Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis


  • This topic is locked This topic is locked
17 replies to this topic

#1 BazzaBea

BazzaBea

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 26 January 2012 - 04:44 AM

My Internet search browser (Google via firefox) has started redirecting me... Please help???

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:29:11, on 26/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1326085718-1019920-1365629292-1006\..\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Advanced SystemCare Service 5 (AdvancedSystemCareService5) - IObit - C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7248 bytes

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 26 January 2012 - 08:42 PM

Hi

Please do the following:

  • Open HiJackThis
  • Click on Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if still present):


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O3 - Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - (no file)

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.


NEXT

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 BazzaBea

BazzaBea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 27 January 2012 - 07:01 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by trevor at 11:19:36 on 2012-01-27
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3B10DE00-0D31-46E8-BDD2-510F1B5AE8A0} : DhcpNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\trevor\application data\mozilla\firefox\profiles\jq8n3l3h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\documents and settings\trevor\application data\mozilla\firefox\profiles\jq8n3l3h.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
FF - plugin: c:\documents and settings\trevor\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\trevor\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\Npgfxv.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108298
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 6c5a7e3100000000000000106064e6f0
FF - user.js: extensions.BabylonToolbar_i.hardId - 6c5a7e3100000000000000106064e6f0
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15353
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1715:46:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-01-26 01:14:12 388096 ----a-r- c:\documents and settings\trevor\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-26 01:14:11 -------- d-----w- c:\program files\Trend Micro
2012-01-25 23:58:29 -------- d-----w- c:\program files\AVG
2012-01-24 18:28:46 126976 --sha-r- c:\windows\system32\ole2nlsd.dll
2012-01-18 11:44:22 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-01-15 08:17:11 2400 ----a-w- c:\windows\system32\ASOROSet.bin
2012-01-14 20:18:00 -------- d-----w- C:\found.001
2012-01-14 15:46:38 -------- d-----w- c:\documents and settings\trevor\local settings\application data\Babylon
2012-01-14 15:46:37 -------- d-----w- c:\documents and settings\all users\application data\Babylon
2012-01-14 15:46:36 -------- d-----w- c:\documents and settings\trevor\application data\Systweak
2012-01-14 15:46:35 -------- d-----w- c:\documents and settings\trevor\application data\Babylon
2012-01-14 15:46:25 17280 ----a-w- c:\windows\system32\roboot.exe
2012-01-07 20:31:54 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-07 20:31:54 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-07 20:31:54 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-07 20:31:54 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-01-01 13:36:54 -------- dc----w- c:\documents and settings\all users\application data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-01 13:36:17 -------- d-----w- c:\program files\iLivid
.
==================== Find3M ====================
.
2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-17 09:45:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 05:54:13 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-11-10 03:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
.
============= FINISH: 11:20:52.12 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
Advanced SystemCare 5
Apple Application Support
Apple Software Update
Ask Toolbar
Athlon 64 Processor Driver
ATI Control Panel
BT Voyager USB Driver
BTHomeHub
BufferChm
CCleaner
Coupon Printer for Windows
D1600
DeviceDiscovery
DJ_SF_06_D1600_SW_Min
Facebook Plug-In
FastStone Image Viewer 4.1 Beta 2
GoToAssist Corporate
GPBaseService2
GrafixView Netscape Plugin
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
HP Customer Participation Program 14.0
HP Deskjet D1600 Printer Driver Software 14.0 Rel. 6
HP Imaging Device Functions 14.0
HP Photo Creations
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
hpPrintProjects
HPProductAssistant
HPSSupply
hpWLPGInstaller
Internet Explorer (Enable DEP)
IObit Security 360
Java Auto Updater
Java™ 6 Update 30
Junk Mail filter update
Macromedia Shockwave Player
Malwarebytes Anti-Malware version 1.60.0.1800
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 9.0.1 (x86 en-GB)
MSVC80_x86
MSVC80_x86_v2
MSVC90_x86
MSVCRT
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nokia Connectivity Cable Driver
Nokia Ovi Suite
Nokia Ovi Suite Software Updater
Nokia_Multimedia_Common_Components_2_5
Octoshape add-in for Adobe Flash Player
OOo-dev 3.4
OpenOffice.org 3.1
Ovi Desktop Sync Engine
OviMPlatform
PC Connectivity Solution
QuickTime
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2511455)
Segoe UI
Shop for HP Supplies
SmartWebPrinting
Soft Data Fax Modem with SmartCP
SolutionCenter
Status
Toolbox
TrayApp
ULi LAN Driver
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
WebFldrs XP
WebReg
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Xvid Video Codec
.
==== End Of File ===========================
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-27 11:26:11
-----------------------------
11:26:11.468 OS Version: Windows 5.1.2600 Service Pack 3
11:26:11.468 Number of processors: 1 586 0x2C02
11:26:11.468 ComputerName: TREV UserName:
11:26:15.156 Initialize success
11:32:49.156 AVAST engine defs: 12012700
11:32:59.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:32:59.890 Disk 0 Vendor: ST950814A 3.06 Size: 47701MB BusType: 3
11:32:59.921 Disk 0 MBR read successfully
11:32:59.921 Disk 0 MBR scan
11:33:00.093 Disk 0 unknown MBR code
11:33:00.140 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 47692 MB offset 63
11:33:00.187 Disk 0 scanning sectors +97675200
11:33:00.609 Disk 0 scanning C:\WINDOWS\system32\drivers
11:33:29.671 Service scanning
11:33:32.468 Modules scanning
11:34:12.187 Disk 0 trace - called modules:
11:34:12.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys aliide.sys PCIIDEX.SYS
11:34:12.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8313c908]
11:34:12.296 3 CLASSPNP.SYS[f7696fd7] -> nt!IofCallDriver -> \Device\00000085[0x831ce448]
11:34:12.296 5 ACPI.sys[f74ad620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x831ce6f8]
11:34:14.531 AVAST engine scan C:\WINDOWS
11:34:18.796 AVAST engine scan C:\WINDOWS\system32
11:35:44.000 File: C:\WINDOWS\system32\ole2nlsd.dll **INFECTED** Win32:Diller-E [Trj]
11:37:51.187 AVAST engine scan C:\WINDOWS\system32\drivers
11:38:12.078 AVAST engine scan C:\Documents and Settings\trevor
11:46:47.906 AVAST engine scan C:\Documents and Settings\All Users
11:48:15.156 Scan finished successfully
11:55:18.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\trevor\Desktop\MBR.dat"
11:55:18.078 The log file has been saved successfully to "C:\Documents and Settings\trevor\Desktop\aswMBR.txt"


