
Google Redirect on Laptop and iPhone


  • This topic is locked
24 replies to this topic

#1 orteleus

orteleus

  • Members
  • 14 posts

Posted 09 February 2012 - 10:23 PM

When clicked, some Google search results redirect to the wrong website (datingpuma.com and vipsearchs.com are common). This has occurred on both my laptop and iPhone, which are both connected to the same wireless router. On both the laptop and iPhone I am also frequently unable to access Google Reader or Calendar. I have also been experiencing quite a few BSODs. The error message usually reads "ISQRL" (or something like that) but the information disappears so quickly I never have time to write it down. The Vista theme has also reverted to a Windows 97 (or at least an earlier version) appearance. I was able to revert to the Vista theme temporarily but frequent BSODs switched it back and I gave up. In short, my computer is kind of a mess.
AVG is my anti-virus software. I have run a half-dozen Malwarebytes scans (both quick and full). The first scan detected threats but none have detected threats since then. I also ran the Kaspersky TDSSKiller.exe program, which located and cured a rootkit (sorry, I forgot to save the name). But the problem of redirects keeps occurring (although less frequently).
Any help would be really appreciated.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_24
Run by Craig at 17:43:46 on 2012-02-09
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3543.1826 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\aestsrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\Craig\AppData\Local\Akamai\netsession_win.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIHLA.EXE
C:\Growtronix\Growtronix Server.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Craig\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Craig\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.dell.com
uStart Page = hxxp://www.ask.com/?l=dis&o=15179
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Google Update] "c:\users\craig\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "c:\users\craig\appdata\local\akamai\netsession_win.exe"
uRun: [Epson Stylus NX230(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatihla.exe /fu "c:\users\craig\appdata\local\temp\E_S8F73.tmp" /EF "HKCU"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\craig\appdata\roaming\micros~1\windows\startm~1\programs\startup\epsona~1.lnk - c:\users\craig\appdata\roaming\leadertech\powerregister\Epson all-in-one Registration.exe
StartupFolder: c:\users\craig\appdata\roaming\micros~1\windows\startm~1\programs\startup\jobula~1.lnk - c:\program files\jobulator\Jobulator.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\growtr~1.lnk - c:\growtronix\Growtronix Server.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{176B8D62-706E-4D00-9E0F-6D304C564F79} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D8D523CD-D8E7-40E5-90F6-8465C0E86DB9} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\craig\appdata\roaming\mozilla\firefox\profiles\xolls3rs.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\craig\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\users\craig\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\craig\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_0145da1d\AEstSrv.exe [2010-10-4 81920]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-9 652360]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-9 20464]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2010-10-4 144672]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2010-10-4 269216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-5 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-5 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
S4 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2012-02-09 22:54:38 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2012-02-09 22:04:18 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2012-02-09 17:54:34 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-09 17:04:25 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-09 17:04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-09 05:46:36 -------- d-----w- c:\users\craig\appdata\roaming\Malwarebytes
2012-02-09 05:46:05 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 18:30:07 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{015683de-a264-46c7-8a61-3adb174ea1fc}\offreg.dll
2012-02-06 14:35:04 -------- d-----w- c:\users\craig\appdata\roaming\Leader Technologies
2012-02-03 03:52:07 -------- d-----w- c:\program files\LTCM Client
2012-02-03 03:50:48 77824 ----a-w- c:\windows\system32\EBAPI.dll
2012-02-03 03:50:48 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2012-02-03 03:50:48 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2012-02-03 03:50:48 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2012-02-03 03:50:48 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2012-02-03 03:49:31 475410 ----a-w- c:\windows\system32\ensppmon.dll
2012-02-03 03:49:31 458129 ----a-w- c:\windows\system32\ensppui.dll
2012-02-03 03:49:31 249344 ----a-w- c:\windows\system32\enspres.dll
2012-02-03 03:49:30 475410 ----a-w- c:\windows\system32\enppmon.dll
2012-02-03 03:49:30 458129 ----a-w- c:\windows\system32\enppui.dll
2012-02-03 03:49:30 249344 ----a-w- c:\windows\system32\enpres.dll
2012-02-03 03:49:29 -------- d-----w- c:\program files\EpsonNet
2012-02-03 03:49:06 -------- d-----w- c:\program files\common files\EPSON
2012-02-03 03:48:56 -------- d-----w- c:\program files\Epson America Inc
2012-02-03 03:47:22 93696 ----a-w- c:\windows\system32\E_FLBHLA.DLL
2012-02-03 03:47:21 63488 ----a-w- c:\windows\system32\E_FD4BHLA.DLL
2012-02-03 03:47:11 -------- d-----w- c:\programdata\EPSON
2012-02-03 03:46:41 -------- d-----w- c:\program files\Epson Software
2012-02-03 03:45:14 132560 ----a-w- c:\windows\system32\esdevapp.exe
2012-02-03 03:45:14 12800 ----a-w- c:\windows\system32\escdev.dll
2012-02-03 03:45:12 341504 ----a-w- c:\windows\system32\esw2ud.dll
2012-02-03 03:44:46 -------- d-----w- c:\program files\epson
2012-01-29 23:48:27 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{015683de-a264-46c7-8a61-3adb174ea1fc}\mpengine.dll
2012-01-29 23:31:38 -------- d-----w- c:\users\craig\appdata\local\ElevatedDiagnostics
2012-01-29 22:19:54 -------- d--h--w- C:\$AVG
2012-01-29 05:03:10 121856 ----a-w- c:\programdata\microsoft\windows\drm\627.tmp
2012-01-22 17:24:33 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2012-01-22 17:24:33 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2012-01-14 22:58:28 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-14 22:58:28 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-14 22:58:28 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-14 22:58:28 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-14 22:58:28 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-14 22:58:28 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 15:22:31 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 15:22:31 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 15:22:30 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 15:22:29 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 15:22:25 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 15:22:24 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-11 15:22:23 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 15:22:23 1314816 ----a-w- c:\windows\system32\quartz.dll
.
==================== Find3M ====================
.
2011-12-07 16:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:44:49.59 ===============
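Two lines in the Pseudo HJT Report above are the ones a responder would ask about first: the Hosts: entries that pin www.google.com and www.bing.com to 94.63.147.16 and 94.63.147.17, and the ProxyOverride value that names a listener at 127.0.0.1:9421. The Python below is an added example, not part of the original post or of the DDS tool; it scans a pasted report for exactly those two patterns (a hosts entry sending a name to a non-loopback address, and a proxy setting that points at the local machine). The sample report embedded in it is constructed from the values on this page, plus one benign localhost line the checker should ignore.

```python
import ipaddress
import re

# Constructed sample modelled on the "Pseudo HJT Report" section of the DDS log
# above. The Hosts and ProxyOverride values are the ones that appear in that log;
# the localhost line is a benign entry the checker must not flag.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.ask.com/?l=dis&o=15179
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
TCP: DhcpNameServer = 192.168.1.1
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
Hosts: 127.0.0.1 localhost
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"^[um]Internet Settings,(Proxy\w+)\s*=\s*(.*)$")


def check_hosts_line(line):
    """Return a finding for a DDS 'Hosts:' line that pins a name to a
    non-loopback address, or None for loopback (blocklist-style) entries."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    addr, name = m.groups()
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.is_loopback:
        return None  # 127.0.0.1 / ::1 entries are the normal ad-blocking pattern
    # A public address is the strong signal: the name resolves somewhere the
    # user never configured. A private address still deserves a look.
    severity = "high" if ip.is_global else "review"
    return {"kind": "hosts", "name": name, "addr": addr, "severity": severity}


def check_proxy_line(line):
    """Return findings for proxy settings that mention a listener on the local
    machine; which process owns that port has to be established separately."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    key, value = m.groups()
    out = []
    for item in value.split(";"):
        item = item.strip()
        if item.startswith(("127.0.0.1:", "localhost:")):
            out.append({"kind": "proxy", "setting": key, "value": item,
                        "severity": "review"})
    return out


def triage(report):
    """Scan a pasted report line by line and collect the entries worth asking about."""
    findings = []
    for line in report.splitlines():
        hit = check_hosts_line(line)
        if hit:
            findings.append(hit)
        findings.extend(check_proxy_line(line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

Run against the sample, the checker reports the proxy entry and the two Google/Bing hosts entries and stays silent on the localhost line; paste any other DDS report into SAMPLE_REPORT to triage it the same way.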



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 February 2012 - 02:27 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Create and Run Batch File
Open Notepad and copy/paste the entire contents of the code box below into Notepad:

    @echo off
    rem Collect network configuration and name-resolution results into Log1.txt
    >Log1.txt (
    ipconfig /all
    nslookup google.com
    nslookup yahoo.com
    ping -n 2 google.com
    ping -n 2 yahoo.com
    route print
    )
    rem Open the log in Notepad, then delete this batch file
    start Log1.txt
    del %0

Save this as router.bat (choose Save as type: All Files, and save it to the Desktop), then close the Notepad file.

It should look like this: [screenshot, XP]
Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here [donate button]. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 orteleus

orteleus
  • Topic Starter
  • Members
  • 14 posts

Posted 10 February 2012 - 08:55 AM

Thanks for replying so quickly. The results you asked for are below.

Windows IP Configuration

Host Name . . . . . . . . . . . . : Craig-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-22-5F-E8-AB-19
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b548:b587:8eb:a54%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.104(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, February 09, 2012 7:33:39 PM
Lease Expires . . . . . . . . . . : Saturday, February 11, 2012 7:33:39 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 268444255
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-3C-B4-AB-00-25-64-53-03-68
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-25-64-53-03-68
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D8D523CD-D8E7-40E5-90F6-8465C0E86DB9}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:c5a:12c7:3f57:fe97(Preferred)
Link-local IPv6 Address . . . . . : fe80::c5a:12c7:3f57:fe97%16(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{176B8D62-706E-4D00-9E0F-6D304C564F79}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Reusable ISATAP Interface {ADA2BCFA-03BB-4748-9CD9-E996E772208F}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.225.148
74.125.225.145
74.125.225.147
74.125.225.146
74.125.225.144

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.139.183.24
209.191.122.70
72.30.2.43
98.137.149.56



Pinging google.com [74.125.225.115] with 32 bytes of data:

Reply from 74.125.225.115: bytes=32 time=24ms TTL=53

Reply from 74.125.225.115: bytes=32 time=42ms TTL=53



Ping statistics for 74.125.225.115:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 24ms, Maximum = 42ms, Average = 33ms



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=158ms TTL=49

Reply from 98.137.149.56: bytes=32 time=73ms TTL=49



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 73ms, Maximum = 158ms, Average = 115ms

===========================================================================
Interface List
11 ...00 22 5f e8 ab 19 ...... Dell Wireless 1397 WLAN Mini-Card
10 ...00 25 64 53 03 68 ...... Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
15 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.104 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.104 281
192.168.1.104 255.255.255.255 On-link 192.168.1.104 281
192.168.1.255 255.255.255.255 On-link 192.168.1.104 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.104 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.104 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 18 ::/0 On-link
1 306 ::1/128 On-link
16 18 2001::/32 On-link
16 266 2001:0:4137:9e76:c5a:12c7:3f57:fe97/128
On-link
11 281 fe80::/64 On-link
16 266 fe80::/64 On-link
16 266 fe80::c5a:12c7:3f57:fe97/128
On-link
11 281 fe80::b548:b587:8eb:a54/128
On-link
1 306 ff00::/8 On-link
16 266 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 February 2012 - 01:06 PM

After you have run these steps, you need to let me know how the computer is doing.

Resetting Router


  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up here.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using, or you can use OpenDNS.
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

Flush the DNS

Now let's flush the DNS on the computer:

  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:


    ipconfig /flushdns

Now let's check the router again

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the code box below into Notepad:

    @echo off
    rem Collect network configuration and name-resolution results into Log1.txt
    >Log1.txt (
    ipconfig /all
    nslookup google.com
    nslookup yahoo.com
    ping -n 2 google.com
    ping -n 2 yahoo.com
    route print
    )
    rem Open the log in Notepad, then delete this batch file
    start Log1.txt
    del %0

Save this as router.bat (choose Save as type: All Files, and save it to the Desktop), then close the Notepad file.

It should look like this: [screenshot, XP]
Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo
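The router.bat output posted earlier in the thread and the re-run asked for after the router reset both come down to one question: which resolver is this machine actually handed, and is that resolver the router itself? When DNS Servers equals the Default Gateway (192.168.1.1 in the output above), the laptop is only forwarding to the router, so the router's own upstream DNS setting is what the reset step addresses; a DNS server outside the local subnet that nobody configured needs an explanation of its own. The Python below is an added example, not part of the thread or of any tool it mentions; it parses `ipconfig /all` output, with or without the indentation that forum pastes lose, and reports per adapter where DNS queries go. The embedded sample is constructed from the adapter values posted above plus one made-up adapter with an outside DNS server so that the flag is exercised.

```python
import ipaddress
import re

# Constructed sample: an abbreviated "ipconfig /all" dump. The first adapter
# repeats the addresses from the router.bat output in this thread; the second is
# made up, with one DNS server outside the LAN, so the checker has something to flag.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Craig-PC

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
   IPv4 Address. . . . . . . . . . . : 192.168.1.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Constructed Example:

   Description . . . . . . . . . . . : Made-up adapter for this example
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       203.0.113.7
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 \-]+?)[ .]*:\s*(.*)$")


def _as_ip(text):
    """Parse values like '192.168.1.104(Preferred)'; None if not an address."""
    try:
        return ipaddress.ip_address(text.strip().split("(")[0])
    except ValueError:
        return None


def parse_ipconfig(text):
    """Group 'ipconfig /all' output into {adapter: {field: [values]}}."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, last_field = m.group(1), None
            adapters[current] = {}
            continue
        if current is None or not line.strip():
            continue
        # A bare address under the previous field is a continuation line
        # (the second DNS server is printed that way).
        if last_field and _as_ip(line) is not None:
            adapters[current][last_field].append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            adapters[current].setdefault(last_field, []).append(m.group(2).strip())
    return adapters


def dns_findings(adapters):
    """For each adapter with an IPv4 address, classify every DNS server as the
    router (check its upstream setting next), on the LAN, or outside the subnet."""
    findings = []
    for name, fields in adapters.items():
        addrs = [a for a in map(_as_ip, fields.get("IPv4 Address", [])) if a]
        masks = fields.get("Subnet Mask", [])
        if not addrs or not masks:
            continue  # disconnected or tunnel adapters carry no IPv4 config
        net = ipaddress.ip_network(f"{addrs[0]}/{masks[0]}", strict=False)
        gateways = {g for g in map(_as_ip, fields.get("Default Gateway", [])) if g}
        for server in fields.get("DNS Servers", []):
            ip = _as_ip(server)
            if ip is None:
                continue
            if ip in gateways:
                note = "resolver is the router; check its upstream DNS setting"
            elif ip not in net:
                note = "DNS server outside the local subnet"
            else:
                note = "DNS server on the LAN"
            findings.append((name, str(ip), note))
    return findings


if __name__ == "__main__":
    for adapter, server, note in dns_findings(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {server}: {note}")
```

Paste the Log1.txt contents into SAMPLE_IPCONFIG (the nslookup, ping and route sections after the ipconfig block are ignored because they carry no adapter header) to get the same per-adapter summary for a real machine.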

#5 orteleus

orteleus
  • Topic Starter
  • Members
  • 14 posts

Posted 10 February 2012 - 08:02 PM

I am away from my place the next few days. On Monday I'll be back and will reset the router and take the other steps you asked. Thanks.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 February 2012 - 08:34 PM

No problem and see you then


gringo

#7 orteleus

orteleus
  • Topic Starter

  • Members
  • 14 posts

Posted 13 February 2012 - 03:24 PM

From Friday-Sunday, my computer was connected to a wireless router at a hotel/convention. On my laptop, Gmail and Google Reader would not load. Clicking on Google search results directed me to the correct website approx. 90% of the time. The other 10% of the time I was redirected to another website. My iPhone showed no signs of infection.

I reset my router and used the OpenDNS addresses provided on their webpage. I ran the command prompt to flush the DNS but received this message: “The requested operation requires elevation.”

Below are the results you asked for:



Windows IP Configuration

Host Name . . . . . . . . . . . . : Craig-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-22-5F-E8-AB-19
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b548:b587:8eb:a54%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.104(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, February 13, 2012 1:09:26 PM
Lease Expires . . . . . . . . . . : Tuesday, February 14, 2012 1:09:26 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 268444255
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-3C-B4-AB-00-25-64-53-03-68
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-25-64-53-03-68
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D8D523CD-D8E7-40E5-90F6-8465C0E86DB9}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:436:3690:3f57:fe97(Preferred)
Link-local IPv6 Address . . . . . : fe80::436:3690:3f57:fe97%16(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{176B8D62-706E-4D00-9E0F-6D304C564F79}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Reusable ISATAP Interface {ADA2BCFA-03BB-4748-9CD9-E996E772208F}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.225.101
74.125.225.100
74.125.225.109
74.125.225.96
74.125.225.98
74.125.225.105
74.125.225.97
74.125.225.102
74.125.225.110
74.125.225.99
74.125.225.108
74.125.225.106
74.125.225.103
74.125.225.107
74.125.225.104
74.125.225.111

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.139.183.24
209.191.122.70
72.30.2.43
98.137.149.56



Pinging google.com [74.125.225.101] with 32 bytes of data:

Reply from 74.125.225.101: bytes=32 time=21ms TTL=53

Reply from 74.125.225.101: bytes=32 time=21ms TTL=53



Ping statistics for 74.125.225.101:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 21ms, Maximum = 21ms, Average = 21ms



Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=73ms TTL=50

Reply from 72.30.2.43: bytes=32 time=74ms TTL=50



Ping statistics for 72.30.2.43:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 73ms, Maximum = 74ms, Average = 73ms

===========================================================================
Interface List
11 ...00 22 5f e8 ab 19 ...... Dell Wireless 1397 WLAN Mini-Card
10 ...00 25 64 53 03 68 ...... Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
15 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.104 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.104 281
192.168.1.104 255.255.255.255 On-link 192.168.1.104 281
192.168.1.255 255.255.255.255 On-link 192.168.1.104 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.104 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.104 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 18 ::/0 On-link
1 306 ::1/128 On-link
16 18 2001::/32 On-link
16 266 2001:0:4137:9e76:436:3690:3f57:fe97/128
On-link
11 281 fe80::/64 On-link
16 266 fe80::/64 On-link
16 266 fe80::436:3690:3f57:fe97/128
On-link
11 281 fe80::b548:b587:8eb:a54/128
On-link
1 306 ff00::/8 On-link
16 266 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
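The router.bat from post #4 collects the evidence but leaves the reader to judge it. As an added example, not the helper's tool or anything posted in this thread, the Python script below parses the Log1.txt that batch file produces and flags the three things such a log can reveal: a resolver that is neither the router (the default gateway) nor a deliberately chosen public one, an nslookup answered by a resolver the adapter is not configured with, and a ping that resolved a name to an address nslookup never returned, which points at the hosts file rather than DNS. The OpenDNS allowlist and both embedded sample logs are constructed: the clean one copies the layout of the log posted above, the tampered one uses RFC 5737 documentation addresses in place of a rogue resolver.

```python
"""Triage the Log1.txt that router.bat writes (ipconfig /all, nslookup, ping)
for the signs of DNS redirection the batch file was meant to expose."""
import ipaddress
import re

# Resolvers the owner chose on purpose. The thread recommends OpenDNS, so its
# two anycast addresses are assumed here; adjust to your own setup.
TRUSTED_PUBLIC_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def _ip(token):
    """Address object for an ipconfig/nslookup token, or None if it is not one."""
    try:  # drop '%11' zone ids and the '(Preferred)' suffix
        return ipaddress.ip_address(token.split("%")[0].split("(")[0])
    except ValueError:
        return None


def parse_log(text):
    """Extract gateway, configured resolvers, nslookup answers and ping targets."""
    facts = {"gateway": None, "dns_servers": [], "nslookup": {}, "ping": {}}
    lines, i, server = [ln.strip() for ln in text.splitlines()], 0, None
    while i < len(lines):
        line = lines[i]
        if m := re.match(r"Default Gateway[ .]*:\s*(\S+)", line):
            gw = _ip(m.group(1))  # tunnel adapters report '::'; keep IPv4 only
            if gw is not None and gw.version == 4:
                facts["gateway"] = gw
        elif m := re.match(r"DNS Servers[ .]*:\s*(\S+)", line):
            facts["dns_servers"].append(_ip(m.group(1)))
            while i + 1 < len(lines) and _ip(lines[i + 1]) is not None:
                i += 1  # further resolvers follow as bare, indented addresses
                facts["dns_servers"].append(_ip(lines[i]))
        elif line.startswith("Server:"):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""  # "Address: <resolver>"
            m = re.match(r"Address:\s*(\S+)", nxt)
            server = _ip(m.group(1)) if m else None
            i += 1
        elif m := re.match(r"Name:\s*(\S+)", line):
            name, answers = m.group(1).lower(), []
            while i + 1 < len(lines):  # "Address(es): <ip>" then bare addresses
                tok = re.sub(r"^Address(?:es)?:\s*", "", lines[i + 1])
                if _ip(tok) is None:
                    break
                answers.append(_ip(tok))
                i += 1
            facts["nslookup"][name] = {"server": server, "answers": answers}
        elif m := re.match(r"Pinging (\S+) \[(\S+)\]", line):
            facts["ping"][m.group(1).lower()] = _ip(m.group(2))
        i += 1
    facts["dns_servers"] = [ip for ip in facts["dns_servers"] if ip is not None]
    return facts


def triage(text):
    """Human-readable findings; an empty list means nothing stood out."""
    f, findings = parse_log(text), []
    for ip in f["dns_servers"]:
        if ip != f["gateway"] and str(ip) not in TRUSTED_PUBLIC_RESOLVERS:
            findings.append(f"resolver {ip} is neither the router nor a trusted public resolver")
    for name, rec in f["nslookup"].items():
        if rec["server"] is not None and rec["server"] not in f["dns_servers"]:
            findings.append(f"nslookup for {name} was answered by {rec['server']}, not a configured resolver")
    for name, ip in f["ping"].items():
        answers = f["nslookup"].get(name, {}).get("answers", [])
        if ip is not None and answers and ip not in answers:
            findings.append(f"ping resolved {name} to {ip}, which nslookup never returned (hosts file override?)")
    return findings


# Constructed sample copying the layout of the clean log posted in the thread.
CLEAN_LOG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
Server:  UnKnown
Address:  192.168.1.1
Name:    google.com
Addresses:  74.125.225.101
          74.125.225.100
Pinging google.com [74.125.225.101] with 32 bytes of data:
"""

# Constructed sample of a hijacked router; 203.0.113.x, 198.51.100.x and
# 192.0.2.x are RFC 5737 documentation addresses standing in for rogue ones.
TAMPERED_LOG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
Server:  UnKnown
Address:  203.0.113.7
Name:    google.com
Address:  198.51.100.20
Pinging google.com [192.0.2.99] with 32 bytes of data:
"""

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("tampered", TAMPERED_LOG)):
        print(label, "->", triage(log) or "no findings")
```

To use it on a real log, read Log1.txt and pass its contents to triage(). Run against the constructed clean sample it reports nothing, which is what the log above also shows: the adapter's only resolver is the router itself, nslookup was answered by that router, and ping resolved google.com to one of the addresses nslookup returned. The ping-versus-nslookup comparison is the reason the batch file runs both: nslookup queries the DNS server directly while ping goes through the hosts file first, so a disagreement between them localises the tampering to the machine rather than the network.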

#8 orteleus

orteleus
  • Topic Starter

  • Members
  • 14 posts

Posted 16 February 2012 - 05:51 PM

I still cannot access Google Reader or Calendar. Google is also refusing to carry out search queries, reporting "unusual activity". Any suggestions? Thanks.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 February 2012 - 08:58 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#10 orteleus

orteleus
  • Topic Starter

  • Members
  • 14 posts

Posted 17 February 2012 - 02:05 PM

I disabled Malwarebytes, Windows Firewall, Windows Defender, and AVG. I was only able to temp. disable AVG for 15 minutes. But the Combofix scan took longer than that and AVG reactivated for a few moments during the scan before I could disable it again. So I don't know if that might have caused any problems with Combofix.

After running Combofix I can now access Google Reader and Calendar. I've also had no issues with Google search links being redirected. Below is the Combofix log.


ComboFix 12-02-17.02 - Craig 02/17/2012 12:29:24.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3543.1692 [GMT -6:00]
Running from: c:\users\Craig\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-01-17 to 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-17 18:42 . 2012-02-17 18:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-13 21:02 . 2006-12-20 00:31 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2012-02-13 21:02 . 2006-12-20 00:20 77824 ----a-w- c:\windows\system32\EBAPI.dll
2012-02-13 21:02 . 2003-12-17 07:01 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2012-02-09 22:54 . 2010-06-22 05:14 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2012-02-09 22:04 . 2012-02-09 22:35 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2012-02-09 17:54 . 2012-02-09 22:33 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-09 17:04 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-09 17:04 . 2012-02-09 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-09 05:46 . 2012-02-09 05:46 -------- d-----w- c:\users\Craig\AppData\Roaming\Malwarebytes
2012-02-09 05:46 . 2012-02-09 06:14 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 18:30 . 2012-02-08 18:30 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{015683DE-A264-46C7-8A61-3ADB174EA1FC}\offreg.dll
2012-02-06 14:35 . 2012-02-06 14:35 -------- d-----w- c:\users\Craig\AppData\Roaming\Epson
2012-02-06 14:35 . 2012-02-06 14:35 -------- d-----w- c:\users\Craig\AppData\Roaming\Leader Technologies
2012-02-03 03:52 . 2012-02-03 03:52 -------- d-----w- c:\users\Craig\AppData\Roaming\Leadertech
2012-02-03 03:52 . 2012-02-03 03:52 -------- d-----w- c:\program files\LTCM Client
2012-02-03 03:49 . 2010-09-13 21:01 458129 ----a-w- c:\windows\system32\ensppui.dll
2012-02-03 03:49 . 2010-09-13 21:00 475410 ----a-w- c:\windows\system32\ensppmon.dll
2012-02-03 03:49 . 2008-06-18 17:49 249344 ----a-w- c:\windows\system32\enspres.dll
2012-02-03 03:49 . 2010-09-13 21:01 458129 ----a-w- c:\windows\system32\enppui.dll
2012-02-03 03:49 . 2010-09-13 21:00 475410 ----a-w- c:\windows\system32\enppmon.dll
2012-02-03 03:49 . 2008-06-18 17:49 249344 ----a-w- c:\windows\system32\enpres.dll
2012-02-03 03:49 . 2012-02-03 03:49 -------- d-----w- c:\program files\EpsonNet
2012-02-03 03:49 . 2012-02-13 20:45 -------- d-----w- c:\program files\Common Files\EPSON
2012-02-03 03:48 . 2012-02-03 03:48 -------- d-----w- c:\program files\Epson America Inc
2012-02-03 03:47 . 2012-02-03 03:43 93696 ----a-w- c:\windows\system32\E_FLBHLA.DLL
2012-02-03 03:47 . 2012-02-03 03:43 63488 ----a-w- c:\windows\system32\E_FD4BHLA.DLL
2012-02-03 03:47 . 2012-02-13 20:43 -------- d-----w- c:\programdata\EPSON
2012-02-03 03:46 . 2012-02-03 03:46 -------- d-----w- c:\program files\Epson Software
2012-02-03 03:45 . 2009-10-16 06:00 132560 ----a-w- c:\windows\system32\esdevapp.exe
2012-02-03 03:45 . 2009-10-16 06:00 12800 ----a-w- c:\windows\system32\escdev.dll
2012-02-03 03:45 . 2011-08-10 06:00 341504 ----a-w- c:\windows\system32\esw2ud.dll
2012-02-03 03:44 . 2012-02-03 03:52 -------- d-----w- c:\program files\epson
2012-01-29 23:48 . 2012-01-17 10:39 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{015683DE-A264-46C7-8A61-3ADB174EA1FC}\mpengine.dll
2012-01-29 23:31 . 2012-01-29 23:31 -------- d-----w- c:\users\Craig\AppData\Local\ElevatedDiagnostics
2012-01-29 22:19 . 2012-01-29 22:19 -------- d-----w- C:\$AVG
2012-01-29 21:10 . 2012-01-29 21:10 -------- d-----w- c:\windows\Sun
2012-01-29 05:03 . 2012-01-29 05:03 121856 ----a-w- c:\programdata\Microsoft\Windows\DRM\627.tmp
2012-01-22 17:24 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2012-01-22 17:24 . 2009-08-20 05:50 46928 ----a-r- c:\windows\system32\AdobePDF.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-13 19:15 . 2011-09-01 13:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-07 16:08 . 2010-10-10 02:04 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-25 15:59 . 2012-01-11 15:22 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-02-13 19:15 . 2012-02-08 18:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2011-08-04 20:15 3512088 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2011-08-04 20:15 3512088 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Craig\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-18 274432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Craig\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - c:\users\Craig\AppData\Roaming\Leadertech\PowerRegister\Epson all-in-one Registration.exe [2011-3-22 2561024]
Jobulator.lnk - c:\program files\Jobulator\Jobulator.exe [2012-1-3 142848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Growtronix Server.lnk - c:\growtronix\Growtronix Server.exe [2011-10-28 57649152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Growtronix Server.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Growtronix Server.lnk
backup=c:\windows\pss\Growtronix Server.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MozyHome Status.lnk]
backup=c:\windows\pss\MozyHome Status.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Craig^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Jobulator.lnk]
backup=c:\windows\pss\Jobulator.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Craig^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 05:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 10:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-23 03:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-05-26 19:57 136176 ----atw- c:\users\Craig\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-10-17 22:07 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-05-07 22:41 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-10 00:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2008-02-20 19:31 53248 ----a-w- c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4098679926-76172908-770150053-1000]
"EnableNotificationsRef"=dword:00000002
"EnableNotifications"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\aestsrv.exe [2009-03-03 81920]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 02:31]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 02:31]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4098679926-76172908-770150053-1000Core.job
- c:\users\Craig\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-26 19:57]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4098679926-76172908-770150053-1000UA.job
- c:\users\Craig\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-26 19:57]
.
2012-02-17 c:\windows\Tasks\User_Feed_Synchronization-{F8973E9A-059E-4870-964B-C50FEA357C20}.job
- c:\windows\system32\msfeedssync.exe [2012-02-14 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Craig\AppData\Roaming\Mozilla\Firefox\Profiles\xolls3rs.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-35194292.sys
MSConfigStartUp-HPPQVideo - c:\program files\HP\ScheduledLaunch\HP Color LaserJet CP2020 Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CP2020_Series -f PQOptimizerVideo.xml
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-17 12:43
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
Completion time: 2012-02-17 12:46:06
ComboFix-quarantined-files.txt 2012-02-17 18:45
.
Pre-Run: 207,971,815,424 bytes free
Post-Run: 211,139,751,936 bytes free
.
- - End Of File - - D06E146AD6A92A9347F2246837FC98A7

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 February 2012 - 10:23 PM

Greetings

I want you to run these next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#12 orteleus

orteleus
  • Topic Starter

  • Members
  • 14 posts

Posted 18 February 2012 - 11:26 PM

I've had no noticeable issues with my computer since my last post. Below are the TDSSKiller and aswMBR reports.


20:06:07.0169 1412 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
20:06:07.0623 1412 ============================================================
20:06:07.0623 1412 Current date / time: 2012/02/18 20:06:07.0623
20:06:07.0623 1412 SystemInfo:
20:06:07.0623 1412
20:06:07.0623 1412 OS Version: 6.0.6002 ServicePack: 2.0
20:06:07.0623 1412 Product type: Workstation
20:06:07.0623 1412 ComputerName: CRAIG-PC
20:06:07.0623 1412 UserName: Craig
20:06:07.0623 1412 Windows directory: C:\Windows
20:06:07.0623 1412 System windows directory: C:\Windows
20:06:07.0624 1412 Processor architecture: Intel x86
20:06:07.0624 1412 Number of processors: 2
20:06:07.0624 1412 Page size: 0x1000
20:06:07.0624 1412 Boot type: Normal boot
20:06:07.0624 1412 ============================================================
20:06:08.0753 1412 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:06:08.0758 1412 \Device\Harddisk0\DR0:
20:06:08.0758 1412 MBR used
20:06:08.0758 1412 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1F800, BlocksNum 0x1E00000
20:06:08.0758 1412 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E1F800, BlocksNum 0x2360E800
20:06:08.0982 1412 Initialize success
20:06:08.0982 1412 ============================================================
20:07:07.0522 5216 ============================================================
20:07:07.0522 5216 Scan started
20:07:07.0522 5216 Mode: Manual;
20:07:07.0523 5216 ============================================================
20:07:08.0479 5216 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
20:07:08.0485 5216 ACPI - ok
20:07:08.0630 5216 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
20:07:08.0639 5216 adp94xx - ok
20:07:08.0769 5216 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
20:07:08.0777 5216 adpahci - ok
20:07:08.0966 5216 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
20:07:08.0969 5216 adpu160m - ok
20:07:09.0132 5216 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
20:07:09.0137 5216 adpu320 - ok
20:07:09.0601 5216 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
20:07:09.0607 5216 AFD - ok
20:07:09.0775 5216 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
20:07:09.0778 5216 agp440 - ok
20:07:09.0896 5216 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
20:07:09.0901 5216 aic78xx - ok
20:07:10.0044 5216 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
20:07:10.0046 5216 aliide - ok
20:07:10.0184 5216 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
20:07:10.0204 5216 amdagp - ok
20:07:10.0438 5216 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
20:07:10.0441 5216 amdide - ok
20:07:10.0555 5216 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
20:07:10.0568 5216 AmdK7 - ok
20:07:10.0699 5216 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
20:07:10.0702 5216 AmdK8 - ok
20:07:10.0942 5216 ApfiltrService (a4b208fb0dc1ac076d08078776fb7eb3) C:\Windows\system32\DRIVERS\Apfiltr.sys
20:07:10.0949 5216 ApfiltrService - ok
20:07:11.0184 5216 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
20:07:11.0188 5216 arc - ok
20:07:11.0407 5216 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
20:07:11.0410 5216 arcsas - ok
20:07:11.0795 5216 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
20:07:11.0797 5216 AsyncMac - ok
20:07:11.0966 5216 atapi (0d83c87a801a3dfcd1bf73893fe7518c) C:\Windows\system32\drivers\atapi.sys
20:07:11.0968 5216 atapi - ok
20:07:12.0213 5216 AVGIDSDriver (4cbb56fbc9c0cbc517e6e3a6889ebddc) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
20:07:12.0217 5216 AVGIDSDriver - ok
20:07:12.0439 5216 AVGIDSEH (459bce188232e2fe6152423efef65d76) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
20:07:12.0441 5216 AVGIDSEH - ok
20:07:12.0602 5216 AVGIDSFilter (91d9abe7e88eac7c167cba4ed4d983bf) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
20:07:12.0604 5216 AVGIDSFilter - ok
20:07:12.0904 5216 AVGIDSShim (3fc2714e185c04308215d46730d41a94) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
20:07:12.0906 5216 AVGIDSShim - ok
20:07:13.0039 5216 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\Windows\system32\DRIVERS\avgldx86.sys
20:07:13.0044 5216 Avgldx86 - ok
20:07:13.0218 5216 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\Windows\system32\DRIVERS\avgmfx86.sys
20:07:13.0232 5216 Avgmfx86 - ok
20:07:13.0498 5216 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\Windows\system32\DRIVERS\avgrkx86.sys
20:07:13.0500 5216 Avgrkx86 - ok
20:07:13.0838 5216 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\Windows\system32\DRIVERS\avgtdix.sys
20:07:13.0845 5216 Avgtdix - ok
20:07:14.0009 5216 BCM42RLY (423c7b87e886ac93d22936ea82665f83) C:\Windows\system32\drivers\BCM42RLY.sys
20:07:14.0013 5216 BCM42RLY - ok
20:07:14.0168 5216 BCM43XX (41a70777e892c3dea606758366566a77) C:\Windows\system32\DRIVERS\bcmwl6.sys
20:07:14.0200 5216 BCM43XX - ok
20:07:14.0354 5216 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
20:07:14.0356 5216 Beep - ok
20:07:14.0509 5216 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
20:07:14.0512 5216 blbdrive - ok
20:07:14.0676 5216 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
20:07:14.0679 5216 bowser - ok
20:07:14.0810 5216 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
20:07:14.0812 5216 BrFiltLo - ok
20:07:14.0944 5216 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
20:07:14.0946 5216 BrFiltUp - ok
20:07:15.0097 5216 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
20:07:15.0100 5216 Brserid - ok
20:07:15.0223 5216 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
20:07:15.0227 5216 BrSerWdm - ok
20:07:15.0512 5216 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
20:07:15.0515 5216 BrUsbMdm - ok
20:07:15.0650 5216 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
20:07:15.0652 5216 BrUsbSer - ok
20:07:15.0788 5216 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
20:07:15.0791 5216 BTHMODEM - ok
20:07:15.0967 5216 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\Windows\system32\drivers\BVRPMPR5.SYS
20:07:15.0986 5216 BVRPMPR5 - ok
20:07:16.0084 5216 catchme - ok
20:07:16.0232 5216 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
20:07:16.0267 5216 cdfs - ok
20:07:16.0429 5216 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
20:07:16.0432 5216 cdrom - ok
20:07:16.0587 5216 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
20:07:16.0589 5216 circlass - ok
20:07:16.0752 5216 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
20:07:16.0757 5216 CLFS - ok
20:07:16.0932 5216 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
20:07:16.0934 5216 CmBatt - ok
20:07:17.0096 5216 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
20:07:17.0098 5216 cmdide - ok
20:07:17.0376 5216 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
20:07:17.0379 5216 Compbatt - ok
20:07:17.0521 5216 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
20:07:17.0524 5216 crcdisk - ok
20:07:17.0670 5216 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
20:07:17.0673 5216 Crusoe - ok
20:07:17.0813 5216 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
20:07:17.0815 5216 DfsC - ok
20:07:18.0003 5216 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
20:07:18.0006 5216 disk - ok
20:07:18.0141 5216 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
20:07:18.0143 5216 drmkaud - ok
20:07:18.0325 5216 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
20:07:18.0337 5216 DXGKrnl - ok
20:07:18.0474 5216 e1express (908ed85b7806e8af3af5e9b74f7809d4) C:\Windows\system32\DRIVERS\e1e6032.sys
20:07:18.0480 5216 e1express - ok
20:07:18.0600 5216 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
20:07:18.0603 5216 E1G60 - ok
20:07:18.0784 5216 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
20:07:18.0788 5216 Ecache - ok
20:07:18.0933 5216 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
20:07:18.0940 5216 elxstor - ok
20:07:19.0098 5216 ErrDev (f2a80de2d1b7116052c09cb4d4ca1416) C:\Windows\system32\drivers\errdev.sys
20:07:19.0100 5216 ErrDev - ok
20:07:19.0248 5216 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
20:07:19.0252 5216 exfat - ok
20:07:19.0401 5216 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
20:07:19.0405 5216 fastfat - ok
20:07:19.0643 5216 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
20:07:19.0646 5216 fdc - ok
20:07:19.0787 5216 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
20:07:19.0790 5216 FileInfo - ok
20:07:19.0899 5216 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
20:07:19.0920 5216 Filetrace - ok
20:07:20.0023 5216 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
20:07:20.0025 5216 flpydisk - ok
20:07:20.0187 5216 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
20:07:20.0192 5216 FltMgr - ok
20:07:20.0315 5216 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
20:07:20.0317 5216 Fs_Rec - ok
20:07:20.0450 5216 FTDIBUS (b7aa8283ec551d3a3b924e520e0621a7) C:\Windows\system32\drivers\ftdibus.sys
20:07:20.0472 5216 FTDIBUS - ok
20:07:20.0573 5216 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
20:07:20.0589 5216 gagp30kx - ok
20:07:20.0705 5216 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
20:07:20.0708 5216 GEARAspiWDM - ok
20:07:20.0966 5216 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
20:07:20.0977 5216 HDAudBus - ok
20:07:21.0077 5216 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
20:07:21.0080 5216 HidBth - ok
20:07:21.0188 5216 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
20:07:21.0191 5216 HidIr - ok
20:07:21.0327 5216 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
20:07:21.0330 5216 HidUsb - ok
20:07:21.0434 5216 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
20:07:21.0437 5216 HpCISSs - ok
20:07:21.0564 5216 HPFXBULK (299683d4c8aaa3f6f5d5d226a1782a6e) C:\Windows\system32\drivers\hpfxbulk.sys
20:07:21.0566 5216 HPFXBULK - ok
20:07:21.0714 5216 HTTP (0eeeca26c8d4bde2a4664db058a81937) C:\Windows\system32\drivers\HTTP.sys
20:07:21.0724 5216 HTTP - ok
20:07:21.0847 5216 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
20:07:21.0850 5216 i2omp - ok
20:07:22.0003 5216 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
20:07:22.0006 5216 i8042prt - ok
20:07:22.0180 5216 iaStor (80c633722da72e97f3f5b3b11325696d) C:\Windows\system32\drivers\iastor.sys
20:07:22.0184 5216 iaStor - ok
20:07:22.0310 5216 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
20:07:22.0316 5216 iaStorV - ok
20:07:22.0628 5216 igfx (938753888eaddb29d4b3754139ec19e8) C:\Windows\system32\DRIVERS\igdkmd32.sys
20:07:22.0727 5216 igfx - ok
20:07:22.0858 5216 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
20:07:22.0860 5216 iirsp - ok
20:07:23.0041 5216 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
20:07:23.0043 5216 intelide - ok
20:07:23.0154 5216 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
20:07:23.0157 5216 intelppm - ok
20:07:23.0300 5216 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
20:07:23.0304 5216 IpFilterDriver - ok
20:07:23.0400 5216 IpInIp - ok
20:07:23.0566 5216 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
20:07:23.0569 5216 IPMIDRV - ok
20:07:23.0710 5216 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
20:07:23.0714 5216 IPNAT - ok
20:07:23.0987 5216 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
20:07:23.0989 5216 IRENUM - ok
20:07:24.0108 5216 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
20:07:24.0111 5216 isapnp - ok
20:07:24.0232 5216 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
20:07:24.0237 5216 iScsiPrt - ok
20:07:24.0266 5216 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
20:07:24.0269 5216 iteatapi - ok
20:07:24.0333 5216 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
20:07:24.0336 5216 iteraid - ok
20:07:24.0448 5216 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
20:07:24.0451 5216 kbdclass - ok
20:07:24.0591 5216 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
20:07:24.0594 5216 kbdhid - ok
20:07:24.0690 5216 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
20:07:24.0699 5216 KSecDD - ok
20:07:24.0843 5216 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
20:07:24.0846 5216 lltdio - ok
20:07:24.0910 5216 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
20:07:24.0913 5216 LSI_FC - ok
20:07:24.0937 5216 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
20:07:24.0941 5216 LSI_SAS - ok
20:07:25.0021 5216 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
20:07:25.0024 5216 LSI_SCSI - ok
20:07:25.0125 5216 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
20:07:25.0129 5216 luafv - ok
20:07:25.0225 5216 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\Windows\system32\drivers\mbam.sys
20:07:25.0228 5216 MBAMProtector - ok
20:07:25.0376 5216 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
20:07:25.0379 5216 megasas - ok
20:07:25.0469 5216 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
20:07:25.0477 5216 MegaSR - ok
20:07:25.0612 5216 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
20:07:25.0615 5216 Modem - ok
20:07:25.0745 5216 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
20:07:25.0747 5216 monitor - ok
20:07:25.0841 5216 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
20:07:25.0843 5216 mouclass - ok
20:07:25.0936 5216 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
20:07:25.0939 5216 mouhid - ok
20:07:25.0994 5216 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
20:07:25.0997 5216 MountMgr - ok
20:07:26.0173 5216 mozyFilter (b8e08bfcab2be31804cea983d2094faf) C:\Windows\system32\DRIVERS\mozy.sys
20:07:26.0176 5216 mozyFilter - ok
20:07:26.0342 5216 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
20:07:26.0346 5216 mpio - ok
20:07:26.0450 5216 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
20:07:26.0454 5216 mpsdrv - ok
20:07:26.0573 5216 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
20:07:26.0576 5216 Mraid35x - ok
20:07:26.0723 5216 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
20:07:26.0727 5216 MRxDAV - ok
20:07:26.0848 5216 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
20:07:26.0852 5216 mrxsmb - ok
20:07:26.0979 5216 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
20:07:26.0985 5216 mrxsmb10 - ok
20:07:27.0085 5216 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
20:07:27.0088 5216 mrxsmb20 - ok
20:07:27.0213 5216 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
20:07:27.0215 5216 msahci - ok
20:07:27.0344 5216 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
20:07:27.0347 5216 msdsm - ok
20:07:27.0468 5216 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
20:07:27.0470 5216 Msfs - ok
20:07:27.0680 5216 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
20:07:27.0682 5216 msisadrv - ok
20:07:27.0837 5216 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
20:07:27.0840 5216 MSKSSRV - ok
20:07:27.0962 5216 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
20:07:27.0964 5216 MSPCLOCK - ok
20:07:28.0083 5216 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
20:07:28.0085 5216 MSPQM - ok
20:07:28.0217 5216 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
20:07:28.0222 5216 MsRPC - ok
20:07:28.0293 5216 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
20:07:28.0296 5216 mssmbios - ok
20:07:28.0391 5216 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
20:07:28.0394 5216 MSTEE - ok
20:07:28.0533 5216 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
20:07:28.0536 5216 Mup - ok
20:07:28.0689 5216 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
20:07:28.0694 5216 NativeWifiP - ok
20:07:28.0841 5216 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
20:07:28.0853 5216 NDIS - ok
20:07:28.0970 5216 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
20:07:28.0974 5216 NdisTapi - ok
20:07:29.0115 5216 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
20:07:29.0118 5216 Ndisuio - ok
20:07:29.0245 5216 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
20:07:29.0250 5216 NdisWan - ok
20:07:29.0351 5216 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
20:07:29.0354 5216 NDProxy - ok
20:07:29.0539 5216 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
20:07:29.0542 5216 NetBIOS - ok
20:07:29.0699 5216 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
20:07:29.0704 5216 netbt - ok
20:07:29.0845 5216 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
20:07:29.0848 5216 nfrd960 - ok
20:07:29.0989 5216 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
20:07:29.0992 5216 Npfs - ok
20:07:30.0103 5216 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
20:07:30.0106 5216 nsiproxy - ok
20:07:30.0295 5216 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
20:07:30.0329 5216 Ntfs - ok
20:07:30.0504 5216 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
20:07:30.0507 5216 ntrigdigi - ok
20:07:30.0639 5216 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
20:07:30.0642 5216 NuidFltr - ok
20:07:30.0806 5216 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
20:07:30.0809 5216 Null - ok
20:07:30.0981 5216 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
20:07:30.0985 5216 nvraid - ok
20:07:31.0186 5216 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
20:07:31.0189 5216 nvstor - ok
20:07:31.0343 5216 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
20:07:31.0348 5216 nv_agp - ok
20:07:31.0454 5216 NwlnkFlt - ok
20:07:31.0699 5216 NwlnkFwd - ok
20:07:32.0042 5216 OA009Ufd (a015dd2ba6009c8bdd00a6c431302d06) C:\Windows\system32\DRIVERS\OA009Ufd.sys
20:07:32.0047 5216 OA009Ufd - ok
20:07:32.0210 5216 OA009Vid (d4e1f63a07c58563a73fd5aa20dcfb65) C:\Windows\system32\DRIVERS\OA009Vid.sys
20:07:32.0217 5216 OA009Vid - ok
20:07:32.0400 5216 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
20:07:32.0403 5216 ohci1394 - ok
20:07:32.0596 5216 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
20:07:32.0600 5216 Parport - ok
20:07:32.0759 5216 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
20:07:32.0761 5216 partmgr - ok
20:07:32.0915 5216 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
20:07:32.0918 5216 Parvdm - ok
20:07:33.0103 5216 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
20:07:33.0123 5216 pci - ok
20:07:33.0288 5216 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
20:07:33.0290 5216 pciide - ok
20:07:33.0505 5216 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
20:07:33.0524 5216 pcmcia - ok
20:07:33.0837 5216 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
20:07:33.0859 5216 PEAUTH - ok
20:07:34.0015 5216 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
20:07:34.0019 5216 PptpMiniport - ok
20:07:34.0075 5216 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
20:07:34.0079 5216 Processor - ok
20:07:34.0203 5216 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
20:07:34.0206 5216 PSched - ok
20:07:34.0345 5216 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
20:07:34.0377 5216 ql2300 - ok
20:07:34.0540 5216 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
20:07:34.0545 5216 ql40xx - ok
20:07:34.0669 5216 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
20:07:34.0671 5216 QWAVEdrv - ok
20:07:34.0834 5216 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
20:07:34.0911 5216 R300 - ok
20:07:35.0085 5216 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
20:07:35.0087 5216 RasAcd - ok
20:07:35.0257 5216 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
20:07:35.0261 5216 Rasl2tp - ok
20:07:35.0466 5216 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
20:07:35.0469 5216 RasPppoe - ok
20:07:35.0744 5216 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
20:07:35.0747 5216 RasSstp - ok
20:07:35.0943 5216 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
20:07:35.0960 5216 rdbss - ok
20:07:36.0151 5216 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
20:07:36.0193 5216 RDPCDD - ok
20:07:36.0515 5216 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
20:07:36.0521 5216 rdpdr - ok
20:07:36.0662 5216 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
20:07:36.0692 5216 RDPENCDD - ok
20:07:36.0871 5216 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
20:07:36.0876 5216 RDPWD - ok
20:07:37.0090 5216 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
20:07:37.0093 5216 rspndr - ok
20:07:37.0246 5216 RTSTOR (d97d8259293b7a82cb891f37f997df3f) C:\Windows\system32\drivers\RTSTOR.SYS
20:07:37.0250 5216 RTSTOR - ok
20:07:37.0439 5216 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
20:07:37.0443 5216 sbp2port - ok
20:07:37.0664 5216 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
20:07:37.0667 5216 secdrv - ok
20:07:37.0883 5216 Ser2pl (ac1f2a09b76b57356f906eeda43ccc2a) C:\Windows\system32\DRIVERS\ser2pl.sys
20:07:37.0917 5216 Ser2pl - ok
20:07:38.0202 5216 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
20:07:38.0204 5216 Serenum - ok
20:07:38.0414 5216 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
20:07:38.0418 5216 Serial - ok
20:07:38.0605 5216 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
20:07:38.0607 5216 sermouse - ok
20:07:38.0873 5216 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
20:07:38.0875 5216 sffdisk - ok
20:07:39.0061 5216 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
20:07:39.0064 5216 sffp_mmc - ok
20:07:39.0259 5216 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
20:07:39.0261 5216 sffp_sd - ok
20:07:39.0438 5216 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
20:07:39.0440 5216 sfloppy - ok
20:07:39.0642 5216 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
20:07:39.0645 5216 sisagp - ok
20:07:39.0823 5216 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
20:07:39.0826 5216 SiSRaid2 - ok
20:07:40.0017 5216 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
20:07:40.0020 5216 SiSRaid4 - ok
20:07:40.0249 5216 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
20:07:40.0252 5216 Smb - ok
20:07:40.0457 5216 speedfan (3fa2e254bfbce52b3c6f1bf23aab6911) C:\Windows\system32\speedfan.sys
20:07:40.0462 5216 speedfan - ok
20:07:40.0691 5216 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
20:07:40.0693 5216 spldr - ok
20:07:40.0921 5216 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
20:07:40.0930 5216 srv - ok
20:07:41.0280 5216 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
20:07:41.0286 5216 srv2 - ok
20:07:41.0396 5216 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
20:07:41.0400 5216 srvnet - ok
20:07:41.0563 5216 STHDA (02b3ef45094f090e397eea46cbed7b9e) C:\Windows\system32\DRIVERS\stwrt.sys
20:07:41.0594 5216 STHDA - ok
20:07:41.0736 5216 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
20:07:41.0738 5216 swenum - ok
20:07:41.0870 5216 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
20:07:41.0873 5216 Symc8xx - ok
20:07:41.0918 5216 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
20:07:41.0920 5216 Sym_hi - ok
20:07:42.0038 5216 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
20:07:42.0040 5216 Sym_u3 - ok
20:07:42.0211 5216 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
20:07:42.0235 5216 Tcpip - ok
20:07:42.0411 5216 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
20:07:42.0420 5216 Tcpip6 - ok
20:07:42.0565 5216 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
20:07:42.0568 5216 tcpipreg - ok
20:07:42.0699 5216 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
20:07:42.0703 5216 TDPIPE - ok
20:07:42.0850 5216 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
20:07:42.0853 5216 TDTCP - ok
20:07:42.0999 5216 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
20:07:43.0003 5216 tdx - ok
20:07:43.0140 5216 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
20:07:43.0143 5216 TermDD - ok
20:07:43.0286 5216 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
20:07:43.0288 5216 tssecsrv - ok
20:07:43.0315 5216 tunmp (387e5f1a2e0a96faf43f11ea7a7a760e) C:\Windows\system32\DRIVERS\tunmp.sys
20:07:43.0318 5216 tunmp - ok
20:07:43.0487 5216 tunnel (4e2e4203534ebbe07bb8147a8d419143) C:\Windows\system32\DRIVERS\tunnel.sys
20:07:43.0490 5216 tunnel - ok
20:07:43.0645 5216 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
20:07:43.0648 5216 uagp35 - ok
20:07:43.0830 5216 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
20:07:43.0836 5216 udfs - ok
20:07:44.0039 5216 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
20:07:44.0042 5216 uliagpkx - ok
20:07:44.0156 5216 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
20:07:44.0162 5216 uliahci - ok
20:07:44.0246 5216 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
20:07:44.0250 5216 UlSata - ok
20:07:44.0335 5216 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
20:07:44.0339 5216 ulsata2 - ok
20:07:44.0503 5216 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
20:07:44.0506 5216 umbus - ok
20:07:44.0666 5216 UMPass (88bd96a1baeed33ee8bdf9499c07a841) C:\Windows\system32\DRIVERS\umpass.sys
20:07:44.0668 5216 UMPass - ok
20:07:44.0886 5216 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
20:07:44.0890 5216 USBAAPL - ok
20:07:45.0136 5216 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
20:07:45.0140 5216 usbaudio - ok
20:07:45.0425 5216 usbccgp (922b2ebd5118b9ab120410807131a921) C:\Windows\system32\DRIVERS\usbccgp.sys
20:07:45.0429 5216 usbccgp - ok
20:07:45.0601 5216 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
20:07:45.0604 5216 usbcir - ok
20:07:45.0904 5216 usbehci (3d045eaa73414be8f877f292a84abba2) C:\Windows\system32\DRIVERS\usbehci.sys
20:07:45.0907 5216 usbehci - ok
20:07:46.0313 5216 usbhub (1ae77a4c4e4f526ef9759c31a123f2b0) C:\Windows\system32\DRIVERS\usbhub.sys
20:07:46.0319 5216 usbhub - ok
20:07:46.0487 5216 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
20:07:46.0491 5216 usbohci - ok
20:07:46.0792 5216 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
20:07:46.0794 5216 usbprint - ok
20:07:46.0979 5216 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
20:07:46.0982 5216 usbscan - ok
20:07:47.0241 5216 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:07:47.0245 5216 USBSTOR - ok
20:07:47.0303 5216 usbuhci (f69c1aad04f28415f3fbe99fbe56030b) C:\Windows\system32\DRIVERS\usbuhci.sys
20:07:47.0306 5216 usbuhci - ok
20:07:47.0655 5216 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
20:07:47.0657 5216 vga - ok
20:07:48.0216 5216 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
20:07:48.0218 5216 VgaSave - ok
20:07:48.0441 5216 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
20:07:48.0444 5216 viaagp - ok
20:07:48.0645 5216 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
20:07:48.0648 5216 ViaC7 - ok
20:07:48.0779 5216 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
20:07:48.0782 5216 viaide - ok
20:07:48.0936 5216 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
20:07:48.0939 5216 volmgr - ok
20:07:49.0195 5216 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
20:07:49.0203 5216 volmgrx - ok
20:07:49.0402 5216 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
20:07:49.0410 5216 volsnap - ok
20:07:49.0594 5216 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
20:07:49.0599 5216 vsmraid - ok
20:07:49.0796 5216 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
20:07:49.0799 5216 WacomPen - ok
20:07:49.0902 5216 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
20:07:49.0905 5216 Wanarp - ok
20:07:49.0911 5216 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
20:07:49.0913 5216 Wanarpv6 - ok
20:07:50.0113 5216 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
20:07:50.0116 5216 Wd - ok
20:07:50.0235 5216 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
20:07:50.0245 5216 Wdf01000 - ok
20:07:50.0515 5216 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
20:07:50.0518 5216 WmiAcpi - ok
20:07:50.0681 5216 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
20:07:50.0684 5216 WpdUsb - ok
20:07:50.0790 5216 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
20:07:50.0793 5216 ws2ifsl - ok
20:07:50.0982 5216 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
20:07:50.0986 5216 WUDFRd - ok
20:07:51.0176 5216 yukonwlh (1a51df1a5c658d534ed980d18f7982de) C:\Windows\system32\DRIVERS\yk60x86.sys
20:07:51.0185 5216 yukonwlh - ok
20:07:51.0268 5216 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
20:07:51.0362 5216 \Device\Harddisk0\DR0 - ok
20:07:51.0384 5216 Boot (0x1200) (315c55d615a74fcfce854f08137e9c73) \Device\Harddisk0\DR0\Partition0
20:07:51.0386 5216 \Device\Harddisk0\DR0\Partition0 - ok
20:07:51.0391 5216 Boot (0x1200) (7ba27d2534895ad2b2ba355b9b7d66a3) \Device\Harddisk0\DR0\Partition1
20:07:51.0393 5216 \Device\Harddisk0\DR0\Partition1 - ok
20:07:51.0395 5216 ============================================================
20:07:51.0395 5216 Scan finished
20:07:51.0395 5216 ============================================================
20:07:51.0413 3596 Detected object count: 0
20:07:51.0413 3596 Actual detected object count: 0

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-18 20:12:41
-----------------------------
20:12:41.566 OS Version: Windows 6.0.6002 Service Pack 2
20:12:41.566 Number of processors: 2 586 0x170A
20:12:41.569 ComputerName: CRAIG-PC UserName: Craig
20:12:43.764 Initialize success
20:13:40.582 AVAST engine defs: 12021802
20:13:52.621 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:13:52.625 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
20:13:52.647 Disk 0 MBR read successfully
20:13:52.652 Disk 0 MBR scan
20:13:52.661 Disk 0 Windows VISTA default MBR code
20:13:52.667 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
20:13:52.685 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
20:13:52.708 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 289821 MB offset 31586304
20:13:52.720 Disk 0 scanning sectors +625139712
20:13:52.856 Disk 0 scanning C:\Windows\system32\drivers
20:14:15.366 Service scanning
20:15:22.741 Modules scanning
20:16:03.727 Disk 0 trace - called modules:
20:16:04.144 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
20:16:04.144 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87465448]
20:16:04.145 3 CLASSPNP.SYS[8c1b18b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x864fd028]
20:16:05.780 AVAST engine scan C:\Windows
20:16:17.044 AVAST engine scan C:\Windows\system32
20:23:20.261 AVAST engine scan C:\Windows\system32\drivers
20:23:58.842 AVAST engine scan C:\Users\Craig
21:10:44.988 AVAST engine scan C:\ProgramData
21:14:28.087 File: C:\ProgramData\Microsoft\Windows\DRM\627.tmp **INFECTED** Win32:MalOb-HP [Cryp]
21:15:13.007 Scan finished successfully
22:20:27.729 Disk 0 MBR has been saved successfully to "C:\Users\Craig\Desktop\MBR.dat"
22:20:27.739 The log file has been saved successfully to "C:\Users\Craig\Desktop\aswMBR.txt"
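As an added example, not part of this thread or of the aswMBR tool, here is a small Python parser for the aswMBR log format posted above: it pulls out the MBR code verdict, the partition table and any **INFECTED** lines and turns them into triage findings, which is the reading a helper does by hand on a log like this. The sample log is constructed from the lines posted above; the field and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines copied from the aswMBR log posted above.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-18 20:12:41
-----------------------------
20:13:52.621 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:13:52.647 Disk 0 MBR read successfully
20:13:52.661 Disk 0 Windows VISTA default MBR code
20:13:52.667 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
20:13:52.685 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
20:13:52.708 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 289821 MB offset 31586304
21:14:28.087 File: C:\ProgramData\Microsoft\Windows\DRM\627.tmp **INFECTED** Win32:MalOb-HP [Cryp]
21:15:13.007 Scan finished successfully
"""

# Every scan line starts with an HH:MM:SS.mmm timestamp; the patterns below key on
# the wording of the lines seen in the log above (assumed stable for this version).
TS = r"^\d\d:\d\d:\d\d\.\d+ "
RE_MBR = re.compile(TS + r"Disk (\d+) (.*MBR code.*)$")
RE_PART = re.compile(
    TS + r"Disk (\d+) Partition (\d+) ([0-9A-F]{2}) (?:\((A)\) )?([0-9A-F]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)
RE_INFECTED = re.compile(TS + r"File: (.+?) \*\*INFECTED\*\* (.+)$")
RE_FINISHED = re.compile(TS + r"Scan finished successfully$")


@dataclass
class Partition:
    number: int
    active: bool          # boot flag 0x80, shown by aswMBR as "80 (A)"
    type_id: str          # partition type byte, e.g. "07" for NTFS
    description: str      # free text between the type byte and the size
    size_mb: int
    offset: int           # first sector


@dataclass
class Disk:
    mbr_code: Optional[str] = None
    partitions: List[Partition] = field(default_factory=list)


@dataclass
class Report:
    disks: Dict[int, Disk] = field(default_factory=dict)
    infections: List[Tuple[str, str]] = field(default_factory=list)  # (path, detection)
    finished: bool = False


def parse_aswmbr(text: str) -> Report:
    """Extract MBR verdict, partition table and infected files from an aswMBR log."""
    report = Report()
    for line in text.splitlines():
        line = line.rstrip()
        m = RE_PART.match(line)
        if m:
            disk = report.disks.setdefault(int(m.group(1)), Disk())
            disk.partitions.append(Partition(
                number=int(m.group(2)),
                active=(m.group(3) == "80" or m.group(4) == "A"),
                type_id=m.group(5),
                description=m.group(6),
                size_mb=int(m.group(7)),
                offset=int(m.group(8)),
            ))
            continue
        m = RE_MBR.match(line)
        if m:
            report.disks.setdefault(int(m.group(1)), Disk()).mbr_code = m.group(2)
            continue
        m = RE_INFECTED.match(line)
        if m:
            report.infections.append((m.group(1), m.group(2)))
            continue
        if RE_FINISHED.match(line):
            report.finished = True
    return report


def triage(report: Report) -> List[str]:
    """Turn a parsed report into the points a reviewer would raise."""
    findings: List[str] = []
    if not report.finished:
        findings.append("scan did not report a clean finish; treat the log as incomplete")
    for n, disk in sorted(report.disks.items()):
        if disk.mbr_code is None:
            findings.append(f"disk {n}: no MBR code line found")
        elif "default MBR code" not in disk.mbr_code:
            # A non-default MBR is what a bootkit leaves behind; the saved MBR.dat is the evidence.
            findings.append(f"disk {n}: non-default MBR code ({disk.mbr_code}); review MBR.dat")
        active = [p.number for p in disk.partitions if p.active]
        if len(active) != 1:
            findings.append(f"disk {n}: expected exactly one active partition, found {active}")
    for path, detection in report.infections:
        findings.append(f"infected file: {path} ({detection})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_aswmbr(SAMPLE_LOG)):
        print(finding)
```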

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 February 2012 - 12:10 AM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

Folder::
c:\programdata\Microsoft\Windows\DRM
C:\TDSSKiller_Quarantine


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 orteleus

orteleus
  • Topic Starter

  • Members
  • 14 posts

Posted 21 February 2012 - 03:23 PM

Sorry about the late reply. I had some problems running Combofix. I ran the program the first time for more than 45 minutes but the scan never started. The ComboFix icon was labeled "ComboFix-shortcut" so I don't know if that might have had something to do with it. I downloaded Combofix a second time and ran the scan again. The computer rebooted but it stalled on the prompt that stated a report log was being created. I fully uninstalled AVG (instead of only temporarily disabling for 15 minutes) and ran Combofix again. The last scan was successful and generated a log.

Both times that Combofix stalled, I couldn't access Task Manager, so I had to shut the computer down manually.




ComboFix 12-02-21.02 - Craig 02/21/2012 12:59:49.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3543.2338 [GMT -6:00]
Running from: c:\users\Craig\Desktop\ComboFix.exe
Command switches used :: c:\users\Craig\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\Microsoft\Windows\DRM\627.tmp
c:\programdata\Microsoft\Windows\DRM\blackbox.bin
c:\programdata\Microsoft\Windows\DRM\drmstore.hds
c:\programdata\Microsoft\Windows\DRM\v3ks.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.sec
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\mbr0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\mbr0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\mbr0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\mbr0000\tsk0001.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\mbr0000\tsk0001.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0003.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0005.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0006.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0007.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0007.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0008.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0008.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0009.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0009.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0010.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0010.ini
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0011.dta
c:\tdsskiller_quarantine\09.02.2012_11.52.43\mbr0000\tdlfs0000\tsk0011.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0000\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0001\object.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0001\svc0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0001\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\susp0001\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0003.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0005.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0006.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0007.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0007.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0008.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0008.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0009.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0009.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0010.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0010.ini
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0011.dta
c:\tdsskiller_quarantine\09.02.2012_15.40.06\tdlfs0000\tsk0011.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0000\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0001\object.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0001\svc0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0001\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\susp0001\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\object.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0003.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0005.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0006.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0007.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0007.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0008.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0008.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0009.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0009.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0010.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0010.ini
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0011.dta
c:\tdsskiller_quarantine\09.02.2012_16.32.23\tdlfs0000\tsk0011.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-02-21 19:08 . 2012-02-21 19:11 -------- d-----w- c:\users\Craig\AppData\Local\temp
2012-02-21 19:08 . 2012-02-21 19:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-21 16:25 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C0FAB7C4-0B7F-4E32-A634-F4DB3D1F9A6C}\mpengine.dll
2012-02-14 22:09 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-14 22:09 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-14 22:09 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-13 21:02 . 2006-12-20 00:31 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2012-02-13 21:02 . 2006-12-20 00:20 77824 ----a-w- c:\windows\system32\EBAPI.dll
2012-02-13 21:02 . 2003-12-17 07:01 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2012-02-09 22:54 . 2010-06-22 05:14 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2012-02-09 22:04 . 2012-02-21 17:53 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2012-02-09 05:46 . 2012-02-09 05:46 -------- d-----w- c:\users\Craig\AppData\Roaming\Malwarebytes
2012-02-09 05:46 . 2012-02-09 06:14 -------- d-----w- c:\programdata\Malwarebytes
2012-02-06 14:35 . 2012-02-06 14:35 -------- d-----w- c:\users\Craig\AppData\Roaming\Epson
2012-02-06 14:35 . 2012-02-06 14:35 -------- d-----w- c:\users\Craig\AppData\Roaming\Leader Technologies
2012-02-03 03:52 . 2012-02-03 03:52 -------- d-----w- c:\users\Craig\AppData\Roaming\Leadertech
2012-02-03 03:52 . 2012-02-03 03:52 -------- d-----w- c:\program files\LTCM Client
2012-02-03 03:49 . 2010-09-13 21:01 458129 ----a-w- c:\windows\system32\ensppui.dll
2012-02-03 03:49 . 2010-09-13 21:00 475410 ----a-w- c:\windows\system32\ensppmon.dll
2012-02-03 03:49 . 2008-06-18 17:49 249344 ----a-w- c:\windows\system32\enspres.dll
2012-02-03 03:49 . 2010-09-13 21:01 458129 ----a-w- c:\windows\system32\enppui.dll
2012-02-03 03:49 . 2010-09-13 21:00 475410 ----a-w- c:\windows\system32\enppmon.dll
2012-02-03 03:49 . 2008-06-18 17:49 249344 ----a-w- c:\windows\system32\enpres.dll
2012-02-03 03:49 . 2012-02-03 03:49 -------- d-----w- c:\program files\EpsonNet
2012-02-03 03:49 . 2012-02-13 20:45 -------- d-----w- c:\program files\Common Files\EPSON
2012-02-03 03:48 . 2012-02-03 03:48 -------- d-----w- c:\program files\Epson America Inc
2012-02-03 03:47 . 2012-02-03 03:43 93696 ----a-w- c:\windows\system32\E_FLBHLA.DLL
2012-02-03 03:47 . 2012-02-03 03:43 63488 ----a-w- c:\windows\system32\E_FD4BHLA.DLL
2012-02-03 03:47 . 2012-02-13 20:43 -------- d-----w- c:\programdata\EPSON
2012-02-03 03:46 . 2012-02-03 03:46 -------- d-----w- c:\program files\Epson Software
2012-02-03 03:45 . 2009-10-16 06:00 132560 ----a-w- c:\windows\system32\esdevapp.exe
2012-02-03 03:45 . 2009-10-16 06:00 12800 ----a-w- c:\windows\system32\escdev.dll
2012-02-03 03:45 . 2011-08-10 06:00 341504 ----a-w- c:\windows\system32\esw2ud.dll
2012-02-03 03:44 . 2012-02-03 03:52 -------- d-----w- c:\program files\epson
2012-01-29 23:31 . 2012-01-29 23:31 -------- d-----w- c:\users\Craig\AppData\Local\ElevatedDiagnostics
2012-01-29 21:10 . 2012-01-29 21:10 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-13 19:15 . 2011-09-01 13:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-29 11:10 . 2010-10-10 02:04 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-11-25 15:59 . 2012-01-11 15:22 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-02-17 18:53 . 2012-02-08 18:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2011-08-04 20:15 3512088 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2011-08-04 20:15 3512088 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Craig\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-18 274432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
.
c:\users\Craig\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - c:\users\Craig\AppData\Roaming\Leadertech\PowerRegister\Epson all-in-one Registration.exe [2011-3-22 2561024]
Jobulator.lnk - c:\program files\Jobulator\Jobulator.exe [2012-1-3 142848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Growtronix Server.lnk - c:\growtronix\Growtronix Server.exe [2011-10-28 57649152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Growtronix Server.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Growtronix Server.lnk
backup=c:\windows\pss\Growtronix Server.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MozyHome Status.lnk]
backup=c:\windows\pss\MozyHome Status.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Craig^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Jobulator.lnk]
backup=c:\windows\pss\Jobulator.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Craig^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 05:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 10:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-23 03:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-05-26 19:57 136176 ----atw- c:\users\Craig\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-10-17 22:07 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-05-07 22:41 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-10 00:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2008-02-20 19:31 53248 ----a-w- c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4098679926-76172908-770150053-1000]
"EnableNotificationsRef"=dword:00000002
"EnableNotifications"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\aestsrv.exe [2009-03-03 81920]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 02:31]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 02:31]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4098679926-76172908-770150053-1000Core.job
- c:\users\Craig\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-26 19:57]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4098679926-76172908-770150053-1000UA.job
- c:\users\Craig\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-26 19:57]
.
2012-02-21 c:\windows\Tasks\User_Feed_Synchronization-{F8973E9A-059E-4870-964B-C50FEA357C20}.job
- c:\windows\system32\msfeedssync.exe [2012-02-21 15:43]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Craig\AppData\Roaming\Mozilla\Firefox\Profiles\xolls3rs.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-21 13:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3304)
c:\program files\MozyHome\mozyshell.dll
c:\program files\MozyHome\LIBEAY32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\STacSV.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wsqmcons.exe
.
**************************************************************************
.
Completion time: 2012-02-21 13:20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-21 19:18
ComboFix2.txt 2012-02-17 18:46
.
Pre-Run: 201,520,943,104 bytes free
Post-Run: 201,270,177,792 bytes free
.
- - End Of File - - 5B19F17996C25624237F7674A0958010

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 February 2012 - 07:32 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a much better job)

Programs to remove

Adobe Reader 9.4.0
Java™ 6 Update 24
XFINITY Toolbar


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




