Gala re-direct and other malicious files...


  • This topic is locked
29 replies to this topic

#1 JustMyAlias


Posted 10 February 2012 - 08:46 AM

My (son's) laptop became infected last night (Wed) through Facebook.
It is running Windows Vista.

Initially, it looked like there was an AV or AVA something virus running - but it's gone now.
I have run SpyBot, Malware Bytes and Ad-Aware (all latest versions and updates) - all have found files and removed most.
A few could not be removed because supposedly I did not have Administrator rights.
The Gala re-direct was occurring, even in safe mode.
My "Administrator" rights have been blocked, Windows Security Center has been set to Off and blocked, and Ad-Aware's AdWatch seems to have been blocked too (unless this is a paid only feature...) - I cannot change these even in safe mode.
I am also unable to immunize in SpyBot b/c I lack Admin rights.
I ran all 3 programs again in Safe Mode - a few additional files were found and removed -
including
Trojan.Boot.Alureon and
JS Obfuscator (these may not be exact - it's what I jotted down on scrap paper...)

I posted in the "Am I Infected" topic, and posted the requested logs there, per the help of Broni.
He suggested that I post here, because there are some registry keys missing, and additional tools might be needed.
Here is my original post:
My link

I am currently running in normal Windows mode, and don't seem to be having any obvious issues (no Gala re-directs lately - since mid-day yesterday), but I want to be sure I am clear and free...
TIA for any help!!


Edited by JustMyAlias, 10 February 2012 - 08:52 AM.



#2 JustMyAlias


Posted 10 February 2012 - 02:52 PM

quick update-
and hoping this does not have a significant impact on the info I already posted...
(AdAware) AdWatch DID allow me to turn the protection on when I re-booted.
I uninstalled Norton/ Symantec - as the license has just expired, and I did not intend to renew it.
I got a message that it 'may' have been in conflict with the Windows firewall, as both were trying to run.
Then I installed ZoneAlarm.

The AV program that is causing me grief popped up again -
AV Security Essentials (Ava38_8050)...

#3 gringo_pr

  • Malware Response Team

Posted 12 February 2012 - 01:28 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 JustMyAlias


Posted 12 February 2012 - 01:51 PM

Disabled AdWatch, SpyBot and Zone Alarm.
Ran De-Fogger - no issues, but a re-boot was not required.

DDS logs:
(hoping I understood your request not to attach the logs, but to paste them in...)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Austen at 13:47:01 on 2012-02-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3063.1907 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: ZoneAlarm Free Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATK Hotkey\MsgTranAgt.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
mDefault_Page_URL = hxxp://www.lenovo.com
uInternet Settings,ProxyOverride = *.local;192.168.*.*
uURLSearchHooks: H - No File
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
mURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EnergyCut_Utility] c:\program files\lenovo\energycut\utilty.exe
mRun: [EnergyCut] c:\program files\lenovo\energycut\EnergyCut.exe
mRun: [PCMService] "c:\program files\lenovo\shuttlecenter\PCMService.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Skytel] Skytel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NPSStartup]
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [ISW]
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: c:\users\austen\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - c:\program files\lenovo\veriface\OpenWnd.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://etciec102.coca-cola.com/+CSCOL+/relayp.cab
DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://campwoof2.dyndns.org:7180/RtspVaPgDec.cab
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
TCP: Interfaces\{DCFAC32F-399F-48DB-9E9D-8569EBBA3A28} : DhcpNameServer = 205.152.37.23 205.152.150.23
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-2-9 64512]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-4 21504]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-2-9 1153368]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-5-19 21520]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-7-22 180736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-16 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2012-1-18 30312]
S3 CapFilt;CapFilt;c:\windows\system32\drivers\CapFilt.sys [2008-9-4 18048]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-1-18 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-16 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-1-18 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-1-18 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-1-18 121576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-12 07:25:31 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fc94fbb5-d717-4f49-9138-7adab60da707}\offreg.dll
2012-02-10 19:28:03 -------- d-----w- c:\users\austen\appdata\roaming\CheckPoint
2012-02-10 19:27:49 -------- d-----w- c:\program files\Conduit
2012-02-10 19:27:43 -------- d-----w- c:\users\austen\appdata\local\Conduit
2012-02-10 19:27:41 -------- d-----w- c:\program files\ZoneAlarm_Security
2012-02-10 19:27:00 -------- d-----w- c:\programdata\CheckPoint
2012-02-10 19:26:15 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-10 19:20:45 -------- d-----w- c:\program files\CheckPoint
2012-02-10 06:31:25 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fc94fbb5-d717-4f49-9138-7adab60da707}\mpengine.dll
2012-02-09 16:44:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-02-09 16:16:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-09 16:02:16 -------- d-----w- c:\users\austen\appdata\local\adaware
2012-02-09 16:02:15 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-02-09 16:02:10 -------- d-----w- c:\program files\Toolbar Cleaner
2012-02-09 16:01:16 -------- d-----w- c:\program files\adawaretb
2012-02-09 16:01:03 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-02-09 16:00:52 -------- d-----w- c:\program files\Lavasoft
2012-02-09 15:54:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-09 15:54:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-09 03:51:09 -------- d-sh--w- c:\users\austen\appdata\roaming\AV Security Essentials
2012-02-09 03:51:09 -------- d-sh--w- c:\programdata\AVWMADUVPRSE
2012-02-09 03:50:37 -------- d-sh--w- c:\programdata\a38f00
2012-01-30 04:01:47 -------- d-----w- c:\users\austen\appdata\roaming\Motorola
2012-01-30 04:01:47 -------- d-----w- C:\Temp
2012-01-30 03:53:10 -------- d-----w- c:\program files\common files\Motorola Shared
2012-01-27 03:40:51 -------- d-----w- c:\program files\Orneta
2012-01-27 02:13:49 -------- d-----w- c:\program files\QPST
2012-01-23 14:48:56 -------- d-----w- c:\program files\iPod
2012-01-23 14:48:52 -------- d-----w- c:\program files\iTunes
2012-01-19 02:03:34 1547776 ----a-w- c:\windows\system32\WMVDECOD.DLL
2012-01-18 19:32:14 96488 ----a-w- c:\windows\system32\drivers\ssadbus.sys
2012-01-18 19:32:14 30312 ----a-w- c:\windows\system32\drivers\ssadadb.sys
2012-01-18 19:32:14 1416680 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2012-01-18 19:32:14 1416680 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01005.dll
2012-01-18 19:32:14 12776 ----a-w- c:\windows\system32\drivers\ssadmdfl.sys
2012-01-18 19:32:14 121576 ----a-w- c:\windows\system32\drivers\ssadmdm.sys
2012-01-18 19:32:14 10344 ----a-w- c:\windows\system32\drivers\ssadcmnt.sys
2012-01-18 19:32:14 10344 ----a-w- c:\windows\system32\drivers\ssadcm.sys
2012-01-18 19:32:14 10216 ----a-w- c:\windows\system32\drivers\ssadwhnt.sys
2012-01-18 19:32:14 10216 ----a-w- c:\windows\system32\drivers\ssadwh.sys
2012-01-18 19:18:59 -------- d-----w- c:\programdata\Samsung
2012-01-18 18:58:25 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2012-01-18 18:56:35 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2012-01-18 18:56:35 238952 ----a-w- c:\windows\system32\FsUsbExService.Exe
2012-01-18 18:56:35 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2012-01-18 18:56:03 -------- d-----w- c:\users\austen\appdata\roaming\Samsung
2012-01-18 18:53:55 -------- d-----w- c:\program files\Samsung
2012-01-18 01:47:24 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 01:47:24 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 01:47:24 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 01:47:23 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-18 01:47:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 01:47:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-14 21:12:50 -------- d-----w- c:\program files\Coupons
.
==================== Find3M ====================
.
2012-01-27 05:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-22 15:16:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
.
============= FINISH: 13:47:57.04 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 9/4/2008 5:54:53 AM
System Uptime: 2/11/2012 3:17:30 AM (34 hours ago)
.
Motherboard: LENOVO | | SPEEDY
Processor: Intel® Core™2 Duo CPU T5750 @ 2.00GHz | Socket 478 | 2000/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 189 GiB total, 87.979 GiB free.
D: is FIXED (NTFS) - 27 GiB total, 26.381 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 373 GiB total, 191.644 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP246: 2/4/2012 1:15:15 PM - Scheduled Checkpoint
RP247: 2/5/2012 2:06:42 PM - Scheduled Checkpoint
RP248: 2/7/2012 2:06:08 AM - Windows Update
RP249: 2/8/2012 12:00:17 AM - Scheduled Checkpoint
RP250: 2/8/2012 2:06:18 AM - Windows Update
RP251: 2/8/2012 8:54:37 PM - Scheduled Checkpoint
RP252: 2/9/2012 10:59:09 AM - Installed Ad-Aware
RP253: 2/9/2012 11:00:26 AM - Installed Ad-Aware
RP254: 2/10/2012 12:47:03 AM - Scheduled Checkpoint
RP255: 2/10/2012 1:30:47 AM - Windows Update
RP256: 2/10/2012 2:25:42 PM - Windows Update
RP257: 2/10/2012 2:28:41 PM - Device Driver Package Install: Check Point Software Technologies Ltd. Network Service
RP258: 2/11/2012 3:57:10 AM - Scheduled Checkpoint
RP259: 2/12/2012 12:00:29 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Ad-Aware Security Toolbar
Adobe Flash Player 11 ActiveX
Adobe Reader 8.3.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATK Hotkey
Bonjour
Broadcom Gigabit Integrated Controller
Business Contact Manager for Outlook 2007 SP2
CCleaner
Coupon Printer for Windows
EasyCapture
EnergyCut
Ftp Explorer Mobile for Windows Mobile 5.0
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iCloud
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
ISO Recorder
iTunes
Java Auto Updater
Java™ 6 Update 27
Lenovo Easy Camera
lenovo scrnsave
LiveUpdate Notice (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.1.1000
mCore
mDriver
mHelp
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mMHouse
MotoHelper MergeModules
Motorola Mobile Drivers Installation 5.4.0
Motorola SM56 Speakerphone Modem
mPfMgr
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Power2Go 5.0
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
SAMSUNG USB Driver for Mobile Phones
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Shuttle Center II
Softi FreeOCR
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC 9.0 Runtime
VeriFace
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WinFlash
ZoneAlarm Firewall
ZoneAlarm Free
ZoneAlarm Security
ZoneAlarm Security Toolbar
ZoneAlarm Toolbar
.
==== Event Viewer Messages From Past Week ========
.
2/9/2012 7:29:24 PM, Error: EventLog [6008] - The previous system shutdown at 7:27:20 PM on 2/9/2012 was unexpected.
2/9/2012 12:14:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service RapiMgr with arguments "" in order to run the server: {ED081F25-6A77-4C89-B689-C6E15C582EC1}
2/9/2012 12:12:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
2/9/2012 12:11:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2/9/2012 11:50:50 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
2/9/2012 11:50:36 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SPBBCDrv spldr SRTSPX SYMTDI Wanarpv6
2/8/2012 5:31:26 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.103 for the Network Card with network address 001CBFBC39D6 has been denied by the DHCP server 192.168.2.254 (The DHCP Server sent a DHCPNACK message).
2/5/2012 10:11:38 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
2/5/2012 10:10:06 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.101 for the Network Card with network address 001CBFBC39D6 has been denied by the DHCP server 192.168.2.254 (The DHCP Server sent a DHCPNACK message).
2/11/2012 3:18:54 AM, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
2/11/2012 10:57:02 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer JORDYN_NETBOOK that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DCFAC32F-399F-48DB-9E9D-856. The master browser is stopping or an election is being forced.
2/10/2012 9:44:13 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: a2injectiondriver AFD DfsC eeCtrl NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb SPBBCDrv spldr SRTSPX SYMTDI tdx Wanarpv6
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/10/2012 9:42:30 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
2/10/2012 9:42:02 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
2/10/2012 9:42:02 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
2/10/2012 9:42:02 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
2/10/2012 9:42:00 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/10/2012 9:41:50 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/10/2012 9:39:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
2/10/2012 9:39:33 AM, Error: Service Control Manager [7000] - The Windows Modules Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/10/2012 9:39:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
2/10/2012 2:29:58 PM, Error: Service Control Manager [7030] - The TrueVector Internet Monitor service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
.
==== End Of File ===========================

#5 gringo_pr

  • Malware Response Team

Posted 12 February 2012 - 02:28 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 JustMyAlias

  • Topic Starter

Posted 12 February 2012 - 11:18 PM

The computer seems to be running okay - no re-directs or other popups or weird behavior.


ComboFix 12-02-12.01 - Austen 02/12/2012 22:59:15.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3063.1903 [GMT -5:00]
Running from: c:\users\Austen\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
FW: ZoneAlarm Free Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.tmp
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\eb.dll
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\fan.tmp
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\gid.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\hymt.tmp
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\kernel32.tmp
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\pal.drv
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\pal.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\runddl.exe
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.tmp
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\sld.sys
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\tjd.dll
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
.
.
2012-02-13 04:06 . 2012-02-13 04:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-13 04:06 . 2012-02-13 04:06 -------- d-----w- c:\users\Bobby\AppData\Local\temp
2012-02-10 19:28 . 2012-02-10 19:28 -------- d-----w- c:\users\Austen\AppData\Roaming\CheckPoint
2012-02-10 19:27 . 2012-02-10 19:27 -------- d-----w- c:\program files\Conduit
2012-02-10 19:27 . 2012-02-10 19:27 -------- d-----w- c:\users\Austen\AppData\Local\Conduit
2012-02-10 19:27 . 2012-02-10 19:27 -------- d-----w- c:\program files\ZoneAlarm_Security
2012-02-10 19:27 . 2012-02-10 19:27 -------- d-----w- c:\programdata\CheckPoint
2012-02-10 19:26 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-10 19:20 . 2012-02-10 19:27 -------- d-----w- c:\program files\CheckPoint
2012-02-10 06:31 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FC94FBB5-D717-4F49-9138-7ADAB60DA707}\mpengine.dll
2012-02-09 16:44 . 2012-02-09 16:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-02-09 16:16 . 2012-02-09 16:16 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-09 16:02 . 2012-02-09 16:02 -------- d-----w- c:\users\Austen\AppData\Local\adaware
2012-02-09 16:02 . 2012-02-13 03:49 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-02-09 16:02 . 2012-02-09 16:02 -------- d-----w- c:\program files\Toolbar Cleaner
2012-02-09 16:01 . 2012-02-09 16:02 -------- d-----w- c:\program files\adawaretb
2012-02-09 16:01 . 2011-12-23 12:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-02-09 16:00 . 2012-02-09 16:00 -------- d-----w- c:\program files\Lavasoft
2012-02-09 16:00 . 2012-02-09 16:01 -------- d-----w- c:\programdata\Lavasoft
2012-02-09 15:54 . 2012-02-13 03:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-09 15:54 . 2012-02-10 13:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-09 03:51 . 2012-02-09 03:52 -------- d-sh--w- c:\users\Austen\AppData\Roaming\AV Security Essentials
2012-02-09 03:51 . 2012-02-09 03:51 -------- d-sh--w- c:\programdata\AVWMADUVPRSE
2012-02-09 03:50 . 2012-02-09 16:44 -------- d-sh--w- c:\programdata\a38f00
2012-02-01 02:13 . 2012-02-01 02:13 -------- d-----w- c:\users\Bobby\AppData\Roaming\Motorola
2012-01-30 04:01 . 2012-02-09 12:34 -------- d-----w- C:\Temp
2012-01-30 04:01 . 2012-01-30 04:01 -------- d-----w- c:\users\Austen\AppData\Roaming\Motorola
2012-01-30 03:53 . 2012-01-30 03:53 -------- d-----w- c:\program files\Common Files\Motorola Shared
2012-01-27 03:40 . 2012-01-27 03:40 -------- d-----w- c:\program files\Orneta
2012-01-27 02:13 . 2012-02-09 17:10 -------- d-----w- c:\program files\QPST
2012-01-23 14:48 . 2012-01-23 14:48 -------- d-----w- c:\program files\iPod
2012-01-23 14:48 . 2012-01-23 14:50 -------- d-----w- c:\program files\iTunes
2012-01-22 14:56 . 2012-01-22 14:56 -------- d-----w- c:\programdata\McAfee
2012-01-19 02:03 . 2009-07-27 15:00 1547776 ----a-w- c:\windows\system32\WMVDECOD.DLL
2012-01-18 19:32 . 2010-05-12 10:15 1416680 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2012-01-18 19:32 . 2010-05-12 10:15 1416680 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01005.dll
2012-01-18 19:32 . 2010-05-12 10:14 121576 ----a-w- c:\windows\system32\drivers\ssadmdm.sys
2012-01-18 19:32 . 2010-05-12 10:14 10216 ----a-w- c:\windows\system32\drivers\ssadwhnt.sys
2012-01-18 19:32 . 2010-05-12 10:14 10216 ----a-w- c:\windows\system32\drivers\ssadwh.sys
2012-01-18 19:32 . 2010-05-12 10:14 96488 ----a-w- c:\windows\system32\drivers\ssadbus.sys
2012-01-18 19:32 . 2010-05-12 10:14 12776 ----a-w- c:\windows\system32\drivers\ssadmdfl.sys
2012-01-18 19:32 . 2010-05-12 10:14 10344 ----a-w- c:\windows\system32\drivers\ssadcmnt.sys
2012-01-18 19:32 . 2010-05-12 10:14 10344 ----a-w- c:\windows\system32\drivers\ssadcm.sys
2012-01-18 19:32 . 2010-05-12 10:14 30312 ----a-w- c:\windows\system32\drivers\ssadadb.sys
2012-01-18 19:18 . 2012-01-18 19:18 -------- d-----w- c:\programdata\Samsung
2012-01-18 18:58 . 2012-01-18 19:28 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2012-01-18 18:58 . 2012-01-18 18:58 -------- d-----w- c:\program files\DIFX
2012-01-18 18:56 . 2010-07-29 07:50 238952 ----a-w- c:\windows\system32\FsUsbExService.Exe
2012-01-18 18:56 . 2010-06-14 00:32 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2012-01-18 18:56 . 2009-11-02 14:39 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2012-01-18 18:56 . 2012-01-18 19:51 -------- d-----w- c:\users\Austen\AppData\Roaming\Samsung
2012-01-18 18:53 . 2012-01-18 19:35 -------- d-----w- c:\program files\Samsung
2012-01-18 01:47 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 01:47 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 01:47 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 01:47 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 01:47 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 01:47 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-14 21:12 . 2012-01-14 21:12 -------- d-----w- c:\program files\Coupons
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 05:21 . 2011-10-16 16:46 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-22 15:16 . 2011-10-16 22:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-14 02:08 . 2011-12-14 02:08 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-10 20:24 . 2011-12-12 19:21 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59 . 2012-01-11 15:21 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37 . 2011-12-15 12:45 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23 . 2012-01-11 15:21 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47 . 2012-01-11 15:21 66560 ----a-w- c:\windows\system32\packager.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-12-21 15:44 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2008-09-04 11:29 241752 ----a-w- c:\program files\Lenovo\VeriFace\IcnOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-09-29 2647872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-16 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"EnergyCut_Utility"="c:\program files\Lenovo\EnergyCut\utilty.exe" [2005-11-14 2506752]
"EnergyCut"="c:\program files\Lenovo\EnergyCut\EnergyCut.exe" [2007-11-15 1232896]
"PCMService"="c:\program files\Lenovo\ShuttleCenter\PCMService.exe" [2007-10-26 417792]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-16 22:00]
.
2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-16 22:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://campwoof2.dyndns.org:7180/RtspVaPgDec.cab
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-NPSStartup - (no file)
HKLM-Run-ISW - (no file)
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-12 23:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(756)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2012-02-12 23:08:32
ComboFix-quarantined-files.txt 2012-02-13 04:08
.
Pre-Run: 97,979,011,072 bytes free
Post-Run: 102,648,111,104 bytes free
.
- - End Of File - - A1B7F90C0F62D91E9E83C93A84014D77

#7 gringo_pr

  • Malware Response Team

Posted 12 February 2012 - 11:31 PM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#8 JustMyAlias

  • Topic Starter

Posted 13 February 2012 - 09:26 AM

08:59:03.0319 6084 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
08:59:04.0123 6084 ============================================================
08:59:04.0124 6084 Current date / time: 2012/02/13 08:59:04.0123
08:59:04.0124 6084 SystemInfo:
08:59:04.0124 6084
08:59:04.0124 6084 OS Version: 6.0.6002 ServicePack: 2.0
08:59:04.0124 6084 Product type: Workstation
08:59:04.0124 6084 ComputerName: AUSTEN-PC
08:59:04.0124 6084 UserName: Austen
08:59:04.0124 6084 Windows directory: C:\Windows
08:59:04.0124 6084 System windows directory: C:\Windows
08:59:04.0124 6084 Processor architecture: Intel x86
08:59:04.0124 6084 Number of processors: 2
08:59:04.0124 6084 Page size: 0x1000
08:59:04.0124 6084 Boot type: Normal boot
08:59:04.0124 6084 ============================================================
08:59:04.0821 6084 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
08:59:04.0842 6084 Drive \Device\Harddisk1\DR1 - Size: 0x5D27216000 (372.61 Gb), SectorSize: 0x200, Cylinders: 0xBE01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
08:59:04.0852 6084 \Device\Harddisk0\DR0:
08:59:04.0853 6084 MBR used
08:59:04.0853 6084 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x179E30DA
08:59:04.0870 6084 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x179E3158, BlocksNum 0x366381F
08:59:04.0870 6084 \Device\Harddisk1\DR1:
08:59:04.0870 6084 MBR used
08:59:04.0870 6084 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2E933DC1
08:59:04.0980 6084 Initialize success
08:59:04.0980 6084 ============================================================
08:59:07.0951 3944 ============================================================
08:59:07.0951 3944 Scan started
08:59:07.0951 3944 Mode: Manual;
08:59:07.0951 3944 ============================================================
08:59:09.0371 3944 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
08:59:09.0375 3944 ACPI - ok
08:59:09.0412 3944 ACPIVPC (87114efedeb94af49323ca61f344716d) C:\Windows\system32\DRIVERS\AcpiVpc.sys
08:59:09.0413 3944 ACPIVPC - ok
08:59:09.0535 3944 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
08:59:09.0544 3944 adp94xx - ok
08:59:09.0635 3944 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
08:59:09.0642 3944 adpahci - ok
08:59:09.0702 3944 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
08:59:09.0705 3944 adpu160m - ok
08:59:09.0740 3944 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
08:59:09.0744 3944 adpu320 - ok
08:59:09.0876 3944 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
08:59:09.0882 3944 AFD - ok
08:59:10.0015 3944 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
08:59:10.0017 3944 agp440 - ok
08:59:10.0062 3944 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
08:59:10.0064 3944 aic78xx - ok
08:59:10.0095 3944 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
08:59:10.0096 3944 aliide - ok
08:59:10.0190 3944 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
08:59:10.0192 3944 amdagp - ok
08:59:10.0225 3944 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
08:59:10.0226 3944 amdide - ok
08:59:10.0278 3944 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
08:59:10.0280 3944 AmdK7 - ok
08:59:10.0291 3944 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
08:59:10.0293 3944 AmdK8 - ok
08:59:10.0369 3944 androidusb (dd8d9c597af7cd2f6b70a3d6a4a1acea) C:\Windows\system32\Drivers\ssadadb.sys
08:59:10.0371 3944 androidusb - ok
08:59:10.0470 3944 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
08:59:10.0472 3944 arc - ok
08:59:10.0551 3944 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
08:59:10.0553 3944 arcsas - ok
08:59:10.0635 3944 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
08:59:10.0636 3944 AsyncMac - ok
08:59:10.0695 3944 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
08:59:10.0697 3944 atapi - ok
08:59:10.0820 3944 b57nd60x (aa6b367ca7da571dfc3374ec137d87a5) C:\Windows\system32\DRIVERS\b57nd60x.sys
08:59:10.0824 3944 b57nd60x - ok
08:59:10.0888 3944 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
08:59:10.0889 3944 Beep - ok
08:59:10.0980 3944 blbdrive - ok
08:59:11.0060 3944 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
08:59:11.0062 3944 bowser - ok
08:59:11.0103 3944 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
08:59:11.0104 3944 BrFiltLo - ok
08:59:11.0180 3944 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
08:59:11.0182 3944 BrFiltUp - ok
08:59:11.0224 3944 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
08:59:11.0226 3944 Brserid - ok
08:59:11.0272 3944 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
08:59:11.0453 3944 BrSerWdm - ok
08:59:11.0504 3944 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
08:59:11.0505 3944 BrUsbMdm - ok
08:59:11.0570 3944 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
08:59:11.0571 3944 BrUsbSer - ok
08:59:11.0629 3944 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
08:59:11.0630 3944 BTHMODEM - ok
08:59:11.0777 3944 Cam5607 (4d33abcdd4fc8eb904111b21520d502a) C:\Windows\system32\Drivers\BisonC07.sys
08:59:11.0792 3944 Cam5607 - ok
08:59:11.0893 3944 CapFilt (8ad2e8bf80c495c79f8dbf0d5d787a04) C:\Windows\system32\drivers\CapFilt.sys
08:59:11.0894 3944 CapFilt - ok
08:59:11.0977 3944 catchme - ok
08:59:12.0083 3944 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
08:59:12.0086 3944 cdfs - ok
08:59:12.0143 3944 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
08:59:12.0145 3944 cdrom - ok
08:59:12.0179 3944 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
08:59:12.0181 3944 circlass - ok
08:59:12.0345 3944 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
08:59:12.0350 3944 CLFS - ok
08:59:12.0487 3944 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
08:59:12.0489 3944 CmBatt - ok
08:59:12.0521 3944 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
08:59:12.0523 3944 cmdide - ok
08:59:12.0551 3944 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
08:59:12.0553 3944 Compbatt - ok
08:59:12.0637 3944 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
08:59:12.0638 3944 crcdisk - ok
08:59:12.0670 3944 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
08:59:12.0672 3944 Crusoe - ok
08:59:12.0729 3944 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
08:59:12.0731 3944 DfsC - ok
08:59:12.0876 3944 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
08:59:12.0878 3944 disk - ok
08:59:12.0937 3944 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
08:59:12.0938 3944 drmkaud - ok
08:59:13.0005 3944 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
08:59:13.0017 3944 DXGKrnl - ok
08:59:13.0107 3944 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
08:59:13.0110 3944 E1G60 - ok
08:59:13.0159 3944 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
08:59:13.0163 3944 Ecache - ok
08:59:13.0298 3944 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
08:59:13.0305 3944 elxstor - ok
08:59:13.0453 3944 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
08:59:13.0458 3944 exfat - ok
08:59:13.0541 3944 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
08:59:13.0544 3944 fastfat - ok
08:59:13.0573 3944 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
08:59:13.0574 3944 fdc - ok
08:59:13.0695 3944 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
08:59:13.0711 3944 FileInfo - ok
08:59:13.0775 3944 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
08:59:13.0785 3944 Filetrace - ok
08:59:13.0858 3944 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
08:59:13.0860 3944 flpydisk - ok
08:59:13.0951 3944 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
08:59:13.0955 3944 FltMgr - ok
08:59:14.0097 3944 FsUsbExDisk (cbe5f69a5e5b918225f420ba748f3742) C:\Windows\system32\FsUsbExDisk.SYS
08:59:14.0099 3944 FsUsbExDisk - ok
08:59:14.0154 3944 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
08:59:14.0155 3944 Fs_Rec - ok
08:59:14.0243 3944 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
08:59:14.0245 3944 gagp30kx - ok
08:59:14.0332 3944 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
08:59:14.0334 3944 GEARAspiWDM - ok
08:59:14.0429 3944 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
08:59:14.0434 3944 HdAudAddService - ok
08:59:14.0536 3944 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
08:59:14.0547 3944 HDAudBus - ok
08:59:14.0647 3944 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
08:59:14.0655 3944 HidBth - ok
08:59:14.0681 3944 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
08:59:14.0682 3944 HidIr - ok
08:59:14.0769 3944 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
08:59:14.0771 3944 HidUsb - ok
08:59:14.0875 3944 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
08:59:14.0876 3944 HpCISSs - ok
08:59:14.0914 3944 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
08:59:14.0922 3944 HTTP - ok
08:59:15.0002 3944 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
08:59:15.0003 3944 i2omp - ok
08:59:15.0064 3944 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
08:59:15.0066 3944 i8042prt - ok
08:59:15.0163 3944 iaStor (5df93509037399b53d3ecaa8a67b6c58) C:\Windows\system32\DRIVERS\iaStor.sys
08:59:15.0165 3944 iaStor - ok
08:59:15.0208 3944 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
08:59:15.0213 3944 iaStorV - ok
08:59:15.0410 3944 igfx (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
08:59:15.0520 3944 igfx - ok
08:59:15.0637 3944 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
08:59:15.0638 3944 iirsp - ok
08:59:15.0760 3944 IntcAzAudAddService (ae3df3265781543b616e0a8830f6774b) C:\Windows\system32\drivers\RTKVHDA.sys
08:59:15.0797 3944 IntcAzAudAddService - ok
08:59:15.0882 3944 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
08:59:15.0883 3944 intelide - ok
08:59:15.0927 3944 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
08:59:15.0928 3944 intelppm - ok
08:59:16.0023 3944 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
08:59:16.0024 3944 IpFilterDriver - ok
08:59:16.0102 3944 IpInIp - ok
08:59:16.0180 3944 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
08:59:16.0182 3944 IPMIDRV - ok
08:59:16.0223 3944 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
08:59:16.0225 3944 IPNAT - ok
08:59:16.0301 3944 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
08:59:16.0302 3944 IRENUM - ok
08:59:16.0374 3944 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
08:59:16.0375 3944 isapnp - ok
08:59:16.0424 3944 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
08:59:16.0427 3944 iScsiPrt - ok
08:59:16.0530 3944 ISWKL (08a811bfd207dfdec588881c18bacbaa) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
08:59:16.0531 3944 ISWKL - ok
08:59:16.0632 3944 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
08:59:16.0633 3944 iteatapi - ok
08:59:16.0704 3944 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
08:59:16.0705 3944 iteraid - ok
08:59:16.0748 3944 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
08:59:16.0749 3944 kbdclass - ok
08:59:16.0830 3944 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
08:59:16.0831 3944 kbdhid - ok
08:59:16.0882 3944 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
08:59:16.0891 3944 KSecDD - ok
08:59:16.0970 3944 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
08:59:16.0971 3944 Lavasoft Kernexplorer - ok
08:59:17.0084 3944 Lbd (336abe8721cbc3110f1c6426da633417) C:\Windows\system32\DRIVERS\Lbd.sys
08:59:17.0086 3944 Lbd - ok
08:59:17.0149 3944 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
08:59:17.0151 3944 lltdio - ok
08:59:17.0190 3944 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
08:59:17.0192 3944 LSI_FC - ok
08:59:17.0332 3944 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
08:59:17.0334 3944 LSI_SAS - ok
08:59:17.0373 3944 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
08:59:17.0375 3944 LSI_SCSI - ok
08:59:17.0411 3944 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
08:59:17.0413 3944 luafv - ok
08:59:17.0519 3944 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
08:59:17.0520 3944 megasas - ok
08:59:17.0579 3944 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
08:59:17.0580 3944 Modem - ok
08:59:17.0607 3944 MODEMCSA (cbb59c41f19efea1a000793e08070a62) C:\Windows\system32\drivers\MODEMCSA.sys
08:59:17.0609 3944 MODEMCSA - ok
08:59:17.0730 3944 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
08:59:17.0732 3944 monitor - ok
08:59:17.0785 3944 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
08:59:17.0786 3944 mouclass - ok
08:59:17.0820 3944 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
08:59:17.0821 3944 mouhid - ok
08:59:17.0919 3944 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
08:59:17.0921 3944 MountMgr - ok
08:59:17.0987 3944 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
08:59:17.0989 3944 mpio - ok
08:59:18.0083 3944 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
08:59:18.0085 3944 mpsdrv - ok
08:59:18.0153 3944 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
08:59:18.0155 3944 Mraid35x - ok
08:59:18.0258 3944 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
08:59:18.0262 3944 MRxDAV - ok
08:59:18.0295 3944 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
08:59:18.0298 3944 mrxsmb - ok
08:59:18.0313 3944 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
08:59:18.0317 3944 mrxsmb10 - ok
08:59:18.0329 3944 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
08:59:18.0331 3944 mrxsmb20 - ok
08:59:18.0365 3944 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
08:59:18.0367 3944 msahci - ok
08:59:18.0457 3944 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
08:59:18.0460 3944 msdsm - ok
08:59:18.0531 3944 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
08:59:18.0533 3944 Msfs - ok
08:59:18.0626 3944 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
08:59:18.0627 3944 msisadrv - ok
08:59:18.0660 3944 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
08:59:18.0661 3944 MSKSSRV - ok
08:59:18.0694 3944 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
08:59:18.0695 3944 MSPCLOCK - ok
08:59:18.0721 3944 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
08:59:18.0722 3944 MSPQM - ok
08:59:18.0759 3944 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
08:59:18.0762 3944 MsRPC - ok
08:59:18.0856 3944 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
08:59:18.0857 3944 mssmbios - ok
08:59:18.0909 3944 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
08:59:18.0910 3944 MSTEE - ok
08:59:19.0025 3944 MTsensor (97affa9d95ffe20eee6229bc6be166cf) C:\Windows\system32\DRIVERS\ATKACPI.sys
08:59:19.0026 3944 MTsensor - ok
08:59:19.0062 3944 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
08:59:19.0064 3944 Mup - ok
08:59:19.0097 3944 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
08:59:19.0100 3944 NativeWifiP - ok
08:59:19.0215 3944 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
08:59:19.0226 3944 NDIS - ok
08:59:19.0301 3944 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
08:59:19.0303 3944 NdisTapi - ok
08:59:19.0354 3944 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
08:59:19.0355 3944 Ndisuio - ok
08:59:19.0417 3944 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
08:59:19.0420 3944 NdisWan - ok
08:59:19.0487 3944 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
08:59:19.0489 3944 NDProxy - ok
08:59:19.0509 3944 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
08:59:19.0511 3944 NetBIOS - ok
08:59:19.0547 3944 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
08:59:19.0552 3944 netbt - ok
08:59:19.0728 3944 NETw3v32 (35d5458d9a1b26b2005abffbf4c1c5e7) C:\Windows\system32\DRIVERS\NETw3v32.sys
08:59:19.0794 3944 NETw3v32 - ok
08:59:19.0968 3944 NETw4v32 (25acccfc33dd448b9d3037c5e439e830) C:\Windows\system32\DRIVERS\NETw4v32.sys
08:59:20.0034 3944 NETw4v32 - ok
08:59:20.0133 3944 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
08:59:20.0134 3944 nfrd960 - ok
08:59:20.0169 3944 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
08:59:20.0170 3944 Npfs - ok
08:59:20.0199 3944 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
08:59:20.0200 3944 nsiproxy - ok
08:59:20.0388 3944 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
08:59:20.0406 3944 Ntfs - ok
08:59:20.0501 3944 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
08:59:20.0502 3944 ntrigdigi - ok
08:59:20.0543 3944 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
08:59:20.0544 3944 Null - ok
08:59:20.0578 3944 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
08:59:20.0581 3944 nvraid - ok
08:59:20.0669 3944 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
08:59:20.0670 3944 nvstor - ok
08:59:20.0698 3944 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
08:59:20.0701 3944 nv_agp - ok
08:59:20.0712 3944 NwlnkFlt - ok
08:59:20.0726 3944 NwlnkFwd - ok
08:59:20.0837 3944 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
08:59:20.0839 3944 ohci1394 - ok
08:59:20.0903 3944 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
08:59:20.0905 3944 Parport - ok
08:59:20.0982 3944 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
08:59:20.0984 3944 partmgr - ok
08:59:21.0015 3944 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
08:59:21.0016 3944 Parvdm - ok
08:59:21.0052 3944 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
08:59:21.0056 3944 pci - ok
08:59:21.0115 3944 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
08:59:21.0117 3944 pciide - ok
08:59:21.0145 3944 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
08:59:21.0148 3944 pcmcia - ok
08:59:21.0220 3944 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
08:59:21.0236 3944 PEAUTH - ok
08:59:21.0378 3944 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
08:59:21.0380 3944 PptpMiniport - ok
08:59:21.0477 3944 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
08:59:21.0478 3944 Processor - ok
08:59:21.0604 3944 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
08:59:21.0607 3944 PSched - ok
08:59:21.0670 3944 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
08:59:21.0686 3944 ql2300 - ok
08:59:21.0798 3944 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
08:59:21.0800 3944 ql40xx - ok
08:59:21.0844 3944 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
08:59:21.0846 3944 QWAVEdrv - ok
08:59:21.0946 3944 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
08:59:21.0947 3944 RasAcd - ok
08:59:22.0003 3944 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
08:59:22.0005 3944 Rasl2tp - ok
08:59:22.0072 3944 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
08:59:22.0074 3944 RasPppoe - ok
08:59:22.0101 3944 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
08:59:22.0104 3944 RasSstp - ok
08:59:22.0140 3944 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
08:59:22.0145 3944 rdbss - ok
08:59:22.0190 3944 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
08:59:22.0191 3944 RDPCDD - ok
08:59:22.0339 3944 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
08:59:22.0344 3944 rdpdr - ok
08:59:22.0380 3944 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
08:59:22.0381 3944 RDPENCDD - ok
08:59:22.0465 3944 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
08:59:22.0469 3944 RDPWD - ok
08:59:22.0540 3944 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\Windows\system32\DRIVERS\rimmptsk.sys
08:59:22.0542 3944 rimmptsk - ok
08:59:22.0582 3944 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\Windows\system32\DRIVERS\rimsptsk.sys
08:59:22.0583 3944 rimsptsk - ok
08:59:22.0648 3944 rismxdp (d231b577024aa324af13a42f3a807d10) C:\Windows\system32\DRIVERS\rixdptsk.sys
08:59:22.0649 3944 rismxdp - ok
08:59:22.0687 3944 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
08:59:22.0690 3944 rspndr - ok
08:59:22.0724 3944 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
08:59:22.0726 3944 sbp2port - ok
08:59:22.0872 3944 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
08:59:22.0874 3944 sdbus - ok
08:59:22.0909 3944 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
08:59:22.0910 3944 secdrv - ok
08:59:22.0950 3944 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
08:59:22.0951 3944 Serenum - ok
08:59:23.0036 3944 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
08:59:23.0038 3944 Serial - ok
08:59:23.0079 3944 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
08:59:23.0080 3944 sermouse - ok
08:59:23.0125 3944 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
08:59:23.0126 3944 sffdisk - ok
08:59:23.0227 3944 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
08:59:23.0228 3944 sffp_mmc - ok
08:59:23.0252 3944 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
08:59:23.0263 3944 sffp_sd - ok
08:59:23.0328 3944 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
08:59:23.0329 3944 sfloppy - ok
08:59:23.0445 3944 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
08:59:23.0447 3944 sisagp - ok
08:59:23.0467 3944 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
08:59:23.0468 3944 SiSRaid2 - ok
08:59:23.0491 3944 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
08:59:23.0494 3944 SiSRaid4 - ok
08:59:23.0531 3944 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
08:59:23.0533 3944 Smb - ok
08:59:23.0676 3944 smserial (d9bfd2298f5cf116d8eaae3b02dcee2e) C:\Windows\system32\DRIVERS\smserial.sys
08:59:23.0694 3944 smserial - ok
08:59:23.0810 3944 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
08:59:23.0812 3944 spldr - ok
08:59:23.0867 3944 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
08:59:23.0873 3944 srv - ok
08:59:23.0977 3944 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
08:59:23.0981 3944 srv2 - ok
08:59:24.0000 3944 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
08:59:24.0003 3944 srvnet - ok
08:59:24.0107 3944 ssadbus (406776fe3c2b66796bac1a7afb9ac8a1) C:\Windows\system32\DRIVERS\ssadbus.sys
08:59:24.0109 3944 ssadbus - ok
08:59:24.0152 3944 ssadmdfl (b19532d015a5d295e2aa34bb521202cf) C:\Windows\system32\DRIVERS\ssadmdfl.sys
08:59:24.0154 3944 ssadmdfl - ok
08:59:24.0251 3944 ssadmdm (2aebf9108e6f435458b9499c27394da4) C:\Windows\system32\DRIVERS\ssadmdm.sys
08:59:24.0264 3944 ssadmdm - ok
08:59:24.0366 3944 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
08:59:24.0367 3944 swenum - ok
08:59:24.0421 3944 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
08:59:24.0422 3944 Symc8xx - ok
08:59:24.0495 3944 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
08:59:24.0497 3944 Sym_hi - ok
08:59:24.0524 3944 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
08:59:24.0525 3944 Sym_u3 - ok
08:59:24.0562 3944 SynTP (760e4f5a1e754bbe4a1bd2a0b54f6aa6) C:\Windows\system32\DRIVERS\SynTP.sys
08:59:24.0566 3944 SynTP - ok
08:59:24.0655 3944 Tcpip (16731b631f28f63cd9f4cb60940e7ddd) C:\Windows\system32\drivers\tcpip.sys
08:59:24.0672 3944 Tcpip - ok
08:59:24.0799 3944 Tcpip6 (16731b631f28f63cd9f4cb60940e7ddd) C:\Windows\system32\DRIVERS\tcpip.sys
08:59:24.0806 3944 Tcpip6 - ok
08:59:24.0910 3944 tcpipreg (3fc13f09af9be487c7b4fac4070a036c) C:\Windows\system32\drivers\tcpipreg.sys
08:59:24.0911 3944 tcpipreg - ok
08:59:24.0964 3944 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
08:59:24.0966 3944 TDPIPE - ok
08:59:24.0991 3944 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
08:59:24.0992 3944 TDTCP - ok
08:59:25.0089 3944 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
08:59:25.0091 3944 tdx - ok
08:59:25.0128 3944 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
08:59:25.0130 3944 TermDD - ok
08:59:25.0187 3944 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
08:59:25.0188 3944 tssecsrv - ok
08:59:25.0331 3944 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
08:59:25.0333 3944 tunmp - ok
08:59:25.0348 3944 tunnel (119b8184e106baedc83fce5ddf3950da) C:\Windows\system32\DRIVERS\tunnel.sys
08:59:25.0349 3944 tunnel - ok
08:59:25.0388 3944 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
08:59:25.0390 3944 uagp35 - ok
08:59:25.0426 3944 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
08:59:25.0431 3944 udfs - ok
08:59:25.0519 3944 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
08:59:25.0521 3944 uliagpkx - ok
08:59:25.0571 3944 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
08:59:25.0576 3944 uliahci - ok
08:59:25.0670 3944 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
08:59:25.0672 3944 UlSata - ok
08:59:25.0721 3944 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
08:59:25.0724 3944 ulsata2 - ok
08:59:25.0756 3944 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
08:59:25.0757 3944 umbus - ok
08:59:25.0852 3944 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
08:59:25.0853 3944 USBAAPL - ok
08:59:25.0900 3944 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
08:59:25.0902 3944 usbccgp - ok
08:59:25.0983 3944 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
08:59:25.0985 3944 usbcir - ok
08:59:26.0047 3944 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
08:59:26.0049 3944 usbehci - ok
08:59:26.0114 3944 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
08:59:26.0119 3944 usbhub - ok
08:59:26.0147 3944 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
08:59:26.0149 3944 usbohci - ok
08:59:26.0182 3944 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
08:59:26.0183 3944 usbprint - ok
08:59:26.0261 3944 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:59:26.0268 3944 USBSTOR - ok
08:59:26.0394 3944 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
08:59:26.0395 3944 usbuhci - ok
08:59:26.0450 3944 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
08:59:26.0454 3944 usbvideo - ok
08:59:26.0499 3944 usb_rndisx (35c9095fa7076466afbfc5b9ec4b779e) C:\Windows\system32\DRIVERS\usb8023x.sys
08:59:26.0501 3944 usb_rndisx - ok
08:59:26.0581 3944 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
08:59:26.0583 3944 vga - ok
08:59:26.0616 3944 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
08:59:26.0618 3944 VgaSave - ok
08:59:26.0663 3944 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
08:59:26.0665 3944 viaagp - ok
08:59:26.0723 3944 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
08:59:26.0725 3944 ViaC7 - ok
08:59:26.0760 3944 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
08:59:26.0762 3944 viaide - ok
08:59:26.0811 3944 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
08:59:26.0813 3944 volmgr - ok
08:59:26.0858 3944 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
08:59:26.0863 3944 volmgrx - ok
08:59:26.0929 3944 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
08:59:26.0933 3944 volsnap - ok
08:59:27.0002 3944 Vsdatant (6983d0bcac64c2d7460c2125f804f118) C:\Windows\system32\DRIVERS\vsdatant.sys
08:59:27.0012 3944 Vsdatant - ok
08:59:27.0128 3944 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
08:59:27.0131 3944 vsmraid - ok
08:59:27.0167 3944 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
08:59:27.0168 3944 WacomPen - ok
08:59:27.0198 3944 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
08:59:27.0200 3944 Wanarp - ok
08:59:27.0206 3944 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
08:59:27.0207 3944 Wanarpv6 - ok
08:59:27.0380 3944 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
08:59:27.0381 3944 Wd - ok
08:59:27.0428 3944 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
08:59:27.0439 3944 Wdf01000 - ok
08:59:27.0587 3944 winusb (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\winusb.sys
08:59:27.0589 3944 winusb - ok
08:59:27.0627 3944 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\DRIVERS\wmiacpi.sys
08:59:27.0629 3944 WmiAcpi - ok
08:59:27.0698 3944 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
08:59:27.0700 3944 WpdUsb - ok
08:59:27.0853 3944 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
08:59:27.0854 3944 ws2ifsl - ok
08:59:27.0922 3944 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
08:59:27.0925 3944 WUDFRd - ok
08:59:27.0977 3944 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
08:59:28.0005 3944 \Device\Harddisk0\DR0 - ok
08:59:28.0010 3944 MBR (0x1B8) (a3eb1aed427833056370f3570283d6d0) \Device\Harddisk1\DR1
08:59:28.0015 3944 \Device\Harddisk1\DR1 - ok
08:59:28.0019 3944 Boot (0x1200) (b09bd1ee70ad979f3500fba8e3cd3e61) \Device\Harddisk0\DR0\Partition0
08:59:28.0020 3944 \Device\Harddisk0\DR0\Partition0 - ok
08:59:28.0048 3944 Boot (0x1200) (1f3d9287eb4dc992047f045b5ea0df81) \Device\Harddisk0\DR0\Partition1
08:59:28.0050 3944 \Device\Harddisk0\DR0\Partition1 - ok
08:59:28.0054 3944 Boot (0x1200) (37553fa7fc16fa6b84af540fa4be4f26) \Device\Harddisk1\DR1\Partition0
08:59:28.0058 3944 \Device\Harddisk1\DR1\Partition0 - ok
08:59:28.0058 3944 ============================================================
08:59:28.0058 3944 Scan finished
08:59:28.0058 3944 ============================================================
08:59:28.0070 2096 Detected object count: 0
08:59:28.0070 2096 Actual detected object count: 0

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-13 09:01:47
-----------------------------
09:01:47.066 OS Version: Windows 6.0.6002 Service Pack 2
09:01:47.066 Number of processors: 2 586 0xF0D
09:01:47.067 ComputerName: AUSTEN-PC UserName: Austen
09:01:48.482 Initialize success
09:08:46.463 AVAST engine defs: 12021300
09:09:32.616 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
09:09:32.618 Disk 0 Vendor: Hitachi_ BBFO Size: 238475MB BusType: 3
09:09:32.640 Disk 0 MBR read successfully
09:09:32.643 Disk 0 MBR scan
09:09:32.648 Disk 0 Windows VISTA default MBR code
09:09:32.651 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 193478 MB offset 63
09:09:32.657 Disk 0 Partition - 00 0F Extended LBA 27847 MB offset 396243225
09:09:32.683 Disk 0 Partition 2 00 12 Compaq diag 17147 MB offset 453273975
09:09:32.700 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 27847 MB offset 396243288
09:09:32.708 Disk 0 scanning sectors +488392065
09:09:32.772 Disk 0 scanning C:\Windows\system32\drivers
09:09:43.508 Service scanning
09:09:45.085 Modules scanning
09:09:52.345 Disk 0 trace - called modules:
09:09:52.373 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
09:09:52.378 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86470988]
09:09:52.384 3 CLASSPNP.SYS[8a79d8b3] -> nt!IofCallDriver -> [0x85941a78]
09:09:52.389 5 acpi.sys[806996bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85959030]
09:09:54.057 AVAST engine scan C:\Windows
09:09:58.879 AVAST engine scan C:\Windows\system32
09:13:38.178 AVAST engine scan C:\Windows\system32\drivers
09:13:54.256 AVAST engine scan C:\Users\Austen
09:18:53.693 AVAST engine scan C:\ProgramData
09:19:34.196 Scan finished successfully
09:22:16.451 Disk 0 MBR has been saved successfully to "C:\Users\Austen\Desktop\MBR.dat"
09:22:16.460 The log file has been saved successfully to "C:\Users\Austen\Desktop\aswMBR.txt"

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 February 2012 - 04:50 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

Folder::
c:\program files\Conduit
c:\users\Austen\AppData\Local\Conduit

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 JustMyAlias

  • Topic Starter
  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL

Posted 14 February 2012 - 01:59 PM

no issues and the computer seems to be running well

ComboFix 12-02-12.01 - Austen 02/14/2012 13:31:07.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3063.1928 [GMT -5:00]
Running from: c:\users\Austen\Desktop\ComboFix.exe
Command switches used :: c:\users\Austen\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
FW: ZoneAlarm Free Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Conduit
c:\program files\Conduit\Community Alerts\Alert.dll
c:\users\Austen\AppData\Local\Conduit
c:\users\Austen\AppData\Local\Conduit\CT2645238\ZoneAlarm_SecurityAutoUpdateHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
.
.
2012-02-14 18:37 . 2012-02-14 18:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-14 18:37 . 2012-02-14 18:37 -------- d-----w- c:\users\Bobby\AppData\Local\temp
2012-02-14 06:09 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1D83CBF-CEA6-4244-81E7-4F358E04F56D}\mpengine.dll
2012-02-14 02:08 . 2012-02-14 02:08 -------- d-----w- c:\program files\QuickTime
2012-02-14 01:41 . 2012-02-14 01:41 -------- d-----w- c:\program files\iPod
2012-02-14 01:41 . 2012-02-14 01:42 -------- d-----w- c:\program files\iTunes
2012-02-14 01:40 . 2012-02-14 01:40 -------- d-----w- c:\program files\Apple Software Update
2012-02-14 01:39 . 2012-02-14 01:39 -------- d-----w- c:\program files\Bonjour
2012-02-14 00:50 . 2012-02-14 00:50 -------- d-----w- c:\users\Bobby\AppData\Roaming\CheckPoint
2012-02-14 00:50 . 2012-02-14 00:50 -------- d-----w- c:\users\Bobby\AppData\Local\adaware
2012-02-10 19:28 . 2012-02-10 19:28 -------- d-----w- c:\users\Austen\AppData\Roaming\CheckPoint
2012-02-10 19:27 . 2012-02-10 19:27 -------- d-----w- c:\program files\ZoneAlarm_Security
2012-02-10 19:27 . 2012-02-10 19:27 -------- d-----w- c:\programdata\CheckPoint
2012-02-10 19:26 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-10 19:20 . 2012-02-10 19:27 -------- d-----w- c:\program files\CheckPoint
2012-02-09 16:44 . 2012-02-09 16:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-02-09 16:16 . 2012-02-09 16:16 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-09 16:02 . 2012-02-09 16:02 -------- d-----w- c:\users\Austen\AppData\Local\adaware
2012-02-09 16:02 . 2012-02-14 02:16 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-02-09 16:02 . 2012-02-09 16:02 -------- d-----w- c:\program files\Toolbar Cleaner
2012-02-09 16:01 . 2012-02-09 16:02 -------- d-----w- c:\program files\adawaretb
2012-02-09 16:01 . 2011-12-23 12:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-02-09 16:00 . 2012-02-09 16:00 -------- d-----w- c:\program files\Lavasoft
2012-02-09 16:00 . 2012-02-09 16:01 -------- d-----w- c:\programdata\Lavasoft
2012-02-09 15:54 . 2012-02-13 04:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-09 15:54 . 2012-02-10 13:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-09 03:51 . 2012-02-09 03:52 -------- d-sh--w- c:\users\Austen\AppData\Roaming\AV Security Essentials
2012-02-09 03:51 . 2012-02-09 03:51 -------- d-sh--w- c:\programdata\AVWMADUVPRSE
2012-02-09 03:50 . 2012-02-09 16:44 -------- d-sh--w- c:\programdata\a38f00
2012-02-01 02:13 . 2012-02-01 02:13 -------- d-----w- c:\users\Bobby\AppData\Roaming\Motorola
2012-01-30 04:01 . 2012-02-09 12:34 -------- d-----w- C:\Temp
2012-01-30 04:01 . 2012-01-30 04:01 -------- d-----w- c:\users\Austen\AppData\Roaming\Motorola
2012-01-30 03:53 . 2012-01-30 03:53 -------- d-----w- c:\program files\Common Files\Motorola Shared
2012-01-27 02:13 . 2012-02-09 17:10 -------- d-----w- c:\program files\QPST
2012-01-22 14:56 . 2012-01-22 14:56 -------- d-----w- c:\programdata\McAfee
2012-01-19 02:03 . 2009-07-27 15:00 1547776 ----a-w- c:\windows\system32\WMVDECOD.DLL
2012-01-18 19:32 . 2010-05-12 10:15 1416680 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2012-01-18 19:32 . 2010-05-12 10:15 1416680 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01005.dll
2012-01-18 19:32 . 2010-05-12 10:14 121576 ----a-w- c:\windows\system32\drivers\ssadmdm.sys
2012-01-18 19:32 . 2010-05-12 10:14 10216 ----a-w- c:\windows\system32\drivers\ssadwhnt.sys
2012-01-18 19:32 . 2010-05-12 10:14 10216 ----a-w- c:\windows\system32\drivers\ssadwh.sys
2012-01-18 19:32 . 2010-05-12 10:14 96488 ----a-w- c:\windows\system32\drivers\ssadbus.sys
2012-01-18 19:32 . 2010-05-12 10:14 12776 ----a-w- c:\windows\system32\drivers\ssadmdfl.sys
2012-01-18 19:32 . 2010-05-12 10:14 10344 ----a-w- c:\windows\system32\drivers\ssadcmnt.sys
2012-01-18 19:32 . 2010-05-12 10:14 10344 ----a-w- c:\windows\system32\drivers\ssadcm.sys
2012-01-18 19:32 . 2010-05-12 10:14 30312 ----a-w- c:\windows\system32\drivers\ssadadb.sys
2012-01-18 19:18 . 2012-01-18 19:18 -------- d-----w- c:\programdata\Samsung
2012-01-18 18:58 . 2012-01-18 19:28 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2012-01-18 18:58 . 2012-01-18 18:58 -------- d-----w- c:\program files\DIFX
2012-01-18 18:56 . 2010-07-29 07:50 238952 ----a-w- c:\windows\system32\FsUsbExService.Exe
2012-01-18 18:56 . 2010-06-14 00:32 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2012-01-18 18:56 . 2009-11-02 14:39 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2012-01-18 18:56 . 2012-01-18 19:51 -------- d-----w- c:\users\Austen\AppData\Roaming\Samsung
2012-01-18 18:53 . 2012-01-18 19:35 -------- d-----w- c:\program files\Samsung
2012-01-18 01:47 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 01:47 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 01:47 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 01:47 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 01:47 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 01:47 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 05:21 . 2011-10-16 16:46 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-22 15:16 . 2011-10-16 22:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-14 02:08 . 2011-12-14 02:08 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-10 20:24 . 2011-12-12 19:21 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59 . 2012-01-11 15:21 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37 . 2011-12-15 12:45 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23 . 2012-01-11 15:21 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47 . 2012-01-11 15:21 66560 ----a-w- c:\windows\system32\packager.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-12-21 15:44 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2008-09-04 11:29 241752 ----a-w- c:\program files\Lenovo\VeriFace\IcnOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-09-29 2647872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-16 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"EnergyCut_Utility"="c:\program files\Lenovo\EnergyCut\utilty.exe" [2005-11-14 2506752]
"EnergyCut"="c:\program files\Lenovo\EnergyCut\EnergyCut.exe" [2007-11-15 1232896]
"PCMService"="c:\program files\Lenovo\ShuttleCenter\PCMService.exe" [2007-10-26 417792]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\users\Austen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-16 22:00]
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-16 22:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 192.168.*.*;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://campwoof2.dyndns.org:7180/RtspVaPgDec.cab
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-14 13:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(776)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'Explorer.exe'(4776)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\Lenovo\VeriFace\IcnOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\program files\CheckPoint\ZAForceField\IswSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\ATK Hotkey\Hcontrol.exe
c:\program files\ATK Hotkey\MsgTranAgt.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Internet Explorer\IELowutil.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-02-14 13:51:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 18:51
ComboFix2.txt 2012-02-13 04:08
.
Pre-Run: 97,188,544,512 bytes free
Post-Run: 97,162,727,424 bytes free
.
- - End Of File - - 0B92DDC1FC83B9E235B3D891E696982B
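As an added triage example (not part of this thread and not ComboFix's own code), the Python below parses "Files Created" lines like the ones in the ComboFix log above and flags entries that match the rogue-AV remnants seen here: hidden+system directories and random-looking folder names under ProgramData or AppData. The attribute-letter meanings (d=directory, s=system, h=hidden) and the infection window (built from the original poster's "Wednesday night" report) are assumptions; the sample lines are copied from the posted log.

```python
"""Triage ComboFix "Files Created" lines for rogue-AV style remnants.

Added example, not ComboFix's own code or part of the thread. Assumptions:
the 8-character attribute field uses d=directory, s=system, h=hidden,
a=archive, w=writable; the infection window is built from the original
poster's "Wednesday night" report, in the log's own clock.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# <created> . <modified> <size or 8 dashes> <8-char attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Name heuristics: lowercase hex with at least one digit, or a run of capitals.
HEX_NAME = re.compile(r"^(?=.*\d)[0-9a-f]{6,}$")
CAPS_NAME = re.compile(r"^[A-Z]{8,}$")
# User-writable locations the rogue AV in this thread staged itself in.
STAGING_DIRS = ("\\programdata\\", "\\appdata\\")

# Sample lines copied from the posted ComboFix log (constructed subset).
SAMPLE_LINES = [
    r"2012-02-14 02:08 . 2012-02-14 02:08 -------- d-----w- c:\program files\QuickTime",
    r"2012-02-09 16:44 . 2012-02-09 16:16 16432 ----a-w- c:\windows\system32\lsdelete.exe",
    r"2012-02-09 03:51 . 2012-02-09 03:52 -------- d-sh--w- c:\users\Austen\AppData\Roaming\AV Security Essentials",
    r"2012-02-09 03:51 . 2012-02-09 03:51 -------- d-sh--w- c:\programdata\AVWMADUVPRSE",
    r"2012-02-09 03:50 . 2012-02-09 16:44 -------- d-sh--w- c:\programdata\a38f00",
    r"2012-01-18 01:47 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe",
]
# Assumed window: Wednesday 2012-02-08 evening through the next morning.
INFECTION_WINDOW = (datetime(2012, 2, 8, 18, 0), datetime(2012, 2, 9, 12, 0))


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class Finding:
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for section headers, dots and noise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    stamp = "%Y-%m-%d %H:%M"
    return Entry(
        datetime.strptime(m["created"], stamp),
        datetime.strptime(m["modified"], stamp),
        size, m["attrs"], m["path"],
    )


def triage(lines, window: Optional[Tuple[datetime, datetime]] = None) -> List[Finding]:
    """Return entries that look like dropper staging; the window only adds context."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        lowered = entry.path.lower()
        if entry.is_dir and entry.hidden_system and any(s in lowered for s in STAGING_DIRS):
            reasons.append("hidden+system directory under a user-writable location")
        if HEX_NAME.match(entry.name) or CAPS_NAME.match(entry.name):
            reasons.append("random-looking name")
        if reasons:
            if window and window[0] <= entry.created <= window[1]:
                reasons.append("created inside the reported infection window")
            findings.append(Finding(entry.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES, INFECTION_WINDOW):
        print(f.path, "->", "; ".join(f.reasons))
```

Run against the full log, the same heuristics would also surface the "a38f00"-style folders that the earlier scans quarantined, which is the point of keeping the rule rather than the indicator.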

#11 JustMyAlias

  • Topic Starter
  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL

Posted 14 February 2012 - 02:19 PM

possibly related...
though thinking it's more likely a Zone Alarm, AdAware, SpyBot issue -
but iTunes will no longer recognize any devices when plugged in
(the computer itself does recognize them, the software does not).
I re-installed iTunes - no luck.
I will try to uninstall ZoneAlarm next, and try again...
(though ZoneAlarm does work to ensure compatibility with iTunes - so not sure this will be an easy resolution...).
I have one unhappy child though and will need to tackle this next. Not sure if you can recommend a good forum for these types of issues...

updating 4:00 pm EST
apparently it WAS ZoneAlarm (bracing myself for the "I told you so" from my son...)
so...
maybe it would be easier to try a different firewall - if you might have a recommendation for that...

Edited by JustMyAlias, 14 February 2012 - 04:03 PM.


#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 February 2012 - 05:30 PM

Hello

Most people now have a router in their home, and if you do then Windows Firewall should be fine.

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a lot better of a job)

Programs to remove

Ad-Aware Security Toolbar
Adobe Reader 8.3.1
Java™ 6 Update 27
ZoneAlarm Security Toolbar
ZoneAlarm Toolbar


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 JustMyAlias

  • Topic Starter
  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL

Posted 15 February 2012 - 09:36 PM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.16.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Austen :: AUSTEN-PC [administrator]

2/15/2012 9:21:52 PM
mbam-log-2012-02-15 (21-21-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193747
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 JustMyAlias

  • Topic Starter
  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL

Posted 15 February 2012 - 09:51 PM

HiJack This did not have an option to run as Admin for Vista - weird.
Then I got an error -
"For some reason your system denied write access to the host file......
then tells me to right click and run as Admin for Vista - but I can't...
also does not write to Notepad.

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 February 2012 - 09:53 PM

This is not from the desktop icon


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Edited by gringo_pr, 15 February 2012 - 09:54 PM.