Attached File  MBR.zip   490bytes   0 downloads

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 27 January 2012 - 09:10 AM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 BazzaBea

BazzaBea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 27 January 2012 - 10:16 AM

Combofix seems to have stalled at
Completed Stage_48

#6 BazzaBea

BazzaBea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 27 January 2012 - 10:37 AM

14:33:18.0671 3072 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
14:33:18.0875 3072 ============================================================
14:33:18.0875 3072 Current date / time: 2012/01/27 14:33:18.0875
14:33:18.0875 3072 SystemInfo:
14:33:18.0875 3072
14:33:18.0890 3072 OS Version: 5.1.2600 ServicePack: 3.0
14:33:18.0890 3072 Product type: Workstation
14:33:18.0890 3072 ComputerName: TREV
14:33:18.0890 3072 UserName: trevor
14:33:18.0890 3072 Windows directory: C:\WINDOWS
14:33:18.0890 3072 System windows directory: C:\WINDOWS
14:33:18.0890 3072 Processor architecture: Intel x86
14:33:18.0890 3072 Number of processors: 1
14:33:18.0890 3072 Page size: 0x1000
14:33:18.0890 3072 Boot type: Normal boot
14:33:18.0890 3072 ============================================================
14:33:21.0921 3072 Drive \Device\Harddisk0\DR0 - Size: 0xBA5541C00 (46.58 Gb), SectorSize: 0x200, Cylinders: 0x17C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:33:22.0015 3072 Initialize success
14:33:55.0453 3456 ============================================================
14:33:55.0453 3456 Scan started
14:33:55.0453 3456 Mode: Manual;
14:33:55.0453 3456 ============================================================
14:33:56.0062 3456 Abiosdsk - ok
14:33:56.0609 3456 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
14:33:56.0609 3456 abp480n5 - ok
14:33:56.0734 3456 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:33:56.0765 3456 ACPI - ok
14:33:56.0843 3456 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
14:33:56.0843 3456 ACPIEC - ok
14:33:56.0921 3456 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:33:56.0937 3456 adpu160m - ok
14:33:57.0000 3456 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:33:57.0031 3456 aec - ok
14:33:57.0187 3456 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:33:57.0281 3456 AFD - ok
14:33:57.0828 3456 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
14:33:57.0859 3456 agp440 - ok
14:33:58.0281 3456 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:33:58.0312 3456 agpCPQ - ok
14:33:58.0703 3456 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
14:33:58.0734 3456 Aha154x - ok
14:33:58.0937 3456 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:33:58.0953 3456 aic78u2 - ok
14:33:59.0406 3456 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:33:59.0406 3456 aic78xx - ok
14:34:00.0531 3456 ALCXWDM (9a8aa4df3999bd7c60b90a4e799b1cd0) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
14:34:01.0703 3456 ALCXWDM - ok
14:34:02.0296 3456 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
14:34:02.0296 3456 AliIde - ok
14:34:02.0640 3456 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:34:02.0671 3456 alim1541 - ok
14:34:03.0546 3456 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:34:03.0546 3456 amdagp - ok
14:34:03.0906 3456 AmdK8 (e6a2299284013ec4de3419481a62069f) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
14:34:03.0906 3456 AmdK8 - ok
14:34:04.0000 3456 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
14:34:04.0000 3456 amsint - ok
14:34:04.0125 3456 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
14:34:04.0125 3456 asc - ok
14:34:04.0453 3456 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
14:34:04.0468 3456 asc3350p - ok
14:34:04.0812 3456 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
14:34:04.0828 3456 asc3550 - ok
14:34:05.0187 3456 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:34:05.0187 3456 AsyncMac - ok
14:34:05.0625 3456 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:34:05.0640 3456 atapi - ok
14:34:05.0703 3456 Atdisk - ok
14:34:06.0046 3456 ati2mtag (87a18227992af0ca8d247b8e6addfe56) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:34:06.0250 3456 ati2mtag - ok
14:34:06.0484 3456 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:34:06.0484 3456 Atmarpc - ok
14:34:06.0546 3456 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:34:06.0546 3456 audstub - ok
14:34:06.0609 3456 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:34:06.0609 3456 Beep - ok
14:34:06.0703 3456 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
14:34:06.0703 3456 cbidf - ok
14:34:06.0890 3456 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:34:06.0890 3456 cbidf2k - ok
14:34:07.0000 3456 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
14:34:07.0000 3456 cd20xrnt - ok
14:34:07.0078 3456 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:34:07.0078 3456 Cdaudio - ok
14:34:07.0156 3456 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:34:07.0156 3456 Cdfs - ok
14:34:07.0265 3456 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:34:07.0296 3456 Cdrom - ok
14:34:07.0562 3456 Changer - ok
14:34:08.0000 3456 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:34:08.0031 3456 CmBatt - ok
14:34:08.0468 3456 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
14:34:08.0500 3456 CmdIde - ok
14:34:08.0937 3456 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:34:08.0937 3456 Compbatt - ok
14:34:09.0234 3456 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:34:09.0250 3456 Cpqarray - ok
14:34:09.0515 3456 cpuz134 - ok
