Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected by TDSS/Alureon rootkit


  • This topic is locked This topic is locked
18 replies to this topic

#1 Guil50

Guil50

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 09 January 2012 - 12:47 AM

Hi everyone,

While trying to fix an unrelated problem I attempted a system restoration under Windows 7 64 bits. Windows said the system couldn't be restored because of my antivirus, so I disabled it (it still didn't work), forgot to turn it back on, and quickly got infected by TDSS/Rootkit/Alureon. The main symptom is that my Google searches get redirected.

I've downloaded both Kasperksy's TDSSKiller and Avast's aswMBR, which according to what I've read are able to fix this problem, but I can't run them. I save the .exe to my desktop, run it, I see a process start, but it closes on its own (even in safe mode). DDS logs are as follows; GMER logs could not be created because of 64 bit OS.

Anyone who can help me with this will have my eternal gratitude.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Guil at 0:29:23 on 2012-01-09
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.2.1036.18.6126.4054 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxdjcoms.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://gateway.msn.com
uDefault_Page_URL = hxxp://gateway.msn.com
mDefault_Page_URL = hxxp://gateway.msn.com
mStart Page = hxxp://gateway.msn.com
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1E0C7D4C-48FC-4228-A398-5A61C2FB11AB} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{EC21D03C-6BAB-4762-8E8E-7BB27DD17D49} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
{53707962-6F74-2D53-2644-206D7942484F}
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{B4F3A835-0E21-4959-BA22-42B3008E02FF}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Guil\AppData\Roaming\Mozilla\Firefox\Profiles\38riohlt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-1-6 44768]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-1 13336]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-5-31 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-8-6 235624]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Service Windows Activation Technologies;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-01-09 00:41:34 -------- d-----w- C:\Users\Guil\AppData\Local\{D26FB650-E9E8-40ED-BAD7-678D43294F8B}
2012-01-09 00:41:22 -------- d-----w- C:\Users\Guil\AppData\Local\{2DC4BCC6-D317-4CAC-AF5F-52BC4FA4889D}
2012-01-08 12:41:03 -------- d-----w- C:\Users\Guil\AppData\Local\{891401FB-3EDE-457A-A8DE-DDA6552D2D1C}
2012-01-08 12:40:42 -------- d-----w- C:\Users\Guil\AppData\Local\{0FC29B37-21C8-40A1-8149-526D3D06D813}
2012-01-08 02:53:56 133632 ----a-w- C:\MbrFix64.exe
2012-01-07 23:28:29 -------- d-----w- C:\Users\Guil\AppData\Local\{0E87CB94-DCB0-42B1-AA06-3783771B6AFB}
2012-01-07 23:28:02 -------- d-----w- C:\Users\Guil\AppData\Local\{7277EBE4-067F-4420-A702-2A49D093BB5B}
2012-01-07 04:51:07 -------- d-----w- C:\Users\Guil\AppData\Local\{FD93609C-B865-4E19-B7D9-EEF50AD9E7CB}
2012-01-07 04:50:40 -------- d-----w- C:\Users\Guil\AppData\Local\{EE7A1907-E48A-4888-85EC-BC06B7EFC843}
2012-01-06 15:57:11 -------- d-----w- C:\Users\Guil\AppData\Local\{0753E816-3DFE-4964-8C3A-EB68C38D0433}
2012-01-06 15:57:00 -------- d-----w- C:\Users\Guil\AppData\Local\{81EFE799-FD91-442A-A658-98D1E5528AC1}
2012-01-06 10:37:30 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A8AD1D13-CAB3-401E-A165-064068604BF2}\mpengine.dll
2012-01-06 05:08:35 -------- d-----w- C:\Users\Guil\AppData\Local\{6E5C8F83-A243-4C8F-9FFC-B1F0AB375C66}
2012-01-04 23:00:30 -------- d-----w- C:\Users\Guil\AppData\Local\{AA9D1A6D-BC94-4503-A24B-42EAD88486F6}
2012-01-04 23:00:03 -------- d-----w- C:\Users\Guil\AppData\Local\{7951303E-3823-40AF-A464-614B6DF9BA6D}
2012-01-04 06:41:17 -------- d-----w- C:\Users\Guil\AppData\Roaming\Malwarebytes
2012-01-04 06:41:07 -------- d-----w- C:\ProgramData\Malwarebytes
2012-01-04 06:41:07 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-04 06:38:05 6189952 ----a-w- C:\ARO2011_bt.exe
2012-01-04 06:35:21 -------- d-----w- C:\MGtools
2012-01-04 06:35:14 2448941 ----a-w- C:\MGtools.exe
2012-01-04 06:21:01 -------- d-----w- C:\Users\Guil\AppData\Local\{8B93659C-E38C-4EA8-B186-7A81716A7063}
2012-01-04 06:20:33 -------- d-----w- C:\Users\Guil\AppData\Local\{32379A7F-916E-44EC-A8F1-3E9959F7306B}
2011-12-31 04:46:34 -------- d-----w- C:\Program Files (x86)\PC Tools Security
2011-12-31 04:46:34 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2011-12-31 04:03:10 -------- d-----w- C:\ProgramData\PC Tools
2011-12-31 04:01:26 -------- d-----w- C:\Users\Guil\AppData\Local\{DE6B4CE6-7A65-4E53-A2FC-93850AB3F1F9}
2011-12-31 04:01:09 -------- d-----w- C:\Users\Guil\AppData\Local\{3E7D0B1C-0F6A-4A76-B78E-D48C9D7EE6D8}
2011-12-30 16:00:36 -------- d-----w- C:\Users\Guil\AppData\Local\{E0668F49-DE7C-4C65-8384-4514D763CA78}
2011-12-30 16:00:00 -------- d-----w- C:\Users\Guil\AppData\Local\{B816C32C-9E22-4F37-B903-6A2F1033F6C0}
2011-12-29 22:10:44 -------- d-----w- C:\Users\Guil\AppData\Local\{0230414A-1670-4FC0-9B34-445A7E81C8E8}
2011-12-29 22:10:17 -------- d-----w- C:\Users\Guil\AppData\Local\{FE39AAB0-3305-47E8-AF79-47760162CD99}
2011-12-29 21:54:25 -------- d-----w- C:\Program Files (x86)\NirSoft
2011-12-29 21:47:00 -------- d-----w- C:\Users\Guil\AppData\Local\{7569C851-01C4-4FA8-B30B-4BF0E25DCBAA}
2011-12-29 21:46:49 -------- d-----w- C:\Users\Guil\AppData\Local\{CFCAE92F-2787-4BDF-B156-5773EE4398BA}
2011-12-29 08:36:58 -------- d-----w- C:\Users\Guil\AppData\Local\{E6F1F0B4-9C23-4CB8-95D9-5852330753A5}
2011-12-29 08:36:47 -------- d-----w- C:\Users\Guil\AppData\Local\{D16CCD4B-CFB0-4573-9BCC-0AA82EE3CE48}
2011-12-28 20:36:34 -------- d-----w- C:\Users\Guil\AppData\Local\{375FDF42-1756-4447-99DF-3EFC22C57500}
2011-12-28 20:36:22 -------- d-----w- C:\Users\Guil\AppData\Local\{1B347D23-BF6D-4683-88FF-12F5D9142093}
2011-12-28 02:14:22 -------- d-----w- C:\Users\Guil\AppData\Local\{FA520722-AA8B-41D7-A9BE-079F67A25920}
2011-12-28 02:14:11 -------- d-----w- C:\Users\Guil\AppData\Local\{67BCE994-3277-4391-91BF-E3F70D8A579F}
2011-12-27 14:13:45 -------- d-----w- C:\Users\Guil\AppData\Local\{559F80FB-654C-48CE-9897-F9FED9325044}
2011-12-27 14:13:18 -------- d-----w- C:\Users\Guil\AppData\Local\{AE07AACD-0161-44B0-AB06-07DB535E3447}
2011-12-26 23:55:45 -------- d-----w- C:\Users\Guil\AppData\Local\{4A1EBB79-CDBA-4E9E-9E5C-AF0CF1C001D3}
