
Zero Access rootkit infection


  • This topic is locked
9 replies to this topic

#1 bottleneck (Members, 8 posts)

Posted 28 January 2012 - 10:20 PM

Hello,

I was directed to post a new topic in this forum by Distinguished Member narenxp in this previous post: http://www.bleepingcomputer.com/forums/topic440265.html

It looks like I have a Zero Access rootkit infection :(


What I have done so far:

I followed narenxp's instructions and ran the following scans and posted the logs at the post linked above: Malwarebytes, TDSSkiller, aswMBR. The logs are available in the above link. Please let me know if I should post them in this topic too.

After seeing these logs, narenxp instructed that I follow the "Preparation guide for use before using malware removal tools and requesting help". I ran DeFogger and DDS (please see attachment and the log below). I didn't create a GMER log because the infected computer runs Windows Vista Home Premium 64 bit.

Where should I proceed from here? I feel so helpless...


:::::::::::::::: DDS log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_20
Run by David at 19:57:43 on 2012-01-28
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6108.5384 [GMT -7:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;192.168.*.*
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MI1933~1\Office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MI1933~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MI1933~1\Office14\EXCEL.EXE/3000
LSP: mswsock.dll
LSP: %SystemRoot%\system32\vsocklib.dll
Trusted Zone: intuit.com\ttlc
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{19F42413-39A9-4A72-A84B-B46C3006CF80} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{99E86E7D-9440-411D-8C06-C29C675C07F7} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs: acaptuser32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MI1933~1\Office14\GROOVEEX.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MI1933~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MI1933~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [(Default)]
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
AppInit_DLLs-X64: acaptuser32.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MI1933~1\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\i1neg7g9.default\
FF - prefs.js: browser.startup.homepage - hxxps://weblogin.asu.edu/cgi-bin/login?callapp=https%3A%2F%2Fweblogin.asu.edu%2Fgoogle-sso%2FAuthn%3Finit%3Dfalse%26SAMLRequest%3DfVLJTsMwEL0j8Q%252BW79nKgcpqggoIUYklooEDN9eepi6ObTx2C39PmlIBB3p9fvOW8UwuPjpNNuBRWVPSIs0pASOsVKYt6XNzk4zpRXV6MkHeacemMazME7xHwED6SYNseChp9IZZjgqZ4R0gC4LNp%252Fd3bJTmzHkbrLCaktl1Sd9ct9ByJZ10SqxgwVut3Fo6q1tnxUKJ9ZuRZq0oeTnEGu1izRAjzAwGbkIP5fk4KUZJcdbk5ywv2Nn4lZL62%252BlSmX2DY7EWexKy26apk%252Fpx3gwCGyXBP%252FTskrbWthpSYbudfc0R1aaHl1wjUDJFBB%252F6gFfWYOzAz8FvlIDnp7uSrkJwyLJsu92mPzIZzzjGFGTMuEBaDWtlQzP%252Fa5%252FHc%252FODL61%252BlCfZL6nq%252B7t2LWbXtdVKfJKp1nZ75YGHvkLwsW9wY33Hw%252F9uRVoMiJLJcqCyaNCBUEsFkpKs2rv%252BvYv%252BWr4A%26RelayState%3Dhttps%253A%252F%252Fwww.google.com%252Fa%252Fasu.edu%252FServiceLogin%253Fservice%253Dmail%2526passive%253Dtrue%2526rm%253Dfalse%2526continue%253Dhttps%25253A%25252F%25252Fmail.google.com%25252Fa%25252Fasu.edu%25252F%2526bsv%253D1k96igf4806cy%2526ss%253D1%2526ltmpl%253Ddefault%2526ltmplcache%253D2
FF - plugin: C:\PROGRA~2\MI1933~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MI1933~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.71\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\David\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\David\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\David\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 vmci;VMware VMCI Bus Driver;C:\Windows\system32\DRIVERS\vmci.sys --> C:\Windows\system32\DRIVERS\vmci.sys [?]
S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [?]
S2 ArcGIS License Manager;ArcGIS License Manager;C:\Program Files (x86)\ArcGIS\License10.0\bin\lmgrd.exe [2008-11-6 1500424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-8 136176]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]
S2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-29 846448]
S2 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2011-11-13 11839488]
S2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-10-9 493248]
S2 wmcmgc;Windows Management Configuration;C:\Windows\System32\svchost.exe -k netsvcs [2008-1-20 21504]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-8 136176]
S3 IDL DicomEx Storage SCP;IDL DicomEx Storage SCP;C:\RSI\IDL63\bin\bin.x86\idl_dicomexstorscp.exe [2006-3-27 49152]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-27 31124344]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-4-24 93184]
.
=============== File Associations ===============
.
.txt=bftxtfile
.
=============== Created Last 30 ================
.
2012-01-27 22:33:31 -------- d-----w- C:\Program Files (x86)\Cobian Backup 8
2012-01-27 06:04:00 -------- d-----we C:\Windows\system64
2012-01-23 23:43:20 -------- d-----w- C:\Users\David\AppData\Local\isaNetTask
2012-01-23 03:48:32 -------- d-----w- C:\Program Files (x86)\Common Files\ResearchSoft
2012-01-23 03:48:04 -------- d-----w- C:\Program Files (x86)\EndNote X5
2012-01-22 18:56:12 -------- d-----w- C:\ProgramData\Thomson.ResearchSoft.Installers
2012-01-22 18:40:39 -------- d--h--w- C:\ProgramData\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
2012-01-22 18:19:32 -------- d-----w- C:\Windows\AutoKMS
2012-01-22 18:02:43 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2012-01-22 17:50:04 -------- d-----w- C:\Program Files (x86)\Elaborate Bytes
2012-01-19 00:57:06 -------- d-----w- C:\Users\David\AppData\Roaming\Intuit
2012-01-19 00:54:42 -------- d-----w- C:\Users\David\AppData\Local\IsolatedStorage
2012-01-19 00:54:41 -------- d-----w- C:\Program Files (x86)\Common Files\Intuit
2012-01-19 00:51:44 -------- d-----w- C:\Program Files (x86)\TurboTax
2012-01-19 00:48:09 -------- d-----w- C:\ProgramData\Intuit
2012-01-14 23:23:15 -------- d-----w- C:\Users\David\.idl
2012-01-14 23:01:54 -------- d-----w- C:\RSI
2012-01-09 01:54:06 -------- d-----w- C:\Windows\SysWow64\QuickTime
2012-01-09 01:53:40 -------- d-----w- C:\Program Files (x86)\Common Files\TechSmith Shared
2012-01-08 21:26:41 -------- d-----w- C:\Users\David\AppData\Roaming\gedit
2012-01-08 21:11:12 -------- d-----w- C:\Users\David\.gconfd
2012-01-08 21:11:12 -------- d-----w- C:\Users\David\.gconf
2012-01-08 21:10:46 -------- d-----w- C:\Program Files (x86)\gedit
2012-01-07 05:20:26 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-07 05:20:26 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-07 05:20:26 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2012-01-07 05:20:26 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2012-01-06 07:21:24 -------- d-----w- C:\Users\David\AppData\Roaming\Motorola
2012-01-06 07:18:45 -------- d-----w- C:\Program Files\Common Files\Motorola Shared
2012-01-06 07:18:43 -------- d-----w- C:\Program Files (x86)\Motorola
.
==================== Find3M ====================
.
2012-01-02 05:09:10 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 22:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-14 06:36:56 942192 ----a-w- C:\Windows\System32\vnetlib64.dll
2011-11-14 06:36:54 63088 ----a-w- C:\Windows\System32\drivers\vmx86.sys
2011-11-14 06:36:08 354416 ----a-w- C:\Windows\SysWow64\vmnetdhcp.exe
2011-11-14 06:36:06 433264 ----a-w- C:\Windows\SysWow64\vmnat.exe
2011-11-14 06:35:22 30320 ----a-w- C:\Windows\System32\drivers\vmnetuserif.sys
2011-11-14 04:59:58 252016 ----a-w- C:\Windows\SysWow64\vmnc.dll
2011-11-14 04:33:56 62064 ----a-w- C:\Windows\System32\vmnetbridge.dll
2011-11-14 04:33:56 48752 ----a-w- C:\Windows\System32\vnetinst.dll
2011-11-14 04:33:56 45680 ----a-w- C:\Windows\System32\drivers\vmnetbridge.sys
2011-11-14 04:33:56 24176 ----a-w- C:\Windows\System32\drivers\vmnet.sys
2011-11-14 04:33:56 20080 ----a-w- C:\Windows\System32\drivers\vmnetadapter.sys
.
============= FINISH: 19:59:02.49 ===============


#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 28 January 2012 - 11:22 PM

Hello bottleneck,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKiller log
Combofix.txt
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
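Step 1 above asks for the TDSSKiller log to be pasted back into the thread, and the log bottleneck posts later in this topic shows its layout: after the "Scan started" marker, each scanned object takes two lines, the first giving its MD5 and path and the second its verdict ("- ok" for a clean object). As an added example that is not part of this thread and not Kaspersky's code, the Python below parses that layout and lists every object whose verdict is anything other than "ok", which is what a helper reading a pasted log is looking for. The sample lines reuse two real entries from the posted log; the "exampledrv" entry and its verdict text are constructed placeholders, not a real driver or a real TDSSKiller message.

```python
"""Parse a TDSSKiller scan log and list every object whose verdict is not "ok".

Added example, not code from this thread or from Kaspersky. The layout is taken
from the TDSSKiller log posted in this thread: after the "Scan started" marker,
each scanned object takes two lines, the first giving its MD5 and path and the
second its verdict. Lines before that marker (tool banner, OS info, drive
geometry) are header lines and are skipped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# First line of a pair: "<time> <thread id> <name> (<md5>) <path>"
ENTRY_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+"
    r"(?P<name>\S.*?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# Second line of a pair, or a stand-alone check: "<time> <thread id> <name> - <verdict>"
VERDICT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+"
    r"(?P<name>\S.*?)\s+-\s+(?P<verdict>.+?)\s*$"
)


@dataclass
class ScanObject:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, ScanObject]:
    """Return the scanned objects keyed by name, with their verdicts attached."""
    objects: Dict[str, ScanObject] = {}
    in_scan = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_scan:
            # Header lines such as "Drive ... - Size: ..." also contain " - " and
            # would be mistaken for verdicts, so parsing starts at the marker.
            if line.endswith("Scan started"):
                in_scan = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            objects[entry["name"]] = ScanObject(
                entry["name"], entry["md5"].lower(), entry["path"]
            )
            continue
        verdict = VERDICT_RE.match(line)
        if verdict:
            # Stand-alone checks (boot sectors, for example) have no entry line.
            obj = objects.setdefault(verdict["name"], ScanObject(verdict["name"]))
            obj.verdict = verdict["verdict"]
    return objects


def not_ok(objects: Dict[str, ScanObject]) -> List[ScanObject]:
    """Objects whose verdict is missing or anything other than the literal "ok"."""
    return [o for o in objects.values() if o.verdict != "ok"]


# Constructed sample: the ACPI and AFD entries are copied from the log posted in
# this thread; "exampledrv" and its verdict text are placeholders invented for
# this example and are not a real driver or a real TDSSKiller message.
SAMPLE_LOG = r"""
22:36:12.0096 2300 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
22:36:12.0798 2300 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200
22:36:13.0110 2300 Initialize success
22:36:20.0413 1084 Scan started
22:36:20.0413 1084 Mode: Manual;
22:36:20.0678 1084 ACPI (af3a1aa81f875169dd9e55b1320057d6) C:\Windows\system32\drivers\acpi.sys
22:36:20.0678 1084 ACPI - ok
22:36:21.0022 1084 AFD (9bb97042fa331a0fb4bdd98b9280a50a) C:\Windows\system32\drivers\afd.sys
22:36:21.0022 1084 AFD - ok
22:36:23.0300 1084 exampledrv (00000000000000000000000000000000) C:\Windows\system32\drivers\exampledrv.sys
22:36:23.0300 1084 exampledrv - CONSTRUCTED non-ok verdict (placeholder)
22:36:23.0400 1084 \Device\Harddisk0\DR0 - ok
"""

if __name__ == "__main__":
    for obj in not_ok(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"{obj.name}: {obj.verdict} ({obj.path})")
```

Run it on a real log by passing the file's contents to parse_tdsskiller_log; anything returned by not_ok is what the helper needs to look at, while the full dictionary keeps the MD5 and path of every clean object for cross-checking against the DDS listing.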


#3 bottleneck (Topic Starter, Members, 8 posts)

Posted 29 January 2012 - 12:20 AM

Thanks for your reply fireman4it!

Before I begin the process, should I perform the scans in Normal Mode or Safe Mode on the infected computer?

#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 29 January 2012 - 12:28 AM

Hello,

Before I begin the process, should I perform the scans in Normal Mode or Safe Mode on the infected computer?



Normal mode if they will run.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 bottleneck (Topic Starter, Members, 8 posts)

Posted 29 January 2012 - 01:11 AM

Thank you.

I have completed the two scans. To answer your last question first, the computer is running better. I tested this out by doing Google searches in the Firefox browser and clicking links at random to see if I get redirected to unwanted websites. So far, I haven't been redirected anywhere. Also, I started the Windows Task Manager and I don't see the PING.EXE process, which was hogging the CPU usage like crazy (this was one of the first symptoms that raised my suspicion of being infected!).

Here are the logs as requested:



::::::::::::::::: TDSS log:

22:36:12.0096 2300 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
22:36:12.0455 2300 ============================================================
22:36:12.0455 2300 Current date / time: 2012/01/28 22:36:12.0455
22:36:12.0455 2300 SystemInfo:
22:36:12.0455 2300
22:36:12.0455 2300 OS Version: 6.0.6001 ServicePack: 1.0
22:36:12.0455 2300 Product type: Workstation
22:36:12.0455 2300 ComputerName: DAVID-PC
22:36:12.0455 2300 UserName: David
22:36:12.0455 2300 Windows directory: C:\Windows
22:36:12.0455 2300 System windows directory: C:\Windows
22:36:12.0455 2300 Running under WOW64
22:36:12.0455 2300 Processor architecture: Intel x64
22:36:12.0455 2300 Number of processors: 2
22:36:12.0455 2300 Page size: 0x1000
22:36:12.0455 2300 Boot type: Normal boot
22:36:12.0455 2300 ============================================================
22:36:12.0798 2300 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
22:36:12.0798 2300 Drive \Device\Harddisk1\DR1 - Size: 0x75400000 (1.83 Gb), SectorSize: 0x200, Cylinders: 0xEF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
22:36:13.0110 2300 Initialize success
22:36:20.0413 1084 ============================================================
22:36:20.0413 1084 Scan started
22:36:20.0413 1084 Mode: Manual;
22:36:20.0413 1084 ============================================================
22:36:20.0678 1084 ACPI (af3a1aa81f875169dd9e55b1320057d6) C:\Windows\system32\drivers\acpi.sys
22:36:20.0678 1084 ACPI - ok
22:36:20.0803 1084 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
22:36:20.0803 1084 adp94xx - ok
22:36:20.0866 1084 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
22:36:20.0866 1084 adpahci - ok
22:36:20.0881 1084 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
22:36:20.0897 1084 adpu160m - ok
22:36:20.0913 1084 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
22:36:20.0928 1084 adpu320 - ok
22:36:21.0022 1084 AFD (9bb97042fa331a0fb4bdd98b9280a50a) C:\Windows\system32\drivers\afd.sys
22:36:21.0022 1084 AFD - ok
22:36:21.0084 1084 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
22:36:21.0084 1084 agp440 - ok
22:36:21.0115 1084 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
22:36:21.0115 1084 aic78xx - ok
22:36:21.0162 1084 aliide (9544c2c55541c0c6bfd7b489d0e7d430) C:\Windows\system32\drivers\aliide.sys
22:36:21.0162 1084 aliide - ok
22:36:21.0178 1084 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
22:36:21.0178 1084 amdide - ok
22:36:21.0225 1084 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
22:36:21.0225 1084 AmdK8 - ok
22:36:21.0303 1084 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
22:36:21.0303 1084 arc - ok
22:36:21.0365 1084 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
22:36:21.0365 1084 arcsas - ok
22:36:21.0443 1084 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
22:36:21.0443 1084 AsyncMac - ok
22:36:21.0459 1084 atapi (f988bb0690cd660318037908e9b8dbf7) C:\Windows\system32\drivers\atapi.sys
22:36:21.0459 1084 atapi - ok
22:36:21.0584 1084 atikmdag (cef278088637401f07a0064b0b900a32) C:\Windows\system32\DRIVERS\atikmdag.sys
22:36:21.0708 1084 atikmdag - ok
22:36:21.0755 1084 BCM42RLY (a7c9995ba861fce78b2ceaae61d39fd7) C:\Windows\system32\drivers\BCM42RLY.sys
22:36:21.0755 1084 BCM42RLY - ok
22:36:21.0818 1084 BCM43XX (d32f962b71fee6bdaaee630bb2c17280) C:\Windows\system32\DRIVERS\bcmwl664.sys
22:36:21.0833 1084 BCM43XX - ok
22:36:21.0896 1084 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
22:36:21.0896 1084 blbdrive - ok
22:36:21.0942 1084 bowser (f0f035fcec3554cc1b70c5611bd87951) C:\Windows\system32\DRIVERS\bowser.sys
22:36:21.0942 1084 bowser - ok
22:36:21.0989 1084 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
22:36:21.0989 1084 BrFiltLo - ok
22:36:22.0005 1084 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
22:36:22.0005 1084 BrFiltUp - ok
22:36:22.0020 1084 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
22:36:22.0020 1084 Brserid - ok
22:36:22.0052 1084 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
22:36:22.0052 1084 BrSerWdm - ok
22:36:22.0067 1084 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
22:36:22.0067 1084 BrUsbMdm - ok
22:36:22.0098 1084 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
22:36:22.0098 1084 BrUsbSer - ok
22:36:22.0114 1084 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
22:36:22.0114 1084 BTHMODEM - ok
22:36:22.0161 1084 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
22:36:22.0161 1084 cdfs - ok
22:36:22.0176 1084 cdrom (3b2fb35363423ed60c8fbf15fc8680bd) C:\Windows\system32\DRIVERS\cdrom.sys
22:36:22.0176 1084 cdrom - ok
22:36:22.0223 1084 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys
22:36:22.0223 1084 circlass - ok
22:36:22.0254 1084 CLFS (c12c4ee07843b595036da0baa6317936) C:\Windows\system32\CLFS.sys
22:36:22.0270 1084 CLFS - ok
22:36:22.0333 1084 CmBatt (b52d9a14ce4101577900a364ba86f3df) C:\Windows\system32\DRIVERS\CmBatt.sys
22:36:22.0333 1084 CmBatt - ok
22:36:22.0364 1084 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
22:36:22.0364 1084 cmdide - ok
22:36:22.0395 1084 Compbatt (34a6aa82aa36c87fc8816f2097efa345) C:\Windows\system32\DRIVERS\compbatt.sys
22:36:22.0395 1084 Compbatt - ok
22:36:22.0395 1084 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
22:36:22.0411 1084 crcdisk - ok
22:36:22.0457 1084 CtClsFlt (0d260d60fc1302e482850bb8f432d8d5) C:\Windows\system32\DRIVERS\CtClsFlt.sys
22:36:22.0457 1084 CtClsFlt - ok
22:36:22.0520 1084 DfsC (3725c43c9e90731eca651d506cc599a3) C:\Windows\system32\Drivers\dfsc.sys
22:36:22.0520 1084 DfsC - ok
22:36:22.0567 1084 disk (2dc415fc05fb8a079f896cbbacb19324) C:\Windows\system32\drivers\disk.sys
22:36:22.0567 1084 disk - ok
22:36:22.0645 1084 drmkaud (97dc2a789c1be458976507846a1a8ced) C:\Windows\system32\drivers\drmkaud.sys
22:36:22.0645 1084 drmkaud - ok
22:36:22.0707 1084 DXGKrnl (412964040ce920ff83aff6b5b551bf99) C:\Windows\System32\drivers\dxgkrnl.sys
22:36:22.0723 1084 DXGKrnl - ok
22:36:22.0785 1084 e1express (17d40652ef3e55eeae187a89df40965a) C:\Windows\system32\DRIVERS\e1e6032e.sys
22:36:22.0801 1084 e1express - ok
22:36:22.0863 1084 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
22:36:22.0863 1084 E1G60 - ok
22:36:22.0925 1084 Ecache (7343d950a34a95dcb7441642e3e6beef) C:\Windows\system32\drivers\ecache.sys
22:36:22.0925 1084 Ecache - ok
22:36:22.0957 1084 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
22:36:22.0972 1084 elxstor - ok
22:36:23.0003 1084 ErrDev (991fab6aa066e1214efb5b496fb7959a) C:\Windows\system32\drivers\errdev.sys
22:36:23.0003 1084 ErrDev - ok
22:36:23.0050 1084 exfat (2a546b9a84658b0554b1ec35cd9adaf5) C:\Windows\system32\drivers\exfat.sys
22:36:23.0050 1084 exfat - ok
22:36:23.0082 1084 fastfat (fe731d345ed9eeabbc72a59b35941834) C:\Windows\system32\drivers\fastfat.sys
22:36:23.0082 1084 fastfat - ok
22:36:23.0128 1084 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
22:36:23.0128 1084 fdc - ok
22:36:23.0144 1084 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
22:36:23.0144 1084 FileInfo - ok
22:36:23.0175 1084 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
22:36:23.0175 1084 Filetrace - ok
22:36:23.0206 1084 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
22:36:23.0222 1084 flpydisk - ok
22:36:23.0238 1084 FltMgr (7dacf1a3a4219575070c6dc7c957428a) C:\Windows\system32\drivers\fltmgr.sys
22:36:23.0253 1084 FltMgr - ok
22:36:23.0269 1084 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys
22:36:23.0269 1084 Fs_Rec - ok
22:36:23.0300 1084 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
22:36:23.0300 1084 gagp30kx - ok
22:36:23.0331 1084 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
22:36:23.0331 1084 GEARAspiWDM - ok
22:36:23.0550 1084 hcmon (adb4348da1345877b04e22203afc8993) C:\Windows\system32\drivers\hcmon.sys
22:36:23.0550 1084 hcmon - ok
22:36:23.0643 1084 HdAudAddService (df45f8142dc6df9d18c39b3effbd0409) C:\Windows\system32\drivers\HdAudio.sys
22:36:23.0659 1084 HdAudAddService - ok
22:36:23.0706 1084 HDAudBus (0c0d0f8a3ff09ecc81963d09ec6a0a84) C:\Windows\system32\DRIVERS\HDAudBus.sys
22:36:23.0706 1084 HDAudBus - ok
22:36:23.0737 1084 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
22:36:23.0737 1084 HidBth - ok
22:36:23.0784 1084 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys
22:36:23.0784 1084 HidIr - ok
22:36:23.0831 1084 HidUsb (128e2da8483fdd4dd0c7b3f9abd6f323) C:\Windows\system32\DRIVERS\hidusb.sys
22:36:23.0831 1084 HidUsb - ok
22:36:23.0862 1084 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
22:36:23.0877 1084 HpCISSs - ok
22:36:23.0909 1084 HTTP (e690736da6c543f5d99c8fa27bea31db) C:\Windows\system32\drivers\HTTP.sys
22:36:23.0924 1084 HTTP - ok
22:36:23.0940 1084 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
22:36:23.0955 1084 i2omp - ok
22:36:24.0002 1084 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
22:36:24.0002 1084 i8042prt - ok
22:36:24.0033 1084 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
22:36:24.0033 1084 iaStorV - ok
22:36:24.0080 1084 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
22:36:24.0096 1084 iirsp - ok
22:36:24.0127 1084 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys
22:36:24.0127 1084 intelide - ok
22:36:24.0158 1084 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
22:36:24.0158 1084 intelppm - ok
22:36:24.0221 1084 IpFilterDriver (99b821f5bebd6a3cc3fe564f802ae0fd) C:\Windows\system32\DRIVERS\ipfltdrv.sys
22:36:24.0221 1084 IpFilterDriver - ok
22:36:24.0221 1084 IpInIp - ok
22:36:24.0252 1084 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
22:36:24.0252 1084 IPMIDRV - ok
22:36:24.0283 1084 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
22:36:24.0283 1084 IPNAT - ok
22:36:24.0330 1084 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
22:36:24.0330 1084 IRENUM - ok
22:36:24.0377 1084 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
22:36:24.0377 1084 isapnp - ok
22:36:24.0439 1084 iScsiPrt (49e4ccbf74783fce5d2cc1ff6480e1f4) C:\Windows\system32\DRIVERS\msiscsi.sys
22:36:24.0439 1084 iScsiPrt - ok
22:36:24.0455 1084 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
22:36:24.0470 1084 iteatapi - ok
22:36:24.0501 1084 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
22:36:24.0501 1084 iteraid - ok
22:36:24.0548 1084 k57nd60a (eb5c7891b9e6e4a1a4428f2160b12b53) C:\Windows\system32\DRIVERS\k57nd60a.sys
22:36:24.0564 1084 k57nd60a - ok
22:36:24.0595 1084 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
22:36:24.0595 1084 kbdclass - ok
22:36:24.0595 1084 kbdhid (bf8783a5066cfecf45095459e8010fa7) C:\Windows\system32\DRIVERS\kbdhid.sys
22:36:24.0611 1084 kbdhid - ok
22:36:24.0642 1084 KSecDD (ccdcce6224e1e207e953af826b98a9d9) C:\Windows\system32\Drivers\ksecdd.sys
22:36:24.0658 1084 KSecDD - ok
22:36:24.0689 1084 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
22:36:24.0704 1084 ksthunk - ok
22:36:24.0751 1084 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
22:36:24.0751 1084 lltdio - ok
22:36:24.0798 1084 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
22:36:24.0798 1084 LSI_FC - ok
22:36:24.0829 1084 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
22:36:24.0845 1084 LSI_SAS - ok
22:36:24.0876 1084 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
22:36:24.0876 1084 LSI_SCSI - ok
22:36:24.0907 1084 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
22:36:24.0907 1084 luafv - ok
22:36:24.0938 1084 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
22:36:24.0938 1084 megasas - ok
22:36:24.0970 1084 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
22:36:24.0985 1084 MegaSR - ok
22:36:25.0063 1084 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
22:36:25.0063 1084 Modem - ok
22:36:25.0110 1084 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
22:36:25.0110 1084 monitor - ok
22:36:25.0126 1084 motandroidusb - ok
22:36:25.0141 1084 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
22:36:25.0141 1084 mouclass - ok
22:36:25.0172 1084 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
22:36:25.0172 1084 mouhid - ok
22:36:25.0188 1084 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
22:36:25.0188 1084 MountMgr - ok
22:36:25.0235 1084 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
22:36:25.0250 1084 mpio - ok
22:36:25.0282 1084 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
22:36:25.0282 1084 mpsdrv - ok
22:36:25.0313 1084 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
22:36:25.0313 1084 Mraid35x - ok
22:36:25.0344 1084 MRxDAV (fe2706c15f8345c342820e4e4583fea0) C:\Windows\system32\drivers\mrxdav.sys
22:36:25.0344 1084 MRxDAV - ok
22:36:25.0391 1084 mrxsmb (b698eb9acc7ecd4927d99d268918f912) C:\Windows\system32\DRIVERS\mrxsmb.sys
22:36:25.0391 1084 mrxsmb - ok
22:36:25.0422 1084 mrxsmb10 (9a797e27fd28500ee13d43000c931435) C:\Windows\system32\DRIVERS\mrxsmb10.sys
22:36:25.0422 1084 mrxsmb10 - ok
22:36:25.0438 1084 mrxsmb20 (f9425d610712533107a264e2d5b2154b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
22:36:25.0438 1084 mrxsmb20 - ok
22:36:25.0485 1084 msahci (730b784962d22d2c6481eae2370e7c8c) C:\Windows\system32\drivers\msahci.sys
22:36:25.0485 1084 msahci - ok
22:36:25.0500 1084 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
22:36:25.0516 1084 msdsm - ok
22:36:25.0563 1084 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
22:36:25.0563 1084 Msfs - ok
22:36:25.0594 1084 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
22:36:25.0594 1084 msisadrv - ok
22:36:25.0641 1084 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
22:36:25.0641 1084 MSKSSRV - ok
22:36:25.0672 1084 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
22:36:25.0672 1084 MSPCLOCK - ok
22:36:25.0687 1084 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
22:36:25.0687 1084 MSPQM - ok
22:36:25.0734 1084 MsRPC (b8e32e6103fbba9fbb1d0c11ff0d13b5) C:\Windows\system32\drivers\MsRPC.sys
22:36:25.0734 1084 MsRPC - ok
22:36:25.0765 1084 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
22:36:25.0765 1084 mssmbios - ok
22:36:25.0781 1084 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
22:36:25.0781 1084 MSTEE - ok
22:36:25.0828 1084 Mup (ddf133501f68d6988a0f55dfa88637b4) C:\Windows\system32\Drivers\mup.sys
22:36:25.0828 1084 Mup - ok
22:36:25.0843 1084 NativeWifiP (73b99c98fa3a2ed1566e02d6fe1913a5) C:\Windows\system32\DRIVERS\nwifi.sys
22:36:25.0859 1084 NativeWifiP - ok
22:36:25.0906 1084 NDIS (f9a3ae5c9f047d71a36a99f9abca7d02) C:\Windows\system32\drivers\ndis.sys
22:36:25.0921 1084 NDIS - ok
22:36:25.0953 1084 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
22:36:25.0953 1084 NdisTapi - ok
22:36:25.0968 1084 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
22:36:25.0984 1084 Ndisuio - ok
22:36:25.0999 1084 NdisWan (52e3e8e35101399be9b2938c992aa087) C:\Windows\system32\DRIVERS\ndiswan.sys
22:36:25.0999 1084 NdisWan - ok
22:36:26.0015 1084 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
22:36:26.0015 1084 NDProxy - ok
22:36:26.0031 1084 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
22:36:26.0031 1084 NetBIOS - ok
22:36:26.0046 1084 netbt (7a29ca243a629230799754162d80120f) C:\Windows\system32\DRIVERS\netbt.sys
22:36:26.0062 1084 netbt - ok
22:36:26.0093 1084 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
22:36:26.0109 1084 nfrd960 - ok
22:36:26.0109 1084 Npfs (b06154e2a2c91e9be5599fca53bc4cd0) C:\Windows\system32\drivers\Npfs.sys
22:36:26.0109 1084 Npfs - ok
22:36:26.0140 1084 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
22:36:26.0140 1084 nsiproxy - ok
22:36:26.0202 1084 Ntfs (fe86ba5ac3b50e2ca911e9c60c07b638) C:\Windows\system32\drivers\Ntfs.sys
22:36:26.0249 1084 Ntfs - ok
22:36:26.0280 1084 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
22:36:26.0280 1084 Null - ok
22:36:26.0312 1084 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
22:36:26.0312 1084 nvraid - ok
22:36:26.0343 1084 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
22:36:26.0343 1084 nvstor - ok
22:36:26.0358 1084 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
22:36:26.0358 1084 nv_agp - ok
22:36:26.0358 1084 NwlnkFlt - ok
22:36:26.0374 1084 NwlnkFwd - ok
22:36:26.0405 1084 ohci1394 (1b30103fde512915a9214b108b6e7a9c) C:\Windows\system32\DRIVERS\ohci1394.sys
22:36:26.0405 1084 ohci1394 - ok
22:36:26.0468 1084 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
22:36:26.0468 1084 Parport - ok
22:36:26.0514 1084 partmgr (5ab40c36894f4c06bdab0c9a2fba282d) C:\Windows\system32\drivers\partmgr.sys
22:36:26.0514 1084 partmgr - ok
22:36:26.0546 1084 pci (2a5b2a51559066ea84742909b5b2cd69) C:\Windows\system32\drivers\pci.sys
22:36:26.0546 1084 pci - ok
22:36:26.0577 1084 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys
22:36:26.0577 1084 pciide - ok
22:36:26.0608 1084 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
22:36:26.0608 1084 pcmcia - ok
22:36:26.0639 1084 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
22:36:26.0670 1084 PEAUTH - ok
22:36:26.0733 1084 PptpMiniport (f5739f2c6db2534c384ad5150808e8f5) C:\Windows\system32\DRIVERS\raspptp.sys
22:36:26.0733 1084 PptpMiniport - ok
22:36:26.0764 1084 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
22:36:26.0764 1084 Processor - ok
22:36:26.0811 1084 PSched (0e0e205a296095fe4c631e6a4775ad6c) C:\Windows\system32\DRIVERS\pacer.sys
22:36:26.0811 1084 PSched - ok
22:36:26.0858 1084 PxHlpa64 (fbf4db6d53585437e41a113300002a2b) C:\Windows\system32\Drivers\PxHlpa64.sys
22:36:26.0858 1084 PxHlpa64 - ok
22:36:26.0905 1084 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
22:36:26.0936 1084 ql2300 - ok
22:36:26.0983 1084 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
22:36:26.0983 1084 ql40xx - ok
22:36:27.0045 1084 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
22:36:27.0045 1084 QWAVEdrv - ok
22:36:27.0185 1084 R300 (cef278088637401f07a0064b0b900a32) C:\Windows\system32\DRIVERS\atikmdag.sys
22:36:27.0217 1084 R300 - ok
22:36:27.0248 1084 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
22:36:27.0248 1084 RasAcd - ok
22:36:27.0310 1084 Rasl2tp (3b9085f91ef00abd15a6f36570e90e12) C:\Windows\system32\DRIVERS\rasl2tp.sys
22:36:27.0310 1084 Rasl2tp - ok
22:36:27.0326 1084 RasPppoe (2ce1703c27196094fb6e4c6e439f2c21) C:\Windows\system32\DRIVERS\raspppoe.sys
22:36:27.0326 1084 RasPppoe - ok
22:36:27.0341 1084 RasSstp (fcd04fa67e8b40fa0ad361dd38593942) C:\Windows\system32\DRIVERS\rassstp.sys
22:36:27.0341 1084 RasSstp - ok
22:36:27.0373 1084 rdbss (33fa5b6136d92ee0f53f021c79091300) C:\Windows\system32\DRIVERS\rdbss.sys
22:36:27.0373 1084 rdbss - ok
22:36:27.0388 1084 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
22:36:27.0388 1084 RDPCDD - ok
22:36:27.0435 1084 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys
22:36:27.0435 1084 rdpdr - ok
22:36:27.0451 1084 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
22:36:27.0451 1084 RDPENCDD - ok
22:36:27.0497 1084 RDPWD (7747082f672aa2846235c9cea42e2e72) C:\Windows\system32\drivers\RDPWD.sys
22:36:27.0497 1084 RDPWD - ok
22:36:27.0560 1084 rimmptsk (d13d70fac45fc1df69f88559b1f72f0a) C:\Windows\system32\DRIVERS\rimmpx64.sys
22:36:27.0560 1084 rimmptsk - ok
22:36:27.0575 1084 rimsptsk (bb9edc55b0b8cb4fcd713428820e0776) C:\Windows\system32\DRIVERS\rimspx64.sys
22:36:27.0575 1084 rimsptsk - ok
22:36:27.0607 1084 rismxdp (481c3fdeacaae04b74c58288dbc91df9) C:\Windows\system32\DRIVERS\rixdpx64.sys
22:36:27.0607 1084 rismxdp - ok
22:36:27.0622 1084 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
22:36:27.0622 1084 rspndr - ok
22:36:27.0654 1084 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
22:36:27.0654 1084 sbp2port - ok
22:36:27.0716 1084 sdbus (fb30126d3e617c86cd8e8643792ca3cf) C:\Windows\system32\DRIVERS\sdbus.sys
22:36:27.0732 1084 sdbus - ok
22:36:27.0732 1084 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
22:36:27.0732 1084 secdrv - ok
22:36:27.0763 1084 Sentinel (82215bbed5d37b0c354f0e83fd0c8423) C:\Windows\System32\Drivers\SENTINEL64.SYS
22:36:27.0778 1084 Sentinel - ok
22:36:27.0794 1084 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys
22:36:27.0794 1084 Serenum - ok
22:36:27.0810 1084 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys
22:36:27.0810 1084 Serial - ok
22:36:27.0856 1084 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
22:36:27.0856 1084 sermouse - ok
22:36:27.0888 1084 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
22:36:27.0888 1084 sffdisk - ok
22:36:27.0919 1084 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
22:36:27.0919 1084 sffp_mmc - ok
22:36:27.0950 1084 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
22:36:27.0950 1084 sffp_sd - ok
22:36:27.0981 1084 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
22:36:27.0981 1084 sfloppy - ok
22:36:27.0997 1084 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
22:36:28.0012 1084 SiSRaid2 - ok
22:36:28.0028 1084 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
22:36:28.0028 1084 SiSRaid4 - ok
22:36:28.0059 1084 Smb (41eb2e8e005feedcafce301983eff932) C:\Windows\system32\DRIVERS\smb.sys
22:36:28.0059 1084 Smb - ok
22:36:28.0090 1084 spldr (f9cb0672162f7f04248e2b82c1ff4617) C:\Windows\system32\drivers\spldr.sys
22:36:28.0090 1084 spldr - ok
22:36:28.0122 1084 srv (a8abd7d0d907b45cf3831f4dd8644349) C:\Windows\system32\DRIVERS\srv.sys
22:36:28.0122 1084 srv - ok
22:36:28.0168 1084 srv2 (6c72eea39e1c37b436a6d1532999f9ec) C:\Windows\system32\DRIVERS\srv2.sys
22:36:28.0168 1084 srv2 - ok
22:36:28.0200 1084 srvnet (7f69bcf9e6fa3d93c82ee6b87812666d) C:\Windows\system32\DRIVERS\srvnet.sys
22:36:28.0200 1084 srvnet - ok
22:36:28.0278 1084 STHDA (ba16447226abfd342e130d2f24f73d32) C:\Windows\system32\DRIVERS\stwrt64.sys
22:36:28.0293 1084 STHDA - ok
22:36:28.0340 1084 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
22:36:28.0340 1084 swenum - ok
22:36:28.0356 1084 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
22:36:28.0371 1084 Symc8xx - ok
22:36:28.0403 1084 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
22:36:28.0403 1084 Sym_hi - ok
22:36:28.0418 1084 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
22:36:28.0418 1084 Sym_u3 - ok
22:36:28.0449 1084 SynTP (79a93ec9d224b1f43c0e2f023d61dca3) C:\Windows\system32\DRIVERS\SynTP.sys
22:36:28.0449 1084 SynTP - ok
22:36:28.0512 1084 Tcpip (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\drivers\tcpip.sys
22:36:28.0543 1084 Tcpip - ok
22:36:28.0605 1084 Tcpip6 (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\DRIVERS\tcpip.sys
22:36:28.0621 1084 Tcpip6 - ok
22:36:28.0699 1084 tcpipreg (c29d4b3b08ad0b7e8564814e4ff6a57b) C:\Windows\system32\drivers\tcpipreg.sys
22:36:28.0699 1084 tcpipreg - ok
22:36:28.0761 1084 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
22:36:28.0761 1084 TDPIPE - ok
22:36:28.0793 1084 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
22:36:28.0793 1084 TDTCP - ok
22:36:28.0824 1084 tdx (8c39c72e0e853de04748c0337d9b9216) C:\Windows\system32\DRIVERS\tdx.sys
22:36:28.0824 1084 tdx - ok
22:36:28.0839 1084 TermDD (3f0ebf6ee609f2a276c0d5faf244ec90) C:\Windows\system32\DRIVERS\termdd.sys
22:36:28.0855 1084 TermDD - ok
22:36:28.0886 1084 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
22:36:28.0886 1084 tssecsrv - ok
22:36:28.0949 1084 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
22:36:28.0949 1084 tunmp - ok
22:36:28.0995 1084 tunnel (2dc2c423572946e9a3131425bda73cb6) C:\Windows\system32\DRIVERS\tunnel.sys
22:36:28.0995 1084 tunnel - ok
22:36:29.0042 1084 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys
22:36:29.0058 1084 uagp35 - ok
22:36:29.0120 1084 udfs (eca6629e33f122afff18a2ab7c3eb033) C:\Windows\system32\DRIVERS\udfs.sys
22:36:29.0120 1084 udfs - ok
22:36:29.0183 1084 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys
22:36:29.0183 1084 uliagpkx - ok
22:36:29.0230 1084 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys
22:36:29.0230 1084 uliahci - ok
22:36:29.0261 1084 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys
22:36:29.0261 1084 UlSata - ok
22:36:29.0292 1084 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys
22:36:29.0292 1084 ulsata2 - ok
22:36:29.0339 1084 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys
22:36:29.0339 1084 umbus - ok
22:36:29.0401 1084 USBAAPL64 (f724b03c3dfaacf08d17d38bf3333583) C:\Windows\system32\Drivers\usbaapl64.sys
22:36:29.0401 1084 USBAAPL64 - ok
22:36:29.0448 1084 usbccgp (cee5090e3c2f23df52b732dc3cc16ad8) C:\Windows\system32\DRIVERS\usbccgp.sys
22:36:29.0448 1084 usbccgp - ok
22:36:29.0479 1084 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys
22:36:29.0479 1084 usbcir - ok
22:36:29.0526 1084 usbehci (3bb628ad6e7391e801ce4bda9a52bb1d) C:\Windows\system32\DRIVERS\usbehci.sys
22:36:29.0526 1084 usbehci - ok
22:36:29.0542 1084 usbhub (d02090110a4d92b4b9a9a2e17729e997) C:\Windows\system32\DRIVERS\usbhub.sys
22:36:29.0557 1084 usbhub - ok
22:36:29.0573 1084 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys
22:36:29.0588 1084 usbohci - ok
22:36:29.0620 1084 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys
22:36:29.0620 1084 usbprint - ok
22:36:29.0666 1084 usbscan (ea0bf666868964fbe8cb10e50c97b9f1) C:\Windows\system32\DRIVERS\usbscan.sys
22:36:29.0666 1084 usbscan - ok
22:36:29.0760 1084 USBSTOR (586d9876a4945779c8eea926c0d16889) C:\Windows\system32\DRIVERS\USBSTOR.SYS
22:36:29.0760 1084 USBSTOR - ok
22:36:29.0807 1084 usbuhci (d63b28cffbba74bc374b41a60543190c) C:\Windows\system32\DRIVERS\usbuhci.sys
22:36:29.0807 1084 usbuhci - ok
22:36:29.0854 1084 usbvideo (fc33099877790d51b0927b7039059855) C:\Windows\system32\Drivers\usbvideo.sys
22:36:29.0854 1084 usbvideo - ok
22:36:29.0885 1084 VClone (fd911873c0bb6945fa38c16e9a2b58f9) C:\Windows\system32\DRIVERS\VClone.sys
22:36:29.0885 1084 VClone - ok
22:36:29.0947 1084 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
22:36:29.0947 1084 vga - ok
22:36:29.0979 1084 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
22:36:29.0979 1084 VgaSave - ok
22:36:30.0025 1084 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
22:36:30.0025 1084 viaide - ok
22:36:30.0088 1084 vmci (87fc1dd880e8cac4faebb84af61a87c4) C:\Windows\system32\DRIVERS\vmci.sys
22:36:30.0088 1084 vmci - ok
22:36:30.0119 1084 VMnetAdapter (b259c31378bc855afd1b53f59311c251) C:\Windows\system32\DRIVERS\vmnetadapter.sys
22:36:30.0119 1084 VMnetAdapter - ok
22:36:30.0135 1084 VMnetBridge (dec4ce720ffeda939cf1ba315cfbd993) C:\Windows\system32\DRIVERS\vmnetbridge.sys
22:36:30.0135 1084 VMnetBridge - ok
22:36:30.0150 1084 VMnetuserif (f6720c0c51a5bd4e204e0816770622cf) C:\Windows\system32\drivers\vmnetuserif.sys
22:36:30.0150 1084 VMnetuserif - ok
22:36:30.0181 1084 vmusb (415b167695c4b5960a13098622ef3d80) C:\Windows\system32\Drivers\vmusb.sys
22:36:30.0181 1084 vmusb - ok
22:36:30.0228 1084 vmx86 (9e8d231425a6b63f97bfd5421f571419) C:\Windows\system32\drivers\vmx86.sys
22:36:30.0228 1084 vmx86 - ok
22:36:30.0275 1084 volmgr (793d9b32a1c462c91f6f70358283ac97) C:\Windows\system32\drivers\volmgr.sys
22:36:30.0275 1084 volmgr - ok
22:36:30.0306 1084 volmgrx (5aa217da5dc4ff5b9ac9ab86563b3223) C:\Windows\system32\drivers\volmgrx.sys
22:36:30.0322 1084 volmgrx - ok
22:36:30.0337 1084 volsnap (de4307412d98050239026e56a7dff3c0) C:\Windows\system32\drivers\volsnap.sys
22:36:30.0337 1084 volsnap - ok
22:36:30.0400 1084 vpnva (0e4df91e83da5739ffb18535d4db10aa) C:\Windows\system32\DRIVERS\vpnva64.sys
22:36:30.0400 1084 vpnva - ok
22:36:30.0447 1084 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
22:36:30.0447 1084 vsmraid - ok
22:36:30.0493 1084 vstor2-mntapi10-shared - ok
22:36:30.0525 1084 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
22:36:30.0525 1084 WacomPen - ok
22:36:30.0556 1084 Wanarp (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys
22:36:30.0556 1084 Wanarp - ok
22:36:30.0571 1084 Wanarpv6 (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys
22:36:30.0571 1084 Wanarpv6 - ok
22:36:30.0603 1084 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
22:36:30.0603 1084 Wd - ok
22:36:30.0650 1084 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys
22:36:30.0681 1084 Wdf01000 - ok
22:36:30.0759 1084 WmiAcpi (7999dfb1c555efc0db69576f70027867) C:\Windows\system32\DRIVERS\wmiacpi.sys
22:36:30.0759 1084 WmiAcpi - ok
22:36:30.0821 1084 WpdUsb (6329d1990db931073b86ab5946d8e317) C:\Windows\system32\DRIVERS\wpdusb.sys
22:36:30.0821 1084 WpdUsb - ok
22:36:30.0837 1084 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
22:36:30.0852 1084 ws2ifsl - ok
22:36:30.0884 1084 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys
22:36:30.0884 1084 WUDFRd - ok
22:36:30.0915 1084 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
22:36:30.0962 1084 \Device\Harddisk0\DR0 - ok
22:36:30.0977 1084 MBR (0x1B8) (0792f22bcc85cfd3b28324561fffcabb) \Device\Harddisk1\DR1
22:36:33.0006 1084 \Device\Harddisk1\DR1 - ok
22:36:33.0021 1084 Boot (0x1200) (064977206f2bb5b152d4ddffd7056478) \Device\Harddisk0\DR0\Partition0
22:36:33.0021 1084 \Device\Harddisk0\DR0\Partition0 - ok
22:36:33.0053 1084 Boot (0x1200) (36444167d4d8e947e0a4fd49f2892306) \Device\Harddisk0\DR0\Partition1
22:36:33.0053 1084 \Device\Harddisk0\DR0\Partition1 - ok
22:36:33.0053 1084 Boot (0x1200) (6b9049d163d441e9ed832d0b2492f843) \Device\Harddisk1\DR1\Partition0
22:36:33.0053 1084 \Device\Harddisk1\DR1\Partition0 - ok
22:36:33.0053 1084 ============================================================
22:36:33.0053 1084 Scan finished
22:36:33.0053 1084 ============================================================
22:36:33.0068 1568 Detected object count: 0
22:36:33.0068 1568 Actual detected object count: 0

::::::::::::: ComboFix log:

ComboFix 12-01-29.01 - David 01/28/2012 22:42:08.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6108.4381 [GMT -7:00]
Running from: c:\users\David\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\David\AppData\Local\{19E7FAAB-D1AE-4F4B-B4FE-F27A093E266C}
c:\users\David\AppData\Local\{19E7FAAB-D1AE-4F4B-B4FE-F27A093E266C}\chrome.manifest
c:\users\David\AppData\Local\{19E7FAAB-D1AE-4F4B-B4FE-F27A093E266C}\chrome\content\_cfg.js
c:\users\David\AppData\Local\{19E7FAAB-D1AE-4F4B-B4FE-F27A093E266C}\chrome\content\overlay.xul
c:\users\David\AppData\Local\{19E7FAAB-D1AE-4F4B-B4FE-F27A093E266C}\install.rdf
c:\users\David\AppData\Local\{C0033104-6429-476F-8E14-CC0493DE969C}
c:\users\David\AppData\Local\{C0033104-6429-476F-8E14-CC0493DE969C}\chrome\content\overlay.xul
c:\users\David\AppData\Local\{C0033104-6429-476F-8E14-CC0493DE969C}\install.rdf
c:\users\David\AppData\Local\{F211A6BF-1D04-4123-822B-8F5CDBDFBAA8}
c:\users\David\AppData\Local\{F211A6BF-1D04-4123-822B-8F5CDBDFBAA8}\chrome\content\overlay.xul
c:\users\David\AppData\Local\{F211A6BF-1D04-4123-822B-8F5CDBDFBAA8}\install.rdf
c:\users\David\AppData\Roaming\Roaming
c:\users\David\AppData\Roaming\Roaming\ICAClient\webica.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\system32\consrv.dll
c:\windows\system32\java.exe
c:\windows\System64
c:\windows\SysWow64\regobj.dll
c:\windows\SysWow64\win.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))
.
.
2012-01-29 05:50 . 2012-01-29 05:53 -------- d-----w- c:\users\David\AppData\Local\temp
2012-01-29 05:50 . 2012-01-29 05:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-27 22:33 . 2012-01-27 22:33 -------- d-----w- c:\program files (x86)\Cobian Backup 8
2012-01-23 23:43 . 2012-01-27 04:13 -------- d-----w- c:\users\David\AppData\Local\isaNetTask
2012-01-23 03:48 . 2012-01-23 03:48 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
2012-01-23 03:48 . 2012-01-23 03:48 -------- d-----w- c:\program files (x86)\EndNote X5
2012-01-22 18:56 . 2012-01-23 03:48 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2012-01-22 18:40 . 2012-01-22 18:40 -------- d--h--w- c:\programdata\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
2012-01-22 18:19 . 2012-01-22 18:22 -------- d-----w- c:\windows\AutoKMS
2012-01-22 18:02 . 2012-01-22 18:02 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-01-22 17:50 . 2012-01-22 17:50 -------- d-----w- c:\program files (x86)\Elaborate Bytes
2012-01-19 00:57 . 2012-01-19 00:57 -------- d-----w- c:\users\David\AppData\Roaming\Intuit
2012-01-19 00:54 . 2012-01-19 00:54 -------- d-----w- c:\users\David\AppData\Local\IsolatedStorage
2012-01-19 00:54 . 2012-01-19 00:55 -------- d-----w- c:\program files (x86)\Common Files\Intuit
2012-01-19 00:51 . 2012-01-19 00:51 -------- d-----w- c:\program files (x86)\TurboTax
2012-01-19 00:48 . 2012-01-19 00:55 -------- d-----w- c:\programdata\Intuit
2012-01-14 23:23 . 2012-01-14 23:23 -------- d-----w- c:\users\David\.idl
2012-01-14 23:01 . 2012-01-14 23:02 -------- d-----w- C:\RSI
2012-01-09 05:50 . 2012-01-09 05:50 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-01-09 01:54 . 2012-01-09 01:54 -------- d-----w- c:\windows\SysWow64\QuickTime
2012-01-09 01:53 . 2012-01-09 01:53 -------- d-----w- c:\program files (x86)\Common Files\TechSmith Shared
2012-01-09 01:53 . 2012-01-09 01:53 -------- d-----w- c:\programdata\TechSmith
2012-01-09 01:53 . 2012-01-09 01:53 -------- d-----w- c:\program files (x86)\TechSmith
2012-01-08 21:26 . 2012-01-08 21:26 -------- d-----w- c:\users\David\AppData\Roaming\gedit
2012-01-08 21:11 . 2012-01-08 21:12 -------- d-----w- c:\users\David\.gconf
2012-01-08 21:10 . 2012-01-08 21:26 -------- d-----w- c:\program files (x86)\gedit
2012-01-07 18:49 . 2012-01-07 18:49 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-01-07 05:20 . 2012-01-07 05:20 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-07 05:20 . 2012-01-07 05:20 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-07 05:20 . 2012-01-07 05:20 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-01-07 05:20 . 2012-01-07 05:20 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-01-06 07:21 . 2012-01-06 07:21 -------- d-----w- c:\users\David\AppData\Roaming\Motorola
2012-01-06 07:18 . 2012-01-06 07:18 -------- d-----w- c:\program files\Common Files\Motorola Shared
2012-01-06 07:18 . 2012-01-28 08:19 -------- d-----w- c:\program files (x86)\Motorola
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-02 05:09 . 2011-06-01 14:51 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-14 06:03 . 2011-12-14 06:03 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-10 22:24 . 2010-08-02 23:00 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-14 06:36 . 2011-11-21 17:07 942192 ----a-w- c:\windows\system32\vnetlib64.dll
2011-11-14 06:36 . 2011-11-21 17:09 63088 ----a-w- c:\windows\system32\drivers\vmx86.sys
2011-11-14 06:36 . 2011-11-21 17:08 354416 ----a-w- c:\windows\SysWow64\vmnetdhcp.exe
2011-11-14 06:36 . 2011-11-21 17:08 433264 ----a-w- c:\windows\SysWow64\vmnat.exe
2011-11-14 06:35 . 2011-11-21 17:08 30320 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-11-14 04:59 . 2011-11-14 04:59 252016 ----a-w- c:\windows\SysWow64\vmnc.dll
2011-11-14 04:33 . 2011-11-14 04:33 62064 ----a-w- c:\windows\system32\vmnetbridge.dll
2011-11-14 04:33 . 2011-11-14 04:33 48752 ----a-w- c:\windows\system32\vnetinst.dll
2011-11-14 04:33 . 2011-11-14 04:33 45680 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2011-11-14 04:33 . 2011-11-14 04:33 24176 ----a-w- c:\windows\system32\drivers\vmnet.sys
2011-11-14 04:33 . 2011-11-14 04:33 20080 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2011-11-14 103536]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wmcmgc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-08 21:00]
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-08 21:00]
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322682365-1537293604-575616848-1000Core.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-13 23:17]
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322682365-1537293604-575616848-1000UA.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-13 23:17]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-25 1657128]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-21 4119552]
"combofix"="c:\combofix\CF28396.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\acaptuser64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office14\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\i1neg7g9.default\
FF - prefs.js: browser.startup.homepage - hxxps://weblogin.asu.edu/cgi-bin/login?callapp=https%3A%2F%2Fweblogin.asu.edu%2Fgoogle-sso%2FAuthn%3Finit%3Dfalse%26SAMLRequest%3DfVLJTsMwEL0j8Q%252BW79nKgcpqggoIUYklooEDN9eepi6ObTx2C39PmlIBB3p9fvOW8UwuPjpNNuBRWVPSIs0pASOsVKYt6XNzk4zpRXV6MkHeacemMazME7xHwED6SYNseChp9IZZjgqZ4R0gC4LNp%252Fd3bJTmzHkbrLCaktl1Sd9ct9ByJZ10SqxgwVut3Fo6q1tnxUKJ9ZuRZq0oeTnEGu1izRAjzAwGbkIP5fk4KUZJcdbk5ywv2Nn4lZL62%252BlSmX2DY7EWexKy26apk%252Fpx3gwCGyXBP%252FTskrbWthpSYbudfc0R1aaHl1wjUDJFBB%252F6gFfWYOzAz8FvlIDnp7uSrkJwyLJsu92mPzIZzzjGFGTMuEBaDWtlQzP%252Fa5%252FHc%252FODL61%252BlCfZL6nq%252B7t2LWbXtdVKfJKp1nZ75YGHvkLwsW9wY33Hw%252F9uRVoMiJLJcqCyaNCBUEsFkpKs2rv%252BvYv%252BWr4A%26RelayState%3Dhttps%253A%252F%252Fwww.google.com%252Fa%252Fasu.edu%252FServiceLogin%253Fservice%253Dmail%2526passive%253Dtrue%2526rm%253Dfalse%2526continue%253Dhttps%25253A%25252F%25252Fmail.google.com%25252Fa%25252Fasu.edu%25252F%2526bsv%253D1k96igf4806cy%2526ss%253D1%2526ltmpl%253Ddefault%2526ltmplcache%253D2
.
.
------- File Associations -------
.
.txt=bftxtfile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\ArcGIS\License10.0\bin\lmgrd.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\ArcGIS\License10.0\bin\lmgrd.exe
c:\program files (x86)\ArcGIS\License10.0\bin\ARCGIS.exe
c:\windows\SysWOW64\vmnat.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\program files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-01-28 22:58:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-29 05:58
.
Pre-Run: 82,373,832,704 bytes free
Post-Run: 81,889,202,176 bytes free
.
- - End Of File - - C1616B87909A14ADEF35A90590E2ECA5

#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 29 January 2012 - 01:27 AM

Hello,

Glad it's running better. Let's run a couple of other scanners to make sure there are no leftovers.


1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Things to include in your next reply:
MBAM log
Eset log
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 bottleneck
  • Topic Starter
  • Members
  • 8 posts

Posted 29 January 2012 - 02:18 AM

Hi fireman4it,

I ran the "Perform Quick Scan" in Malwarebytes and it was successful (please see log below). But when I try to run ESET Online Scan from my Internet Explorer, it stops at step 2 out of 4 (Initialization...) with the following message in red: Can not get update. Is proxy configured?

I am able to connect to the Internet and browse without any problems. Not sure what is causing this error prompt in ESET Online Scan.

Here is the Malwarebytes log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.28.06

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 7.0.6001.18000
David :: DAVID-PC [administrator]

1/28/2012 11:57:51 PM
mbam-log-2012-01-28 (23-57-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196445
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 29 January 2012 - 10:55 AM

Hello,

Let's try this instead of Eset.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)



#9 bottleneck
  • Topic Starter
  • Members
  • 8 posts

Posted 29 January 2012 - 04:41 PM

Hi fireman4it,

While I was waiting for your instructions, I read up some more about the infection and decided, as the safest measure, to do a complete reformat and installation of my OS. Thankfully it won't be too much of a hassle for me to reinstall all the programs I had, and I didn't have many documents on the machine.

I want to thank you and other Helpers so much for volunteering your time to help.

How do I close this topic or mark it as "solved" or something like that?

Thanks.

#10 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 29 January 2012 - 06:59 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