14:34:09.0906 3456 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
14:34:09.0906 3456 dac2w2k - ok
14:34:10.0140 3456 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
14:34:10.0156 3456 dac960nt - ok
14:34:11.0578 3456 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:34:11.0593 3456 Disk - ok
14:34:12.0421 3456 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:34:12.0531 3456 dmboot - ok
14:34:12.0984 3456 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:34:13.0015 3456 dmio - ok
14:34:13.0437 3456 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:34:13.0437 3456 dmload - ok
14:34:13.0640 3456 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:34:13.0640 3456 DMusic - ok
14:34:13.0875 3456 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
14:34:13.0906 3456 dpti2o - ok
14:34:14.0750 3456 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:34:14.0781 3456 drmkaud - ok
14:34:15.0484 3456 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:34:15.0515 3456 Fastfat - ok
14:34:16.0187 3456 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:34:16.0203 3456 Fdc - ok
14:34:16.0625 3456 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:34:16.0625 3456 Fips - ok
14:34:17.0062 3456 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:34:17.0062 3456 Flpydisk - ok
14:34:17.0953 3456 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:34:17.0984 3456 FltMgr - ok
14:34:18.0593 3456 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
14:34:18.0687 3456 fssfltr - ok
14:34:19.0437 3456 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:34:19.0468 3456 Fs_Rec - ok
14:34:20.0203 3456 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:34:20.0203 3456 Ftdisk - ok
14:34:20.0578 3456 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:34:20.0609 3456 Gpc - ok
14:34:21.0187 3456 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:34:21.0203 3456 HidUsb - ok
14:34:21.0656 3456 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
14:34:21.0656 3456 hpn - ok
14:34:22.0000 3456 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
14:34:22.0015 3456 HPZid412 - ok
14:34:22.0437 3456 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
14:34:22.0437 3456 HPZipr12 - ok
14:34:22.0671 3456 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
14:34:22.0703 3456 HPZius12 - ok
14:34:23.0093 3456 HSFHWALI (4c3b1a18ab9171fc80aeede79813015b) C:\WINDOWS\system32\DRIVERS\HSFHWALI.sys
14:34:23.0109 3456 HSFHWALI - ok
14:34:23.0296 3456 HSF_DPV (6f2249232b55a7fdf0cbd9b2739c0ec5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
14:34:23.0468 3456 HSF_DPV - ok
14:34:23.0718 3456 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:34:23.0765 3456 HTTP - ok
14:34:24.0031 3456 hwdatacard (53f1160666435151b6fcf89d015fe620) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
14:34:24.0062 3456 hwdatacard - ok
14:34:24.0218 3456 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
14:34:24.0218 3456 i2omgmt - ok
14:34:24.0265 3456 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
14:34:24.0265 3456 i2omp - ok
14:34:24.0484 3456 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:34:24.0531 3456 i8042prt - ok
14:34:25.0031 3456 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:34:25.0031 3456 Imapi - ok
14:34:25.0328 3456 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
14:34:25.0343 3456 ini910u - ok
14:34:25.0453 3456 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:34:25.0468 3456 IntelIde - ok
14:34:25.0750 3456 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:34:25.0765 3456 Ip6Fw - ok
14:34:25.0906 3456 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:34:25.0921 3456 IpFilterDriver - ok
14:34:26.0359 3456 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:34:26.0359 3456 IpInIp - ok
14:34:26.0906 3456 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:34:27.0000 3456 IpNat - ok
14:34:27.0359 3456 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:34:27.0390 3456 IPSec - ok
14:34:27.0843 3456 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:34:27.0859 3456 IRENUM - ok
14:34:28.0312 3456 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:34:28.0312 3456 isapnp - ok
14:34:28.0750 3456 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:34:28.0765 3456 Kbdclass - ok
14:34:29.0234 3456 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:34:29.0250 3456 kbdhid - ok
14:34:29.0781 3456 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:34:29.0859 3456 kmixer - ok
14:34:30.0234 3456 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:34:30.0281 3456 KSecDD - ok
14:34:30.0515 3456 lbrtfdc - ok
14:34:31.0109 3456 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:34:31.0109 3456 mdmxsdk - ok
14:34:31.0609 3456 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:34:31.0625 3456 mnmdd - ok
14:34:31.0953 3456 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:34:31.0968 3456 Modem - ok
14:34:32.0156 3456 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:34:32.0156 3456 Mouclass - ok
14:34:32.0218 3456 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:34:32.0218 3456 mouhid - ok
14:34:32.0234 3456 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:34:32.0234 3456 MountMgr - ok
14:34:32.0265 3456 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
14:34:32.0265 3456 mraid35x - ok
14:34:32.0390 3456 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
14:34:32.0421 3456 MREMP50 - ok
14:34:32.0437 3456 MREMPR5 - ok
14:34:32.0453 3456 MRENDIS5 - ok
14:34:32.0500 3456 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