2011-12-26 23:55:16 -------- d-----w- C:\Users\Guil\AppData\Local\{42F03F94-9061-4F92-A6D3-7E2FCC235490}
2011-12-26 06:26:40 -------- d-----w- C:\Users\Guil\AppData\Local\{2E8FD2FD-6162-4EF5-AD87-EB585931AF4A}
2011-12-26 06:26:13 -------- d-----w- C:\Users\Guil\AppData\Local\{7B2CDA9D-EFA8-4859-94E4-6819B682A522}
2011-12-24 17:03:56 -------- d-----w- C:\Users\Guil\AppData\Local\{22FE3F8A-7AA3-4E7B-A4B6-62CC87EF5B1B}
2011-12-24 17:03:29 -------- d-----w- C:\Users\Guil\AppData\Local\{88165539-38AB-41F1-BFD4-B9D061CF8538}
2011-12-24 04:10:37 -------- d-----w- C:\Users\Guil\AppData\Local\{71C66302-E2E5-4749-AD30-1C1DDD5C1135}
2011-12-24 04:10:16 -------- d-----w- C:\Users\Guil\AppData\Local\{EDFC9DDC-5C7C-4713-A77B-AF5984579A41}
2011-12-23 16:09:51 -------- d-----w- C:\Users\Guil\AppData\Local\{0610D01D-3EA5-4931-B567-51C3CED2FE26}
2011-12-23 16:09:40 -------- d-----w- C:\Users\Guil\AppData\Local\{92F0F111-97B9-48FE-9A93-D93F92E7A988}
2011-12-23 04:09:10 -------- d-----w- C:\Users\Guil\AppData\Local\{D7E0A420-E89A-496B-88EF-9EDE7EC2F945}
2011-12-23 04:08:59 -------- d-----w- C:\Users\Guil\AppData\Local\{18CD7A89-FB2D-401D-84DB-7524934533D3}
2011-12-22 16:28:38 1146984 ----a-w- C:\Windows\System32\RTSnMg64.cpl
2011-12-22 16:28:30 65024 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2011-12-22 16:28:30 1251944 ----a-w- C:\Windows\RtlExUpd.dll
2011-12-22 16:08:31 -------- d-----w- C:\Users\Guil\AppData\Local\{2B7744B2-0570-4FDD-BE2F-CC11F6582E1A}
2011-12-22 16:08:09 -------- d-----w- C:\Users\Guil\AppData\Local\{9434CF4A-F38E-4A35-9818-62EFED1B4A07}
2011-12-22 03:10:28 -------- d-----w- C:\Users\Guil\AppData\Local\{8A2D2CDF-D6BE-460D-83B5-7E6BBE9ADEB5}
2011-12-22 03:10:00 -------- d-----w- C:\Users\Guil\AppData\Local\{3D0B0575-E66F-417C-9A9C-2F97B9B663DA}
2011-12-21 07:04:37 -------- d-----w- C:\Users\Guil\AppData\Local\{7CB5BD39-1CB3-48C9-B833-5B27551536A0}
2011-12-21 07:04:20 -------- d-----w- C:\Users\Guil\AppData\Local\{4EF61ED3-6C40-466D-A948-F521705BAF65}
2011-12-20 19:03:50 -------- d-----w- C:\Users\Guil\AppData\Local\{3D2305A7-1B7C-4901-BF6D-510E1CF9A3F0}
2011-12-20 19:03:23 -------- d-----w- C:\Users\Guil\AppData\Local\{BA3D0298-F29B-4641-B5A1-334D0BB6E378}
2011-12-20 00:34:53 -------- d-----w- C:\Users\Guil\AppData\Local\{8AD3B1FC-232F-4151-942D-5D46C5B39CD7}
2011-12-20 00:34:42 -------- d-----w- C:\Users\Guil\AppData\Local\{90033567-AC23-4A0E-AD6D-60D9474F13BA}
2011-12-19 01:59:46 -------- d-----w- C:\Users\Guil\AppData\Local\{89352EEB-FDEB-4A7C-BA28-FB7F4A590F2F}
2011-12-19 01:59:16 -------- d-----w- C:\Users\Guil\AppData\Local\{83F8C506-92C3-4517-B1F9-E58715B249D3}
2011-12-18 05:08:35 -------- d-----w- C:\Users\Guil\AppData\Local\{551CA179-63DE-4158-B4F2-1EB1939ABDF7}
2011-12-18 05:08:24 -------- d-----w- C:\Users\Guil\AppData\Local\{2026E6A5-45FB-4D22-B4E6-5A9C08C42FE5}
2011-12-18 03:09:09 -------- d-----w- C:\Program Files (x86)\raidcall
2011-12-17 17:16:01 563168 ----a-w- C:\ProgramData\SPLBBDF.tmp
2011-12-17 17:07:57 -------- d-----w- C:\Users\Guil\AppData\Local\{15241DD7-320C-49B6-B249-BEB354D706A0}
2011-12-17 17:07:31 -------- d-----w- C:\Users\Guil\AppData\Local\{F7888F38-BA7E-47DD-8DDD-2D6A8B0B231F}
2011-12-17 04:07:39 -------- d-----w- C:\Users\Guil\AppData\Local\{4A5B1743-9F29-4424-9334-43BACD0B3BB3}
2011-12-17 04:07:28 -------- d-----w- C:\Users\Guil\AppData\Local\{D916104E-8309-4EF5-BAF3-5C97EBF19524}
2011-12-16 16:07:02 -------- d-----w- C:\Users\Guil\AppData\Local\{1D3DF098-C661-41FB-8395-6BB3626C0B34}
2011-12-16 16:06:36 -------- d-----w- C:\Users\Guil\AppData\Local\{416CAF56-2865-470B-B71C-77FF1FE45431}
2011-12-16 03:58:16 -------- d-----w- C:\Users\Guil\AppData\Local\{8CF45DB5-86DF-4852-92D3-56D4C6980C0D}
2011-12-16 03:57:15 -------- d-----w- C:\Users\Guil\AppData\Local\{8F1C2481-9F10-45FC-9C2C-1E00B5AD409D}
2011-12-15 15:56:48 -------- d-----w- C:\Users\Guil\AppData\Local\{E2B972AA-A831-4D7A-BCBB-F9ED728381DF}
2011-12-15 15:56:36 -------- d-----w- C:\Users\Guil\AppData\Local\{AF7845FD-05CC-40BB-A6C4-4B78DC40B2BD}
2011-12-15 03:35:58 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-15 03:35:50 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-15 03:35:50 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-15 03:35:44 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-15 03:35:44 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-15 02:49:00 -------- d-----w- C:\Users\Guil\AppData\Local\{779BD002-24C1-4695-8B57-0685EEB7D388}
2011-12-15 02:48:29 -------- d-----w- C:\Users\Guil\AppData\Local\{80C748A9-3AEE-4BBE-92B8-A3A150B62B1B}
2011-12-14 05:28:37 -------- d-----w- C:\Users\Guil\AppData\Local\{AC26C6E2-C7FA-4790-A033-F8996DE125D9}
2011-12-14 05:28:25 -------- d-----w- C:\Users\Guil\AppData\Local\{C67ED582-05C0-445C-9C99-08DCD83FDD21}
2011-12-13 17:27:55 -------- d-----w- C:\Users\Guil\AppData\Local\{60781A75-ECDD-4B08-9641-F1C02F7B7615}
2011-12-13 17:27:27 -------- d-----w- C:\Users\Guil\AppData\Local\{BEC7EEA6-BBE2-4A11-BE50-9FE07D503CE8}
2011-12-12 20:18:59 -------- d-----w- C:\Users\Guil\AppData\Local\{8CB35BFF-6324-4CA9-B85F-DC20FA664F7C}
2011-12-12 20:18:34 -------- d-----w- C:\Users\Guil\AppData\Local\{F119F42E-9FB0-4F89-BC44-1BF90E475039}
2011-12-11 23:47:15 -------- d-----w- C:\Users\Guil\AppData\Local\{CB80D50B-C779-4BFD-80A1-CF21D124B48C}
2011-12-11 23:46:35 -------- d-----w- C:\Users\Guil\AppData\Local\{06448F9D-9268-4F06-94A0-823969167BB8}
2011-12-11 04:36:07 -------- d-----w- C:\Users\Guil\AppData\Local\{23D166BB-6DA1-45C8-933D-229945DCA50B}
2011-12-11 04:35:41 -------- d-----w- C:\Users\Guil\AppData\Local\{9C98079B-822F-497A-A043-E96A51865FDB}
2011-12-10 16:35:14 -------- d-----w- C:\Users\Guil\AppData\Local\{D773C022-E0F2-46A7-BC15-D69C26C73A2B}
2011-12-10 16:34:42 -------- d-----w- C:\Users\Guil\AppData\Local\{7B3D9E2F-E552-4297-B2D6-43D729F507BF}
.
==================== Find3M ====================
.
2012-01-08 05:37:59 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-28 18:01:25 41184 ----a-w- C:\Windows\avastSS.scr
2011-11-28 17:54:06 591192 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-11-28 17:52:11 66904 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
============= FINISH: 0:40:27,76 ===============

Attached Files


Edited by Guil50, 09 January 2012 - 12:48 AM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 AM

Posted 10 January 2012 - 12:13 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Guil50

Guil50
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 10 January 2012 - 12:58 AM

Hi Gringo, and thanks for helping me.

