393 4132 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
15:46:57.0393 4132 nsiproxy - ok
15:46:57.0456 4132 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
15:46:57.0471 4132 Ntfs - ok
15:46:57.0503 4132 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
15:46:57.0503 4132 Null - ok
15:46:57.0534 4132 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
15:46:57.0534 4132 nvraid - ok
15:46:57.0549 4132 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
15:46:57.0549 4132 nvstor - ok
15:46:57.0565 4132 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
15:46:57.0565 4132 nv_agp - ok
15:46:57.0596 4132 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
15:46:57.0596 4132 ohci1394 - ok
15:46:57.0659 4132 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
15:46:57.0659 4132 Parport - ok
15:46:57.0690 4132 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
15:46:57.0690 4132 partmgr - ok
15:46:57.0721 4132 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
15:46:57.0721 4132 pci - ok
15:46:57.0737 4132 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
15:46:57.0737 4132 pciide - ok
15:46:57.0752 4132 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
15:46:57.0752 4132 pcmcia - ok
15:46:57.0768 4132 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
15:46:57.0768 4132 pcw - ok
15:46:57.0799 4132 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
15:46:57.0815 4132 PEAUTH - ok
15:46:57.0877 4132 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
15:46:57.0877 4132 PptpMiniport - ok
15:46:57.0877 4132 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
15:46:57.0877 4132 Processor - ok
15:46:57.0939 4132 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
15:46:57.0939 4132 Psched - ok
15:46:57.0971 4132 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
15:46:57.0986 4132 ql2300 - ok
15:46:58.0002 4132 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
15:46:58.0017 4132 ql40xx - ok
15:46:58.0017 4132 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
15:46:58.0017 4132 QWAVEdrv - ok
15:46:58.0049 4132 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
15:46:58.0049 4132 RasAcd - ok
15:46:58.0064 4132 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
15:46:58.0064 4132 RasAgileVpn - ok
15:46:58.0095 4132 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
15:46:58.0095 4132 Rasl2tp - ok
15:46:58.0127 4132 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
15:46:58.0127 4132 RasPppoe - ok
15:46:58.0173 4132 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
15:46:58.0173 4132 RasSstp - ok
15:46:58.0189 4132 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
15:46:58.0189 4132 rdbss - ok
15:46:58.0220 4132 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
15:46:58.0220 4132 rdpbus - ok
15:46:58.0236 4132 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
15:46:58.0236 4132 RDPCDD - ok
15:46:58.0267 4132 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
15:46:58.0267 4132 RDPDR - ok
15:46:58.0283 4132 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
15:46:58.0283 4132 RDPENCDD - ok
15:46:58.0298 4132 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
15:46:58.0298 4132 RDPREFMP - ok
15:46:58.0329 4132 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
15:46:58.0329 4132 RDPWD - ok
15:46:58.0361 4132 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
15:46:58.0361 4132 rdyboost - ok
15:46:58.0407 4132 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
15:46:58.0407 4132 rspndr - ok
15:46:58.0423 4132 RTL8167 (baefee35d27a5440d35092ce10267bec) C:\Windows\system32\DRIVERS\Rt64win7.sys
15:46:58.0423 4132 RTL8167 - ok
15:46:58.0439 4132 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
15:46:58.0439 4132 s3cap - ok
15:46:58.0501 4132 SASDIFSV (99df79c258b3342b6c8a5f802998de56) G:\application\SASDIFSV64.SYS
15:46:58.0501 4132 SASDIFSV - ok
15:46:58.0532 4132 SASKUTIL (2859c35c0651e8eb0d86d48e740388f2) G:\application\SASKUTIL64.SYS
15:46:58.0532 4132 SASKUTIL - ok
15:46:58.0563 4132 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
15:46:58.0563 4132 sbp2port - ok
15:46:58.0579 4132 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
15:46:58.0579 4132 scfilter - ok
15:46:58.0610 4132 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
15:46:58.0610 4132 secdrv - ok
15:46:58.0657 4132 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
15:46:58.0657 4132 Serenum - ok
15:46:58.0673 4132 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
15:46:58.0673 4132 Serial - ok
15:46:58.0688 4132 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
15:46:58.0688 4132 sermouse - ok
15:46:58.0735 4132 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
15:46:58.0735 4132 sffdisk - ok
15:46:58.0751 4132 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
15:46:58.0751 4132 sffp_mmc - ok
15:46:58.0782 4132 sffp_sd (5588b8c6193eb1522490c122eb94dffa) C:\Windows\system32\DRIVERS\sffp_sd.sys
15:46:58.0782 4132 sffp_sd - ok
15:46:58.0797 4132 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
15:46:58.0797 4132 sfloppy - ok
15:46:58.0844 4132 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
15:46:58.0844 4132 SiSRaid2 - ok
15:46:58.0860 4132 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
15:46:58.0860 4132 SiSRaid4 - ok
15:46:58.0875 4132 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
15:46:58.0875 4132 Smb - ok
15:46:58.0891 4132 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
15:46:58.0891 4132 spldr - ok
15:46:58.0938 4132 sptd (602884696850c86434530790b110e8eb) C:\Windows\system32\Drivers\sptd.sys
15:46:58.0938 4132 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850c86434530790b110e8eb
15:46:58.0953 4132 sptd ( LockedFile.Multi.Generic ) - warning
15:46:58.0953 4132 sptd - detected LockedFile.Multi.Generic (1)
15:46:58.0985 4132 srv (2408c0366d96bcdf63e8f1c78e4a29c5) C:\Windows\system32\DRIVERS\srv.sys
15:46:58.0985 4132 srv - ok
15:46:59.0063 4132 srv2 (76548f7b818881b47d8d1ae1be9c11f8) C:\Windows\system32\DRIVERS\srv2.sys
15:46:59.0063 4132 srv2 - ok
15:46:59.0109 4132 srvnet (0af6e19d39c70844c5caa8fb0183c36e) C:\Windows\system32\DRIVERS\srvnet.sys
15:46:59.0109 4132 srvnet - ok
15:46:59.0156 4132 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
15:46:59.0156 4132 stexstor - ok
15:46:59.0187 4132 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
15:46:59.0187 4132 storflt - ok
15:46:59.0203 4132 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
15:46:59.0219 4132 storvsc - ok
15:46:59.0219 4132 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
15:46:59.0234 4132 swenum - ok
15:46:59.0297 4132 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
15:46:59.0312 4132 Tcpip - ok
15:46:59.0343 4132 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
15:46:59.0359 4132 TCPIP6 - ok
15:46:59.0390 4132 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
15:46:59.0390 4132 tcpipreg - ok
15:46:59.0406 4132 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
15:46:59.0406 4132 TDPIPE - ok
15:46:59.0421 4132 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
15:46:59.0421 4132 TDTCP - ok
15:46:59.0437 4132 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
15:46:59.0437 4132 tdx - ok
15:46:59.0453 4132 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
15:46:59.0453 4132 TermDD - ok
15:46:59.0484 4132 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
15:46:59.0484 4132 tssecsrv - ok
15:46:59.0531 4132 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
15:46:59.0531 4132 tunnel - ok
15:46:59.0546 4132 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
15:46:59.0546 4132 uagp35 - ok
15:46:59.0609 4132 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
15:46:59.0609 4132 udfs - ok
15:46:59.0640 4132 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
15:46:59.0640 4132 uliagpkx - ok
15:46:59.0671 4132 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
15:46:59.0671 4132 umbus - ok
15:46:59.0702 4132 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
15:46:59.0702 4132 UmPass - ok
15:46:59.0733 4132 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
15:46:59.0733 4132 usbccgp - ok
15:46:59.0765 4132 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
15:46:59.0765 4132 usbcir - ok
15:46:59.0780 4132 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
15:46:59.0780 4132 usbehci - ok
15:46:59.0811 4132 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
15:46:59.0811 4132 usbhub - ok
15:46:59.0811 4132 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
15:46:59.0827 4132 usbohci - ok
15:46:59.0843 4132 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
15:46:59.0843 4132 usbprint - ok
15:46:59.0858 4132 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
15:46:59.0874 4132 USBSTOR - ok
15:46:59.0874 4132 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
15:46:59.0874 4132 usbuhci - ok
15:46:59.0952 4132 VClone (84bb306b7863883018d7f3eb0c453bd5) C:\Windows\system32\DRIVERS\VClone.sys
15:46:59.0952 4132 VClone - ok
15:46:59.0983 4132 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
15:46:59.0999 4132 vdrvroot - ok
15:47:00.0014 4132 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
15:47:00.0014 4132 vga - ok
15:47:00.0030 4132 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
15:47:00.0030 4132 VgaSave - ok
15:47:00.0045 4132 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
15:47:00.0045 4132 vhdmp - ok
15:47:00.0077 4132 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
15:47:00.0077 4132 viaide - ok
15:47:00.0108 4132 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
15:47:00.0108 4132 vmbus - ok
15:47:00.0123 4132 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
15:47:00.0139 4132 VMBusHID - ok
15:47:00.0155 4132 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
15:47:00.0155 4132 volmgr - ok
15:47:00.0201 4132 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
15:47:00.0201 4132 volmgrx - ok
15:47:00.0233 4132 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
15:47:00.0233 4132 volsnap - ok
15:47:00.0264 4132 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
15:47:00.0264 4132 vsmraid - ok
15:47:00.0279 4132 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
15:47:00.0279 4132 vwifibus - ok
15:47:00.0295 4132 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
15:47:00.0295 4132 WacomPen - ok
15:47:00.0342 4132 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
15:47:00.0342 4132 WANARP - ok
15:47:00.0342 4132 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
15:47:00.0342 4132 Wanarpv6 - ok
15:47:00.0389 4132 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
15:47:00.0389 4132 Wd - ok
15:47:00.0420 4132 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
15:47:00.0435 4132 Wdf01000 - ok
15:47:00.0467 4132 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
15:47:00.0467 4132 WfpLwf - ok
15:47:00.0482 4132 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
15:47:00.0482 4132 WIMMount - ok
15:47:00.0560 4132 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
15:47:00.0560 4132 WinUsb - ok
15:47:00.0607 4132 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
15:47:00.0607 4132 WmiAcpi - ok
15:47:00.0638 4132 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
15:47:00.0638 4132 ws2ifsl - ok
15:47:00.0669 4132 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
15:47:00.0669 4132 WudfPf - ok
15:47:00.0685 4132 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
15:47:00.0701 4132 WUDFRd - ok
15:47:00.0716 4132 MBR (0x1B8) (9c32257e883943e100ef0e0595efe321) \Device\Harddisk0\DR0
15:47:00.0716 4132 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - infected
15:47:00.0716 4132 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Wistler.a (0)
15:47:00.0716 4132 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
15:47:00.0732 4132 \Device\Harddisk1\DR1 - ok
15:47:00.0732 4132 Boot (0x1200) (913665b3ee1bbe0a532cfed90c941e3e) \Device\Harddisk0\DR0\Partition0
15:47:00.0732 4132 \Device\Harddisk0\DR0\Partition0 - ok
15:47:00.0747 4132 Boot (0x1200) (b8b6acf5edcdfd4253bef73aedd26618) \Device\Harddisk0\DR0\Partition1
15:47:00.0747 4132 \Device\Harddisk0\DR0\Partition1 - ok
15:47:00.0747 4132 Boot (0x1200) (607e635de27e30908c78cb7fed85ccc9) \Device\Harddisk1\DR1\Partition0
15:47:00.0747 4132 \Device\Harddisk1\DR1\Partition0 - ok
15:47:00.0763 4132 Boot (0x1200) (bdbebb55cd6204217f76d740963de7e3) \Device\Harddisk1\DR1\Partition1
15:47:00.0763 4132 \Device\Harddisk1\DR1\Partition1 - ok
15:47:00.0763 4132 Boot (0x1200) (9b8e1329a8047c52b6688c6760cdcafd) \Device\Harddisk1\DR1\Partition2
15:47:00.0763 4132 \Device\Harddisk1\DR1\Partition2 - ok
15:47:00.0763 4132 ============================================================
15:47:00.0763 4132 Scan finished
15:47:00.0763 4132 ============================================================
15:47:00.0779 4160 Detected object count: 2
15:47:00.0779 4160 Actual detected object count: 2
15:47:17.0923 4160 sptd ( LockedFile.Multi.Generic ) - skipped by user
15:47:17.0923 4160 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
15:47:17.0923 4160 \Device\Harddisk0\DR0 - processing error
15:48:08.0576 4160 \Device\Harddisk0\DR0 - will be restored on reboot
15:48:08.0576 4160 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - User select action: Cure Restore
15:48:12.0461 4720 Deinitialize success

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 December 2011 - 12:03 AM

Hello


Is Avira still reporting?


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Destoro

  • Topic Starter
  • Members
  • 8 posts

Posted 17 December 2011 - 01:50 AM

No problems with ComboFix this time, computer booted correctly the first time. Avira is no longer reporting the virus after running TDSSkiller. Thanks!

ComboFix 11-12-16.03 - Destro 17/12/2011 17:31:06.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.4094.3058 [GMT 11:00]
Running from: c:\users\Destro\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: COMODO Defense+ *Disabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 )))))))))))))))))))))))))))))))
.
.
2011-12-17 06:41 . 2011-12-17 06:41 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2ECE1BDF-2E7F-49BF-9EAC-C8C66C41BBCA}\offreg.dll
2011-12-17 06:37 . 2011-12-17 06:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-17 04:56 . 2011-12-17 06:26 -------- d-----w- c:\users\Destro\AppData\Roaming\X-Chat 2
2011-12-17 04:56 . 2011-12-17 04:56 -------- d-----w- c:\program files (x86)\xchat
2011-12-17 04:25 . 2011-12-17 04:25 -------- d-----w- c:\users\Destro\AppData\Roaming\Canneverbe Limited
2011-12-17 04:25 . 2011-12-17 04:25 -------- d-----w- c:\programdata\Canneverbe Limited
2011-12-17 04:25 . 2011-12-17 04:25 -------- d-----w- c:\program files (x86)\CDBurnerXP
2011-12-11 15:10 . 2011-12-11 15:10 -------- d-----w- c:\users\Destro\AppData\Roaming\IrfanView
2011-12-11 15:10 . 2011-12-11 15:10 -------- d-----w- c:\program files (x86)\IrfanView
2011-12-10 13:49 . 2011-12-10 13:51 -------- d-----w- c:\program files (x86)\ProFantasy
2011-11-27 10:54 . 2011-11-27 10:54 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-11-25 03:42 . 2011-11-25 03:42 -------- d-----w- c:\programdata\ATI
2011-11-25 03:42 . 2011-11-25 03:42 -------- d-----w- c:\program files (x86)\AMD APP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-05 17:36 . 2011-05-18 04:10 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-26 03:05 . 2011-10-26 03:05 10496512 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-10-26 02:16 . 2011-10-26 02:16 24866816 ----a-w- c:\windows\system32\atio6axx.dll
2011-10-26 02:06 . 2011-10-26 02:06 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-10-26 02:05 . 2011-01-05 03:02 748544 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-10-26 02:04 . 2011-10-26 02:04 892416 ----a-w- c:\windows\system32\aticfx64.dll
2011-10-26 02:01 . 2011-10-26 02:01 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-10-26 02:01 . 2011-10-26 02:01 517120 ----a-w- c:\windows\system32\atieclxx.exe
2011-10-26 02:00 . 2011-10-26 02:00 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-10-26 01:59 . 2011-10-26 01:59 18757120 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-10-26 01:59 . 2011-10-26 01:59 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-10-26 01:59 . 2011-10-26 01:59 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-10-26 01:59 . 2011-10-26 01:59 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-10-26 01:59 . 2011-10-26 01:59 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-10-26 01:58 . 2011-10-26 01:58 21504 ----a-w- c:\windows\system32\atimuixx.dll
2011-10-26 01:58 . 2011-10-26 01:58 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-10-26 01:58 . 2011-10-26 01:58 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-10-26 01:55 . 2011-01-05 02:52 4292096 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-10-26 01:46 . 2011-10-26 01:46 5041664 ----a-w- c:\windows\system32\atidxx64.dll
2011-10-26 01:43 . 2011-10-26 01:43 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-10-26 01:43 . 2011-10-26 01:43 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-10-26 01:43 . 2011-10-26 01:43 4044288 ----a-w- c:\windows\system32\atiumd6a.dll
2011-10-26 01:38 . 2011-10-26 01:38 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-10-26 01:38 . 2011-10-26 01:38 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-10-26 01:38 . 2011-10-26 01:38 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-10-26 01:38 . 2011-10-26 01:38 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-10-26 01:38 . 2011-10-26 01:38 9978880 ----a-w- c:\windows\system32\aticaldd64.dll
2011-10-26 01:35 . 2011-01-05 02:33 4353536 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-10-26 01:34 . 2011-10-26 01:34 8449024 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-10-26 01:32 . 2011-01-05 02:25 4189184 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-10-26 01:29 . 2011-10-26 01:29 5510144 ----a-w- c:\windows\system32\atiumd64.dll
2011-10-26 01:29 . 2011-01-05 02:28 58880 ----a-w- c:\windows\system32\coinst.dll
2011-10-26 01:22 . 2011-10-26 01:22 486912 ----a-w- c:\windows\system32\atiadlxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 339968 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-10-26 01:22 . 2011-10-26 01:22 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-10-26 01:22 . 2011-10-26 01:22 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-10-26 01:22 . 2011-10-26 01:22 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-10-26 01:21 . 2011-10-26 01:21 326656 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-10-26 01:21 . 2011-01-05 02:18 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-10-26 01:21 . 2011-01-05 02:18 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-10-26 01:21 . 2011-01-05 02:18 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-10-26 01:20 . 2011-01-05 02:18 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-10-26 01:20 . 2011-10-26 01:20 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-10-26 01:16 . 2011-10-26 01:16 54784 ----a-w- c:\windows\system32\atimpc64.dll
2011-10-26 01:16 . 2011-10-26 01:16 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2011-10-26 01:15 . 2011-10-26 01:15 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-10-26 01:15 . 2011-10-26 01:15 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-10-25 10:21 . 2011-10-25 10:21 66560 ----a-w- c:\windows\system32\OpenVideo64.dll
2011-10-25 10:21 . 2011-10-25 10:21 56832 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2011-10-25 10:21 . 2011-10-25 10:21 66560 ----a-w- c:\windows\system32\OVDecoder64.dll
2011-10-25 10:21 . 2011-10-25 10:21 56832 ----a-w- c:\windows\SysWow64\OVDecoder.dll
2011-10-25 10:21 . 2011-10-25 10:21 16991744 ----a-w- c:\windows\system32\amdocl64.dll
2011-10-25 10:20 . 2011-10-25 10:20 13950464 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-10-25 10:19 . 2011-10-25 10:19 51200 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-25 10:19 . 2011-10-25 10:19 44032 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-07 10:01 . 2010-10-20 03:47 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-10-07 10:01 . 2010-10-19 06:06 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-07 04:36 . 2010-10-19 06:06 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-02 18:06 . 2011-04-07 12:34 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-09-30 16:06 . 2010-10-19 06:06 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-09-20 22:00 . 2011-10-02 01:05 9049936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2ECE1BDF-2E7F-49BF-9EAC-C8C66C41BBCA}\mpengine.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\SysWOW64\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\SysWOW64\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\SysWOW64\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-16_09.07.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-20 09:43 . 2011-12-17 04:51 44716 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-12-15 01:12 41008 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-17 04:51 41008 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-08-20 07:26 . 2011-12-17 04:51 15094 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3364944025-1602117460-2571459387-1001_UserData.bin
- 2010-08-20 02:53 . 2011-12-16 09:06 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-20 02:53 . 2011-12-17 06:41 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-20 02:53 . 2011-12-16 09:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-20 02:53 . 2011-12-17 06:41 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-17 06:41 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-16 09:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-20 03:13 . 2011-12-17 06:41 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-20 03:13 . 2011-12-16 09:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-20 03:13 . 2011-12-16 09:07 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-20 03:13 . 2011-12-17 06:41 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-20 03:13 . 2011-12-17 06:41 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-20 03:13 . 2011-12-16 09:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-20 03:13 . 2011-12-16 09:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-20 03:13 . 2011-12-17 06:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-20 03:13 . 2011-12-17 06:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-20 03:13 . 2011-12-16 09:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-12-16 09:06 . 2011-12-16 09:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-17 06:39 . 2011-12-17 06:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-16 09:06 . 2011-12-16 09:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-17 06:39 . 2011-12-17 06:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-12-15 01:13 664478 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-12-17 06:43 664478 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-15 01:13 125214 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-12-17 06:43 125214 c:\windows\system32\perfc009.dat
- 2009-07-14 05:12 . 2011-12-15 01:09 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2011-12-17 06:41 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-02-08 14:04 . 2011-12-17 06:37 840016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-02-08 14:04 . 2011-12-16 09:02 840016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 02:34 . 2011-12-15 16:48 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-12-17 05:03 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 01:51 3911776 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 01:51 3911776 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetBalancer"="c:\program files\NetBalancer\SeriousBit.NetBalancer.Tray.exe" [2010-07-23 60928]
"Steam"="g:\games 2\steam\steam.exe" [2011-08-25 1242448]
"SUPERAntiSpyware"="g:\application\SUPERAntiSpyware.exe" [2011-01-13 2988784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"VirtualCloneDrive"="g:\application\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-25 343168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 cpuz130;cpuz130;c:\users\Destro\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 SASDIFSV;SASDIFSV;g:\application\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;g:\application\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;g:\application\SASCORE64.EXE [2010-06-29 128752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-28 136360]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;g:\games 2\hirez\HiPatchService.exe [2011-12-02 8704]
S2 NetBalancer Windows Service;NetBalancer Windows Service;c:\program files\NetBalancer\SeriousBit.NetBalancer.Service.exe [2010-07-23 10240]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 Nbdrv;NetBalancer Service;c:\windows\system32\DRIVERS\nbdrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3364944025-1602117460-2571459387-1001Core.job
- c:\users\Destro\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-20 06:37]
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3364944025-1602117460-2571459387-1001UA.job
- c:\users\Destro\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-20 06:37]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-02-17 8866120]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Destro\AppData\Roaming\Mozilla\Firefox\Profiles\dph86pf0.default\
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-12-17 17:48:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-17 06:48
ComboFix2.txt 2011-12-16 09:10
.
Pre-Run: 5,182,779,392 bytes free
Post-Run: 5,100,969,984 bytes free
.
- - End Of File - - 6CF394289BCE9E23F3AA5C1AFD9AD4A1

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 December 2011 - 02:02 AM

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Destoro
  • Topic Starter
  • Members
  • 8 posts

Posted 17 December 2011 - 02:18 AM

I have attempted to run TFC.exe twice (from the desktop as instructed); as soon as I click the Start button to begin the process, my computer gives a BSOD. I have not proceeded with the other tests at this time; I shall await your instruction.

#10 gringo_pr

Posted 17 December 2011 - 02:31 AM

Skip it and move on to the next items (it is not important).


gringo

#11 Destoro
  • Topic Starter

Posted 17 December 2011 - 02:44 AM

No further problems, system still running as normal.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8384

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

17/12/2011 6:36:01 PM
mbam-log-2011-12-17 (18-36-01).txt

Scan type: Quick scan
Objects scanned: 175269
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)









Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:42:26 PM, on 17/12/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16839)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [VirtualCloneDrive] "G:\application\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [NetBalancer] C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Tray.exe
O4 - HKCU\..\Run: [Steam] "G:\games 2\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\application\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~4\Office12\GRA32A~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - G:\application\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Hi-Rez Studios Authenticate and Update Service (HiPatchService) - Hi-Rez Studios - G:\games 2\hirez\HiPatchService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8397 bytes

#12 gringo_pr

Posted 17 December 2011 - 02:51 AM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on any of their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [VirtualCloneDrive] "G:\application\VirtualCloneDrive\VCDDaemon.exe" /s
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
      O4 - HKCU\..\Run: [NetBalancer] C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Tray.exe
      O4 - HKCU\..\Run: [Steam] "G:\games 2\steam\steam.exe" -silent
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click on the ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard and paste the results here in this topic.
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo

#13 Destoro
  • Topic Starter

Posted 17 December 2011 - 09:14 AM

Finished at last. C:\ is my current OS drive; D:\ is from an old XP install that I no longer use.


C:\Users\Destro\Downloads\cnet2_partition_recovery_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Destro\Downloads\MediaInfo_GUI_0.7.37_Windows_i386.exe Win32/OpenCandy application
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\10\35ace28a-3c2dbfa6 probably a variant of Win32/Agent.LMMBFXF trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\12\14eab74c-7a3887b8 a variant of Win32/Unruy.AA trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\13\2dd3754d-3175a490 a variant of Java/TrojanDownloader.Agent.NAI trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\14\34524d4e-20d84bc1 multiple threats
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\16\d1c5590-582dc5e2 Java/Exploit.CVE-2009-2843.B trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\20\19e4c9d4-5d68dd09 probably a variant of Java/Agent.BR trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\26\56bf0f5a-73c20aa7 Java/Exploit.CVE-2009-3867.AL trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\26\77ca675a-7a54e7d2 a variant of Java/Agent.BR trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\41\6e8e58e9-29594eca a variant of Win32/TrojanDownloader.Unruy.CC trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\41\6e8e58e9-3bbce930 a variant of Win32/TrojanDownloader.Unruy.CC trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\43\3647d36b-21aafd33 multiple threats
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\45\43154c6d-33b112dd a variant of Win32/Unruy.AA trojan
D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\8\4cafbd48-5b365a5e probably a variant of Win32/Agent.LMMBFXF trojan
D:\Documents and Settings\Destroid\Local Settings\Application Data\yawucesew\lwbwjuishdw.exe Win32/Adware.SpywareProtect2009 application
D:\Documents and Settings\Destroid\Local Settings\Temp\jar_cache583531033419103035.tmp a variant of OSX/Exploit.Smid.D trojan
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\G5QZGDIR\axoiq[1].htm a variant of Win32/Cimag.DF trojan
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\G5QZGDIR\newsecureapp70700[2].exe a variant of Win32/Kryptik.GDP trojan
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\OTIVK9MB\oytnvg[1].htm a variant of Win32/Kryptik.GCY trojan
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\OTIVK9MB\vmdkfnhp[1].htm Win32/Adware.SpywareProtect2009 application
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\OTIVK9MB\vmdkfnhp[2].htm Win32/Adware.SpywareProtect2009 application
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\UNP9GCVT\qghoquc[1].htm Win32/Adware.SpywareProtect2009 application
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\WXMBS5U3\axoiq[1].htm a variant of Win32/Cimag.DF trojan
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\WXMBS5U3\evwdlf[1].htm Win32/Agent.QNF trojan
D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\WXMBS5U3\qghoquc[1].htm Win32/Adware.SpywareProtect2009 application
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CHY7KLQ7\C0[1].php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
D:\WINDOWS\Ldomea.exe a variant of Win32/Kryptik.GGS trojan
D:\WINDOWS\unusatoxolib.dll a variant of Win32/Cimag.CK trojan
D:\WINDOWS\wunvfpx.dll.virus a variant of Win32/Cimag.DF trojan
D:\WINDOWS\system32\ahanalum.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\system32\efadujoh.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\system32\idetaduv.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\system32\ojenulih.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\system32\olonojen.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\system32\ulobamov.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\system32\uvosuyih.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\system32\drivers\kyejq.sys a variant of Win32/Bubnix.AZ trojan
D:\WINDOWS\system32\spool\prtprocs\w32x86\C5sK5.dll a variant of Win32/Kryptik.FGR trojan
D:\WINDOWS\system32\spool\prtprocs\w32x86\O5oC5.dll a variant of Win32/Kryptik.FGR trojan
E:\downloads\soldat15\soldatsetup15.exe Win32/OpenCandy application
E:\games\Soldat\OpenCandy\OCSetupHlp.dll Win32/OpenCandy application
E:\old drive\archive\games\emulators\neorage\NeoRAGEx.zip a variant of Win32/Packed.PECrypt32.A application
E:\old drive\archive\games\emulators\neorage\NeoRAGEx\NeoRAGEx.exe a variant of Win32/Packed.PECrypt32.A application
E:\random\freeripmp3.exe multiple threats
G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfattachtest.exe probably a variant of Win32/Agent.DDQVISQ trojan
G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfexpbench.exe probably a variant of Win32/Agent.JYJXQJM trojan
G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfflows.exe probably a variant of Win32/Agent.LPEXIVA trojan
G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dflair.exe probably a variant of Win32/Agent.MBFCHKH trojan
G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfmode.exe probably a variant of Win32/Agent.GNTAXU trojan
G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfpause.exe probably a variant of Win32/Agent.MSCYHJA trojan
G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfposition.exe probably a variant of Win32/Agent.HMIAGON trojan

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:58 PM

Posted 17 December 2011 - 11:35 AM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    rem Each path is fully quoted: several of them contain spaces ("Documents and Settings",
    rem "games 2"), and without both quotes cmd.exe would split the path into separate arguments.
    del /f /s /q "C:\Users\Destro\Downloads\cnet2_partition_recovery_exe.exe"
    del /f /s /q "C:\Users\Destro\Downloads\MediaInfo_GUI_0.7.37_Windows_i386.exe"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\10\35ace28a-3c2dbfa6"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\12\14eab74c-7a3887b8"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\13\2dd3754d-3175a490"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\14\34524d4e-"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\16\d1c5590-582dc5e2"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\20\19e4c9d4-5d68dd09"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\26\56bf0f5a-73c20aa7"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\26\77ca675a-7a54e7d2"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\41\6e8e58e9-29594eca"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\41\6e8e58e9-3bbce930"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\43\3647d36b-21aafd33"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\45\43154c6d-33b112dd"
    del /f /s /q "D:\Documents and Settings\Destroid\Application Data\Sun\Java\Deployment\cache\6.0\8\4cafbd48-5b365a5e"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Application Data\yawucesew\lwbwjuishdw.exe"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temp\jar_cache583531033419103035.tmp"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\G5QZGDIR\axoiq[1].htm"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\G5QZGDIR\newsecureapp70700[2].exe"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\OTIVK9MB\oytnvg[1].htm"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\OTIVK9MB\vmdkfnhp[1].htm"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\OTIVK9MB\vmdkfnhp[2].htm"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\UNP9GCVT\qghoquc[1].htm"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\WXMBS5U3\axoiq[1].htm"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\WXMBS5U3\evwdlf[1].htm"
    del /f /s /q "D:\Documents and Settings\Destroid\Local Settings\Temporary Internet Files\Content.IE5\WXMBS5U3\qghoquc[1].htm"
    del /f /s /q "D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CHY7KLQ7\C0[1].php"
    del /f /s /q "D:\WINDOWS\Ldomea.exe"
    del /f /s /q "D:\WINDOWS\unusatoxolib.dll"
    del /f /s /q "D:\WINDOWS\wunvfpx.dll.virus"
    del /f /s /q "D:\WINDOWS\system32\ahanalum.ini"
    del /f /s /q "D:\WINDOWS\system32\efadujoh.ini"
    del /f /s /q "D:\WINDOWS\system32\idetaduv.ini"
    del /f /s /q "D:\WINDOWS\system32\ojenulih.ini"
    del /f /s /q "D:\WINDOWS\system32\olonojen.ini"
    del /f /s /q "D:\WINDOWS\system32\ulobamov.ini"
    del /f /s /q "D:\WINDOWS\system32\uvosuyih.ini"
    del /f /s /q "D:\WINDOWS\system32\drivers\kyejq.sys"
    del /f /s /q "D:\WINDOWS\system32\spool\prtprocs\w32x86\C5sK5.dll"
    del /f /s /q "D:\WINDOWS\system32\spool\prtprocs\w32x86\O5oC5.dll"
    rem The two OpenCandy entries carry only the file path; the detection name from the scan log is not part of the path.
    del /f /s /q "E:\downloads\soldat15\soldatsetup15.exe"
    del /f /s /q "E:\games\Soldat\OpenCandy\OCSetupHlp.dll"
    del /f /s /q "E:\old drive\archive\games\emulators\neorage\NeoRAGEx.zip"
    del /f /s /q "E:\old drive\archive\games\emulators\neorage\NeoRAGEx\NeoRAGEx.exe"
    del /f /s /q "E:\random\freeripmp3.exe"
    del /f /s /q "G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfattachtest.exe"
    del /f /s /q "G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfexpbench.exe"
    del /f /s /q "G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfflows.exe"
    del /f /s /q "G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dflair.exe"
    del /f /s /q "G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfmode.exe"
    del /f /s /q "G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfpause.exe"
    del /f /s /q "G:\games 2\LazyNewbPack[0.31.25][V9.1]\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfposition.exe"
    rem Finally the batch file removes itself.
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: [screenshot]<--XP [screenshot]<--Vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure: How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select "Automatic (recommended): Automatically download recommended updates for my computer and install them".

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->[donate button]<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University
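As an added example (not code from this thread or its helper), here is a small Python parser for the ESET online-scan lines quoted earlier in the thread. It splits each line into path and detection, tags entries as malware, heuristic ("probably a variant of") or potentially unwanted application, and emits properly quoted del commands so that paths containing spaces survive cmd.exe argument splitting. The sample log lines are constructed from the ones in this thread, and the category names are my own.

```python
import re

# Constructed sample lines in the ESET scan-log format seen in this thread:
# a full path, then the detection name, separated by whitespace.
SAMPLE_LOG = """\
D:\\WINDOWS\\Ldomea.exe a variant of Win32/Kryptik.GGS trojan
D:\\Documents and Settings\\Destroid\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\10\\35ace28a-3c2dbfa6 a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
E:\\games\\Soldat\\OpenCandy\\OCSetupHlp.dll Win32/OpenCandy application
E:\\random\\freeripmp3.exe multiple threats
G:\\games 2\\LNP\\Utilities\\DFhack 0.5.12\\dfflows.exe probably a variant of Win32/Agent.LPEXIVA trojan
"""

# The path is matched lazily, so the anchored detection part decides where it
# ends: a detection always contains a "family/name" token (no spaces) or is
# the literal "multiple threats". Paths in these logs use backslashes only.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<det>(?:probably )?(?:a variant of )?\S+/\S+ \w+|multiple threats)$"
)

def parse_scan_line(line):
    """Return {'path', 'detection', 'category'} or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, det = m.group("path"), m.group("det")
    if det.endswith("application"):
        category = "pua"          # potentially unwanted, e.g. bundled adware
    elif det.startswith("probably"):
        category = "heuristic"    # lower-confidence detection, review first
    else:
        category = "malware"
    return {"path": path, "detection": det, "category": category}

def to_del_command(path):
    # Quote the whole path: unquoted "Documents and Settings" or "games 2"
    # would be split by cmd.exe into several arguments.
    return 'del /f /q "%s"' % path

def build_delete_batch(log_text, categories=("malware", "heuristic", "pua")):
    """Build a self-deleting batch file for entries in the chosen categories."""
    lines = ["@echo off"]
    for raw in log_text.splitlines():
        entry = parse_scan_line(raw)
        if entry and entry["category"] in categories:
            lines.append(to_del_command(entry["path"]))
    lines.append("del %0")
    return "\n".join(lines)
```

Restricting `categories` to `("malware",)` produces a batch for the confirmed detections only, leaving the heuristic and PUA entries for a second look before anything is removed.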

#15 Destoro

Destoro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:58 PM

Posted 17 December 2011 - 09:00 PM

I have completed the steps, everything running as normal, thank you so much for your assistance!



