Unknown virus/worm


This topic is locked
18 replies to this topic

#1 virado

virado

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 20 January 2012 - 05:57 AM

For the last few days I have had a problem where malwarebytes would bring up a message saying that svchost.exe was trying to do something bad and needed to be quarantined. However, when I go to click quarantine, everything that is not minimized will be frozen. The taskbar as well as ctrl-alt-del and alt-tab will not respond anymore, and the warning window that first popped up will become unresponsive. I've scanned numerous times with malwarebytes, spybot, and avg, but only malwarebytes will show that svchost.exe is infected. I've run Rkill and then scanned with malwarebytes again, but nothing changed. I've even uninstalled and reinstalled to make sure that malwarebytes itself was not compromised. The people who I've talked to think that this may be a bootfile. Other than the freezing, I seem to have a memory leak eating away at my physical memory. Most of the time I can run firefox, steam, skype and a few other programs and not exceed more than 30% of the 8gb of RAM; however, as of writing this I only have firefox open and the usage is at 41%. I am running 64-bit windows 7 with 8gb of RAM.

Rkill Log (run after reinstalling malwarebytes).
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/20/2012 at 1:13:40.
Operating System: Windows 7 Home Premium


Processes terminated by Rkill or while it was running:

\\.\globalroot\systemroot\svchost.exe


--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is:

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.


Rkill completed on 01/20/2012 at 1:13:41.


Malwarebytes Log

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.01

Windows 7 Service Pack 1 x64 FAT (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Geoffrey Sakai :: GLADOS [administrator]

Protection: Disabled

1/20/2012 1:16:40 AM
mbam-log-2012-01-20 (01-23-10).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 357349
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 932 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:56:36 AM, on 1/20/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
E:\Programs\Steam\Steam.exe
E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
E:\Programs\AVG anti-virus\avgtray.exe
E:\Programs\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: PC Tools Browser Defender - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: 46.4.179.109 google.com
O1 - Hosts: 46.4.179.109 yahoo.com
O1 - Hosts: 46.4.179.109 bing.com
O1 - Hosts: 46.4.179.109 facebook.com
O1 - Hosts: 46.4.179.84 yahoo.com
O1 - Hosts: 212.124.122.156 google.com
O1 - Hosts: 46.4.179.84 myspace.com
O1 - Hosts: 212.124.122.156 msn.com
O1 - Hosts: 46.4.179.84 ebay.com
O1 - Hosts: 46.4.179.84 amazon.com
O1 - Hosts: 212.124.122.156 youtube.com
O1 - Hosts: 46.4.179.84 craigslist.org
O1 - Hosts: 212.124.122.156 wikipedia.org
O1 - Hosts: 46.4.179.110 cnn.com
O1 - Hosts: 46.4.179.84 facebook.com
O1 - Hosts: 46.4.179.110 go.com
O1 - Hosts: 46.4.179.84 live.com
O1 - Hosts: 46.4.179.84 blogger.com
O1 - Hosts: 46.4.179.110 aol.com
O1 - Hosts: 46.4.179.84 microsoft.com
O1 - Hosts: 46.4.179.110 comcast.net
O1 - Hosts: 46.4.179.84 imdb.com
O1 - Hosts: 46.4.179.84 digg.com
O1 - Hosts: 46.4.179.84 flickr.com
O1 - Hosts: 46.4.179.84 Expedia.com
O1 - Hosts: 46.4.179.84 Monster.com
O1 - Hosts: 212.124.122.156 Paypal.com
O1 - Hosts: 46.4.179.84 Weather.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Programs\AVG anti-virus\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Programs\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: PC Tools Browser Defender - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Programs\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "E:\Programs\AVG anti-virus\avgtray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "E:\Programs\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Steam] "E:\Programs\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MediaGet2] C:\Users\Geoffrey Sakai\AppData\Local\MediaGet2\mediaget.exe --minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2161452833-1771019687-3850249851-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2161452833-1771019687-3850249851-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Rainmeter.lnk = E:\Programs\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Programs\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Programs\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Programs\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programs\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Programs\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Programs\AVG anti-virus\avgpp.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - E:\Programs\AVG anti-virus\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - E:\Programs\AVG anti-virus\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - e:\programs\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - E:\Programs\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11587 bytes
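Two things in the logs above are worth checking mechanically on any Rkill, Malwarebytes or HijackThis output: svchost.exe being referenced from C:\Windows\ (or via the raw device path \\.\globalroot\systemroot\) rather than from System32, and O1 hosts entries that point well-known domains at outside addresses. The Python triage script below is an added example, not part of the original post or of any BleepingComputer tool; its sample input is a constructed mix of lines copied from the logs above, and the set of legitimate svchost.exe directories is an assumption for 64-bit Windows 7.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the Rkill, Malwarebytes and
# HijackThis output posted above, mixed with benign lines so the checks have
# something to pass as well as something to flag.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
\\.\globalroot\systemroot\svchost.exe
O1 - Hosts: 46.4.179.109 google.com
O1 - Hosts: 212.124.122.156 Paypal.com
Hosts: 127.0.0.1 www.spywareinfo.com
O4 - HKCU\..\Run: [Steam] "E:\Programs\Steam\Steam.exe" -silent
"""

# HijackThis prints hosts-file lines as "O1 - Hosts: <ip> <name>"; DDS drops the "O1 - ".
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
# Directory part of any path ending in \svchost.exe (drive paths and \\.\ device paths alike).
SVCHOST_RE = re.compile(r"(\S*?)\\svchost\.exe\b", re.IGNORECASE)
# Assumption: the only places a genuine svchost.exe lives on 64-bit Windows 7.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def check_hosts_entry(line):
    """Flag a hosts entry that sends a name to a non-loopback address.

    127.0.0.1 / 0.0.0.0 sinkholes are the normal shape of an ad/spyware blocklist,
    so they are ignored; anything else is a redirect worth a human look.
    """
    m = HOSTS_RE.match(line.strip())
    if not m:
        return None
    ip_text, name = m.groups()
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return f"unparseable hosts entry: {line.strip()}"
    if ip.is_loopback or ip.is_unspecified:
        return None
    return f"hosts redirect: {name} -> {ip} (non-loopback)"


def check_svchost_path(line):
    """Flag svchost.exe referenced from any directory other than System32/SysWOW64."""
    m = SVCHOST_RE.search(line)
    if not m:
        return None
    directory = m.group(1).lower()
    if directory in LEGIT_SVCHOST_DIRS:
        return None
    return f"svchost.exe outside System32/SysWOW64: {m.group(0)}"


def triage(log_text):
    """Run every check over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        for check in (check_hosts_entry, check_svchost_path):
            finding = check(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Feeding a whole saved log to triage() gives a short list to read before the full dump; a hit is a lead, not a verdict, since legitimate blocklists and some security tools also edit the hosts file.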


#2 gringo_pr

gringo_pr
Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:16 PM

Posted 22 January 2012 - 01:17 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 virado

virado
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 22 January 2012 - 05:45 AM

The problems I've listed above are the main things. However, recently I had a suspicion that malwarebytes was compromised, so I uninstalled it and the messages that would lock up my computer at times stopped coming. Also I think the virus might be imitating windows updates because I've changed the settings to update at a specified time and it still updates around the same time, which is much different than what I set it to. Thanks for helping.

DDS log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_27
Run by Geoffrey Sakai at 2:34:24 on 2012-01-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8175.5561 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
E:\Programs\AVGANT~1\avgrsa.exe
E:\Programs\AVG anti-virus\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Programs\AVG anti-virus\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
E:\Programs\AVG anti-virus\AVGIDSAgent.exe
E:\Programs\AVG anti-virus\avgnsa.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
E:\Programs\Rainmeter\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Windows\system32\SearchIndexer.exe
E:\Programs\pidgin.exe
E:\Programs\AVG anti-virus\avgtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
E:\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - E:\Programs\AVG anti-virus\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - E:\Programs\SPYBOT~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - E:\Programs\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
uRun: [Steam] "E:\Programs\Steam\Steam.exe" -silent
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [MediaGet2] C:\Users\Geoffrey Sakai\AppData\Local\MediaGet2\mediaget.exe --minimized
uRun: [SpybotSD TeaTimer] E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
mRun: [GrooveMonitor] "E:\Programs\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [AVG_TRAY] "E:\Programs\AVG anti-virus\avgtray.exe"
StartupFolder: C:\Users\GEOFFR~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - E:\Programs\Rainmeter\Rainmeter.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: E&xport to Microsoft Excel - E:\Programs\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - E:\Programs\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - E:\Programs\MICROS~2\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B27449D0-1098-43A7-A7F9-DD7730E62B02} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B27449D0-1098-43A7-A7F9-DD7730E62B02}\2375942554131323 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B27449D0-1098-43A7-A7F9-DD7730E62B02}\25C40284F6D656 : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{B27449D0-1098-43A7-A7F9-DD7730E62B02}\25C40284F6D656D27657563747 : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{B27449D0-1098-43A7-A7F9-DD7730E62B02}\351696C667965677D416E6F627 : DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{D717BADC-02FA-4425-8C64-4D1A1E6020B4} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Programs\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Programs\AVG anti-virus\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - E:\Programs\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: PC Tools Browser Defender BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO-X64: Browser Defender BHO - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Programs\AVG anti-virus\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Programs\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: PC Tools Browser Defender: {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
mRun-x64: [GrooveMonitor] "E:\Programs\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [AVG_TRAY] "E:\Programs\AVG anti-virus\avgtray.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - E:\Programs\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: E:\Programs\Itunes\Mozilla Plugins\npitunes.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]
R0 pctDS;PC Tools Data Store;C:\Windows\system32\drivers\pctDS64.sys --> C:\Windows\system32\drivers\pctDS64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\system32\Drivers\PCTSD64.sys --> C:\Windows\system32\Drivers\PCTSD64.sys [?]
R2 AVGIDSAgent;AVGIDSAgent;E:\Programs\AVG anti-virus\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;E:\Programs\AVG anti-virus\avgwdsvc.exe [2011-8-2 192776]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2214504]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-5-20 378472]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-10-16 2358656]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\system32\DRIVERS\WPN111vx.sys --> C:\Windows\system32\DRIVERS\WPN111vx.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;"C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe" --> C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;E:\Programs\Steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2011-12-13 25832]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 PCTBD;PC Tools Browser Defender Driver;C:\Windows\system32\Drivers\PCTBD64.sys --> C:\Windows\system32\Drivers\PCTBD64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-01-20 10:00:09 -------- d-----w- C:\Users

\Geoffrey Sakai\AppData\Local\ElevatedDiagnostics
2012-01-20 09:47:25 -------- d-sh--w- C:\Windows

\SysWow64\%USERPROFILE%
2012-01-19 05:01:10 -------- d-----w- C:\Program

Files (x86)\PC Tools
2012-01-16 21:29:49 514560 ----a-w- C:\Windows

\SysWow64\qdvd.dll
2012-01-16 21:29:49 366592 ----a-w- C:\Windows

\System32\qdvd.dll
2012-01-16 21:29:49 1572864 ----a-w- C:\Windows

\System32\quartz.dll
2012-01-16 21:29:49 1328128 ----a-w- C:\Windows

\SysWow64\quartz.dll
2012-01-16 21:29:46 1731920 ----a-w- C:\Windows

\System32\ntdll.dll
2012-01-16 21:29:46 1292080 ----a-w- C:\Windows

\SysWow64\ntdll.dll
2012-01-16 21:29:31 77312 ----a-w- C:\Windows

\System32\packager.dll
2012-01-16 21:29:31 67072 ----a-w- C:\Windows

\SysWow64\packager.dll
2012-01-13 06:02:06 -------- d-sh--w- C:\Windows

\SysWow64\%APPDATA%
2012-01-13 05:52:12 20480 ----a-w- C:\Windows

\svchost.exe
2012-01-05 07:42:41 -------- d-----w- C:\Program

Files (x86)\Common Files\Wise Installation Wizard
2012-01-05 04:49:42 -------- d-----w- C:\Users

\Geoffrey Sakai\AppData\Roaming\RenPy
2012-01-03 21:35:37 626688 ----a-w- C:\Program Files

(x86)\Mozilla Firefox\msvcr80.dll
2012-01-03 21:35:37 548864 ----a-w- C:\Program Files

(x86)\Mozilla Firefox\msvcp80.dll
2012-01-03 21:35:37 479232 ----a-w- C:\Program Files

(x86)\Mozilla Firefox\msvcm80.dll
2012-01-03 21:35:37 43992 ----a-w- C:\Program Files

(x86)\Mozilla Firefox\mozutils.dll
2011-12-27 21:38:21 -------- d-----w- C:\Users

\Geoffrey Sakai\AppData\Roaming\OpenOffice.org
2011-12-27 21:37:29 -------- d-----w- C:\Program

Files (x86)\OpenOffice.org 3
2011-12-24 06:56:42 -------- d-----w- C:\Users

\Geoffrey Sakai\AppData\Roaming\Red Alert 3
2011-12-24 06:56:35 178800 ----a-w- C:\Windows

\SysWow64\CmdLineExt_x64.dll
.
==================== Find3M ====================
.
2011-12-20 23:18:17 466456 ----a-w- C:\Windows

\System32\wrap_oal.dll
2011-12-20 23:18:17 444952 ----a-w- C:\Windows

\SysWow64\wrap_oal.dll
2011-12-20 23:18:17 122904 ----a-w- C:\Windows

\System32\OpenAL32.dll
2011-12-20 23:18:17 109080 ----a-w- C:\Windows

\SysWow64\OpenAL32.dll
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows

\System32\win32k.sys
2011-11-17 06:49:14 95600 ----a-w- C:\Windows

\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\Windows

\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\Windows

\System32\drivers\cng.sys
2011-11-17 06:35:28 395776 ----a-w- C:\Windows

\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows

\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows

\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\Windows

\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows

\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\Windows

\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows

\System32\lsass.exe
2011-11-17 05:35:02 314880 ----a-w- C:\Windows

\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\Windows

\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows

\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows

\SysWow64\sspicli.dll
2011-11-12 00:51:16 286208 ----a-w- C:\Users\Geoffrey

Sakai\AppData\Roaming\trz2967.tmp
2011-11-05 05:32:50 2048 ----a-w- C:\Windows

\System32\tzres.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows

\SysWow64\tzres.dll
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows

\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows

\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows

\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows

\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows

\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows

\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows

\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows

\SysWow64\mshtml.tlb
2011-10-28 19:03:24 92896 ----a-w- C:\Windows

\System32\drivers\pctplsg64.sys
2011-10-28 19:03:00 230952 ----a-w- C:\Windows

\System32\drivers\PCTSD64.sys
2011-10-28 19:01:36 14776 ----a-w- C:\Windows

\System32\drivers\pctBTFix64.sys
2011-10-28 18:41:16 141312 ----a-w- C:\Windows

\System32\drivers\pctwfpfilter64.sys
2011-10-28 18:41:12 336512 ----a-w- C:\Windows

\System32\drivers\pctgntdi64.sys
2011-10-26 05:21:20 43520 ----a-w- C:\Windows

\System32\csrsrv.dll
2011-10-25 21:38:20 149456 ----a-w- C:\Windows

\SGDetectionTool.dll
2011-10-25 21:38:18 2291664 ----a-w- C:\Windows

\PCTBDCore.dll
2011-10-25 21:38:18 1681360 ----a-w- C:\Windows

\PCTBDRes.dll
2011-10-25 21:38:08 767952 ----a-w- C:\Windows

\BDTSupport.dll
.
============= FINISH: 2:35:00.35 ===============

#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 22 January 2012 - 11:25 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 virado (Topic Starter, Members)

Posted 22 January 2012 - 03:35 PM

So far there have been no signs of the virus. Here's the log.

To list once again the problems that I've had, which may not all be related to the virus (if I've placed any new ones or forgotten any, I'm sorry):

Malwarebytes giving pop-up messages which might crash my computer
Windows updates forcing updates on me at the wrong time.
Trouble waking up from sleep mode or starting up.
Leak in the RAM
Space on the C:\ drive being taken up

ComboFix 12-01-21.02 - Geoffrey Sakai 01/22/2012 12:10:35.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8175.4965 [GMT -8:00]
Running from: e:\downloads\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\13xxsp56k201ki4um1qmw86e5o5j54740xmq5632u1qg63
c:\programdata\458ffeq4p6hr700641u
c:\programdata\52423c85
c:\programdata\b4087b46
c:\programdata\ooh5tk7wuomoh17x74ekc46
c:\programdata\sbg377du7qci50le3m354o3pydxyo3vm4sphw
c:\programdata\ux3527cj4aoj03r21r281oh2f7j1mesyb503isya4x71ym
c:\users\Geoffrey Sakai\AppData\Local\Microsoft\MicrosoftData
c:\users\Geoffrey Sakai\AppData\Roaming\Microsoft\Windows\Templates\13xxsp56k201ki4um1qmw86e5o5j54740xmq5632u1qg63
c:\users\Geoffrey Sakai\AppData\Roaming\Microsoft\Windows\Templates\458ffeq4p6hr700641u
c:\users\Geoffrey Sakai\AppData\Roaming\Microsoft\Windows\Templates\ooh5tk7wuomoh17x74ekc46
c:\users\Geoffrey Sakai\AppData\Roaming\Microsoft\Windows\Templates\sbg377du7qci50le3m354o3pydxyo3vm4sphw
c:\users\Geoffrey Sakai\AppData\Roaming\Microsoft\Windows\Templates\ux3527cj4aoj03r21r281oh2f7j1mesyb503isya4x71ym
c:\users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}
c:\users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\chrome.manifest
c:\users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\chrome\xulcache.jar
c:\users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\defaults\preferences\xulcache.js
c:\users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\install.rdf
c:\users\Geoffrey Sakai\AppData\Roaming\trz2967.tmp
c:\users\Liz\AppData\Roaming\bBtzP0ycAiD
c:\users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\rd9bhhqk.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}
c:\users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\rd9bhhqk.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\chrome.manifest
c:\users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\rd9bhhqk.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\chrome\xulcache.jar
c:\users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\rd9bhhqk.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\defaults\preferences\xulcache.js
c:\users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\rd9bhhqk.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\install.rdf
c:\windows\svchost.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\ydsvgd.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 20:15 . 2012-01-22 20:15 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-22 20:15 . 2012-01-22 20:15 -------- d-----w- c:\users\Liz\AppData\Local\temp
2012-01-22 20:15 . 2012-01-22 20:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-20 10:00 . 2012-01-20 10:00 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Local\ElevatedDiagnostics
2012-01-20 09:47 . 2012-01-20 09:47 -------- d-sh--w- c:\windows\SysWow64\%USERPROFILE%
2012-01-19 05:01 . 2012-01-19 05:01 -------- d-----w- c:\program files (x86)\PC Tools
2012-01-16 21:29 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-16 21:29 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-16 21:29 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-16 21:29 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-16 21:29 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-16 21:29 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-16 21:29 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-16 21:29 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-13 06:02 . 2012-01-13 06:02 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-01-13 05:52 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2012-01-05 07:43 . 2012-01-20 06:31 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\Ventrilo
2012-01-05 07:42 . 2012-01-20 06:31 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2012-01-05 04:49 . 2012-01-05 04:49 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\RenPy
2012-01-03 21:35 . 2012-01-03 21:35 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-03 21:35 . 2012-01-03 21:35 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-03 21:35 . 2012-01-03 21:35 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-01-03 21:35 . 2012-01-03 21:35 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-12-27 21:38 . 2011-12-27 21:38 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\OpenOffice.org
2011-12-27 21:37 . 2011-12-27 21:37 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2011-12-24 06:56 . 2011-12-24 06:56 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\Red Alert 3
2011-12-24 06:56 . 2011-12-24 06:56 -------- d--h--r- c:\users\Geoffrey Sakai\AppData\Roaming\SecuROM
2011-12-24 06:56 . 2011-12-24 06:56 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 23:18 . 2011-12-20 23:18 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-20 23:18 . 2011-12-20 23:18 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-12-20 23:18 . 2011-12-20 23:18 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-20 23:18 . 2011-12-20 23:18 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-11-24 04:52 . 2011-12-13 19:27 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 05:32 . 2011-12-13 19:27 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 04:26 . 2011-12-13 19:27 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-11-04 01:53 . 2011-12-14 11:00 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-11-04 01:44 . 2011-12-14 11:00 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 01:44 . 2011-12-14 11:00 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 01:34 . 2011-12-14 11:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-03 22:47 . 2011-12-14 11:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-11-03 22:40 . 2011-12-14 11:00 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-11-03 22:39 . 2011-12-14 11:00 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-11-03 22:31 . 2011-12-14 11:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-10-28 19:03 . 2011-11-12 20:35 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
2011-10-28 19:03 . 2011-11-12 20:32 230952 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2011-10-28 19:01 . 2011-11-12 20:35 14776 ----a-w- c:\windows\system32\drivers\pctBTFix64.sys
2011-10-28 18:41 . 2011-11-12 20:35 141312 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
2011-10-28 18:41 . 2011-11-12 20:35 336512 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
2011-10-26 05:21 . 2011-12-13 19:27 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 21:38 . 2011-11-12 20:35 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-10-25 21:38 . 2011-11-12 20:35 2291664 ----a-w- c:\windows\PCTBDCore.dll
2011-10-25 21:38 . 2011-11-12 20:35 1681360 ----a-w- c:\windows\PCTBDRes.dll
2011-10-25 21:38 . 2011-11-12 20:35 767952 ----a-w- c:\windows\BDTSupport.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-10-16 3077528]
"Steam"="e:\programs\Steam\Steam.exe" [2011-11-25 1242448]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"SpybotSD TeaTimer"="e:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="e:\programs\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG_TRAY"="e:\programs\AVG anti-virus\avgtray.exe" [2011-12-03 2415456]
.
c:\users\Geoffrey Sakai\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - e:\programs\Rainmeter\Rainmeter.exe [2011-9-18 102912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0e:\programs\AVGANT~1\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 bbbqvmkb;bbbqvmkb;c:\windows\system32\drivers\bbbqvmkb.sys [x]
R1 ewrairbn;ewrairbn;c:\windows\system32\drivers\ewrairbn.sys [x]
R1 nmjrbegk;nmjrbegk;c:\windows\system32\drivers\nmjrbegk.sys [x]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\programs\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2011-12-13 25832]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\Drivers\PCTBD64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 X6va005;X6va005;c:\users\GEOFFR~1\AppData\Local\Temp\00540B9.tmp [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD64.sys [x]
S2 AVGIDSAgent;AVGIDSAgent;e:\programs\AVG anti-virus\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;e:\programs\AVG anti-virus\avgwdsvc.exe [2011-08-02 192776]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - e:\programs\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-MediaGet2 - c:\users\Geoffrey Sakai\AppData\Local\MediaGet2\mediaget.exe
SafeBoot-MsMpSvc
SafeBoot-sdAuxService
SafeBoot-sdCoreService
AddRemove-Belkin Setup and Router Monitor_is1 - c:\program files (x86)\Belkin\Router Setup and Monitor\unins000.exe
AddRemove-Browser Defender_is1 - c:\program files (x86)\PC Tools\PC Tools Security\BDT\unins000.exe
AddRemove-NVIDIA StereoUSB Driver - c:\program files (x86)\InstallShield Installation Information\{714B9C6C-70FC-4750-98E2-61520B906C45}\setup.exe
AddRemove-NVIDIAStereo - c:\program files (x86)\NVIDIA Corporation\3D Vision\nvStInst.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe
AddRemove-{83BEEFB4-8C28-4F4F-8A9D-E0D1ADCE335B} - c:\program files (x86)\InstallShield Installation Information\{83BEEFB4-8C28-4F4F-8A9D-E0D1ADCE335B}\setup.exe
AddRemove-{8833FFB6-5B0C-4764-81AA-06DFEED9A476} - c:\program files (x86)\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\Setup.exe
AddRemove-{92606477-9366-4D3B-8AE3-6BE4B29727AB} - c:\program files (x86)\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\GEOFFR~1\AppData\Local\Temp\00540B9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2161452833-1771019687-3850249851-1000\Software\SecuROM\License information*]
"datasecu"=hex:fb,e0,0d,bb,fd,bc,73,eb,7b,0c,43,e1,17,ce,4b,24,c0,30,00,0e,9c,
99,01,9d,f4,04,9d,8b,e3,9b,30,77,4a,a5,87,e9,b7,d2,c6,46,8c,cc,b0,68,84,b6,\
"rkeysecu"=hex:2f,ff,fa,b7,a5,db,e8,a7,e6,20,3f,6c,77,0e,d1,e2
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\\.\globalroot\systemroot\svchost.exe
.
**************************************************************************
.
Completion time: 2012-01-22 12:21:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-22 20:21
.
Pre-Run: 11,238,547,456 bytes free
Post-Run: 13,394,173,952 bytes free
.
- - End Of File - - 0FE69ED1235FEB0E320C80238FDC308A
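A few things in the two logs above are worth pulling out, because they are exactly the indicators a responder should be checking for rather than reading a log line by line. The DDS "Created Last 30" section lists a 20480-byte C:\Windows\svchost.exe created on 2012-01-13; the real svchost.exe lives in System32 (and SysWOW64), never in the Windows directory itself. ComboFix deletes c:\windows\svchost.exe and, in "Other Running Processes", lists two instances of c:\\.\globalroot\systemroot\svchost.exe: \SystemRoot is a symbolic link to the Windows directory (C:\Windows on this machine, per the TDSSKiller log further down), so that object-manager path resolves to the same rogue C:\Windows\svchost.exe. ComboFix also shows three drivers with generated-looking eight-letter names (bbbqvmkb, ewrairbn, nmjrbegk), a service X6va005 whose ImagePath is a .tmp file in the user's Temp directory, and UAC fully switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0). The following is an added example, written for this page and not part of the original thread or of ComboFix/DDS, that runs those checks over ComboFix-style lines. The sample lines are copied from the log above and embedded so it runs offline; the SystemRoot value is an assumption taken from the TDSSKiller log; the "eight lowercase letters" driver-name test is my own heuristic and will have false positives on other systems; the [x] marker is deliberately not used as an indicator, because in this log it also appears on known AVG and Microsoft drivers.

```python
"""Triage ComboFix-style log lines for the indicators seen in this thread (added example)."""
import re
from typing import Dict, List

SYSTEMROOT = r"c:\windows"  # assumption: "Windows directory: C:\Windows" per the TDSSKiller log
LEGIT_SVCHOST_DIRS = {SYSTEMROOT + r"\system32", SYSTEMROOT + r"\syswow64"}
# \\.\globalroot\systemroot is the \SystemRoot symbolic link, i.e. C:\Windows; ComboFix
# prints a process in this form, so it is C:\Windows\svchost.exe, not System32\svchost.exe
GLOBALROOT = re.compile(re.escape(r"\\.\globalroot\systemroot"), re.IGNORECASE)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")  # "R1 name;desc;image [info]"
POLICY_RE = re.compile(r'^"(EnableLUA|ConsentPromptBehaviorAdmin)"=\s*(\d+)')  # "EnableLUA"= 0 (0x0)
RANDOM_NAME = re.compile(r"^[a-z]{8}$")  # heuristic (mine): shape of the three rogue drivers in the log

# Constructed sample: lines copied from the ComboFix log above, suspicious and legitimate mixed.
SAMPLE_LOG = r"""
c:\windows\SysWOW64\PnkBstrA.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
R1 bbbqvmkb;bbbqvmkb;c:\windows\system32\drivers\bbbqvmkb.sys [x]
R1 ewrairbn;ewrairbn;c:\windows\system32\drivers\ewrairbn.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
R3 X6va005;X6va005;c:\users\GEOFFR~1\AppData\Local\Temp\00540B9.tmp [x]
R2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
"EnableLUA"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"""


def normalize_path(raw: str) -> str:
    """Lowercase a path and resolve the \\\\.\\globalroot\\systemroot prefix to SYSTEMROOT."""
    p = raw.strip().strip('"').lower()
    m = GLOBALROOT.search(p)
    return SYSTEMROOT + p[m.end():] if m else p


def check_process(path: str) -> List[str]:
    """svchost.exe belongs in System32 (or SysWOW64); anywhere else is suspect."""
    reasons = []
    directory, _, base = normalize_path(path).rpartition("\\")
    if base == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64")
    if GLOBALROOT.search(path):
        reasons.append("process path reported in \\\\.\\globalroot form")
    return reasons


def check_service(line: str) -> List[str]:
    """Flag services whose image lives in Temp or whose name looks generated. The [x]
    marker is not used: in this log it also appears on known AVG and Microsoft drivers."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _, name, desc, image, _ = m.groups()
    p = normalize_path(image)
    base = p.rpartition("\\")[2]
    reasons = []
    if "\\appdata\\local\\temp\\" in p or base.endswith(".tmp"):
        reasons.append("service image in a Temp directory or .tmp file")
    if name == desc and base.rsplit(".", 1)[0] == name.lower() and RANDOM_NAME.match(name):
        reasons.append("random-looking 8-letter driver name (heuristic)")
    return reasons


def check_policy(line: str) -> List[str]:
    """UAC policy values that leave everything running at full administrator rights."""
    m = POLICY_RE.match(line)
    if not m:
        return []
    key, value = m.group(1), int(m.group(2))
    if key == "EnableLUA" and value == 0:
        return ["UAC disabled (EnableLUA=0)"]
    if key == "ConsentPromptBehaviorAdmin" and value == 0:
        return ["administrators elevate without a prompt (ConsentPromptBehaviorAdmin=0)"]
    return []


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run the matching check over each non-empty line; one finding per reason."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if SERVICE_RE.match(line):
            reasons = check_service(line)
        elif POLICY_RE.match(line):
            reasons = check_policy(line)
        elif re.match(r"^[a-z]:\\", line, re.IGNORECASE):
            reasons = check_process(line)
        else:
            reasons = []
        findings.extend({"line": line, "reason": r} for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:<58} {f['line']}")
```

Run as-is it reports seven findings: two for the globalroot svchost line (wrong directory, and the unusual path form itself), one each for bbbqvmkb and ewrairbn, one for X6va005's Temp image, and one each for the two UAC values, while the PunkBuster, OpenOffice, TsUsbFlt, AVG and TeamViewer lines pass. Feeding it a whole ComboFix log works the same way, since the dispatch is per line; the DDS format differs only in the trailing "--> path [?]" part of service lines and would need its own pattern.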

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 22 January 2012 - 03:43 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#7 virado (Topic Starter, Members)

Posted 22 January 2012 - 06:00 PM

Here's the log.

14:42:37.0952 8808 TDSS rootkit removing tool 2.7.6.0 Jan 19 2012 13:09:04
14:42:38.0322 8808 ============================================================
14:42:38.0322 8808 Current date / time: 2012/01/22 14:42:38.0322
14:42:38.0322 8808 SystemInfo:
14:42:38.0322 8808
14:42:38.0322 8808 OS Version: 6.1.7601 ServicePack: 1.0
14:42:38.0322 8808 Product type: Workstation
14:42:38.0322 8808 ComputerName: GLADOS
14:42:38.0322 8808 UserName: Geoffrey Sakai
14:42:38.0322 8808 Windows directory: C:\Windows
14:42:38.0322 8808 System windows directory: C:\Windows
14:42:38.0322 8808 Running under WOW64
14:42:38.0322 8808 Processor architecture: Intel x64
14:42:38.0322 8808 Number of processors: 8
14:42:38.0322 8808 Page size: 0x1000
14:42:38.0322 8808 Boot type: Normal boot
14:42:38.0322 8808 ============================================================
14:42:38.0448 8808 Drive \Device\Harddisk1\DR1 - Size: 0xDF99E6000 (55.90 Gb), SectorSize: 0x200, Cylinders: 0x1C81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
14:42:38.0463 8808 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
14:42:38.0490 8808 Initialize success
14:42:39.0544 8592 ============================================================
14:42:39.0544 8592 Scan started
14:42:39.0544 8592 Mode: Manual;
14:42:39.0544 8592 ============================================================
14:42:40.0074 8592 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\DRIVERS\1394ohci.sys
14:42:40.0079 8592 1394ohci - ok
14:42:40.0099 8592 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
14:42:40.0103 8592 ACPI - ok
14:42:40.0118 8592 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
14:42:40.0118 8592 AcpiPmi - ok
14:42:40.0136 8592 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
14:42:40.0140 8592 adp94xx - ok
14:42:40.0156 8592 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
14:42:40.0159 8592 adpahci - ok
14:42:40.0172 8592 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
14:42:40.0174 8592 adpu320 - ok
14:42:40.0196 8592 AFD (d5b031c308a409a0a576bff4cf083d30) C:\Windows\system32\drivers\afd.sys
14:42:40.0204 8592 AFD - ok
14:42:40.0218 8592 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
14:42:40.0219 8592 agp440 - ok
14:42:40.0230 8592 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
14:42:40.0231 8592 aliide - ok
14:42:40.0242 8592 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
14:42:40.0243 8592 amdide - ok
14:42:40.0256 8592 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
14:42:40.0257 8592 AmdK8 - ok
14:42:40.0268 8592 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\drivers\amdppm.sys
14:42:40.0269 8592 AmdPPM - ok
14:42:40.0282 8592 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
14:42:40.0284 8592 amdsata - ok
14:42:40.0297 8592 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
14:42:40.0300 8592 amdsbs - ok
14:42:40.0311 8592 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
14:42:40.0312 8592 amdxata - ok
14:42:40.0324 8592 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
14:42:40.0326 8592 AppID - ok
14:42:40.0341 8592 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
14:42:40.0342 8592 arc - ok
14:42:40.0355 8592 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
14:42:40.0357 8592 arcsas - ok
14:42:40.0373 8592 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
14:42:40.0374 8592 AsyncMac - ok
14:42:40.0385 8592 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
14:42:40.0386 8592 atapi - ok
14:42:40.0402 8592 AVGIDSDriver (e29ea1a0ec7ab9fa2dc7e75a03f12a4f) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
14:42:40.0403 8592 AVGIDSDriver - ok
14:42:40.0415 8592 AVGIDSEH (f823d184b8e8ffb8da3ead45dbf5bd6a) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
14:42:40.0416 8592 AVGIDSEH - ok
14:42:40.0427 8592 AVGIDSFilter (ed2b25bd7fe35d1944211968842d30da) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
14:42:40.0428 8592 AVGIDSFilter - ok
14:42:40.0443 8592 Avgldx64 (979cf8912449a10b987218bff80a1fa3) C:\Windows\system32\DRIVERS\avgldx64.sys
14:42:40.0445 8592 Avgldx64 - ok
14:42:40.0457 8592 Avgmfx64 (36b1a5843695766eac714daffc5b84d1) C:\Windows\system32\DRIVERS\avgmfx64.sys
14:42:40.0458 8592 Avgmfx64 - ok
14:42:40.0470 8592 Avgrkx64 (1102239fb724527f1febbbbccf6bf313) C:\Windows\system32\DRIVERS\avgrkx64.sys
14:42:40.0470 8592 Avgrkx64 - ok
14:42:40.0484 8592 Avgtdia (11f36d3ea82d9db9aa05a476a210551b) C:\Windows\system32\DRIVERS\avgtdia.sys
14:42:40.0487 8592 Avgtdia - ok
14:42:40.0505 8592 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
14:42:40.0510 8592 b06bdrv - ok
14:42:40.0524 8592 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
14:42:40.0527 8592 b57nd60a - ok
14:42:40.0539 8592 bbbqvmkb - ok
14:42:40.0553 8592 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
14:42:40.0553 8592 Beep - ok
14:42:40.0567 8592 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
14:42:40.0568 8592 blbdrive - ok
14:42:40.0583 8592 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
14:42:40.0584 8592 bowser - ok
14:42:40.0595 8592 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
14:42:40.0596 8592 BrFiltLo - ok
14:42:40.0607 8592 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\BrFiltUp.sys
14:42:40.0607 8592 BrFiltUp - ok
14:42:40.0621 8592 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
14:42:40.0623 8592 BridgeMP - ok
14:42:40.0638 8592 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
14:42:40.0641 8592 Brserid - ok
14:42:40.0653 8592 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
14:42:40.0654 8592 BrSerWdm - ok
14:42:40.0666 8592 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
14:42:40.0666 8592 BrUsbMdm - ok
14:42:40.0677 8592 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
14:42:40.0678 8592 BrUsbSer - ok
14:42:40.0691 8592 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\drivers\bthmodem.sys
14:42:40.0692 8592 BTHMODEM - ok
14:42:40.0695 8592 catchme - ok
14:42:40.0708 8592 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
14:42:40.0709 8592 cdfs - ok
14:42:40.0721 8592 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
14:42:40.0723 8592 cdrom - ok
14:42:40.0736 8592 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\drivers\circlass.sys
14:42:40.0737 8592 circlass - ok
14:42:40.0755 8592 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
14:42:40.0760 8592 CLFS - ok
14:42:40.0776 8592 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\drivers\CmBatt.sys
14:42:40.0776 8592 CmBatt - ok
14:42:40.0789 8592 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
14:42:40.0790 8592 cmdide - ok
14:42:40.0805 8592 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
14:42:40.0808 8592 CNG - ok
14:42:40.0820 8592 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\drivers\compbatt.sys
14:42:40.0820 8592 Compbatt - ok
14:42:40.0832 8592 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\DRIVERS\CompositeBus.sys
14:42:40.0833 8592 CompositeBus - ok
14:42:40.0844 8592 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\drivers\crcdisk.sys
14:42:40.0845 8592 crcdisk - ok
14:42:40.0863 8592 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
14:42:40.0864 8592 DfsC - ok
14:42:40.0877 8592 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
14:42:40.0877 8592 discache - ok
14:42:40.0891 8592 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\drivers\disk.sys
14:42:40.0893 8592 Disk - ok
14:42:40.0907 8592 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
14:42:40.0908 8592 drmkaud - ok
14:42:40.0932 8592 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
14:42:40.0945 8592 DXGKrnl - ok
14:42:40.0982 8592 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
14:42:41.0004 8592 ebdrv - ok
14:42:41.0024 8592 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
14:42:41.0028 8592 elxstor - ok
14:42:41.0039 8592 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
14:42:41.0039 8592 ErrDev - ok
14:42:41.0054 8592 ewrairbn - ok
14:42:41.0068 8592 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
14:42:41.0070 8592 exfat - ok
14:42:41.0083 8592 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
14:42:41.0085 8592 fastfat - ok
14:42:41.0098 8592 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
14:42:41.0098 8592 fdc - ok
14:42:41.0112 8592 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
14:42:41.0114 8592 FileInfo - ok
14:42:41.0126 8592 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
14:42:41.0126 8592 Filetrace - ok
14:42:41.0138 8592 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\drivers\flpydisk.sys
14:42:41.0139 8592 flpydisk - ok
14:42:41.0155 8592 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
14:42:41.0160 8592 FltMgr - ok
14:42:41.0173 8592 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
14:42:41.0174 8592 FsDepends - ok
14:42:41.0185 8592 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
14:42:41.0186 8592 Fs_Rec - ok
14:42:41.0201 8592 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
14:42:41.0204 8592 fvevol - ok
14:42:41.0217 8592 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\drivers\gagp30kx.sys
14:42:41.0219 8592 gagp30kx - ok
14:42:41.0231 8592 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
14:42:41.0231 8592 GEARAspiWDM - ok
14:42:41.0244 8592 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
14:42:41.0245 8592 hcw85cir - ok
14:42:41.0259 8592 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
14:42:41.0262 8592 HdAudAddService - ok
14:42:41.0274 8592 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\DRIVERS\HDAudBus.sys
14:42:41.0276 8592 HDAudBus - ok
14:42:41.0287 8592 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\drivers\HidBatt.sys
14:42:41.0287 8592 HidBatt - ok
14:42:41.0299 8592 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\drivers\hidbth.sys
14:42:41.0300 8592 HidBth - ok
14:42:41.0312 8592 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\drivers\hidir.sys
14:42:41.0313 8592 HidIr - ok
14:42:41.0326 8592 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
14:42:41.0326 8592 HidUsb - ok
14:42:41.0341 8592 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
14:42:41.0342 8592 HpSAMD - ok
14:42:41.0365 8592 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
14:42:41.0376 8592 HTTP - ok
14:42:41.0388 8592 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
14:42:41.0389 8592 hwpolicy - ok
14:42:41.0401 8592 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
14:42:41.0403 8592 i8042prt - ok
14:42:41.0419 8592 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
14:42:41.0424 8592 iaStorV - ok
14:42:41.0437 8592 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\drivers\iirsp.sys
14:42:41.0439 8592 iirsp - ok
14:42:41.0454 8592 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
14:42:41.0455 8592 intelide - ok
14:42:41.0467 8592 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
14:42:41.0468 8592 intelppm - ok
14:42:41.0481 8592 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
14:42:41.0482 8592 IpFilterDriver - ok
14:42:41.0495 8592 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
14:42:41.0496 8592 IPMIDRV - ok
14:42:41.0510 8592 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
14:42:41.0512 8592 IPNAT - ok
14:42:41.0526 8592 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
14:42:41.0527 8592 IRENUM - ok
14:42:41.0539 8592 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
14:42:41.0540 8592 isapnp - ok
14:42:41.0553 8592 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
14:42:41.0556 8592 iScsiPrt - ok
14:42:41.0569 8592 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
14:42:41.0571 8592 kbdclass - ok
14:42:41.0583 8592 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
14:42:41.0584 8592 kbdhid - ok
14:42:41.0596 8592 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
14:42:41.0597 8592 KSecDD - ok
14:42:41.0609 8592 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
14:42:41.0611 8592 KSecPkg - ok
14:42:41.0623 8592 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
14:42:41.0624 8592 ksthunk - ok
14:42:41.0639 8592 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
14:42:41.0640 8592 lltdio - ok
14:42:41.0655 8592 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\drivers\lsi_fc.sys
14:42:41.0656 8592 LSI_FC - ok
14:42:41.0669 8592 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\drivers\lsi_sas.sys
14:42:41.0670 8592 LSI_SAS - ok
14:42:41.0683 8592 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\drivers\lsi_sas2.sys
14:42:41.0684 8592 LSI_SAS2 - ok
14:42:41.0696 8592 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\drivers\lsi_scsi.sys
14:42:41.0697 8592 LSI_SCSI - ok
14:42:41.0711 8592 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
14:42:41.0714 8592 luafv - ok
14:42:41.0726 8592 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\drivers\megasas.sys
14:42:41.0727 8592 megasas - ok
14:42:41.0741 8592 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys
14:42:41.0744 8592 MegaSR - ok
14:42:41.0755 8592 MEIx64 (a6518dcc42f7a6e999bb3bea8fd87567) C:\Windows\system32\DRIVERS\HECIx64.sys
14:42:41.0756 8592 MEIx64 - ok
14:42:41.0770 8592 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
14:42:41.0771 8592 Modem - ok
14:42:41.0784 8592 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
14:42:41.0785 8592 monitor - ok
14:42:41.0797 8592 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
14:42:41.0799 8592 mouclass - ok
14:42:41.0811 8592 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
14:42:41.0812 8592 mouhid - ok
14:42:41.0824 8592 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
14:42:41.0826 8592 mountmgr - ok
14:42:41.0839 8592 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
14:42:41.0841 8592 MpFilter - ok
14:42:41.0854 8592 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
14:42:41.0855 8592 mpio - ok
14:42:41.0867 8592 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
14:42:41.0868 8592 MpNWMon - ok
14:42:41.0881 8592 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
14:42:41.0883 8592 mpsdrv - ok
14:42:41.0896 8592 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
14:42:41.0898 8592 MRxDAV - ok
14:42:41.0912 8592 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
14:42:41.0915 8592 mrxsmb - ok
14:42:41.0933 8592 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
14:42:41.0938 8592 mrxsmb10 - ok
14:42:41.0951 8592 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
14:42:41.0952 8592 mrxsmb20 - ok
14:42:41.0965 8592 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
14:42:41.0966 8592 msahci - ok
14:42:41.0979 8592 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
14:42:41.0981 8592 msdsm - ok
14:42:41.0996 8592 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
14:42:41.0997 8592 Msfs - ok
14:42:42.0008 8592 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
14:42:42.0009 8592 mshidkmdf - ok
14:42:42.0021 8592 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
14:42:42.0021 8592 msisadrv - ok
14:42:42.0035 8592 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
14:42:42.0035 8592 MSKSSRV - ok
14:42:42.0047 8592 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
14:42:42.0048 8592 MSPCLOCK - ok
14:42:42.0060 8592 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
14:42:42.0061 8592 MSPQM - ok
14:42:42.0078 8592 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
14:42:42.0083 8592 MsRPC - ok
14:42:42.0096 8592 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
14:42:42.0097 8592 mssmbios - ok
14:42:42.0109 8592 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
14:42:42.0110 8592 MSTEE - ok
14:42:42.0123 8592 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\drivers\MTConfig.sys
14:42:42.0123 8592 MTConfig - ok
14:42:42.0136 8592 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
14:42:42.0138 8592 Mup - ok
14:42:42.0154 8592 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
14:42:42.0157 8592 NativeWifiP - ok
14:42:42.0184 8592 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
14:42:42.0199 8592 NDIS - ok
14:42:42.0212 8592 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
14:42:42.0213 8592 NdisCap - ok
14:42:42.0224 8592 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
14:42:42.0225 8592 NdisTapi - ok
14:42:42.0238 8592 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
14:42:42.0239 8592 Ndisuio - ok
14:42:42.0252 8592 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
14:42:42.0254 8592 NdisWan - ok
14:42:42.0267 8592 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
14:42:42.0269 8592 NDProxy - ok
14:42:42.0281 8592 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
14:42:42.0282 8592 NetBIOS - ok
14:42:42.0298 8592 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
14:42:42.0301 8592 NetBT - ok
14:42:42.0322 8592 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\drivers\nfrd960.sys
14:42:42.0323 8592 nfrd960 - ok
14:42:42.0335 8592 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
14:42:42.0336 8592 NisDrv - ok
14:42:42.0348 8592 nmjrbegk - ok
14:42:42.0361 8592 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
14:42:42.0362 8592 Npfs - ok
14:42:42.0374 8592 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
14:42:42.0375 8592 nsiproxy - ok
14:42:42.0401 8592 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
14:42:42.0414 8592 Ntfs - ok
14:42:42.0425 8592 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
14:42:42.0426 8592 Null - ok
14:42:42.0439 8592 NVHDA (960e39a54e525df58cb29193147dffa1) C:\Windows\system32\drivers\nvhda64v.sys
14:42:42.0441 8592 NVHDA - ok
14:42:42.0657 8592 nvlddmkm (b34e9bfbd9c61048ef6281c3e7ec210a) C:\Windows\system32\DRIVERS\nvlddmkm.sys
14:42:42.0856 8592 nvlddmkm - ok
14:42:42.0874 8592 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
14:42:42.0877 8592 nvraid - ok
14:42:42.0890 8592 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
14:42:42.0892 8592 nvstor - ok
14:42:42.0906 8592 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
14:42:42.0907 8592 nv_agp - ok
14:42:42.0919 8592 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
14:42:42.0920 8592 ohci1394 - ok
14:42:42.0936 8592 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\drivers\parport.sys
14:42:42.0937 8592 Parport - ok
14:42:42.0949 8592 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
14:42:42.0950 8592 partmgr - ok
14:42:42.0965 8592 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
14:42:42.0969 8592 pci - ok
14:42:42.0981 8592 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
14:42:42.0981 8592 pciide - ok
14:42:42.0994 8592 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\drivers\pcmcia.sys
14:42:42.0996 8592 pcmcia - ok
14:42:43.0008 8592 PCTBD (7b92f2574a45a99da507a153c7920e8a) C:\Windows\system32\Drivers\PCTBD64.sys
14:42:43.0009 8592 PCTBD - ok
14:42:43.0025 8592 PCTCore (b34958cf94a8e924e8870ea6fb5b1923) C:\Windows\system32\drivers\PCTCore64.sys
14:42:43.0028 8592 PCTCore - ok
14:42:43.0044 8592 pctDS (00cdbcb3178668c780a0c186b958a433) C:\Windows\system32\drivers\pctDS64.sys
14:42:43.0047 8592 pctDS - ok
14:42:43.0061 8592 PCTSD (2ab248581631e918b37b630516b005e7) C:\Windows\system32\Drivers\PCTSD64.sys
14:42:43.0063 8592 PCTSD - ok
14:42:43.0075 8592 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
14:42:43.0076 8592 pcw - ok
14:42:43.0097 8592 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
14:42:43.0104 8592 PEAUTH - ok
14:42:43.0129 8592 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
14:42:43.0132 8592 PptpMiniport - ok
14:42:43.0144 8592 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\drivers\processr.sys
14:42:43.0145 8592 Processor - ok
14:42:43.0159 8592 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
14:42:43.0161 8592 Psched - ok
14:42:43.0186 8592 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\drivers\ql2300.sys
14:42:43.0197 8592 ql2300 - ok
14:42:43.0210 8592 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\drivers\ql40xx.sys
14:42:43.0212 8592 ql40xx - ok
14:42:43.0224 8592 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
14:42:43.0225 8592 QWAVEdrv - ok
14:42:43.0236 8592 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
14:42:43.0237 8592 RasAcd - ok
14:42:43.0249 8592 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
14:42:43.0251 8592 RasAgileVpn - ok
14:42:43.0264 8592 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
14:42:43.0266 8592 Rasl2tp - ok
14:42:43.0279 8592 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
14:42:43.0280 8592 RasPppoe - ok
14:42:43.0293 8592 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
14:42:43.0294 8592 RasSstp - ok
14:42:43.0310 8592 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
14:42:43.0315 8592 rdbss - ok
14:42:43.0327 8592 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\drivers\rdpbus.sys
14:42:43.0327 8592 rdpbus - ok
14:42:43.0339 8592 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
14:42:43.0339 8592 RDPCDD - ok
14:42:43.0352 8592 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
14:42:43.0353 8592 RDPENCDD - ok
14:42:43.0364 8592 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
14:42:43.0365 8592 RDPREFMP - ok
14:42:43.0381 8592 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
14:42:43.0385 8592 RDPWD - ok
14:42:43.0399 8592 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
14:42:43.0401 8592 rdyboost - ok
14:42:43.0418 8592 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
14:42:43.0418 8592 rspndr - ok
14:42:43.0435 8592 RTL8167 (f4c374b1c46de294b573bb43723ac3f6) C:\Windows\system32\DRIVERS\Rt64win7.sys
14:42:43.0438 8592 RTL8167 - ok
14:42:43.0451 8592 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
14:42:43.0453 8592 sbp2port - ok
14:42:43.0466 8592 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
14:42:43.0467 8592 scfilter - ok
14:42:43.0481 8592 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
14:42:43.0482 8592 secdrv - ok
14:42:43.0496 8592 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
14:42:43.0497 8592 Serenum - ok
14:42:43.0509 8592 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
14:42:43.0510 8592 Serial - ok
14:42:43.0522 8592 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\drivers\sermouse.sys
14:42:43.0523 8592 sermouse - ok
14:42:43.0537 8592 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
14:42:43.0538 8592 sffdisk - ok
14:42:43.0549 8592 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
14:42:43.0550 8592 sffp_mmc - ok
14:42:43.0561 8592 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
14:42:43.0562 8592 sffp_sd - ok
14:42:43.0573 8592 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\drivers\sfloppy.sys
14:42:43.0573 8592 sfloppy - ok
14:42:43.0587 8592 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\drivers\SiSRaid2.sys
14:42:43.0588 8592 SiSRaid2 - ok
14:42:43.0600 8592 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\drivers\sisraid4.sys
14:42:43.0602 8592 SiSRaid4 - ok
14:42:43.0614 8592 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
14:42:43.0616 8592 Smb - ok
14:42:43.0630 8592 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
14:42:43.0631 8592 spldr - ok
14:42:43.0652 8592 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
14:42:43.0659 8592 srv - ok
14:42:43.0676 8592 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
14:42:43.0682 8592 srv2 - ok
14:42:43.0696 8592 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
14:42:43.0699 8592 srvnet - ok
14:42:43.0715 8592 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\drivers\stexstor.sys
14:42:43.0716 8592 stexstor - ok
14:42:43.0729 8592 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
14:42:43.0729 8592 swenum - ok
14:42:43.0761 8592 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
14:42:43.0774 8592 Tcpip - ok
14:42:43.0800 8592 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
14:42:43.0806 8592 TCPIP6 - ok
14:42:43.0819 8592 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
14:42:43.0820 8592 tcpipreg - ok
14:42:43.0832 8592 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
14:42:43.0833 8592 TDPIPE - ok
14:42:43.0845 8592 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
14:42:43.0846 8592 TDTCP - ok
14:42:43.0858 8592 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
14:42:43.0860 8592 tdx - ok
14:42:43.0874 8592 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\DRIVERS\termdd.sys
14:42:43.0875 8592 TermDD - ok
14:42:43.0891 8592 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
14:42:43.0893 8592 tssecsrv - ok
14:42:43.0905 8592 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
14:42:43.0907 8592 TsUsbFlt - ok
14:42:43.0919 8592 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\Windows\system32\drivers\TsUsbGD.sys
14:42:43.0919 8592 TsUsbGD - ok
14:42:43.0933 8592 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
14:42:43.0934 8592 tunnel - ok
14:42:43.0946 8592 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\drivers\uagp35.sys
14:42:43.0947 8592 uagp35 - ok
14:42:43.0962 8592 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
14:42:43.0966 8592 udfs - ok
14:42:43.0980 8592 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
14:42:43.0981 8592 uliagpkx - ok
14:42:43.0994 8592 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
14:42:43.0994 8592 umbus - ok
14:42:44.0006 8592 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\drivers\umpass.sys
14:42:44.0007 8592 UmPass - ok
14:42:44.0021 8592 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
14:42:44.0024 8592 usbccgp - ok
14:42:44.0036 8592 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
14:42:44.0037 8592 usbcir - ok
14:42:44.0050 8592 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\DRIVERS\usbehci.sys
14:42:44.0051 8592 usbehci - ok
14:42:44.0069 8592 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
14:42:44.0075 8592 usbhub - ok
14:42:44.0087 8592 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
14:42:44.0090 8592 usbohci - ok
14:42:44.0102 8592 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\drivers\usbprint.sys
14:42:44.0102 8592 usbprint - ok
14:42:44.0115 8592 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:42:44.0116 8592 USBSTOR - ok
14:42:44.0128 8592 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
14:42:44.0129 8592 usbuhci - ok
14:42:44.0143 8592 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
14:42:44.0144 8592 vdrvroot - ok
14:42:44.0157 8592 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
14:42:44.0157 8592 vga - ok
14:42:44.0169 8592 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
14:42:44.0170 8592 VgaSave - ok
14:42:44.0184 8592 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
14:42:44.0186 8592 vhdmp - ok
14:42:44.0197 8592 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
14:42:44.0198 8592 viaide - ok
14:42:44.0211 8592 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
14:42:44.0212 8592 volmgr - ok
14:42:44.0231 8592 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
14:42:44.0237 8592 volmgrx - ok
14:42:44.0254 8592 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
14:42:44.0259 8592 volsnap - ok
14:42:44.0273 8592 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
14:42:44.0275 8592 vsmraid - ok
14:42:44.0288 8592 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
14:42:44.0289 8592 vwifibus - ok
14:42:44.0303 8592 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
14:42:44.0303 8592 WacomPen - ok
14:42:44.0317 8592 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
14:42:44.0318 8592 WANARP - ok
14:42:44.0321 8592 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
14:42:44.0322 8592 Wanarpv6 - ok
14:42:44.0338 8592 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
14:42:44.0339 8592 Wd - ok
14:42:44.0360 8592 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
14:42:44.0369 8592 Wdf01000 - ok
14:42:44.0386 8592 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
14:42:44.0387 8592 WfpLwf - ok
14:42:44.0399 8592 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
14:42:44.0400 8592 WIMMount - ok
14:42:44.0421 8592 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
14:42:44.0421 8592 WmiAcpi - ok
14:42:44.0446 8592 WPN111 (788914c42ad8318f1dd7a565eaffb049) C:\Windows\system32\DRIVERS\WPN111vx.sys
14:42:44.0454 8592 WPN111 - ok
14:42:44.0466 8592 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
14:42:44.0467 8592 ws2ifsl - ok
14:42:44.0484 8592 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
14:42:44.0485 8592 WudfPf - ok
14:42:44.0499 8592 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
14:42:44.0501 8592 WUDFRd - ok
14:42:44.0516 8592 X6va005 - ok
14:42:44.0521 8592 MBR (0x1B8) (c0dcf0ac171db02db8b0014c5d767cf1) \Device\Harddisk1\DR1
14:42:44.0522 8592 \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.b ) - infected
14:42:44.0522 8592 \Device\Harddisk1\DR1 - detected Rootkit.Boot.Pihar.b (0)
14:42:44.0532 8592 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
14:42:44.0534 8592 \Device\Harddisk0\DR0 - ok
14:42:44.0535 8592 Boot (0x1200) (890d01c1580708c2a1a3b85d513f58ea) \Device\Harddisk1\DR1\Partition0
14:42:44.0536 8592 \Device\Harddisk1\DR1\Partition0 - ok
14:42:44.0537 8592 Boot (0x1200) (ba74bab7dcb90957bcf8775028699b6b) \Device\Harddisk1\DR1\Partition1
14:42:44.0538 8592 \Device\Harddisk1\DR1\Partition1 - ok
14:42:44.0547 8592 Boot (0x1200) (23aa9b65709af3878e04e9149b60c999) \Device\Harddisk0\DR0\Partition0
14:42:44.0548 8592 \Device\Harddisk0\DR0\Partition0 - ok
14:42:44.0548 8592 ============================================================
14:42:44.0548 8592 Scan finished
14:42:44.0548 8592 ============================================================
14:42:44.0554 7592 Detected object count: 1
14:42:44.0554 7592 Actual detected object count: 1
14:43:02.0077 7592 \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:43:02.0077 7592 \Device\Harddisk1\DR1 - ok
14:43:02.0078 7592 \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
14:43:28.0760 5780 Deinitialize success
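The line `MBR (0x1B8) (c0dcf0ac171db02db8b0014c5d767cf1) \Device\Harddisk1\DR1` in the log above is a hash of the master boot record, and it is the disk whose hash differs from Harddisk0's that the scanner then names as infected. The following is an added example, not part of the thread and not TDSSKiller's own code, showing how such a check is built on a raw 512-byte sector. It assumes that the 0x1B8 in the log is the length of the hashed region, i.e. the 440-byte bootstrap code that precedes the disk signature, the partition table and the 0x55AA marker; the boot code bytes, partition tuples and the function names are constructed for the example and are not real Windows boot code.

```python
"""Added example, not from the thread or from TDSSKiller: hash the bootstrap
region of an MBR the way the "MBR (0x1B8) (<md5>) \\Device\\HarddiskN\\DRN"
lines above report it, and compare disks against a known-clean baseline.

Assumption: 0x1B8 is the hashed length, i.e. the 440-byte boot code before
the 4-byte NT disk signature, 2 reserved bytes, the 64-byte partition table
and the 0x55AA marker. Hashing only the code area makes two disks carrying
the same boot code hash identically whatever their partition layout, so a
hash that differs between otherwise similar disks is the signal to chase.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 0x1B8      # 440 bytes of bootstrap code
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA
PART_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA, sectors


def bootcode_md5(mbr: bytes) -> str:
    """MD5 of the bootstrap region, in the form the log above prints."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    return hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """(bootable, type, lba_start, sector_count) for each populated entry."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append((status == 0x80, ptype, lba, count))
    return parts


def check_mbr(mbr: bytes, baseline_md5: str) -> dict:
    """Compare one disk's boot code with a hash captured from a disk you trust."""
    return {
        "valid_signature": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "bootcode_md5": bootcode_md5(mbr),
        "matches_baseline": bootcode_md5(mbr) == baseline_md5,
        "partitions": parse_partitions(mbr),
    }


def build_mbr(bootcode: bytes, partitions: list, disk_sig: int = 0x1A2B3C4D) -> bytes:
    """Assemble a sector from boot code and partition tuples (constructed test data)."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code does not fit in the 440-byte area")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(bootcode)] = bootcode
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    mbr[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(mbr)


# Constructed boot code: a few x86 segment-setup bytes padded with NOPs.
# Not Windows' boot code; it only needs to be stable bytes to hash.
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8" + b"\x90" * 64
# The "infected" copy keeps everything except the entry point, which is
# overwritten with a short jump: the smallest change a bootkit needs to
# divert the boot path before the OS loader runs.
INFECTED_BOOTCODE = b"\xEB\x40" + CLEAN_BOOTCODE[2:]

SYSTEM_PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1_000_000)]
DATA_PARTS = [(False, 0x07, 2048, 4_000_000)]

CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, SYSTEM_PARTS)
INFECTED_MBR = build_mbr(INFECTED_BOOTCODE, SYSTEM_PARTS)
BASELINE_MD5 = bootcode_md5(CLEAN_MBR)   # hash captured from the clean disk

if __name__ == "__main__":
    for label, sector in (("Harddisk0", CLEAN_MBR), ("Harddisk1", INFECTED_MBR)):
        r = check_mbr(sector, BASELINE_MD5)
        verdict = "ok" if r["matches_baseline"] else "boot code differs from baseline"
        print(f"MBR (0x1B8) ({r['bootcode_md5']}) {label} - {verdict}")
```

On a live Windows box the same functions take the first 512 bytes of `\\.\PhysicalDrive0` or `\\.\PhysicalDrive1`, opened as administrator, with the baseline hash taken from a disk you trust; a mismatch is a lead rather than a verdict, since OEM boot managers and disk encryption tools also rewrite the code area, and hashes alone cannot say which of two differing disks is the clean one, which is why the scanner above matched Harddisk1 against a signature rather than against Harddisk0.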

#8 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 22 January 2012 - 09:35 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 virado (Topic Starter, Members, 9 posts)

Posted 22 January 2012 - 09:58 PM

Here's the log.

When I tried to run ComboFix it said that avast antivirus was active, which it wasn't. I haven't had avast installed for almost 4 months now.

Nothing out of the ordinary so far.

ComboFix 12-01-23.01 - Geoffrey Sakai 01/22/2012 18:49:27.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8175.5681 [GMT -8:00]
Running from: e:\downloads\ComboFix.exe
Command switches used :: c:\users\Geoffrey Sakai\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))
.
.
2012-01-23 02:53 . 2012-01-23 02:53 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-23 02:53 . 2012-01-23 02:53 -------- d-----w- c:\users\Liz\AppData\Local\temp
2012-01-23 02:53 . 2012-01-23 02:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-20 10:00 . 2012-01-20 10:00 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Local\ElevatedDiagnostics
2012-01-20 09:47 . 2012-01-20 09:47 -------- d-sh--w- c:\windows\SysWow64\%USERPROFILE%
2012-01-19 05:01 . 2012-01-19 05:01 -------- d-----w- c:\program files (x86)\PC Tools
2012-01-16 21:29 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-16 21:29 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-16 21:29 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-16 21:29 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-16 21:29 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-16 21:29 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-16 21:29 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-16 21:29 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-13 06:02 . 2012-01-13 06:02 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-01-05 07:43 . 2012-01-20 06:31 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\Ventrilo
2012-01-05 07:42 . 2012-01-20 06:31 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2012-01-05 04:49 . 2012-01-05 04:49 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\RenPy
2012-01-03 21:35 . 2012-01-03 21:35 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-03 21:35 . 2012-01-03 21:35 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-03 21:35 . 2012-01-03 21:35 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-01-03 21:35 . 2012-01-03 21:35 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-12-27 21:38 . 2011-12-27 21:38 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\OpenOffice.org
2011-12-27 21:37 . 2011-12-27 21:37 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2011-12-24 06:56 . 2011-12-24 06:56 -------- d-----w- c:\users\Geoffrey Sakai\AppData\Roaming\Red Alert 3
2011-12-24 06:56 . 2011-12-24 06:56 -------- d--h--r- c:\users\Geoffrey Sakai\AppData\Roaming\SecuROM
2011-12-24 06:56 . 2011-12-24 06:56 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 23:18 . 2011-12-20 23:18 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-20 23:18 . 2011-12-20 23:18 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-12-20 23:18 . 2011-12-20 23:18 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-20 23:18 . 2011-12-20 23:18 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-11-24 04:52 . 2011-12-13 19:27 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 05:32 . 2011-12-13 19:27 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 04:26 . 2011-12-13 19:27 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-11-04 01:53 . 2011-12-14 11:00 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-11-04 01:44 . 2011-12-14 11:00 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 01:44 . 2011-12-14 11:00 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 01:34 . 2011-12-14 11:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-03 22:47 . 2011-12-14 11:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-11-03 22:40 . 2011-12-14 11:00 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-11-03 22:39 . 2011-12-14 11:00 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-11-03 22:31 . 2011-12-14 11:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-10-28 19:03 . 2011-11-12 20:35 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
2011-10-28 19:03 . 2011-11-12 20:32 230952 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2011-10-28 19:01 . 2011-11-12 20:35 14776 ----a-w- c:\windows\system32\drivers\pctBTFix64.sys
2011-10-28 18:41 . 2011-11-12 20:35 141312 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
2011-10-28 18:41 . 2011-11-12 20:35 336512 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
2011-10-26 05:21 . 2011-12-13 19:27 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 21:38 . 2011-11-12 20:35 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-10-25 21:38 . 2011-11-12 20:35 2291664 ----a-w- c:\windows\PCTBDCore.dll
2011-10-25 21:38 . 2011-11-12 20:35 1681360 ----a-w- c:\windows\PCTBDRes.dll
2011-10-25 21:38 . 2011-11-12 20:35 767952 ----a-w- c:\windows\BDTSupport.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-22_20.19.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-14 04:30 . 2012-01-22 20:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-01-14 04:30 . 2012-01-22 19:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-01-22 20:57 . 2012-01-22 20:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012012220120123\index.dat
- 2012-01-13 06:03 . 2012-01-22 19:42 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-01-13 06:03 . 2012-01-22 20:19 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-11-21 03:09 . 2012-01-22 23:00 45334 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-22 23:00 36928 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-01-22 19:42 36928 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:46 . 2012-01-22 20:26 92960 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-10-15 23:58 . 2012-01-22 23:00 8328 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2161452833-1771019687-3850249851-1000_UserData.bin
+ 2012-01-22 22:59 . 2012-01-22 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-22 22:59 . 2012-01-22 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-22 20:19 . 2012-01-22 20:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-01-22 20:19 180224 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-22 19:42 180224 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 02:36 . 2012-01-22 20:13 665110 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-22 23:03 665110 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-22 23:03 122878 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-01-22 20:13 122878 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-01-22 22:58 437112 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-01-22 20:18 437112 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-01-22 20:19 5390336 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-22 19:42 5390336 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-22 20:19 9535488 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-22 19:42 9535488 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-13 11:17 . 2012-01-22 22:43 1336140 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2012-01-13 11:17 . 2012-01-22 20:18 1336140 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2011-10-16 00:31 . 2012-01-22 20:18 37826980 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2161452833-1771019687-3850249851-1000-12288.dat
+ 2011-10-16 00:31 . 2012-01-22 22:58 37826980 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2161452833-1771019687-3850249851-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-10-16 3077528]
"Steam"="e:\programs\Steam\Steam.exe" [2011-11-25 1242448]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"SpybotSD TeaTimer"="e:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="e:\programs\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG_TRAY"="e:\programs\AVG anti-virus\avgtray.exe" [2011-12-03 2415456]
.
c:\users\Geoffrey Sakai\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - e:\programs\Rainmeter\Rainmeter.exe [2011-9-18 102912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0e:\programs\AVGANT~1\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 bbbqvmkb;bbbqvmkb;c:\windows\system32\drivers\bbbqvmkb.sys [x]
R1 ewrairbn;ewrairbn;c:\windows\system32\drivers\ewrairbn.sys [x]
R1 nmjrbegk;nmjrbegk;c:\windows\system32\drivers\nmjrbegk.sys [x]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\programs\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2011-12-13 25832]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\Drivers\PCTBD64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 X6va005;X6va005;c:\users\GEOFFR~1\AppData\Local\Temp\00540B9.tmp [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD64.sys [x]
S2 AVGIDSAgent;AVGIDSAgent;e:\programs\AVG anti-virus\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;e:\programs\AVG anti-virus\avgwdsvc.exe [2011-08-02 192776]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [x]
.
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - e:\programs\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\GEOFFR~1\AppData\Local\Temp\00540B9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2161452833-1771019687-3850249851-1000\Software\SecuROM\License information*]
"datasecu"=hex:fb,e0,0d,bb,fd,bc,73,eb,7b,0c,43,e1,17,ce,4b,24,c0,30,00,0e,9c,
99,01,9d,f4,04,9d,8b,e3,9b,30,77,4a,a5,87,e9,b7,d2,c6,46,8c,cc,b0,68,84,b6,\
"rkeysecu"=hex:2f,ff,fa,b7,a5,db,e8,a7,e6,20,3f,6c,77,0e,d1,e2
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-22 18:54:14
ComboFix-quarantined-files.txt 2012-01-23 02:54
ComboFix2.txt 2012-01-22 20:21
.
Pre-Run: 13,659,000,832 bytes free
Post-Run: 13,624,553,472 bytes free
.
- - End Of File - - 632B9B3518D79CA6262FFD483D9D16B0
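Several lines in the ComboFix log above are the ones a responder reads first: the `policies\system` block with `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` all at 0, `HideSCAHealth` at 1, three `R1` drivers with eight-letter names whose `.sys` files are missing (`[x]`), the `X6va005` service whose image lives under a Temp directory, and the `c:\windows\svchost.exe` that ComboFix deleted (the real svchost.exe lives in System32, with a 32-bit copy in SysWOW64). The following is an added triage example, not ComboFix's code and not part of the thread; the parsing regexes, the heuristics and the `triage` function are this example's own. The sample lines are copied from the log; the `c:\windows\system32\svchost.exe` line is a constructed control so the svchost check has a legitimate path to let through.

```python
"""Added triage example for ComboFix-style logs; not ComboFix's code and not
part of the thread. The checks below are this example's own heuristics."""
import re

# Sample input: lines copied from the ComboFix log above (the policy block,
# six service lines and the "Other Deletions" path). The last line is a
# constructed control with svchost.exe in its legitimate location.
SAMPLE_LOG = r'''
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"HideSCAHealth"= 1 (0x1)
R1 bbbqvmkb;bbbqvmkb;c:\windows\system32\drivers\bbbqvmkb.sys [x]
R1 ewrairbn;ewrairbn;c:\windows\system32\drivers\ewrairbn.sys [x]
R1 nmjrbegk;nmjrbegk;c:\windows\system32\drivers\nmjrbegk.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 X6va005;X6va005;c:\users\GEOFFR~1\AppData\Local\Temp\00540B9.tmp [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
c:\windows\svchost.exe
c:\windows\system32\svchost.exe
'''

POLICY_RE = re.compile(r'^"(\w+)"=\s*(-?\d+)\s*\(0x[0-9a-f]+\)$', re.I)
# R/S = running/stopped, digit = start type (0 boot, 1 system, 2 auto, 3 demand),
# then name;display;path and a bracketed file date+size or [x] if unreadable.
SERVICE_RE = re.compile(r'^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$')
EXE_RE = re.compile(r'^[a-z]:\\.+\.exe$', re.I)

# Policy values as ComboFix prints them; each entry is (is_weak, meaning).
WEAK_POLICY = {
    "EnableLUA": (lambda v: v == 0, "UAC disabled (EnableLUA=0)"),
    "ConsentPromptBehaviorAdmin": (lambda v: v == 0, "administrators elevate with no prompt (ConsentPromptBehaviorAdmin=0)"),
    "PromptOnSecureDesktop": (lambda v: v == 0, "elevation prompts not isolated on the secure desktop (PromptOnSecureDesktop=0)"),
    "HideSCAHealth": (lambda v: v == 1, "Action Center security warnings hidden (HideSCAHealth=1), commonly set by rogue security software"),
}


def parse_log(text: str):
    """Split a log excerpt into policy values, service entries and bare .exe paths."""
    policy, services, exe_paths = {}, [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            policy[m.group(1)] = int(m.group(2))
        elif m := SERVICE_RE.match(line):
            state, start, name, display, path, info = m.groups()
            services.append({"running": state == "R", "start": int(start), "name": name,
                             "display": display, "path": path, "file_missing": info == "x"})
        elif EXE_RE.match(line):
            exe_paths.append(line)
    return policy, services, exe_paths


def policy_findings(policy: dict) -> list:
    return [msg for key, (weak, msg) in WEAK_POLICY.items() if key in policy and weak(policy[key])]


def suspicious_services(services: list) -> list:
    """Flag boot/system-start drivers with missing files and random-looking names,
    and anything whose image path runs out of a Temp directory."""
    out = []
    for s in services:
        reasons = []
        # [x] alone is not enough (the AVG drivers above carry it too); the
        # eight-lowercase-letter name is what the three R1 entries share.
        if s["file_missing"] and s["start"] <= 1 and re.fullmatch(r"[a-z]{8}", s["name"]):
            reasons.append("boot/system-start driver, file missing, random-looking name")
        if re.search(r"\\temp\\", s["path"], re.I):
            reasons.append("driver image loaded from a Temp directory")
        if reasons:
            out.append((s["name"], reasons))
    return out


def misplaced_svchost(paths: list) -> list:
    """svchost.exe belongs in System32 (and SysWOW64 for the 32-bit copy); any
    other location is a masquerade, as with the c:\\windows\\svchost.exe above."""
    legit = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\svchost\.exe$", re.I)
    return [p for p in paths if p.lower().endswith("\\svchost.exe") and not legit.match(p)]


def triage(text: str) -> dict:
    policy, services, exe_paths = parse_log(text)
    return {"policy": policy_findings(policy),
            "services": suspicious_services(services),
            "svchost": misplaced_svchost(exe_paths)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for msg in result["policy"]:
        print("policy :", msg)
    for name, reasons in result["services"]:
        print("service:", name, "->", "; ".join(reasons))
    for path in result["svchost"]:
        print("svchost:", path, "-> outside System32/SysWOW64")
```

Two caveats on reading the output: a driver is flagged for its name pattern and missing file, not for `[x]` alone, and `X6va005` is flagged for where it loads from, not identified as anything in particular; what these findings justify is the follow-up the helper asks for, not a verdict on their own. Disabled UAC is also worth noting in context: with `EnableLUA=0`, anything the user runs already has full administrator rights, which is how a dropper gets to write an MBR in the first place.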

#10 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 22 January 2012 - 10:06 PM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo

#11 virado (Topic Starter, Members, 9 posts)

Posted 22 January 2012 - 11:42 PM

There you go

Update for Microsoft Office 2007 (KB2508958)
AaaaaAAaaaAAAaaAAAAaAAAAA!!! for the Awesome
Achron
Adobe Reader 9.4.6
Aliens vs. Predator
Apple Application Support
Apple Software Update
Audacity 1.2.6
Audiosurf
Bastion
Battlefield: Bad Company 2
Belkin Setup and Router Monitor
BitTorrent
Browser Defender 4.0
Command & Conquer™ Red Alert™ 3
Company of Heroes
D3DX10
Dragon Age: Origins - Ultimate Edition
Fallout 3 - Game of the Year Edition
Half-Life
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 27
Katawa Shoujo
Killing Floor
League of Legends
Left 4 Dead 2
Metro 2033
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Mozilla Firefox 9.0.1 (x86 en-US)
MSVCRT
Notepad++
NVIDIA 3D Vision Controller Driver
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OpenAL
OpenOffice.org 3.3
Orcs Must Die! Demo
Origin
Pando Media Booster
Pidgin
Portal 2
PunkBuster Services
Rainmeter
Realtek Ethernet Controller Driver
RGSS-RTP Standard
RPGXP
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 5.5
Spybot - Search & Destroy
Star Wars - Jedi Knight II: Jedi Outcast
Star Wars - Jedi Knight: Mysteries of the Sith
Star Wars Jedi Knight: Dark Forces II
Star Wars Jedi Knight: Jedi Academy
Star Wars: Dark Forces
Star Wars: Empire at War Gold
Star Wars: Knights of the Old Republic
Star Wars: The Old Republic
Steam
Team Fortress 2
Terraria
The Longest Journey Demo
The Sims Medieval
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual Studio 2008 x64 Redistributables
VLC media player 1.1.11
Warhammer 40,000: Dawn of War – Soulstorm
Warhammer® 40,000®: Dawn of War® II – Retribution™
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack

#12 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 22 January 2012 - 11:58 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore; just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.6
BitTorrent
Java™ 6 Update 22
Java™ 6 Update 27


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 virado

virado
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 23 January 2012 - 01:02 AM

I was unable to uninstall the Java update 27. When I tried, it returned this error:

Java 6 update 27

Error 1723: There is a problem with this Windows Installer package.
A DLL required for this install to complete cold not be run. Contact your support personnel or package vendor.

Other than that, no changes.

Malwarebytes log

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.23.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Geoffrey Sakai :: GLADOS [administrator]

Protection: Disabled

1/22/2012 9:58:38 PM
mbam-log-2012-01-22 (21-58-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214970
Time elapsed: 1 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:45 PM, on 1/22/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
E:\Programs\Steam\Steam.exe
E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
E:\Programs\AVG anti-virus\avgtray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
E:\Programs\pidgin.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
E:\Programs\Malwarebytes' Anti-Malware\mbam.exe
E:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: PC Tools Browser Defender - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Programs\AVG anti-virus\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Programs\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: PC Tools Browser Defender - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Programs\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "E:\Programs\AVG anti-virus\avgtray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] E:\Programs\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Steam] "E:\Programs\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2161452833-1771019687-3850249851-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2161452833-1771019687-3850249851-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Rainmeter.lnk = E:\Programs\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Programs\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Programs\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Programs\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programs\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Programs\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Programs\AVG anti-virus\avgpp.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - E:\Programs\AVG anti-virus\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - E:\Programs\AVG anti-virus\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - e:\programs\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9957 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:16 PM

Posted 23 January 2012 - 01:06 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to be; for any of these programs you can click on their icons (or start them from the control panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [GrooveMonitor] "E:\Programs\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
      O4 - HKCU\..\Run: [Steam] "E:\Programs\Steam\Steam.exe" -silent
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKUS\S-1-5-21-2161452833-1771019687-3850249851-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
      O4 - HKUS\S-1-5-21-2161452833-1771019687-3850249851-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
      O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
      O4 - Global Startup: Rainmeter.lnk = E:\Programs\Rainmeter\Rainmeter.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

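A defender-side way to triage a HijackThis log like the one posted in #13, grouping the O4 autostart entries by hive (the lines gringo_pr asks the user to review in #14) and flagging the "(file missing)" leftovers of removed software: an added example in Python, not code from the thread, from BleepingComputer or from HijackThis. It assumes the v2.0.4 line formats quoted in the thread; the sample log, including the AppData entry, is constructed.

```python
"""Triage a HijackThis v2 log: group O4 autostart entries, flag stale and user-path items.

Added example, not code from the thread or from HijackThis. Assumes the line
formats of HijackThis v2.0.4 as quoted in the thread; SAMPLE_LOG is constructed.
"""
import re

# Constructed sample in the v2.0.4 format (the AppData line is made up for illustration).
SAMPLE_LOG = r"""
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (file missing)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Steam] "E:\Programs\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updater] C:\Users\Example\AppData\Roaming\updater.exe (constructed entry)
O4 - HKUS\S-1-5-21-2161452833-1771019687-3850249851-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - Global Startup: Rainmeter.lnk = E:\Programs\Rainmeter\Rainmeter.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
"""

# Registry-backed O4 lines: "O4 - <hive>\..\Run: [name] command"
O4_REG = re.compile(r"^O4 - (?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder O4 lines: "O4 - Startup: name.lnk = path" / "O4 - Global Startup: ..."
O4_LNK = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Directories a normal user can write to; autostarts from here deserve a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def command_exe(cmd):
    """Extract the executable path from an autostart command (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.exe)\b", cmd)       # unquoted path may contain spaces
    return m.group(1) if m else cmd.split()[0]


def parse_o4(line):
    """Return {'hive', 'key', 'name', 'exe'} for an O4 line, or None for any other line."""
    m = O4_REG.match(line) or O4_LNK.match(line)
    if not m:
        return None
    key = m.group("key")
    hive = key.split("\\", 1)[0]                  # HKLM, HKCU, HKUS, Startup, Global Startup
    return {"hive": hive, "key": key, "name": m.group("name"), "exe": command_exe(m.group("cmd"))}


def triage(log_text):
    """Group autostarts by hive; collect '(file missing)' lines and user-path autostarts."""
    by_hive, stale, review = {}, [], []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if line.endswith("(file missing)"):       # usually leftovers of uninstalled software
            stale.append(line)
        entry = parse_o4(line)
        if entry is None:
            continue
        by_hive.setdefault(entry["hive"], []).append(entry)
        if any(marker in entry["exe"].lower() for marker in USER_WRITABLE):
            review.append(entry)
    return {"by_hive": by_hive, "stale": stale, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hive, entries in result["by_hive"].items():
        print(f"{hive}:")
        for e in entries:
            print(f"  [{e['name']}] -> {e['exe']}")
    print("\nStale entries (file missing):")
    for line in result["stale"]:
        print("  " + line[:90])
    print("\nAutostarts from user-writable paths, check before deciding to keep them:")
    for e in result["review"]:
        print(f"  [{e['name']}] -> {e['exe']}")
```

Paste a real log into SAMPLE_LOG (or read it from a file) to get the same grouping for an actual machine; the "(file missing)" list is what the uninstall step in #12 typically leaves behind.
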
#15 virado

virado
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 23 January 2012 - 04:48 AM

C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\Users\Geoffrey Sakai\AppData\Roaming\Mozilla\Firefox\Profiles\e5do5yaa.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\rd9bhhqk.default\extensions\{9ed404c1-082c-4489-a445-2c5b00467412}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
E:\Downloads\jq_warhammer_40krar.exe a variant of Win32/MediaGet application


The E:\Downloads\jq_warhammer_40krar.exe is a file I downloaded myself. It is a file containing a mod for a game.