I find myself unable to run combofix; when I run the .exe, I see the program installing (screen with green text on a black background), then a popup telling me not to run combofix in safe mode (which I am not), then nothing. No process is left running, which is the same problem I had with other tools I had tried before. I disabled my security software (Avast antivirus, Spybot, and Windows firewall), and tried rebooting.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 AM

Posted 10 January 2012 - 09:20 AM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Guil50

Guil50
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 10 January 2012 - 04:15 PM

Hi,

I was able to run TDSSkiller (which surprised me, since I had tried this before and had the same problem as with combofix, where the process would start but then close on its own). The scan detected one rootkit, I selected Cure and rebooted, and now the redirects appear to have stopped. I suspect that not everything is removed though, as all my Desktop icons are Hidden, and I can't see anything in my Start menu or Windows taskbar either (this problem first appeared today when I booted my computer for the first time).

TDSSkiller log is as follows.

16:02:07.0653 4192 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
16:02:07.0933 4192 ============================================================
16:02:07.0933 4192 Current date / time: 2012/01/10 16:02:07.0933
16:02:07.0933 4192 SystemInfo:
16:02:07.0933 4192
16:02:07.0933 4192 OS Version: 6.1.7601 ServicePack: 1.0
16:02:07.0933 4192 Product type: Workstation
16:02:07.0933 4192 ComputerName: GATEWAY-DE-GUIL
16:02:07.0933 4192 UserName: Guil
16:02:07.0933 4192 Windows directory: C:\Windows
16:02:07.0933 4192 System windows directory: C:\Windows
16:02:07.0933 4192 Running under WOW64
16:02:07.0933 4192 Processor architecture: Intel x64
16:02:07.0933 4192 Number of processors: 4
16:02:07.0933 4192 Page size: 0x1000
16:02:07.0933 4192 Boot type: Normal boot
16:02:07.0933 4192 ============================================================
16:02:08.0245 4192 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000, SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000040
16:02:08.0323 4192 Initialize success
16:02:20.0460 4652 ============================================================
16:02:20.0460 4652 Scan started
16:02:20.0460 4652 Mode: Manual;
16:02:20.0460 4652 ============================================================
16:02:21.0895 4652 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
16:02:21.0927 4652 1394ohci - ok
16:02:22.0129 4652 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
16:02:22.0129 4652 ACPI - ok
16:02:22.0161 4652 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
16:02:22.0176 4652 AcpiPmi - ok
16:02:22.0223 4652 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
16:02:22.0223 4652 adp94xx - ok
16:02:22.0239 4652 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
16:02:22.0254 4652 adpahci - ok
16:02:22.0254 4652 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
16:02:22.0254 4652 adpu320 - ok
16:02:22.0332 4652 AFD (d5b031c308a409a0a576bff4cf083d30) C:\Windows\system32\drivers\afd.sys
16:02:22.0348 4652 AFD - ok
16:02:22.0379 4652 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
16:02:22.0379 4652 agp440 - ok
16:02:22.0395 4652 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
16:02:22.0395 4652 aliide - ok
16:02:22.0410 4652 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
16:02:22.0410 4652 amdide - ok
16:02:22.0441 4652 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
16:02:22.0441 4652 AmdK8 - ok
16:02:22.0441 4652 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
16:02:22.0441 4652 AmdPPM - ok
16:02:22.0473 4652 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
16:02:22.0473 4652 amdsata - ok
16:02:22.0488 4652 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
16:02:22.0488 4652 amdsbs - ok
16:02:22.0504 4652 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
16:02:22.0504 4652 amdxata - ok
16:02:22.0551 4652 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
16:02:22.0551 4652 AppID - ok
16:02:22.0566 4652 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
16:02:22.0566 4652 arc - ok
16:02:22.0566 4652 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
16:02:22.0566 4652 arcsas - ok
16:02:22.0644 4652 aswFsBlk (ce6d8bcc4787704ea4feeb92b0d0caf8) C:\Windows\system32\drivers\aswFsBlk.sys
16:02:22.0660 4652 aswFsBlk - ok
16:02:22.0675 4652 aswMonFlt (0debeb2e3fbd0bf5343125cce617f105) C:\Windows\system32\drivers\aswMonFlt.sys
16:02:22.0675 4652 aswMonFlt - ok
16:02:22.0707 4652 aswRdr (952edc2e81f85d1781958d4128bf59f8) C:\Windows\system32\drivers\aswRdr.sys
16:02:22.0707 4652 aswRdr - ok
16:02:22.0769 4652 aswSnx (dd383e2ac941c545a85ab72503da6c12) C:\Windows\system32\drivers\aswSnx.sys
16:02:22.0769 4652 aswSnx - ok
16:02:22.0816 4652 aswSP (ef5403fb8b2dcb791ec365fdf6040a4a) C:\Windows\system32\drivers\aswSP.sys
16:02:22.0816 4652 aswSP - ok
16:02:22.0847 4652 aswTdi (34165da5c6b30c0f9d61246bf8a28040) C:\Windows\system32\drivers\aswTdi.sys
16:02:22.0847 4652 aswTdi - ok
16:02:22.0894 4652 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
16:02:22.0894 4652 AsyncMac - ok
16:02:22.0925 4652 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
16:02:22.0925 4652 atapi - ok
16:02:22.0956 4652 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
16:02:22.0956 4652 b06bdrv - ok
16:02:22.0972 4652 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
16:02:22.0972 4652 b57nd60a - ok
16:02:23.0019 4652 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
16:02:23.0019 4652 Beep - ok
16:02:23.0034 4652 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
16:02:23.0034 4652 blbdrive - ok
16:02:23.0081 4652 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
16:02:23.0081 4652 bowser - ok
16:02:23.0081 4652 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
16:02:23.0081 4652 BrFiltLo - ok
16:02:23.0097 4652 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
16:02:23.0097 4652 BrFiltUp - ok
16:02:23.0128 4652 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
16:02:23.0128 4652 Brserid - ok
16:02:23.0128 4652 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
16:02:23.0128 4652 BrSerWdm - ok
16:02:23.0143 4652 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
16:02:23.0143 4652 BrUsbMdm - ok
16:02:23.0143 4652 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
16:02:23.0143 4652 BrUsbSer - ok
16:02:23.0159 4652 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
16:02:23.0159 4652 BTHMODEM - ok
16:02:23.0190 4652 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
16:02:23.0190 4652 cdfs - ok
16:02:23.0206 4652 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
16:02:23.0206 4652 cdrom - ok
16:02:23.0221 4652 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
16:02:23.0221 4652 circlass - ok
16:02:23.0268 4652 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
16:02:23.0268 4652 CLFS - ok
16:02:23.0299 4652 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
16:02:23.0299 4652 CmBatt - ok
16:02:23.0315 4652 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
16:02:23.0315 4652 cmdide - ok
16:02:23.0362 4652 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
16:02:23.0362 4652 CNG - ok
16:02:23.0377 4652 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
16:02:23.0377 4652 Compbatt - ok
16:02:23.0409 4652 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
16:02:23.0409 4652 CompositeBus - ok
16:02:23.0424 4652 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
16:02:23.0424 4652 crcdisk - ok
16:02:23.0471 4652 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
16:02:23.0471 4652 DfsC - ok
16:02:23.0487 4652 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
16:02:23.0487 4652 discache - ok
16:02:23.0502 4652 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
16:02:23.0502 4652 Disk - ok
16:02:23.0518 4652 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
16:02:23.0518 4652 drmkaud - ok
16:02:23.0549 4652 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
16:02:23.0549 4652 DXGKrnl - ok
16:02:23.0596 4652 e1cexpress (6bafd9819d9fec2edbaebc8493c711a4) C:\Windows\system32\DRIVERS\e1c62x64.sys
16:02:23.0611 4652 e1cexpress - ok
16:02:23.0674 4652 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
16:02:23.0721 4652 ebdrv - ok
16:02:23.0767 4652 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
16:02:23.0767 4652 elxstor - ok
16:02:23.0892 4652 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
16:02:23.0908 4652 ErrDev - ok
16:02:23.0923 4652 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
16:02:23.0939 4652 exfat - ok
16:02:23.0986 4652 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
16:02:23.0986 4652 fastfat - ok
16:02:24.0001 4652 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
16:02:24.0001 4652 fdc - ok
16:02:24.0017 4652 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
16:02:24.0017 4652 FileInfo - ok
16:02:24.0048 4652 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
16:02:24.0048 4652 Filetrace - ok
16:02:24.0048 4652 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
16:02:24.0048 4652 flpydisk - ok
16:02:24.0095 4652 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
16:02:24.0095 4652 FltMgr - ok
16:02:24.0134 4652 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
16:02:24.0135 4652 FsDepends - ok
16:02:24.0146 4652 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
16:02:24.0146 4652 Fs_Rec - ok
16:02:24.0176 4652 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
16:02:24.0186 4652 fvevol - ok
16:02:24.0206 4652 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
16:02:24.0206 4652 gagp30kx - ok
16:02:24.0226 4652 GEARAspiWDM - ok