14:34:32.0500 3456 MRESP50 - ok
14:34:32.0625 3456 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:34:32.0656 3456 MRxDAV - ok
14:34:32.0734 3456 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:34:32.0750 3456 MRxSmb - ok
14:34:32.0812 3456 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:34:32.0812 3456 Msfs - ok
14:34:32.0875 3456 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:34:32.0875 3456 MSKSSRV - ok
14:34:32.0921 3456 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:34:32.0921 3456 MSPCLOCK - ok
14:34:32.0953 3456 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:34:32.0953 3456 MSPQM - ok
14:34:33.0015 3456 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:34:33.0015 3456 mssmbios - ok
14:34:33.0093 3456 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:34:33.0093 3456 Mup - ok
14:34:33.0187 3456 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:34:33.0187 3456 NDIS - ok
14:34:33.0250 3456 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:34:33.0250 3456 NdisTapi - ok
14:34:33.0296 3456 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:34:33.0296 3456 Ndisuio - ok
14:34:33.0328 3456 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:34:33.0328 3456 NdisWan - ok
14:34:33.0390 3456 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:34:33.0390 3456 NDProxy - ok
14:34:33.0437 3456 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:34:33.0437 3456 NetBIOS - ok
14:34:33.0484 3456 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:34:33.0484 3456 NetBT - ok
14:34:33.0640 3456 nmwcd (cfe3462a9e94a57dcd9676f6b7fe7f67) C:\WINDOWS\system32\drivers\ccdcmb.sys
14:34:33.0640 3456 nmwcd - ok
14:34:33.0687 3456 nmwcdc (8f2a94f991f8c73cec26b4b5620d1edc) C:\WINDOWS\system32\drivers\ccdcmbo.sys
14:34:33.0703 3456 nmwcdc - ok
14:34:33.0750 3456 nmwcdnsu (99145c5d4b6c4d6f5ce83ee6abffe294) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
14:34:33.0765 3456 nmwcdnsu - ok
14:34:33.0828 3456 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:34:33.0828 3456 Npfs - ok
14:34:33.0921 3456 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:34:33.0921 3456 Ntfs - ok
14:34:34.0046 3456 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:34:34.0046 3456 Null - ok
14:34:34.0093 3456 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:34:34.0093 3456 NwlnkFlt - ok
14:34:34.0140 3456 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:34:34.0140 3456 NwlnkFwd - ok
14:34:34.0234 3456 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
14:34:34.0234 3456 Parport - ok
14:34:34.0281 3456 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:34:34.0281 3456 PartMgr - ok
14:34:34.0328 3456 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:34:34.0328 3456 ParVdm - ok
14:34:34.0390 3456 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
14:34:34.0390 3456 pccsmcfd - ok
14:34:34.0453 3456 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:34:34.0453 3456 PCI - ok
14:34:34.0484 3456 PCIDump - ok
14:34:34.0515 3456 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:34:34.0515 3456 PCIIde - ok
14:34:34.0562 3456 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:34:34.0562 3456 Pcmcia - ok
14:34:34.0593 3456 PDCOMP - ok
14:34:34.0609 3456 PDFRAME - ok
14:34:34.0640 3456 PDRELI - ok
14:34:34.0671 3456 PDRFRAME - ok
14:34:34.0687 3456 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
14:34:34.0687 3456 perc2 - ok
14:34:34.0718 3456 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
14:34:34.0718 3456 perc2hib - ok
14:34:34.0828 3456 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:34:34.0828 3456 PptpMiniport - ok
14:34:34.0859 3456 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
14:34:34.0859 3456 Processor - ok
14:34:34.0906 3456 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:34:34.0906 3456 PSched - ok
14:34:34.0953 3456 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:34:34.0953 3456 Ptilink - ok
14:34:35.0000 3456 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
14:34:35.0000 3456 ql1080 - ok
14:34:35.0031 3456 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
14:34:35.0031 3456 Ql10wnt - ok
14:34:35.0046 3456 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
14:34:35.0062 3456 ql12160 - ok
14:34:35.0078 3456 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
14:34:35.0078 3456 ql1240 - ok
14:34:35.0109 3456 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
14:34:35.0109 3456 ql1280 - ok
14:34:35.0140 3456 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:34:35.0140 3456 RasAcd - ok
14:34:35.0203 3456 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:34:35.0203 3456 Rasl2tp - ok
14:34:35.0234 3456 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:34:35.0234 3456 RasPppoe - ok
14:34:35.0265 3456 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:34:35.0265 3456 Raspti - ok
14:34:35.0328 3456 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:34:35.0328 3456 Rdbss - ok
14:34:35.0359 3456 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:34:35.0359 3456 RDPCDD - ok
14:34:35.0406 3456 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:34:35.0421 3456 rdpdr - ok
14:34:35.0484 3456 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
14:34:35.0484 3456 RDPWD - ok
14:34:35.0578 3456 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:34:35.0593 3456 redbook - ok
14:34:35.0703 3456 RT2500 (ae1e626f00180bfb3ca5a81fffc65332) C:\WINDOWS\system32\DRIVERS\RT2500.sys
14:34:35.0703 3456 RT2500 - ok
14:34:35.0828 3456 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:34:35.0828 3456 Secdrv - ok
