
Trojan.ZeroAccess.B Win7 removal problems


  • This topic is locked
31 replies to this topic

#1 Mootelp

Mootelp

  • Members
  • 15 posts

Posted 22 January 2012 - 07:56 PM

My computer is infected with Trojan.ZeroAccess.B. No matter what I do, it keeps coming back, so finally, as a last-straw effort, I reformatted my computer using the tools HP has installed on the laptop. Even after that was done, when I did a Norton scan, all the viruses and trojans that I have come to suspect are associated with Trojan.ZeroAccess.B were there but were deleted, and Trojan.ZeroAccess.B was found yet "requires manual removal", which is the notification I always get, no matter how many times I've tried to remove it.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Christa at 16:38:34 on 2012-01-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2667.690 [GMT -8:00]
.
AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Windows\system32\SearchIndexer.exe
-netsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe
C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10m_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Hewlett-Packard\Setup Manager\hpDST.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=C:\Windows\SysWOW64\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{03BC1ECE-6C87-44E2-A992-35F19316B5B0} : DhcpNameServer = 192.168.24.2
TCP: Interfaces\{130F8DB0-88DE-4538-9461-77498D05AB04} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-12-23 1157240]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120120.002\IDSviA64.sys [2012-1-20 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-6-10 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-3-4 354304]
R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-16 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-2-4 92216]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-6-10 1817088]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [2012-1-22 130008]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-01-22 21:38:04 -------- d-----w- C:\HP_TOOLS_mountHPSF
2012-01-22 10:34:18 -------- d-----w- C:\Users\Christa\AppData\Local\CrashDumps
2012-01-22 10:15:30 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-01-22 10:13:25 386168 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symnets.sys
2012-01-22 10:13:24 912504 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symefa64.sys
2012-01-22 10:13:24 744568 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\srtsp64.sys
2012-01-22 10:13:24 450680 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symds64.sys
2012-01-22 10:13:24 40568 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\srtspx64.sys
2012-01-22 10:13:24 171128 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\ironx64.sys
2012-01-22 10:13:04 -------- d-----w- C:\Windows\System32\drivers\NISx64\1206000.01D
2012-01-22 10:10:44 -------- d-----we C:\Windows\system64
2012-01-22 10:09:10 -------- d-----w- C:\Users\Christa\AppData\Local\AMD
2012-01-22 10:08:32 -------- d-----w- C:\Users\Christa\AppData\Local\ATI
2012-01-22 10:08:29 -------- d-----w- C:\Users\Christa\AppData\Roaming\PictureMover
2012-01-22 10:07:29 -------- d-----w- C:\Users\Christa\AppData\Roaming\hpqLog
2012-01-22 10:07:18 -------- d-----w- C:\Users\Christa\AppData\Roaming\Synaptics
2012-01-22 10:04:55 -------- d-----w- C:\Users\Christa\AppData\Local\RemEngine
2012-01-22 09:53:15 -------- d-----w- C:\Users\Christa\AppData\Local\Hewlett-Packard
2012-01-22 09:53:03 -------- d-----w- C:\Users\Christa\AppData\Local\VirtualStore
2012-01-22 09:52:13 -------- d-----w- C:\Users\Christa\AppData\Local\Hewlett-Packard_Company
2012-01-22 02:33:11 20480 ----a-w- C:\Windows\svchost.exe
.
==================== Find3M ====================
.
2012-01-22 10:13:28 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
.
============= FINISH: 16:40:37.57 ===============
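The DDS log above is what the helper reads by hand. As an added example (not a BleepingComputer or DDS tool), the Python below parses the log's section headers and automates two checks a responder applies to the "Running Processes" and "Created Last 30" sections: a core Windows binary name (svchost.exe and the like) sitting outside System32/SysWOW64, and a process entry that carries no image path at all. The sample input is a constructed excerpt of the log above; the function names are the example's own.

```python
"""Heuristic review of a DDS-style log (added example; not a BleepingComputer or
DDS tool).  Two checks a responder applies by hand are automated here:
  * a core Windows binary name (svchost.exe, lsass.exe, ...) that lives outside
    System32 / SysWOW64, in either 'Running Processes' or 'Created Last 30';
  * a 'Running Processes' entry that carries no image path at all.
Neither check proves infection; it tells the reader where to look first."""
import re

# Basenames Windows ships only under System32 (and SysWOW64 on x64 builds).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "wininit.exe", "lsm.exe", "explorer.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# explorer.exe is the one core binary that legitimately lives in C:\Windows.
EXPECTED_DIRS_BY_NAME = {"explorer.exe": {r"c:\windows"}}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}; DDS's '.' spacers are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def _split_path(path):
    """Lower-cased (directory, basename) of a Windows path."""
    directory, _, name = path.strip('"').lower().rpartition("\\")
    return directory, name


def _misplaced(directory, name):
    """True when a core binary name sits somewhere Windows would never put it."""
    return name in CORE_BINARIES and directory not in EXPECTED_DIRS_BY_NAME.get(name, EXPECTED_DIRS)


def check_process_line(line):
    """Finding for one 'Running Processes' line, or None."""
    image = line.split(" -k ")[0].strip()        # drop svchost's service-group argument
    if not re.match(r"^[a-zA-Z]:\\", image):    # DDS printed no image path, only arguments
        return f"no image path (command line only): {line!r}"
    directory, name = _split_path(image)
    if _misplaced(directory, name):
        return f"{name} running from {directory}"
    return None


def check_created_line(line):
    """Finding for one 'Created Last 30' line (date time size attrs path), or None."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    ts, size, attrs, path = m.groups()
    if attrs.startswith("d"):                    # directory entry: no binary to judge
        return None
    directory, name = _split_path(path)
    if _misplaced(directory, name):
        return f"{name} written to {directory} ({size} bytes, {ts})"
    return None


def review(text):
    """All findings for a log, in the order DDS printed the lines."""
    sections = parse_sections(text)
    checks = (("Running Processes", check_process_line),
              ("Created Last 30", check_created_line))
    return [f for section, check in checks
            for f in map(check, sections.get(section, [])) if f]


# Constructed sample: an excerpt of the DDS log posted above.
SAMPLE = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Explorer.EXE
-netsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
=============== Created Last 30 ================
.
2012-01-22 21:38:04 -------- d-----w- C:\HP_TOOLS_mountHPSF
2012-01-22 10:13:25 386168 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symnets.sys
2012-01-22 02:33:11 20480 ----a-w- C:\Windows\svchost.exe
.
============= FINISH: 16:40:37.57 ===============
"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Run against the full log, the same two entries surface: the bare "-netsvcs" process line and a 20480-byte svchost.exe created directly in C:\Windows.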



#2 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 28 January 2012 - 07:52 PM

Hello Mootelp,

My name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================


Thanks for posting your log. Logs take a while to process due to intensive research that must be done. Please give me some time to look over your logs and I will post back soon.
regards, ratman


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM




#3 Mootelp

Mootelp
  • Topic Starter

  • Members
  • 15 posts

Posted 28 January 2012 - 08:36 PM

Hello Ratman,
Thanks for taking the time to help me with my problem. A lot has happened since the post: I had a Windows update, and after the update finished I logged on to find that all my icons and things in my start menu had gone missing, so I restored to a previous restore point. So I don't know if I should make another log or not. I'll just wait for you to tell me what to do.

#4 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 29 January 2012 - 06:19 AM

Hello Mootelp,

Please download ComboFix from here:

Link


* IMPORTANT !!! Save ComboFix.exe to your Desktop.

  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Right click on the ComboFix icon and run as admin, then follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please copy/paste the contents of the following:
  • C:\Combofix.txt

How is your machine running now? Please describe any issues you may be having.

regards, ratman




#5 Mootelp

Mootelp
  • Topic Starter

  • Members
  • 15 posts

Posted 29 January 2012 - 08:35 PM

After I ran CheckFix with admin rights and restarted, I was unable to open any of my internet browsers, and when I tried to install Firefox from my Firefox setup I was unable to, due to them "tampering with keys registered for deletion", so I had to copy the log onto an external drive and I'm pasting this from my main computer. I haven't checked any of my other files, but seeing as the computer was reformatted to factory settings when I first tried to clear the trojan before seeking help, there isn't much to check. So here is the log:

ComboFix 12-01-29.02 - Christa 01/29/2012 10:46:22.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2667.1412 [GMT -8:00]
Running from: c:\users\Christa\Downloads\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Internet Explorer\6469.tmp
c:\program files (x86)\Internet Explorer\9E9C.tmp
c:\program files (x86)\Internet Explorer\C627.tmp
c:\program files (x86)\LP
c:\program files (x86)\LP\2AB2\2D5E.tmp
c:\program files (x86)\LP\2AB2\8F5C.tmp
c:\program files (x86)\LP\2AB2\A049.tmp
c:\program files (x86)\LP\2AB2\E6BC.tmp
c:\programdata\configremote.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))
.
.
2012-01-29 18:57 . 2012-01-29 18:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-29 07:16 . 2012-01-17 12:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0480277C-D444-47EB-845C-0DEB32718932}\mpengine.dll
2012-01-29 06:58 . 2010-11-16 20:01 8199504 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5AD075E-AC44-4042-BA71-9210F45EC85A}\mpengine.dll
2012-01-27 21:49 . 2012-01-27 21:49 -------- d-----w- C:\2A42D
2012-01-26 23:12 . 2012-01-29 07:06 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-01-26 21:04 . 2010-11-16 20:01 8199504 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B579CF8A-CEF2-4498-87CB-FD8EC4CBF9FA}\mpengine.dll
2012-01-25 04:24 . 2012-01-26 07:33 -------- d--h--w- c:\program files (x86)\2DAFC
2012-01-24 21:44 . 2012-01-24 21:45 -------- d--h--w- c:\programdata\VirtualizedApplications
2012-01-23 11:00 . 2012-01-23 11:00 -------- d--h--w- c:\program files (x86)\Microsoft.NET
2012-01-23 09:35 . 2012-01-23 09:35 -------- d-----w- c:\windows\SysWow64\Wat
2012-01-23 09:35 . 2012-01-23 09:35 -------- d-----w- c:\windows\system32\Wat
2012-01-23 09:09 . 2012-01-23 09:09 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-23 09:08 . 2012-01-23 09:08 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{88821770-BC3F-4CF3-A7CC-C0933D2DAD24}\offreg.dll
2012-01-23 09:00 . 2009-05-18 21:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-01-23 09:00 . 2008-04-17 20:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-01-23 09:00 . 2008-04-17 20:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-01-23 08:58 . 2012-01-26 09:55 -------- d-----w- c:\program files\iPod
2012-01-23 08:58 . 2012-01-29 06:54 -------- d-----w- c:\program files (x86)\iTunes
2012-01-23 08:58 . 2012-01-26 09:55 -------- d-----w- c:\programdata\Apple Computer
2012-01-23 08:58 . 2012-01-26 09:55 -------- d-----w- c:\program files\iTunes
2012-01-23 08:58 . 2012-01-26 09:37 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-23 08:54 . 2012-01-26 09:53 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-01-23 08:49 . 2012-01-26 09:55 -------- d-----w- c:\program files\Common Files\Apple
2012-01-23 08:43 . 2012-01-26 09:55 -------- d-----w- c:\program files\Bonjour
2012-01-23 08:43 . 2012-01-26 09:53 -------- d-----w- c:\program files (x86)\Bonjour
2012-01-23 08:41 . 2012-01-26 09:55 -------- d-----w- c:\programdata\Apple
2012-01-23 08:41 . 2012-01-26 09:32 -------- d-----w- c:\program files (x86)\Common Files\Apple
2012-01-23 07:58 . 2011-11-17 05:35 314880 ----a-w- c:\windows\SysWow64\webio.dll
2012-01-23 07:36 . 2011-04-22 22:15 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-01-23 07:35 . 2011-04-25 02:34 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-23 07:34 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2012-01-23 07:21 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-23 07:21 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-23 07:21 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-01-23 07:21 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-01-23 07:21 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-01-23 07:17 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-23 07:17 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-23 01:16 . 2012-01-26 07:05 -------- d-----r- C:\MSOCache
2012-01-23 01:14 . 2012-01-23 01:14 -------- d--h--w- c:\program files (x86)\MSXML 4.0
2012-01-23 01:09 . 2012-01-29 07:24 -------- d-----w- c:\program files (x86)\Microsoft Application Virtualization Client
2012-01-22 21:38 . 2012-01-22 21:38 -------- d-----w- C:\HP_TOOLS_mountHPSF
2012-01-22 10:15 . 2012-01-22 10:15 -------- d--h--w- c:\program files (x86)\Common Files\Symantec Shared
2012-01-22 10:10 . 2012-01-22 10:10 -------- d-----we c:\windows\system64
2012-01-22 09:53 . 2012-01-22 09:53 -------- d--h--w- c:\users\Public\Symantec
2012-01-22 09:47 . 2012-01-29 06:56 -------- d-----w- c:\users\Christa
2012-01-22 09:47 . 2012-01-22 09:47 -------- d--h--w- c:\windows\Sun
2012-01-22 02:33 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-22 09:50 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-12-07 18:39 . 2010-11-21 03:27 279096 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-04 336384]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 318520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-17 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-11-18 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys [2010-08-09 945200]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1201000.025\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1201000.025\SYMEFA64.SYS [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVia64.sys [2010-06-27 463408]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1201000.025\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NISx64\1201000.025\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-03-04 354304]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-04 92216]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-28 1817088]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [2010-07-23 126904]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\HPCeeScheduleForChrista.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 6602856]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\users\Christa\AppData\Roaming\Mozilla\Firefox\Profiles\5k3az8zg.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-configremote - c:\programdata\configremote.exe
Wow6432Node-HKLM-Run-krnlhtml - c:\users\Christa\AppData\Roaming\krnlhtml.exe
Wow6432Node-HKLM-Run-dplaysvr - %LOCALAPPDATA%\dplaysvr.exe
Wow6432Node-HKU-Default-Run-configremote - c:\programdata\configremote.exe
Wow6432Node-HKU-Default-Run-krnlhtml - c:\users\Christa\AppData\Roaming\krnlhtml.exe
Wow6432Node-HKU-Default-Run-dplaysvr - %LOCALAPPDATA%\dplaysvr.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{9FEFA8C2-80EB-4B7A-BDE0-E077D94C36C4} - c:\program files (x86)\InstallShield Installation Information\{9FEFA8C2-80EB-4B7A-BDE0-E077D94C36C4}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.1.0.37\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
.
**************************************************************************
.
Completion time: 2012-01-29 11:10:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-29 19:10
.
Pre-Run: 270,472,704,000 bytes free
Post-Run: 271,233,163,264 bytes free
.
- - End Of File - - 614A578A7F842836468764849057D148

#6 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:06:29 PM

Posted 30 January 2012 - 09:27 AM

Hello Mootelp,

I want you to run TDSSKiller:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

===================================================================================



In your next reply, please copy/paste the contents of the following:
  • TDSSKiller Log

regards, ratman


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

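The log the helper asks for has a regular line layout (visible in the reply below): an optional "name (md5) path" line followed by a "name - verdict" line, each prefixed by a timestamp and a thread id. As an added example, not code from the thread or from Kaspersky, here is a small Python triage script that pairs those lines and flags what a responder should look at: any verdict other than "ok", a service with no readable image file, and a driver whose hash no longer matches a reference taken from a clean machine of the same build (a ZeroAccess-style infection overwrites a legitimate driver, which the verdict line alone does not reveal). The sample log, its hashes, the non-"ok" verdict wording and the reference-hash map are all constructed for illustration.

```python
"""Triage a TDSSKiller scan log of the kind posted in this thread.

Added example, not code from the thread or from Kaspersky. Assumes the
line layout visible in the reply below. SAMPLE_LOG and REFERENCE_MD5 are
constructed; real TDSSKiller verdict wording for a detection differs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "12:55:36.0102 4932 1394ohci (a87d604a...) C:\Windows\system32\drivers\1394ohci.sys"
FILE_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"            # timestamp and thread id
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# "12:55:36.0102 4932 1394ohci - ok"   (a single-token name keeps the
# "Drive \Device\Harddisk0\DR0 - Size: ..." header lines from matching)
VERDICT_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
    r"(?P<name>\S+)\s+-\s+(?P<verdict>.+?)\s*$"
)


@dataclass
class Entry:
    name: str
    verdict: str
    md5: Optional[str] = None
    path: Optional[str] = None


def parse_tdsskiller_log(text: str) -> List[Entry]:
    """Pair each image line with the verdict line that follows it."""
    entries: List[Entry] = []
    pending: Dict[str, Tuple[str, str]] = {}  # image lines awaiting a verdict
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            pending[m["name"]] = (m["md5"].lower(), m["path"])
            continue
        m = VERDICT_LINE.match(line)
        if m:
            md5, path = pending.pop(m["name"], (None, None))
            entries.append(Entry(m["name"], m["verdict"], md5, path))
    return entries


def triage(entries: List[Entry],
           reference_md5: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs worth a responder's attention.

    reference_md5 maps driver name -> MD5 from a clean machine of the same
    Windows build (an assumed input; the thread does not contain one).
    """
    reference_md5 = reference_md5 or {}
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.verdict.lower() != "ok":
            findings.append((e.name, f"verdict '{e.verdict}'"))
        elif e.md5 is None:
            # A verdict with no image line: the service has no readable file.
            # In the thread's log this is 'catchme', ComboFix's own driver.
            findings.append((e.name, "no image file recorded"))
        elif e.name in reference_md5 and reference_md5[e.name] != e.md5:
            findings.append((e.name, f"md5 differs from reference ({e.path})"))
    return findings


# Constructed sample in the thread's log layout: two clean-looking drivers
# (one with an altered hash), a file-less service, a non-ok verdict, and a
# disk header line that must be ignored by the parser.
SAMPLE_LOG = r"""
12:55:36.0102 4932 1394ohci (0123456789abcdef0123456789abcdef) C:\Windows\system32\drivers\1394ohci.sys
12:55:36.0102 4932 1394ohci - ok
12:55:38.0629 4932 atapi (00000000000000000000000000000bad) C:\Windows\system32\drivers\atapi.sys
12:55:38.0629 4932 atapi - ok
12:55:40.0080 4932 catchme - ok
12:55:41.0000 4932 sample_drv (ffffffffffffffffffffffffffffffff) C:\Windows\system32\drivers\sample.sys
12:55:41.0000 4932 sample_drv - suspicious (constructed verdict)
12:55:27.0007 4932 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200
"""

# Constructed reference: 1394ohci matches the log, atapi does not.
REFERENCE_MD5 = {
    "1394ohci": "0123456789abcdef0123456789abcdef",
    "atapi": "02062c0b390b7729edc9e69c680a6f3c",
}


def run_sample() -> List[Tuple[str, str]]:
    """Parse the constructed log and return its findings."""
    return triage(parse_tdsskiller_log(SAMPLE_LOG), REFERENCE_MD5)


if __name__ == "__main__":
    for name, reason in run_sample():
        print(f"{name}: {reason}")
```

On a real log, feed the full file to parse_tdsskiller_log and supply a reference map built from the same tool's output on a known-clean machine of the same build.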



#7 Mootelp

Mootelp
  • Topic Starter

  • Members
  • 15 posts
  • Local time:09:29 AM

Posted 30 January 2012 - 04:03 PM

12:55:24.0215 4840 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
12:55:24.0652 4840 ============================================================
12:55:24.0652 4840 Current date / time: 2012/01/30 12:55:24.0652
12:55:24.0652 4840 SystemInfo:
12:55:24.0652 4840
12:55:24.0652 4840 OS Version: 6.1.7601 ServicePack: 1.0
12:55:24.0652 4840 Product type: Workstation
12:55:24.0652 4840 ComputerName: CREATIVESEXBOT2
12:55:24.0652 4840 UserName: Christa
12:55:24.0652 4840 Windows directory: C:\Windows
12:55:24.0652 4840 System windows directory: C:\Windows
12:55:24.0652 4840 Running under WOW64
12:55:24.0652 4840 Processor architecture: Intel x64
12:55:24.0652 4840 Number of processors: 2
12:55:24.0652 4840 Page size: 0x1000
12:55:24.0652 4840 Boot type: Normal boot
12:55:24.0652 4840 ============================================================
12:55:27.0007 4840 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
12:55:27.0038 4840 Drive \Device\Harddisk1\DR1 - Size: 0x7470C05E00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
12:55:27.0413 4840 \Device\Harddisk0\DR0:
12:55:27.0428 4840 MBR used
12:55:27.0428 4840 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x63800
12:55:27.0428 4840 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x64000, BlocksNum 0x2381D000
12:55:27.0428 4840 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x23881000, BlocksNum 0x1B79800
12:55:27.0428 4840 \Device\Harddisk0\DR0\Partition3: MBR, Type 0xC, StartLBA 0x253FA800, BlocksNum 0x33AB0
12:55:27.0428 4840 \Device\Harddisk1\DR1:
12:55:27.0428 4840 MBR used
12:55:27.0428 4840 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C41
12:55:27.0600 4840 Initialize success
12:55:27.0600 4840 ============================================================
12:55:35.0197 4932 ============================================================
12:55:35.0197 4932 Scan started
12:55:35.0197 4932 Mode: Manual;
12:55:35.0197 4932 ============================================================
12:55:36.0102 4932 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
12:55:36.0102 4932 1394ohci - ok
12:55:36.0164 4932 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
12:55:36.0180 4932 ACPI - ok
12:55:36.0289 4932 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
12:55:36.0289 4932 AcpiPmi - ok
12:55:36.0383 4932 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
12:55:36.0414 4932 adp94xx - ok
12:55:36.0554 4932 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
12:55:36.0554 4932 adpahci - ok
12:55:36.0695 4932 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
12:55:36.0695 4932 adpu320 - ok
12:55:36.0804 4932 AFD (d5b031c308a409a0a576bff4cf083d30) C:\Windows\system32\drivers\afd.sys
12:55:36.0820 4932 AFD - ok
12:55:36.0929 4932 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
12:55:36.0944 4932 agp440 - ok
12:55:36.0991 4932 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
12:55:37.0007 4932 aliide - ok
12:55:37.0100 4932 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
12:55:37.0116 4932 amdide - ok
12:55:37.0163 4932 amdiox64 (6a2eeb0c4133b20773bb3dd0b7b377b4) C:\Windows\system32\DRIVERS\amdiox64.sys
12:55:37.0163 4932 amdiox64 - ok
12:55:37.0241 4932 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
12:55:37.0241 4932 AmdK8 - ok
12:55:37.0568 4932 amdkmdag (e93230b4214a90854be7f27e61c1e8fd) C:\Windows\system32\DRIVERS\atikmdag.sys
12:55:37.0787 4932 amdkmdag - ok
12:55:37.0849 4932 amdkmdap (2b614a1cb27f36c5b2d96e554472a809) C:\Windows\system32\DRIVERS\atikmpag.sys
12:55:37.0865 4932 amdkmdap - ok
12:55:37.0912 4932 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
12:55:37.0927 4932 AmdPPM - ok
12:55:37.0958 4932 amdsata (6ec6d772eae38dc17c14aed9b178d24b) C:\Windows\system32\drivers\amdsata.sys
12:55:37.0974 4932 amdsata - ok
12:55:38.0099 4932 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
12:55:38.0114 4932 amdsbs - ok
12:55:38.0146 4932 amdxata (1142a21db581a84ea5597b03a26ebaa0) C:\Windows\system32\drivers\amdxata.sys
12:55:38.0146 4932 amdxata - ok
12:55:38.0177 4932 amd_sata (80a508d0c7a21bc13c01d4c671541203) C:\Windows\system32\DRIVERS\amd_sata.sys
12:55:38.0177 4932 amd_sata - ok
12:55:38.0208 4932 amd_xata (2be940f3a632a1a301b22b096bf221f1) C:\Windows\system32\DRIVERS\amd_xata.sys
12:55:38.0208 4932 amd_xata - ok
12:55:38.0270 4932 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
12:55:38.0270 4932 AppID - ok
12:55:38.0426 4932 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
12:55:38.0426 4932 arc - ok
12:55:38.0442 4932 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
12:55:38.0442 4932 arcsas - ok
12:55:38.0536 4932 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
12:55:38.0536 4932 AsyncMac - ok
12:55:38.0629 4932 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
12:55:38.0629 4932 atapi - ok
12:55:38.0816 4932 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
12:55:38.0848 4932 b06bdrv - ok
12:55:38.0926 4932 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
12:55:38.0941 4932 b57nd60a - ok
12:55:39.0097 4932 BCM43XX (9e84a931dbee0292e38ed672f6293a99) C:\Windows\system32\DRIVERS\bcmwl664.sys
12:55:39.0144 4932 BCM43XX - ok
12:55:39.0222 4932 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
12:55:39.0238 4932 Beep - ok
12:55:39.0378 4932 BHDrvx64 (95da658498248d5832aa240850706150) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys
12:55:39.0394 4932 BHDrvx64 - ok
12:55:39.0550 4932 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\drivers\blbdrive.sys
12:55:39.0550 4932 blbdrive - ok
12:55:39.0628 4932 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
12:55:39.0643 4932 bowser - ok
12:55:39.0721 4932 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
12:55:39.0737 4932 BrFiltLo - ok
12:55:39.0768 4932 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\BrFiltUp.sys
12:55:39.0768 4932 BrFiltUp - ok
12:55:39.0815 4932 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
12:55:39.0830 4932 BridgeMP - ok
12:55:39.0877 4932 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
12:55:39.0893 4932 Brserid - ok
12:55:39.0940 4932 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
12:55:39.0940 4932 BrSerWdm - ok
12:55:39.0971 4932 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
12:55:39.0971 4932 BrUsbMdm - ok
12:55:40.0018 4932 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
12:55:40.0018 4932 BrUsbSer - ok
12:55:40.0049 4932 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\drivers\bthmodem.sys
12:55:40.0049 4932 BTHMODEM - ok
12:55:40.0080 4932 catchme - ok
12:55:40.0158 4932 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
12:55:40.0158 4932 cdfs - ok
12:55:40.0267 4932 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
12:55:40.0267 4932 cdrom - ok
12:55:40.0423 4932 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\drivers\circlass.sys
12:55:40.0423 4932 circlass - ok
12:55:40.0470 4932 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
12:55:40.0486 4932 CLFS - ok
12:55:40.0595 4932 clwvd (50f92c943f18b070f166d019dfab3d9a) C:\Windows\system32\DRIVERS\clwvd.sys
12:55:40.0595 4932 clwvd - ok
12:55:40.0688 4932 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\drivers\CmBatt.sys
12:55:40.0688 4932 CmBatt - ok
12:55:40.0720 4932 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
12:55:40.0720 4932 cmdide - ok
12:55:40.0766 4932 CNG (c4943b6c962e4b82197542447ad599f4) C:\Windows\system32\Drivers\cng.sys
12:55:40.0766 4932 CNG - ok
12:55:40.0860 4932 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\drivers\compbatt.sys
12:55:40.0860 4932 Compbatt - ok
12:55:40.0891 4932 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
12:55:40.0907 4932 CompositeBus - ok
12:55:40.0954 4932 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\drivers\crcdisk.sys
12:55:40.0969 4932 crcdisk - ok
12:55:41.0110 4932 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
12:55:41.0110 4932 DfsC - ok
12:55:41.0172 4932 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
12:55:41.0172 4932 discache - ok
12:55:41.0250 4932 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\drivers\disk.sys
12:55:41.0250 4932 Disk - ok
12:55:41.0359 4932 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
12:55:41.0359 4932 drmkaud - ok
12:55:41.0437 4932 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
12:55:41.0453 4932 DXGKrnl - ok
12:55:41.0593 4932 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
12:55:41.0702 4932 ebdrv - ok
12:55:41.0874 4932 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
12:55:41.0905 4932 elxstor - ok
12:55:41.0921 4932 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
12:55:41.0936 4932 ErrDev - ok
12:55:41.0983 4932 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
12:55:41.0999 4932 exfat - ok
12:55:42.0030 4932 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
12:55:42.0030 4932 fastfat - ok
12:55:42.0092 4932 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\drivers\fdc.sys
12:55:42.0092 4932 fdc - ok
12:55:42.0202 4932 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
12:55:42.0202 4932 FileInfo - ok
12:55:42.0248 4932 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
12:55:42.0248 4932 Filetrace - ok
12:55:42.0326 4932 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\drivers\flpydisk.sys
12:55:42.0342 4932 flpydisk - ok
12:55:42.0404 4932 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
12:55:42.0404 4932 FltMgr - ok
12:55:42.0482 4932 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
12:55:42.0482 4932 FsDepends - ok
12:55:42.0514 4932 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
12:55:42.0514 4932 Fs_Rec - ok
12:55:42.0592 4932 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
12:55:42.0592 4932 fvevol - ok
12:55:42.0654 4932 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\drivers\gagp30kx.sys
12:55:42.0654 4932 gagp30kx - ok
12:55:42.0732 4932 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
12:55:42.0732 4932 GEARAspiWDM - ok
12:55:42.0779 4932 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
12:55:42.0779 4932 hcw85cir - ok
12:55:42.0857 4932 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
12:55:42.0872 4932 HdAudAddService - ok
12:55:42.0919 4932 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
12:55:42.0919 4932 HDAudBus - ok
12:55:42.0966 4932 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\drivers\HidBatt.sys
12:55:42.0982 4932 HidBatt - ok
12:55:43.0028 4932 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\drivers\hidbth.sys
12:55:43.0028 4932 HidBth - ok
12:55:43.0091 4932 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\drivers\hidir.sys
12:55:43.0106 4932 HidIr - ok
12:55:43.0169 4932 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\drivers\hidusb.sys
12:55:43.0169 4932 HidUsb - ok
12:55:43.0356 4932 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
12:55:43.0356 4932 HpSAMD - ok
12:55:43.0528 4932 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
12:55:43.0574 4932 HTTP - ok
12:55:43.0606 4932 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
12:55:43.0606 4932 hwpolicy - ok
12:55:43.0715 4932 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
12:55:43.0715 4932 i8042prt - ok
12:55:43.0762 4932 iaStorV (3df4395a7cf8b7a72a5f4606366b8c2d) C:\Windows\system32\drivers\iaStorV.sys
12:55:43.0777 4932 iaStorV - ok
12:55:43.0902 4932 IDSVia64 (c3292140bf458b46cf8abbfd7e177bbe) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVia64.sys
12:55:43.0902 4932 IDSVia64 - ok
12:55:44.0027 4932 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\drivers\iirsp.sys
12:55:44.0027 4932 iirsp - ok
12:55:44.0167 4932 IntcAzAudAddService (336c3a6bf14d5a9af35af07c6b6b29cd) C:\Windows\system32\drivers\RTKVHD64.sys
12:55:44.0183 4932 IntcAzAudAddService - ok
12:55:44.0214 4932 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
12:55:44.0214 4932 intelide - ok
12:55:44.0261 4932 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\drivers\intelppm.sys
12:55:44.0261 4932 intelppm - ok
12:55:44.0323 4932 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
12:55:44.0323 4932 IpFilterDriver - ok
12:55:44.0370 4932 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
12:55:44.0386 4932 IPMIDRV - ok
12:55:44.0448 4932 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
12:55:44.0448 4932 IPNAT - ok
12:55:44.0557 4932 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
12:55:44.0557 4932 IRENUM - ok
12:55:44.0588 4932 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
12:55:44.0604 4932 isapnp - ok
12:55:44.0635 4932 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
12:55:44.0635 4932 iScsiPrt - ok
12:55:44.0729 4932 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\drivers\kbdclass.sys
12:55:44.0729 4932 kbdclass - ok
12:55:44.0776 4932 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\drivers\kbdhid.sys
12:55:44.0776 4932 kbdhid - ok
12:55:44.0854 4932 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\Windows\system32\Drivers\ksecdd.sys
12:55:44.0854 4932 KSecDD - ok
12:55:44.0885 4932 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\Windows\system32\Drivers\ksecpkg.sys
12:55:44.0885 4932 KSecPkg - ok
12:55:44.0963 4932 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
12:55:44.0963 4932 ksthunk - ok
12:55:45.0103 4932 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
12:55:45.0103 4932 lltdio - ok
12:55:45.0197 4932 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\drivers\lsi_fc.sys
12:55:45.0197 4932 LSI_FC - ok
12:55:45.0244 4932 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\drivers\lsi_sas.sys
12:55:45.0259 4932 LSI_SAS - ok
12:55:45.0290 4932 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\drivers\lsi_sas2.sys
12:55:45.0306 4932 LSI_SAS2 - ok
12:55:45.0353 4932 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\drivers\lsi_scsi.sys
12:55:45.0368 4932 LSI_SCSI - ok
12:55:45.0415 4932 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
12:55:45.0431 4932 luafv - ok
12:55:45.0509 4932 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\drivers\megasas.sys
12:55:45.0509 4932 megasas - ok
12:55:45.0556 4932 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys
12:55:45.0571 4932 MegaSR - ok
12:55:45.0618 4932 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
12:55:45.0634 4932 Modem - ok
12:55:45.0680 4932 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
12:55:45.0680 4932 monitor - ok
12:55:45.0712 4932 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\drivers\mouclass.sys
12:55:45.0712 4932 mouclass - ok
12:55:45.0758 4932 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\drivers\mouhid.sys
12:55:45.0758 4932 mouhid - ok
12:55:45.0790 4932 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
12:55:45.0790 4932 mountmgr - ok
12:55:45.0821 4932 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
12:55:45.0821 4932 mpio - ok
12:55:45.0852 4932 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
12:55:45.0852 4932 mpsdrv - ok
12:55:45.0899 4932 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
12:55:45.0899 4932 MRxDAV - ok
12:55:45.0946 4932 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
12:55:45.0961 4932 mrxsmb - ok
12:55:45.0992 4932 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
12:55:46.0008 4932 mrxsmb10 - ok
12:55:46.0024 4932 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
12:55:46.0039 4932 mrxsmb20 - ok
12:55:46.0070 4932 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
12:55:46.0070 4932 msahci - ok
12:55:46.0086 4932 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
12:55:46.0102 4932 msdsm - ok
12:55:46.0148 4932 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
12:55:46.0148 4932 Msfs - ok
12:55:46.0180 4932 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
12:55:46.0180 4932 mshidkmdf - ok
12:55:46.0226 4932 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
12:55:46.0226 4932 msisadrv - ok
12:55:46.0304 4932 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
12:55:46.0304 4932 MSKSSRV - ok
12:55:46.0320 4932 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
12:55:46.0320 4932 MSPCLOCK - ok
12:55:46.0351 4932 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
12:55:46.0351 4932 MSPQM - ok
12:55:46.0382 4932 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
12:55:46.0398 4932 MsRPC - ok
12:55:46.0445 4932 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
12:55:46.0445 4932 mssmbios - ok
12:55:56.0039 4932 MBR (0x1B8) (c0dcf0ac171db02db8b0014c5d767cf1) \Device\Harddisk0\DR0
12:55:56.0070 4932 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
12:55:56.0070 4932 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
12:55:56.0366 4932 MBR (0x1B8) (739b36f7a373fc81121d831231b6d311) \Device\Harddisk1\DR1
12:55:57.0458 4932 \Device\Harddisk1\DR1 - ok
12:55:57.0490 4932 Boot (0x1200) (a02fe0c1242d03710d159e9a40b50d1d) \Device\Harddisk0\DR0\Partition0
12:55:57.0490 4932 \Device\Harddisk0\DR0\Partition0 - ok
12:55:57.0505 4932 Boot (0x1200) (179dfeee8d0889ed17c6bd164809b178) \Device\Harddisk0\DR0\Partition1
12:55:57.0505 4932 \Device\Harddisk0\DR0\Partition1 - ok
12:55:57.0536 4932 Boot (0x1200) (933821e6eef96fb29e05d0eba7832a70) \Device\Harddisk0\DR0\Partition2
12:55:57.0552 4932 \Device\Harddisk0\DR0\Partition2 - ok
12:55:57.0568 4932 Boot (0x1200) (81e9d1632f828b3fecc0d7bcdde01f62) \Device\Harddisk0\DR0\Partition3
12:55:57.0568 4932 \Device\Harddisk0\DR0\Partition3 - ok
12:55:57.0583 4932 Boot (0x1200) (c30968361d25273473f2fb14f8c4b6ca) \Device\Harddisk1\DR1\Partition0
12:55:57.0583 4932 \Device\Harddisk1\DR1\Partition0 - ok
12:55:57.0583 4932 ============================================================
12:55:57.0583 4932 Scan finished
12:55:57.0583 4932 ============================================================
12:55:57.0599 4920 Detected object count: 1
12:55:57.0599 4920 Actual detected object count: 1
12:56:26.0303 4920 \Device\Harddisk0\DR0\# - copied to quarantine
12:56:26.0303 4920 \Device\Harddisk0\DR0 - copied to quarantine
12:56:26.0599 4920 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
12:56:26.0599 4920 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
12:56:26.0615 4920 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
12:56:26.0615 4920 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
12:56:26.0630 4920 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
12:56:26.0677 4920 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
12:56:26.0693 4920 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
12:56:26.0771 4920 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
12:56:26.0771 4920 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
12:56:26.0786 4920 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
12:56:26.0849 4920 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
12:56:26.0849 4920 \Device\Harddisk0\DR0 - ok
12:56:26.0849 4920 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
12:56:38.0675 4832 Deinitialize success

#8 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 31 January 2012 - 03:32 PM

How is your machine behaving now?
regards, ratman

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM



#9 Mootelp

Mootelp
  • Topic Starter

  • Members
  • 15 posts

Posted 01 February 2012 - 12:24 PM

Every time I log on to my laptop I get a message from the Catalyst Control, saying Home Application has stopped working.

#10 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 01 February 2012 - 12:59 PM

Hi,

Is the message:

"Catalyst Control Centre: Host application has stopped working"?

Can you connect to the internet now via your browsers?
regards, ratman




#11 Mootelp

Mootelp
  • Topic Starter

  • Members
  • 15 posts

Posted 01 February 2012 - 11:04 PM

Yep, that's the message.
I can connect to the internet with my browsers now. Also I just discovered my Norton doesn't seem to respond.

Edited by Mootelp, 01 February 2012 - 11:13 PM.


#12 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 02 February 2012 - 05:50 AM

Hello Mootelp,

Backdoor Warning

One or more of the identified infections (Rootkit.Boot.Pihar.b) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

====================================================================================


I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

I'd like you to run a scan with MBAM:

Please download Malwarebytes' Anti-Malware and save it to your desktop.

Download Link 1

Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

===================================================================================




In your next reply, please copy/paste the contents of the following:
  • aswMBR Log
  • MBAM Log

regards, ratman




#13 Mootelp

Mootelp
  • Topic Starter

  • Members
  • 15 posts

Posted 02 February 2012 - 06:27 AM

This is the aswMBR log. It asked if I wanted to install Avast definitions; since you didn't say so, I didn't.
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-02 03:02:24
-----------------------------
03:02:24.502 OS Version: Windows x64 6.1.7601 Service Pack 1
03:02:24.502 Number of processors: 2 586 0x100
03:02:24.517 ComputerName: CREATIVESEXBOT2 UserName: Christa
03:02:26.951 Initialize success
03:02:46.935 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
03:02:46.950 Disk 0 Vendor: ST932032 0005 Size: 305245MB BusType: 11
03:02:46.981 Disk 0 MBR read successfully
03:02:46.981 Disk 0 MBR scan
03:02:46.981 Disk 0 Windows 7 default MBR code
03:02:46.997 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
03:02:47.013 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 290874 MB offset 409600
03:02:47.044 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14067 MB offset 596119552
03:02:47.075 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 624928768
03:02:47.075 Service scanning
03:02:48.744 Modules scanning
03:02:48.760 Disk 0 trace - called modules:
03:02:48.838 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
03:02:48.853 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003030060]
03:02:49.384 3 CLASSPNP.SYS[fffff88001bce43f] -> nt!IofCallDriver -> [0xfffffa8002f10040]
03:02:49.399 5 amd_xata.sys[fffff880010a7900] -> nt!IofCallDriver -> \Device\00000069[0xfffffa8002a547e0]
03:02:49.431 Scan finished successfully
03:03:13.985 Disk 0 MBR has been saved successfully to "C:\Users\Christa\Documents\MBR.dat"
03:03:14.016 The log file has been saved successfully to "C:\Users\Christa\Documents\aswMBR.txt"

The MBAM log
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Christa :: CREATIVESEXBOT2 [administrator]

Protection: Enabled

2/2/2012 3:21:04 AM
mbam-log-2012-02-02 (03-25-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183190
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Christa\AppData\Roaming\Microsoft\2AB2\D58A.tmp (Trojan.Dropper.PE4) -> No action taken.
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)

#14 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 02 February 2012 - 10:53 AM

Hi Mootelp,

MBAM scan picked up 2 infected files:

Files Detected: 2
C:\Users\Christa\AppData\Roaming\Microsoft\2AB2\D58A.tmp (Trojan.Dropper.PE4) -> No action taken.
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.


Did you have MBAM remove them?
regards, ratman




#15 Mootelp

Mootelp
  • Topic Starter

  • Members
  • 15 posts

Posted 02 February 2012 - 02:14 PM

Yes they were removed.