16:02:24.0246 4652 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
16:02:24.0256 4652 hcw85cir - ok
16:02:24.0296 4652 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
16:02:24.0296 4652 HdAudAddService - ok
16:02:24.0326 4652 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
16:02:24.0326 4652 HDAudBus - ok
16:02:24.0336 4652 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
16:02:24.0336 4652 HidBatt - ok
16:02:24.0346 4652 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
16:02:24.0346 4652 HidBth - ok
16:02:24.0356 4652 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
16:02:24.0356 4652 HidIr - ok
16:02:24.0386 4652 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
16:02:24.0396 4652 HidUsb - ok
16:02:24.0416 4652 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
16:02:24.0426 4652 HpSAMD - ok
16:02:24.0456 4652 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
16:02:24.0466 4652 HTTP - ok
16:02:24.0486 4652 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
16:02:24.0486 4652 hwpolicy - ok
16:02:24.0516 4652 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
16:02:24.0516 4652 i8042prt - ok
16:02:24.0546 4652 iaStor (f7ce9be72edac499b713eca6dae5d26f) C:\Windows\system32\DRIVERS\iaStor.sys
16:02:24.0546 4652 iaStor - ok
16:02:24.0586 4652 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
16:02:24.0596 4652 iaStorV - ok
16:02:24.0636 4652 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
16:02:24.0636 4652 iirsp - ok
16:02:24.0716 4652 IntcAzAudAddService (491dadcc74327fabc85e0ab80af8f204) C:\Windows\system32\drivers\RTKVHD64.sys
16:02:24.0766 4652 IntcAzAudAddService - ok
16:02:24.0786 4652 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
16:02:24.0786 4652 intelide - ok
16:02:24.0806 4652 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
16:02:24.0806 4652 intelppm - ok
16:02:24.0826 4652 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
16:02:24.0826 4652 IpFilterDriver - ok
16:02:24.0846 4652 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
16:02:24.0846 4652 IPMIDRV - ok
16:02:24.0856 4652 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
16:02:24.0856 4652 IPNAT - ok
16:02:24.0886 4652 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
16:02:24.0886 4652 IRENUM - ok
16:02:24.0906 4652 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
16:02:24.0906 4652 isapnp - ok
16:02:24.0926 4652 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
16:02:24.0936 4652 iScsiPrt - ok
16:02:24.0946 4652 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
16:02:24.0946 4652 kbdclass - ok
16:02:24.0966 4652 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
16:02:24.0966 4652 kbdhid - ok
16:02:24.0986 4652 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
16:02:24.0986 4652 KSecDD - ok
16:02:24.0996 4652 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
16:02:25.0006 4652 KSecPkg - ok
16:02:25.0026 4652 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
16:02:25.0026 4652 ksthunk - ok
16:02:25.0036 4652 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
16:02:25.0046 4652 lltdio - ok
16:02:25.0076 4652 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
16:02:25.0076 4652 LSI_FC - ok
16:02:25.0086 4652 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
16:02:25.0086 4652 LSI_SAS - ok
16:02:25.0096 4652 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
16:02:25.0096 4652 LSI_SAS2 - ok
16:02:25.0106 4652 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
16:02:25.0106 4652 LSI_SCSI - ok
16:02:25.0166 4652 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
16:02:25.0166 4652 luafv - ok
16:02:25.0216 4652 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
16:02:25.0216 4652 megasas - ok
16:02:25.0226 4652 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
16:02:25.0226 4652 MegaSR - ok
16:02:25.0246 4652 MEIx64 (a6518dcc42f7a6e999bb3bea8fd87567) C:\Windows\system32\DRIVERS\HECIx64.sys
16:02:25.0246 4652 MEIx64 - ok
16:02:25.0266 4652 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
16:02:25.0266 4652 Modem - ok
16:02:25.0286 4652 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
16:02:25.0286 4652 monitor - ok
16:02:25.0306 4652 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
16:02:25.0306 4652 mouclass - ok
16:02:25.0316 4652 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
16:02:25.0316 4652 mouhid - ok
16:02:25.0336 4652 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
16:02:25.0336 4652 mountmgr - ok
16:02:25.0366 4652 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
16:02:25.0366 4652 mpio - ok
16:02:25.0496 4652 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
16:02:25.0506 4652 mpsdrv - ok
16:02:25.0526 4652 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
16:02:25.0536 4652 MRxDAV - ok
16:02:25.0583 4652 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
16:02:25.0583 4652 mrxsmb - ok
16:02:25.0630 4652 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
16:02:25.0645 4652 mrxsmb10 - ok
16:02:25.0661 4652 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
16:02:25.0661 4652 mrxsmb20 - ok
16:02:25.0677 4652 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
16:02:25.0677 4652 msahci - ok
16:02:25.0708 4652 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
16:02:25.0708 4652 msdsm - ok
16:02:25.0739 4652 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
16:02:25.0739 4652 Msfs - ok
16:02:25.0755 4652 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
16:02:25.0755 4652 mshidkmdf - ok
16:02:25.0770 4652 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
16:02:25.0770 4652 msisadrv - ok
16:02:25.0786 4652 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
16:02:25.0786 4652 MSKSSRV - ok
16:02:25.0801 4652 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
16:02:25.0801 4652 MSPCLOCK - ok
16:02:25.0801 4652 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
16:02:25.0801 4652 MSPQM - ok
16:02:25.0864 4652 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
16:02:25.0879 4652 MsRPC - ok
16:02:25.0895 4652 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
16:02:25.0895 4652 mssmbios - ok
16:02:25.0895 4652 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
16:02:25.0895 4652 MSTEE - ok
16:02:25.0911 4652 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
16:02:25.0911 4652 MTConfig - ok
16:02:25.0942 4652 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
16:02:25.0942 4652 Mup - ok
16:02:25.0957 4652 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
16:02:25.0973 4652 NativeWifiP - ok
16:02:26.0035 4652 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
16:02:26.0067 4652 NDIS - ok
16:02:26.0082 4652 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
16:02:26.0082 4652 NdisCap - ok
16:02:26.0098 4652 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
16:02:26.0098 4652 NdisTapi - ok
16:02:26.0113 4652 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
16:02:26.0129 4652 Ndisuio - ok
16:02:26.0160 4652 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
16:02:26.0160 4652 NdisWan - ok
16:02:26.0176 4652 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
16:02:26.0176 4652 NDProxy - ok
16:02:26.0207 4652 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
16:02:26.0207 4652 NetBIOS - ok
16:02:26.0254 4652 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
16:02:26.0254 4652 NetBT - ok
16:02:26.0316 4652 netr28x (af5f224a600f50b7d2b77f4ae59c1abe) C:\Windows\system32\DRIVERS\netr28x.sys
16:02:26.0332 4652 netr28x - ok
16:02:26.0379 4652 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
16:02:26.0379 4652 nfrd960 - ok
16:02:26.0410 4652 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
16:02:26.0410 4652 Npfs - ok
16:02:26.0425 4652 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
16:02:26.0425 4652 nsiproxy - ok
16:02:26.0472 4652 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
16:02:26.0503 4652 Ntfs - ok
16:02:26.0535 4652 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
16:02:26.0535 4652 Null - ok
16:02:26.0535 4652 NVHDA - ok
16:02:26.0784 4652 nvlddmkm (fa54c3710a7dade01eb5e816795a5970) C:\Windows\system32\DRIVERS\nvlddmkm.sys
16:02:26.0987 4652 nvlddmkm - ok
16:02:27.0018 4652 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
16:02:27.0018 4652 nvraid - ok
16:02:27.0034 4652 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
16:02:27.0034 4652 nvstor - ok
16:02:27.0065 4652 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
16:02:27.0065 4652 nv_agp - ok
16:02:27.0096 4652 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
16:02:27.0096 4652 ohci1394 - ok
16:02:27.0143 4652 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
16:02:27.0143 4652 Parport - ok
16:02:27.0190 4652 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
16:02:27.0190 4652 partmgr - ok
16:02:27.0205 4652 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
16:02:27.0221 4652 pci - ok
16:02:27.0237 4652 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
16:02:27.0237 4652 pciide - ok
16:02:27.0252 4652 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
16:02:27.0252 4652 pcmcia - ok
16:02:27.0268 4652 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
16:02:27.0283 4652 pcw - ok
16:02:27.0315 4652 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
16:02:27.0315 4652 PEAUTH - ok
16:02:27.0377 4652 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
16:02:27.0377 4652 PptpMiniport - ok
16:02:27.0393 4652 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
16:02:27.0393 4652 Processor - ok
16:02:27.0424 4652 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
16:02:27.0424 4652 Psched - ok
16:02:27.0455 4652 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
16:02:27.0486 4652 ql2300 - ok