14:34:35.0906 3456 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
14:34:35.0906 3456 Serial - ok
14:34:36.0000 3456 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:34:36.0000 3456 Sfloppy - ok
14:34:36.0031 3456 Simbad - ok
14:34:36.0078 3456 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
14:34:36.0078 3456 sisagp - ok
14:34:36.0125 3456 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
14:34:36.0125 3456 Sparrow - ok
14:34:36.0140 3456 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:34:36.0140 3456 splitter - ok
14:34:36.0171 3456 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:34:36.0171 3456 sr - ok
14:34:36.0250 3456 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:34:36.0265 3456 Srv - ok
14:34:36.0281 3456 StarOpen - ok
14:34:36.0359 3456 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:34:36.0359 3456 swenum - ok
14:34:36.0390 3456 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:34:36.0390 3456 swmidi - ok
14:34:36.0453 3456 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
14:34:36.0453 3456 symc810 - ok
14:34:36.0468 3456 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
14:34:36.0484 3456 symc8xx - ok
14:34:36.0500 3456 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
14:34:36.0500 3456 sym_hi - ok
14:34:36.0531 3456 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
14:34:36.0531 3456 sym_u3 - ok
14:34:36.0593 3456 SynTP (1dbc86da355b5db35174f862c110fd09) C:\WINDOWS\system32\DRIVERS\SynTP.sys
14:34:36.0609 3456 SynTP - ok
14:34:36.0656 3456 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:34:36.0656 3456 sysaudio - ok
14:34:36.0796 3456 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:34:36.0812 3456 Tcpip - ok
14:34:36.0875 3456 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:34:36.0875 3456 TDPIPE - ok
14:34:36.0937 3456 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:34:36.0937 3456 TDTCP - ok
14:34:36.0953 3456 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:34:36.0968 3456 TermDD - ok
14:34:37.0046 3456 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
14:34:37.0046 3456 TosIde - ok
14:34:37.0109 3456 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:34:37.0125 3456 Udfs - ok
14:34:37.0187 3456 ULI5261 (564f1f82fb5c0249be0cfee4c826be95) C:\WINDOWS\system32\DRIVERS\ULILAN.SYS
14:34:37.0187 3456 ULI5261 - ok
14:34:37.0250 3456 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
14:34:37.0250 3456 ultra - ok
14:34:37.0328 3456 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:34:37.0343 3456 Update - ok
14:34:37.0406 3456 upperdev (ec01da44b090d2651fc032c8b9257232) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
14:34:37.0406 3456 upperdev - ok
14:34:37.0453 3456 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:34:37.0453 3456 usbccgp - ok
14:34:37.0484 3456 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:34:37.0484 3456 usbehci - ok
14:34:37.0531 3456 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:34:37.0531 3456 usbhub - ok
14:34:37.0562 3456 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:34:37.0562 3456 usbohci - ok
14:34:37.0609 3456 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:34:37.0625 3456 usbprint - ok
14:34:37.0687 3456 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:34:37.0687 3456 usbscan - ok
14:34:37.0734 3456 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
14:34:37.0750 3456 usbser - ok
14:34:37.0781 3456 UsbserFilt (4abd37cfbd710e64f01f9da8710c73f7) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
14:34:37.0781 3456 UsbserFilt - ok
14:34:37.0828 3456 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:34:37.0843 3456 USBSTOR - ok
14:34:37.0890 3456 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:34:37.0890 3456 VgaSave - ok
14:34:37.0921 3456 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
14:34:37.0937 3456 viaagp - ok
14:34:37.0968 3456 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
14:34:37.0968 3456 ViaIde - ok
14:34:38.0015 3456 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:34:38.0031 3456 VolSnap - ok
14:34:38.0093 3456 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:34:38.0093 3456 Wanarp - ok
14:34:38.0187 3456 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
14:34:38.0203 3456 Wdf01000 - ok
14:34:38.0218 3456 WDICA - ok
14:34:38.0281 3456 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:34:38.0296 3456 wdmaud - ok
14:34:38.0406 3456 winachsf (573736cc867f1cf10e0eb676cd590dd8) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
14:34:38.0437 3456 winachsf - ok
14:34:38.0578 3456 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
14:34:38.0578 3456 WpdUsb - ok
14:34:38.0609 3456 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:34:38.0609 3456 WS2IFSL - ok
14:34:38.0703 3456 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:34:38.0703 3456 WudfPf - ok
14:34:38.0765 3456 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:34:38.0765 3456 WudfRd - ok
14:34:38.0859 3456 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk0\DR0
14:34:39.0234 3456 \Device\Harddisk0\DR0 - ok
14:34:39.0250 3456 Boot (0x1200) (fc8e6948c3e061734f990d129db6b44a) \Device\Harddisk0\DR0\Partition0
14:34:39.0250 3456 \Device\Harddisk0\DR0\Partition0 - ok
14:34:39.0250 3456 ============================================================
14:34:39.0250 3456 Scan finished
14:34:39.0250 3456 ============================================================
14:34:39.0281 3316 Detected object count: 0
14:34:39.0281 3316 Actual detected object count: 0