16:02:27.0486 4652 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
16:02:27.0486 4652 ql40xx - ok
16:02:27.0517 4652 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
16:02:27.0517 4652 QWAVEdrv - ok
16:02:27.0517 4652 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
16:02:27.0517 4652 RasAcd - ok
16:02:27.0564 4652 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
16:02:27.0564 4652 RasAgileVpn - ok
16:02:27.0611 4652 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
16:02:27.0611 4652 Rasl2tp - ok
16:02:27.0627 4652 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
16:02:27.0627 4652 RasPppoe - ok
16:02:27.0658 4652 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
16:02:27.0658 4652 RasSstp - ok
16:02:27.0720 4652 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
16:02:27.0720 4652 rdbss - ok
16:02:27.0751 4652 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
16:02:27.0751 4652 rdpbus - ok
16:02:27.0783 4652 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
16:02:27.0783 4652 RDPCDD - ok
16:02:27.0798 4652 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
16:02:27.0798 4652 RDPENCDD - ok
16:02:27.0814 4652 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
16:02:27.0814 4652 RDPREFMP - ok
16:02:27.0845 4652 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
16:02:27.0845 4652 RDPWD - ok
16:02:27.0892 4652 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
16:02:27.0892 4652 rdyboost - ok
16:02:27.0923 4652 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
16:02:27.0923 4652 rspndr - ok
16:02:27.0954 4652 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
16:02:27.0970 4652 sbp2port - ok
16:02:28.0017 4652 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
16:02:28.0017 4652 scfilter - ok
16:02:28.0048 4652 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
16:02:28.0048 4652 secdrv - ok
16:02:28.0079 4652 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
16:02:28.0079 4652 Serenum - ok
16:02:28.0079 4652 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
16:02:28.0079 4652 Serial - ok
16:02:28.0095 4652 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
16:02:28.0095 4652 sermouse - ok
16:02:28.0141 4652 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
16:02:28.0141 4652 sffdisk - ok
16:02:28.0157 4652 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
16:02:28.0157 4652 sffp_mmc - ok
16:02:28.0173 4652 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
16:02:28.0173 4652 sffp_sd - ok
16:02:28.0188 4652 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
16:02:28.0188 4652 sfloppy - ok
16:02:28.0219 4652 Sftfs (a40abfdcb75f835fdf3ce0cc64e4250d) C:\Windows\system32\DRIVERS\Sftfslh.sys
16:02:28.0235 4652 Sftfs - ok
16:02:28.0266 4652 Sftplay (411769ed1cb12d2b44217734347bdb7a) C:\Windows\system32\DRIVERS\Sftplaylh.sys
16:02:28.0282 4652 Sftplay - ok
16:02:28.0297 4652 Sftredir (a14d0df34bbb00ea94da16193d0c7957) C:\Windows\system32\DRIVERS\Sftredirlh.sys
16:02:28.0297 4652 Sftredir - ok
16:02:28.0329 4652 Sftvol (393b22addd89979eb1c60898f51c3648) C:\Windows\system32\DRIVERS\Sftvollh.sys
16:02:28.0329 4652 Sftvol - ok
16:02:28.0344 4652 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
16:02:28.0344 4652 SiSRaid2 - ok
16:02:28.0360 4652 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
16:02:28.0360 4652 SiSRaid4 - ok
16:02:28.0375 4652 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
16:02:28.0375 4652 Smb - ok
16:02:28.0391 4652 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
16:02:28.0391 4652 spldr - ok
16:02:28.0469 4652 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
16:02:28.0469 4652 srv - ok
16:02:28.0500 4652 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
16:02:28.0500 4652 srv2 - ok
16:02:28.0547 4652 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
16:02:28.0547 4652 srvnet - ok
16:02:28.0578 4652 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
16:02:28.0578 4652 stexstor - ok
16:02:28.0594 4652 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
16:02:28.0594 4652 swenum - ok
16:02:28.0672 4652 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
16:02:28.0703 4652 Tcpip - ok
16:02:28.0750 4652 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
16:02:28.0765 4652 TCPIP6 - ok
16:02:28.0781 4652 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
16:02:28.0781 4652 tcpipreg - ok
16:02:28.0812 4652 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
16:02:28.0812 4652 TDPIPE - ok
16:02:28.0812 4652 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
16:02:28.0828 4652 TDTCP - ok
16:02:28.0843 4652 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
16:02:28.0843 4652 tdx - ok
16:02:28.0859 4652 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
16:02:28.0859 4652 TermDD - ok
16:02:28.0890 4652 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
16:02:28.0890 4652 tssecsrv - ok
16:02:28.0953 4652 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
16:02:28.0953 4652 TsUsbFlt - ok
16:02:28.0984 4652 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
16:02:28.0984 4652 tunnel - ok
16:02:28.0999 4652 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
16:02:28.0999 4652 uagp35 - ok
16:02:29.0031 4652 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
16:02:29.0046 4652 udfs - ok
16:02:29.0077 4652 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
16:02:29.0077 4652 uliagpkx - ok
16:02:29.0093 4652 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
16:02:29.0093 4652 umbus - ok
16:02:29.0109 4652 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
16:02:29.0109 4652 UmPass - ok
16:02:29.0124 4652 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
16:02:29.0124 4652 usbccgp - ok
16:02:29.0155 4652 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
16:02:29.0155 4652 usbcir - ok
16:02:29.0171 4652 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\drivers\usbehci.sys
16:02:29.0171 4652 usbehci - ok
16:02:29.0202 4652 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
16:02:29.0202 4652 usbhub - ok
16:02:29.0218 4652 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
16:02:29.0218 4652 usbohci - ok
16:02:29.0233 4652 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
16:02:29.0233 4652 usbprint - ok
16:02:29.0249 4652 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:02:29.0249 4652 USBSTOR - ok
16:02:29.0280 4652 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
16:02:29.0280 4652 usbuhci - ok
16:02:29.0296 4652 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
16:02:29.0296 4652 vdrvroot - ok
16:02:29.0311 4652 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
16:02:29.0311 4652 vga - ok
16:02:29.0327 4652 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
16:02:29.0327 4652 VgaSave - ok
16:02:29.0343 4652 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
16:02:29.0358 4652 vhdmp - ok
16:02:29.0358 4652 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
16:02:29.0358 4652 viaide - ok
16:02:29.0389 4652 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
16:02:29.0389 4652 volmgr - ok
16:02:29.0436 4652 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
16:02:29.0436 4652 volmgrx - ok
16:02:29.0467 4652 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
16:02:29.0467 4652 volsnap - ok
16:02:29.0499 4652 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
16:02:29.0499 4652 vsmraid - ok
16:02:29.0514 4652 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
16:02:29.0514 4652 vwifibus - ok
16:02:29.0530 4652 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
16:02:29.0530 4652 vwififlt - ok
16:02:29.0545 4652 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
16:02:29.0561 4652 WacomPen - ok
16:02:29.0577 4652 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
16:02:29.0577 4652 WANARP - ok
16:02:29.0577 4652 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
16:02:29.0577 4652 Wanarpv6 - ok
16:02:29.0592 4652 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
16:02:29.0592 4652 Wd - ok
16:02:29.0623 4652 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
16:02:29.0623 4652 Wdf01000 - ok
16:02:29.0655 4652 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
16:02:29.0655 4652 WfpLwf - ok
16:02:29.0670 4652 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
16:02:29.0670 4652 WIMMount - ok
16:02:29.0717 4652 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
16:02:29.0717 4652 WmiAcpi - ok
16:02:29.0733 4652 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
16:02:29.0733 4652 ws2ifsl - ok
16:02:29.0779 4652 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
16:02:29.0779 4652 WudfPf - ok
16:02:29.0826 4652 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
16:02:29.0842 4652 WUDFRd - ok
16:02:29.0857 4652 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
16:02:29.0951 4652 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
16:02:29.0951 4652 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
16:02:29.0982 4652 Boot (0x1200) (b21b2b542c9efa19de5cac9b72f3f4bb) \Device\Harddisk0\DR0\Partition0
16:02:29.0982 4652 \Device\Harddisk0\DR0\Partition0 - ok
16:02:30.0013 4652 Boot (0x1200) (e101e74d0125e796eeb0b0e838312ced) \Device\Harddisk0\DR0\Partition1
16:02:30.0013 4652 \Device\Harddisk0\DR0\Partition1 - ok
16:02:30.0013 4652 ============================================================
16:02:30.0013 4652 Scan finished
16:02:30.0013 4652 ============================================================
16:02:30.0029 4892 Detected object count: 1
16:02:30.0029 4892 Actual detected object count: 1
16:02:38.0827 4892 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
16:02:38.0827 4892 \Device\Harddisk0\DR0 - ok
16:02:38.0827 4892 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
16:02:44.0599 4740 Deinitialize success

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 AM

Posted 10 January 2012 - 06:50 PM

Hello


Run this first - http://download.bleepingcomputer.com/grinler/unhide.exe


then try and run combofix again for me


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Guil50

Guil50
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 10 January 2012 - 07:01 PM

Hi,

Unhide made my desktop items visible, but I'm still missing my start menu and taskbar items (even after running it with security programs disabled).

Combofix will still not run (same problem as before); aswmbr can run now though, I can try this if you need me to.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 AM

Posted 10 January 2012 - 07:12 PM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Guil50

Guil50
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 11 January 2012 - 01:50 AM

You're good; running combofix in safe mode worked. My start menu items are back, my taskbar items aren't (although I can easily add them back if that's the only problem left). Log is as follows (my version of Windows is in French, so combofix ran in French as well).

ComboFix 12-01-09.07 - Guil 2012-01-11 1:36.1.4 - x64 MINIMAL
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.2.1036.18.6126.4770 [GMT -5:00]
Lancé depuis: c:\users\Guil\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Un nouveau point de restauration a été créé
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\bdEiobTK5jmLkc.exe
c:\programdata\SPL78D7.tmp
c:\programdata\SPLBBDF.tmp
c:\programdata\trzD789.tmp
c:\windows\system32\java.exe
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-12-11 au 2012-01-11 ))))))))))))))))))))))))))))))))))))
.
.
2012-01-08 02:53 . 2009-08-06 02:55 133632 ----a-w- C:\MbrFix64.exe
2012-01-06 10:37 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A8AD1D13-CAB3-401E-A165-064068604BF2}\mpengine.dll
2012-01-05 07:41 . 2012-01-05 07:41 -------- d-----w- c:\programdata\McAfee
2012-01-05 07:41 . 2012-01-05 07:41 -------- d-----w- c:\windows\system32\Macromed
2012-01-04 06:41 . 2012-01-04 06:41 -------- d-----w- c:\users\Guil\AppData\Roaming\Malwarebytes
2012-01-04 06:41 . 2012-01-08 01:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-04 06:41 . 2012-01-04 06:41 -------- d-----w- c:\programdata\Malwarebytes
2012-01-04 06:38 . 2012-01-04 06:38 6189952 ----a-w- C:\ARO2011_bt.exe
2012-01-04 06:35 . 2012-01-08 01:40 -------- d-----w- C:\MGtools
2011-12-31 04:46 . 2012-01-08 01:40 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-12-31 04:46 . 2012-01-08 01:40 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2011-12-31 04:03 . 2012-01-08 01:40 -------- d-----w- c:\programdata\PC Tools
2011-12-29 22:07 . 2011-09-06 20:36 76632 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-12-29 21:54 . 2011-12-29 21:54 -------- d-----w- c:\program files (x86)\NirSoft
2011-12-22 16:28 . 2010-09-03 21:18 1146984 ----a-w- c:\windows\system32\RTSnMg64.cpl
2011-12-22 16:28 . 2010-08-31 21:28 1251944 ----a-w- c:\windows\RtlExUpd.dll
2011-12-22 16:28 . 2006-02-07 20:44 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2011-12-18 03:09 . 2012-01-08 01:21 -------- d-----w- c:\program files (x86)\raidcall
2011-12-15 03:35 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 03:35 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 03:35 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-15 03:35 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 03:35 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-08 05:37 . 2011-06-04 06:39 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-04 06:36 . 2012-01-04 06:35 28638 ----a-w- C:\MGlogs.zip
2011-11-28 18:01 . 2011-05-31 16:55 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2011-05-31 16:55 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-11-28 18:01 . 2011-05-31 16:55 256960 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:54 . 2011-05-31 16:55 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2011-05-31 16:55 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2011-05-31 16:55 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2011-05-31 16:55 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2011-05-31 16:55 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-28 17:51 . 2011-05-31 16:55 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-08-06 235624]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdjamon"="c:\program files (x86)\Lexmark 1400 Series\lxdjamon.exe" [2009-04-27 25256]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-09-03 11464296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://gateway.msn.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://gateway.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Guil\AppData\Roaming\Mozilla\Firefox\Profiles\38riohlt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHELINS SUPPRIMES - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_USERS\S-1-5-21-2557333657-3286338570-306650650-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2557333657-3286338570-306650650-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Heure de fin: 2012-01-11 01:45:12 - La machine a redémarré
ComboFix-quarantined-files.txt 2012-01-11 06:45
.
Avant-CF: 800 085 704 704 octets libres
Après-CF: 800 064 225 280 octets libres
.
- - End Of File - - 84C3EFD7C4EC96FBC489097F33C3C57B

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 AM

Posted 11 January 2012 - 08:35 AM

Greetings

I want you to run this in normal mode (if it does not run in normal mode then do it in safe mode).

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Guil50

Guil50
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 11 January 2012 - 06:17 PM

Hello,

I had to run the script + combofix from safe mode again. Computer is still performing as it was yesterday (no redirects). Log is as follows.