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 27 January 2012 - 11:30 AM

Hi

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy > rename it to svchost.exe (how hidden file extensions first) then boot into safe mode and run it


post the resulting log (give it lots of time)


  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Click Apply, and then click OK.


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 BazzaBea

BazzaBea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 27 January 2012 - 12:59 PM

ComboFix 12-01-27.01 - trevor 27/01/2012 16:07:07.2.1 - x86
Running from: c:\documents and settings\trevor\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\trevor\Application Data\OfferBox
c:\documents and settings\trevor\Application Data\OfferBox\config.xml
c:\documents and settings\trevor\Local Settings\Application Data\assembly\tmp
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\SET183.tmp
c:\windows\system32\SET184.tmp
c:\windows\system32\SET185.tmp
c:\windows\system32\SET18A.tmp
c:\windows\system32\SET18B.tmp
c:\windows\system32\SET18C.tmp
c:\windows\system32\SET190.tmp
c:\windows\system32\SET191.tmp
c:\windows\system32\SET192.tmp
c:\windows\system32\SET196.tmp
c:\windows\system32\SET198.tmp
c:\windows\system32\SET1D2.tmp
c:\windows\system32\SET2A.tmp
c:\windows\system32\SET40.tmp
c:\windows\system32\SET45.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-26 01:14 . 2012-01-26 01:14 388096 ----a-r- c:\documents and settings\trevor\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-26 01:14 . 2012-01-26 01:14 -------- d-----w- c:\program files\Trend Micro
2012-01-25 23:58 . 2012-01-25 23:58 -------- d-----w- c:\program files\AVG
2012-01-24 18:28 . 2012-01-24 18:28 126976 --sha-r- c:\windows\system32\ole2nlsd.dll
2012-01-18 11:44 . 2011-10-14 14:47 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-01-15 08:17 . 2012-01-15 08:21 2400 ----a-w- c:\windows\system32\ASOROSet.bin
2012-01-14 20:18 . 2012-01-20 16:15 -------- d-----w- C:\found.001
2012-01-14 15:47 . 2012-01-14 15:47 237 ----a-w- C:\user.js
2012-01-14 15:46 . 2012-01-14 15:46 -------- d-----w- c:\documents and settings\trevor\Local Settings\Application Data\Babylon
2012-01-14 15:46 . 2012-01-14 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-01-14 15:46 . 2012-01-15 08:25 -------- d-----w- c:\documents and settings\trevor\Application Data\Systweak
2012-01-14 15:46 . 2012-01-14 15:46 -------- d-----w- c:\documents and settings\trevor\Application Data\Babylon
2012-01-14 15:46 . 2011-11-19 11:52 17280 ----a-w- c:\windows\system32\roboot.exe
2012-01-07 20:31 . 2011-12-21 07:42 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-07 20:31 . 2011-12-21 04:29 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-07 20:31 . 2011-12-21 04:29 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-07 20:31 . 2011-12-21 04:29 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-07 19:44 . 2012-01-07 19:54 -------- d-s---w- c:\documents and settings\Administrator.TREV
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-01 13:36 . 2012-01-07 20:04 -------- dc----w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-01 13:36 . 2012-01-07 20:04 -------- d-----w- c:\program files\iLivid
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2011-10-15 15:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-10 16:38 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-10 16:38 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 16:38 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-17 09:45 . 2011-08-15 07:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 05:54 . 2010-05-01 21:05 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-11-10 03:27 . 2008-02-24 09:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2004-08-10 16:38 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 16:37 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 16:37 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 16:37 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 16:38 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 16:38 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 16:38 1288704 ----a-w- c:\windows\system32\ole32.dll