ComboFix 12-01-09.07 - Guil 2012-01-11 18:01:30.2.4 - x64 MINIMAL
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.2.1036.18.6126.4830 [GMT -5:00]
Lancé depuis: c:\users\Guil\Desktop\ComboFix.exe
Commutateurs utilisés :: c:\users\Guil\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Un nouveau point de restauration a été créé
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-12-11 au 2012-01-11 ))))))))))))))))))))))))))))))))))))
.
.
2012-01-11 23:07 . 2012-01-11 23:07 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-01-11 23:07 . 2012-01-11 23:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-11 21:34 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 21:34 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 21:34 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 21:34 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 21:34 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 21:34 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 21:34 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 21:34 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-08 02:53 . 2009-08-06 02:55 133632 ----a-w- C:\MbrFix64.exe
2012-01-05 07:41 . 2012-01-05 07:41 -------- d-----w- c:\programdata\McAfee
2012-01-05 07:41 . 2012-01-05 07:41 -------- d-----w- c:\windows\system32\Macromed
2012-01-04 06:41 . 2012-01-04 06:41 -------- d-----w- c:\users\Guil\AppData\Roaming\Malwarebytes
2012-01-04 06:41 . 2012-01-08 01:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-04 06:41 . 2012-01-04 06:41 -------- d-----w- c:\programdata\Malwarebytes
2012-01-04 06:38 . 2012-01-04 06:38 6189952 ----a-w- C:\ARO2011_bt.exe
2012-01-04 06:35 . 2012-01-08 01:40 -------- d-----w- C:\MGtools
2011-12-31 04:46 . 2012-01-08 01:40 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-12-31 04:46 . 2012-01-08 01:40 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2011-12-31 04:03 . 2012-01-08 01:40 -------- d-----w- c:\programdata\PC Tools
2011-12-29 22:07 . 2011-09-06 20:36 76632 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-12-29 21:54 . 2011-12-29 21:54 -------- d-----w- c:\program files (x86)\NirSoft
2011-12-22 16:28 . 2010-09-03 21:18 1146984 ----a-w- c:\windows\system32\RTSnMg64.cpl
2011-12-22 16:28 . 2010-08-31 21:28 1251944 ----a-w- c:\windows\RtlExUpd.dll
2011-12-22 16:28 . 2006-02-07 20:44 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2011-12-18 03:09 . 2012-01-08 01:21 -------- d-----w- c:\program files (x86)\raidcall
2011-12-15 03:35 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 03:35 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 03:35 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-15 03:35 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 03:35 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-08 05:37 . 2011-06-04 06:39 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-04 06:36 . 2012-01-04 06:35 28638 ----a-w- C:\MGlogs.zip
2011-11-28 18:01 . 2011-05-31 16:55 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2011-05-31 16:55 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-11-28 18:01 . 2011-05-31 16:55 256960 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:54 . 2011-05-31 16:55 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2011-05-31 16:55 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2011-05-31 16:55 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2011-05-31 16:55 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2011-05-31 16:55 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-28 17:51 . 2011-05-31 16:55 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-21 11:40 . 2012-01-06 10:37 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A8AD1D13-CAB3-401E-A165-064068604BF2}\mpengine.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-11_06.41.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-11 22:59 . 2012-01-11 22:59 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-01-11 06:31 . 2012-01-11 06:31 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2012-01-11 06:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-11 22:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-11 22:58 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-11 06:31 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-11 22:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-11 06:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-06-02 15:16 . 2011-06-02 15:16 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2011-06-02 15:16 . 2012-01-11 22:56 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2010-11-01 10:48 . 2012-01-11 21:29 48578 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-11 21:29 30998 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-30 09:34 . 2012-01-11 21:29 12766 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2557333657-3286338570-306650650-1000_UserData.bin
- 2011-05-30 09:34 . 2012-01-11 06:22 12766 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2557333657-3286338570-306650650-1000_UserData.bin
+ 2011-03-08 13:52 . 2012-01-11 22:59 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-08 13:52 . 2012-01-10 23:51 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-11 22:59 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-10 23:51 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-30 09:51 . 2012-01-11 21:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-30 09:51 . 2012-01-11 06:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-30 09:51 . 2012-01-11 06:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-30 09:51 . 2012-01-11 21:27 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-30 09:51 . 2012-01-11 06:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-30 09:51 . 2012-01-11 21:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-30 09:23 . 2012-01-11 06:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-30 09:23 . 2012-01-11 22:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-30 09:23 . 2012-01-11 06:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-30 09:23 . 2012-01-11 22:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-11-10 20:33 . 2011-12-15 08:05 34144 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 34144 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\oisicon.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 42848 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\msouc.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 42848 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\msouc.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 19296 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 19296 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2012-01-11 22:54 . 2012-01-11 22:56 1900 c:\windows\SoftwareDistribution\PostRebootEventCache\{E7CAA1C8-CDFB-40CC-BFEA-B4A25F7FA42C}.bin
- 2012-01-11 06:41 . 2012-01-11 06:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-11 23:07 . 2012-01-11 23:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-11 06:41 . 2012-01-11 06:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-11 23:07 . 2012-01-11 23:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-11 21:34 . 2011-10-14 04:24 716800 c:\windows\SysWOW64\jscript.dll
- 2011-05-31 16:09 . 2011-02-18 05:41 716800 c:\windows\SysWOW64\jscript.dll
+ 2012-01-11 21:34 . 2011-10-14 05:31 918528 c:\windows\system32\jscript.dll
- 2009-07-14 05:12 . 2012-01-10 22:39 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-01-11 07:17 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:01 . 2012-01-11 22:56 442756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-01-11 06:30 442756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-11-10 20:33 . 2011-12-15 08:05 415584 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pubs.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 415584 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pubs.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 303456 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 303456 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 571232 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\misc.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 571232 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\misc.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 326496 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\joticon.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 326496 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
- 2011-06-01 17:24 . 2010-11-20 13:27 465920 c:\windows\ehome\mstvcapn.dll
+ 2012-01-11 21:34 . 2011-10-29 05:23 465920 c:\windows\ehome\mstvcapn.dll
+ 2011-12-12 21:13 . 2011-12-12 21:13 3461120 c:\windows\Installer\516925.msp
+ 2011-11-10 20:33 . 2012-01-11 22:56 1479520 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 1479520 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 1858400 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 1858400 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 4525408 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\promoicon.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 4525408 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\promoicon.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 3792736 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pptico.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 3792736 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pptico.exe
- 2011-11-10 20:33 . 2011-12-15 08:05 1449312 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\accicons.exe
+ 2011-11-10 20:33 . 2012-01-11 22:56 1449312 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\accicons.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-11-08 01:44 . 2012-01-11 22:56 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2011-11-08 01:44 . 2011-12-15 08:05 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2009-07-14 02:34 . 2011-12-15 09:26 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-01-11 22:57 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-06-15 18:24 . 2012-01-11 22:54 54008112 c:\windows\system32\MRT.exe
+ 2011-05-30 17:02 . 2012-01-11 22:56 32742594 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2557333657-3286338570-306650650-1000-12288.dat
- 2011-05-30 17:02 . 2012-01-11 06:30 32742594 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2557333657-3286338570-306650650-1000-12288.dat
.
-- Instantané actualisé --
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-08-06 235624]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdjamon"="c:\program files (x86)\Lexmark 1400 Series\lxdjamon.exe" [2009-04-27 25256]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-09-03 11464296]
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://gateway.msn.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://gateway.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Guil\AppData\Roaming\Mozilla\Firefox\Profiles\38riohlt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHELINS SUPPRIMES - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_USERS\S-1-5-21-2557333657-3286338570-306650650-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2557333657-3286338570-306650650-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Heure de fin: 2012-01-11 18:12:25 - La machine a redémarré
ComboFix-quarantined-files.txt 2012-01-11 23:12
ComboFix2.txt 2012-01-11 06:45
.
Avant-CF: 803 242 500 096 octets libres
Après-CF: 802 748 403 712 octets libres
.
- - End Of File - - 9184193E0C8A76CBE1DE146A5A29E3B1

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 AM

Posted 11 January 2012 - 08:31 PM

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Advertising Center

and click on remove



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Guil50

Guil50
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 12 January 2012 - 04:27 AM

Hello Gringo,

Completed these steps without any problems; computer performance is stable. Here are the logs.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Version de la base de données: v2012.01.12.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Guil :: GATEWAY-DE-GUIL [administrateur]

2012-01-12 04:22:36
mbam-log-2012-01-12 (04-22-36).txt

Type d'examen: Examen rapide
Options d'examen activées: Mémoire | Démarrage | Registre | Système de fichiers | Heuristique/Extra | Heuristique/Shuriken | PUP | PUM
Options d'examen désactivées: P2P
Elément(s) analysé(s): 183683
Temps écoulé: 2 minute(s), 44 seconde(s)

Processus mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Module(s) mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Clé(s) du Registre détectée(s): 0
(Aucun élément nuisible détecté)

Valeur(s) du Registre détectée(s): 0
(Aucun élément nuisible détecté)