1997-07-25 17:11 . 2011-11-22 13:50 304128 ----a-w- c:\program files\mozilla firefox\plugins\Pngdll.dll
2011-12-21 07:42 . 2011-06-22 15:51 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-11 619352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvgUninstallURL]
start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVORUYtUEI2M0YtWDlaQVMtQU8zVEItSEk5Sk8tM0xQMkM&inst=NzctNzM4NTUzMTU1LUJBKzEtWEwrMS1UMy1FVUxBKzEtU1QxMkZBUFArMS1ERFQrMA&prod=90&ver=2012.0.1809&mid=a4f2c1e45b6047d6b3bbd15926800f03-cd32dbdcbae9c59551ab0670d587d5b90af898d2 [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5]
2011-12-11 23:34 619352 ----a-w- c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 15:50 54576 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 cpuz134;cpuz134;c:\docume~1\trevor\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [x]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-05-18 137600]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 ULI5261;ULi Based Ethernet NT Driver;c:\windows\system32\DRIVERS\ULILAN.SYS [2004-12-31 28160]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-11 494424]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 16541070
*Deregistered* - 16541070
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-27 c:\windows\Tasks\KDQPXJQE.job
- c:\windows\system32\ole2nlsd.dll [2012-01-24 18:28]
.
2012-01-27 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-08-23 20:20]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\trevor\Application Data\Mozilla\Firefox\Profiles\jq8n3l3h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108298
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 6c5a7e3100000000000000106064e6f0
FF - user.js: extensions.BabylonToolbar_i.hardId - 6c5a7e3100000000000000106064e6f0
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15353
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1715:46
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-Wdf01000.sys
MSConfigStartUp-Advanced SystemCare 4 - c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
MSConfigStartUp-MobileConnect - c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\trevor\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 17:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\wdsShell.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\IObit\Advanced SystemCare 5\ASCv5ExtMenu.dll
c:\program files\IObit\IObit Security 360\IS360Ext.dll
.
Completion time: 2012-01-27 17:17:46
ComboFix-quarantined-files.txt 2012-01-27 17:17
.
Pre-Run: 28,463,443,968 bytes free
Post-Run: 28,459,040,768 bytes free
.
- - End Of File - - 451B2C6F4D6504B04952739191976D9C

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 27 January 2012 - 01:14 PM

Hi


The following entries aren't necessarily malware, but you may not be aware you have them as they are often installed when you install other software. If you don't want these items, please do the following:

Please go to Start > Control Panel > Add/Remove programs

a list of installed programs will populate

scroll down and remove the following entries

ilivid toolbar

Babylon toolbar



NEXT


This seems to an odd entry to me

2012-01-27 c:\windows\Tasks\KDQPXJQE.job
- c:\windows\system32\ole2nlsd.dll [2012-01-24 18:28]


I'd like to check it out further, are you familiar with it?

Please do the following:


submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file c:\windows\system32\ole2nlsd.dll
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


NEXT


Cryptography Services Error !!


that entry indicates your cryptographic Service isn't running


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :service
    CryptSvc
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 BazzaBea

BazzaBea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 27 January 2012 - 01:59 PM

Tried the control panel to remove
Babylon toolbar
&
ilivid toolbar
Neither are there however
Ask support toolbar is there
But will not allow removal
------
I am not familiar with..

2012-01-27 c:\windows\Tasks\KDQPXJQE.job
- c:\windows\system32\ole2nlsd.dll [2012-01-24 18:28]

& i am unable to find it to scan it on virustotal
------



SystemLook 30.07.11 by jpshortstuff
Log created at 18:57 on 27/01/2012 by trevor
Administrator - Elevation successful

========== service ==========

CryptSvc
CryptSvc
"Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
Current Status: Started
Startup Type: Automatic
Error Control: Severe
Binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
Group: (none)
SafeBoot: Minimal Network
Dependencies:
->RpcSs
Dependant Services:
(none)

-= EOF =-

I have noticed an improvement in speed though being slightly quicker...

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 27 January 2012 - 02:20 PM

Hi

Tried the control panel to remove
Babylon toolbar &ilivid toolbar
Neither are there however
Ask support toolbar is there
But will not allow removal

I'll see if I can script out those entries for you

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic439966.html/page__pid__2573502#entry2573502

Folder::
c:\documents and settings\trevor\Local Settings\Application Data\Babylon
c:\documents and settings\All Users\Application Data\Babylon
c:\documents and settings\trevor\Application Data\Systweak
c:\documents and settings\trevor\Application Data\Babylon
c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
c:\program files\iLivid
c:\program files\Ask.com

Collect::
c:\windows\system32\ole2nlsd.dll
c:\windows\Tasks\KDQPXJQE.job

FireFox::
FF - ProfilePath - c:\documents and settings\trevor\Application Data\Mozilla\Firefox\Profiles\jq8n3l3h.default\
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108298
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 6c5a7e3100000000000000106064e6f0
FF - user.js: extensions.BabylonToolbar_i.hardId - 6c5a7e3100000000000000106064e6f0
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15353
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1715:46
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

File::
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


I'll have to do a little more research on the cryptographic service error in the log as SystemLook shows it is working properly, so there may be an issue with your catroot or WMI

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 27 January 2012 - 03:01 PM

Hi

If you haven't already run the script I gave you

please run this first:

Click Start > Run and then copy and paste the following line into the run box:

NET START "Windows Management Instrumentation"

Then click OK

----------------------------

Then run the script

(if you've already run the script > that's OK, just run the above command anyway)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 BazzaBea

BazzaBea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 28 January 2012 - 06:04 AM

Please find attached the latest Combofix.txt file ran after carrying out the other instructions.
I did notice that Combofix was alot quicker in operation than before, this time only taking around 30min (before was over 1 hour)

Attached Files



#14 BazzaBea

BazzaBea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 28 January 2012 - 06:28 AM

PS I've just tried it & it is still re-directing from google (firefox)

i.e Open Google & search for a page & when you try to open that page it re-directs itself & opens a completely diferent page.

Also noticed it is still 'Not Responding' at times although not as often & not for as long as it was.

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 28 January 2012 - 10:02 AM

You still have a number of different issues going on with the machine, that script doesn't appear to have worked


are you able to manually locate the following:

c:\windows\Tasks\KDQPXJQE.job (you may need to unhide files)

if so > please delete it.

there are a couple of nasty infections out there now that hide from our tools while Windows is running, so i would like to get some offline scans

Please read through all the instructions before beginning, you may wish to print them out, if you have any questions, please ask before you ask.

Please run the following:
  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\WINDOWS).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply


NEXT


Try this please. You will need a USB drive and a CD.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.

  • Next download driver.sh to your USB drive
  • Remove the USB and insert it in the infected computer
  • Boot the infected computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1 or sda2 will usually correspond to your HDD
  • sdb1 is likely your USB
  • Expand your USB (sdb1)
  • Confirm that you see the file driver.sh that you previously downloaded
  • Press Tool on the top menu bar
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • If successful, the script will check all the drivers on the machine
  • After it has finished a report will be located in the USB drive as report.txt

Please attach the report.txt for my review


while in xpud please do this additional scan - I need an offline dump of the MBR

download and save dumpit to the same usb device.

This can be done at the same time you download and save driver.sh to the USB

  • so leave the usb device attached to the computer once you have completed the driver search
  • Click on File
  • Expand mnt
  • sda1,or sda2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
    (you will be able to tell if it the right one as the screen will populate with your files)
  • Locate the file you downloaded and saved earlier, dumpit
  • double click it to run it
  • a black window will open, follow the instructions to close the window when it's finished
  • a file called MBR.zip should now be placed in the right hand panel
  • Click the Home icon at top
  • Remove the CD and click Power off
  • Click restart(remove the xPud CD so the machine will boot normally)

Once the computer has rebooted open the usb device and attach the previously saved "report.txt" and the MBR.zip file to your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users