Elément(s) de données du Registre détecté(s): 0
(Aucun élément nuisible détecté)

Dossier(s) détecté(s): 0
(Aucun élément nuisible détecté)

Fichier(s) détecté(s): 0
(Aucun élément nuisible détecté)

(fin)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 04:26:06, on 2012-01-12
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Guil\Downloads\HijackThis(1).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Notes &liées OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: Notes &liées OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} (Java Plug-in 1.6.0_27) -
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\aelupsvc.dll,-1 (AeLookupSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\appidsvc.dll,-100 (AppIDSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\appinfo.dll,-100 (Appinfo) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\audiosrv.dll,-204 (AudioEndpointBuilder) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\audiosrv.dll,-200 (AudioSrv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\AxInstSV.dll,-103 (AxInstSV) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\bdesvc.dll,-100 (BDESVC) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\bfe.dll,-1001 (BFE) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\qmgr.dll,-1000 (BITS) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\browser.dll,-100 (Browser) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\bthserv.dll,-101 (bthserv) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\certprop.dll,-11 (CertPropSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\cryptsvc.dll,-1001 (CryptSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @oleres.dll,-5012 (DcomLaunch) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\defragsvc.dll,-101 (defragsvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\dhcpcore.dll,-100 (Dhcp) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\dnsapi.dll,-101 (Dnscache) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\dot3svc.dll,-1102 (dot3svc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\dps.dll,-500 (DPS) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\eapsvc.dll,-1 (EapHost) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\ehome\ehrecvr.exe,-101 (ehRecvr) - Unknown owner - C:\Windows\ehome\ehRecvr.exe
O23 - Service: @%SystemRoot%\ehome\ehsched.exe,-101 (ehSched) - Unknown owner - C:\Windows\ehome\ehsched.exe
O23 - Service: @%SystemRoot%\system32\wevtsvc.dll,-200 (eventlog) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @comres.dll,-2450 (EventSystem) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\fdPHost.dll,-100 (fdPHost) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\fdrespub.dll,-100 (FDResPub) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\FntCache.dll,-100 (FontCache) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\hidserv.dll,-101 (hidserv) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\kmsvc.dll,-6 (hkmsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\ListSvc.dll,-100 (HomeGroupListener) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\provsvc.dll,-100 (HomeGroupProvider) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @%SystemRoot%\system32\ikeext.dll,-501 (IKEEXT) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\IPBusEnum.dll,-102 (IPBusEnum) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\iphlpsvc.dll,-500 (iphlpsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: Service de l’iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2946 (KtmRm) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\srvsvc.dll,-100 (LanmanServer) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\wkssvc.dll,-100 (LanmanWorkstation) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\lltdres.dll,-1 (lltdsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\lmhsvc.dll,-101 (lmhosts) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: lxdj_device - - C:\Windows\system32\lxdjcoms.exe
O23 - Service: @%systemroot%\system32\mmcss.dll,-100 (MMCSS) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\FirewallAPI.dll,-23090 (MpsSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\iscsidsc.dll,-5000 (MSiSCSI) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\msimsg.dll,-27 (msiserver) - Unknown owner - C:\Windows\system32\msiexec.exe
O23 - Service: @%SystemRoot%\system32\qagentrt.dll,-6 (napagent) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\netman.dll,-109 (Netman) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\netprofm.dll,-202 (netprofm) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\nlasvc.dll,-1 (NlaSvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\nsisvc.dll,-200 (nsi) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\pnrpsvc.dll,-8004 (p2pimsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\p2psvc.dll,-8006 (p2psvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\pcasvc.dll,-1 (PcaSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\sysWow64\perfhost.exe,-2 (PerfHost) - Unknown owner - C:\Windows\SysWow64\perfhost.exe
O23 - Service: @%systemroot%\system32\pla.dll,-500 (pla) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\umpnpmgr.dll,-100 (PlugPlay) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\pnrpauto.dll,-8002 (PNRPAutoReg) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\pnrpsvc.dll,-8000 (PNRPsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\polstore.dll,-5010 (PolicyAgent) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\umpo.dll,-100 (Power) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\profsvc.dll,-300 (ProfSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\rasauto.dll,-200 (RasAuto) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%Systemroot%\system32\rasmans.dll,-200 (RasMan) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @regsvc.dll,-1 (RemoteRegistry) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%windir%\system32\RpcEpMap.dll,-1001 (RpcEptMapper) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @oleres.dll,-5010 (RpcSs) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\System32\SCardSvr.dll,-1 (SCardSvr) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\schedsvc.dll,-100 (Schedule) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\certprop.dll,-13 (SCPolicySvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\sdrsvc.dll,-107 (SDRSVC) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\Sens.dll,-200 (SENS) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\sensrsvc.dll,-1000 (SensrSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\SessEnv.dll,-1026 (SessionEnv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\ipnathlp.dll,-106 (SharedAccess) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\shsvcs.dll,-12288 (ShellHWDetection) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppuinotify.dll,-103 (sppuinotify) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\ssdpsrv.dll,-100 (SSDPSRV) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\sstpsvc.dll,-200 (SstpSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\wiaservc.dll,-9 (stisvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\swprv.dll,-103 (swprv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\sysmain.dll,-1000 (SysMain) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\TabSvc.dll,-100 (TabletInputService) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\tapisrv.dll,-10100 (TapiSrv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\tbssvc.dll,-100 (TBS) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\termsrv.dll,-268 (TermService) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\themeservice.dll,-8192 (Themes) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\mmcss.dll,-102 (THREADORDER) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\trkwks.dll,-1 (TrkWks) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\servicing\TrustedInstaller.exe,-100 (TrustedInstaller) - Unknown owner - C:\Windows\servicing\TrustedInstaller.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%systemroot%\system32\upnphost.dll,-213 (upnphost) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\dwm.exe,-2000 (UxSms) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\w32time.dll,-200 (W32Time) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%systemroot%\system32\wbiosrvc.dll,-100 (WbioSrvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wcncsvc.dll,-3 (wcncsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\WcsPlugInService.dll,-200 (WcsPlugInService) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\wdi.dll,-502 (WdiServiceHost) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\wdi.dll,-500 (WdiSystemHost) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\webclnt.dll,-100 (WebClient) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wecsvc.dll,-200 (Wecsvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\wercplsupport.dll,-101 (wercplsupport) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\wersvc.dll,-100 (WerSvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\winhttp.dll,-100 (WinHttpAutoProxySvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\wbem\wmisvc.dll,-205 (Winmgmt) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\wsmsvc.dll,-101 (WinRM) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\wlansvc.dll,-257 (Wlansvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: @%SystemRoot%\system32\wpcsvc.dll,-100 (WPCSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wpdbusenum.dll,-100 (WPDBusEnum) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: wscsvc - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\SearchIndexer.exe,-103 (WSearch) - Unknown owner - C:\Windows\system32\SearchIndexer.exe
O23 - Service: @%systemroot%\system32\wuaueng.dll,-105 (wuauserv) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wudfsvc.dll,-1000 (wudfsvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\wwansvc.dll,-257 (WwanSvc) - Unknown owner - C:\Windows\system32\svchost.exe

--
End of file - 22451 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 AM

Posted 12 January 2012 - 06:00 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Guil50

Guil50
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 12 January 2012 - 10:23 PM

Hi,

Here is the log from ESET.

C:\MGtools\Process.exe Win32/PrcView application
C:\Qoobox\Quarantine\C\ProgramData\bdEiobTK5jmLkc.exe.vir a variant of Win32/Kryptik.YRE trojan
C:\Qoobox\Quarantine\C\ProgramData\trzD789.tmp.vir a variant of Win32/Kryptik.YRE trojan
C:\System Volume Information\SystemRestore\FRStaging\Users\Guil\AppData\Local\Temp\ICReinstall\cnet_jre-6u27-windows-x64_exe.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\SystemRestore\FRStaging\Users\Guil\AppData\Local\Temp\is1598539481\MyBabylonTB.exe Win32/Toolbar.Babylon application
C:\System Volume Information\SystemRestore\FRStaging\Users\Guil\AppData\Local\Temp\Rar$EX94.776\Craagle.4.0.FINAL\Craagle 4.0.exe Win32/Adware.Craagle application
C:\Users\Guil\Downloads\cnet_jre-6u27-windows-x64_exe.exe a variant of Win32/InstallCore.D application




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users