
Virus.32.Zaccess among other things?


  • This topic is locked
34 replies to this topic

#1 Balkon

  • Members
  • 19 posts

Posted 11 February 2012 - 01:36 AM

I've done quite a few things before ultimately giving up and asking for help, as I'm still a newbie. The computer was plagued with functionality issues such as DHCP not working and all the system restore points being corrupted; there was also a black desktop with only a mouse cursor upon each normal boot. Virus scans didn't yield any infections, and restoring the computer to factory defaults has proven impossible. TDSSKiller found virus.32.Zaccess but it can't remove it, as it always pops up, and the ability to set up a firewall has been disabled by the virus. Any help you can give me will be greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by Renecito at 23:51:12 on 2012-02-10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1771 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Users\Renecito\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\libusbd-nt.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Renecito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Renecito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Renecito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Renecito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Steam\Steam.exe
C:\Users\Renecito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Renecito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.dell.com
mDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [<NO NAME>]
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
dRun: [Steam] "c:\program files\steam\steam.exe" -silent
dRun: [Google Update] "c:\users\renecito\appdata\local\google\update\GoogleUpdate.exe" /c
dRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
dRun: [DS3 Tool] c:\program files\motioninjoy\ds3\DS3_Tool.exe -mini
dRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [Akamai NetSession Interface] "c:\users\renecito\appdata\local\akamai\netsession_win.exe"
StartupFolder: c:\users\renecito\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\renecito\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\renecito\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.254.254
TCP: Interfaces\{EA39B9B6-117E-49A6-8237-B4946E3D8418} : NameServer = 192.168.254.254
TCP: Interfaces\{EA39B9B6-117E-49A6-8237-B4946E3D8418} : DhcpNameServer = 192.168.254.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\renecito\appdata\roaming\mozilla\firefox\profiles\xsqb8vub.blogging\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\users\renecito\appdata\roaming\mozilla\firefox\profiles\xsqb8vub.blogging\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\imtcp_xpcom.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\renecito\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\users\renecito\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\cyberlink\powerdvd dx\000.fcl [2008-7-24 39408]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-11-9 8913920]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-11-9 263680]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-12-17 33792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 atidgllk;atidgllk;c:\users\renecito\downloads\ati_winflash_2.0.1.14\atidgllk.sys [2011-12-7 12048]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2011-10-17 82960]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2010-12-1 81168]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
S4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-9 176128]
S4 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S4 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\common files\futuremark shared\futuremark systeminfo\FMSISvc.exe [2011-2-16 129440]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-30 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-30 136176]
S4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-2 1373576]
S4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\hi-rez studios\HiPatchService.exe [2011-12-7 14216]
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S4 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
.
=============== Created Last 30 ================
.
2012-02-09 06:21:16 -------- d-----w- c:\users\renecito\appdata\roaming\SUPERAntiSpyware.com
2012-02-09 06:20:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-09 06:20:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-08 03:17:17 -------- d-----w- c:\program files\Symantec
2012-02-08 01:00:10 -------- d-s---w- C:\ComboFix
2012-02-08 00:00:16 98816 ----a-w- c:\windows\sed.exe
2012-02-08 00:00:16 518144 ----a-w- c:\windows\SWREG.exe
2012-02-08 00:00:16 256000 ----a-w- c:\windows\PEV.exe
2012-02-08 00:00:16 208896 ----a-w- c:\windows\MBR.exe
2012-02-07 23:39:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-06 17:19:55 26176 ---ha-w- c:\windows\system32\hamachi.sys
2012-02-06 17:19:41 -------- d-----w- c:\program files\LogMeIn Hamachi
2012-02-05 20:59:15 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-02 09:47:08 -------- d-----w- c:\users\renecito\appdata\roaming\ZOO Digital Publishing
2012-01-30 22:31:37 -------- d-----w- c:\users\renecito\appdata\roaming\Hi-Rez Studios
2012-01-30 22:27:31 -------- d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2012-01-29 03:37:16 -------- d-----w- c:\users\renecito\appdata\roaming\runic games
2012-01-27 22:31:49 49152 ----a-r- c:\users\renecito\appdata\roaming\microsoft\installer\{46b69f5f-e77d-49de-9729-0f562564a15e}\NewShortcut1_46B69F5FE77D49DE97290F562564A15E_1.exe
2012-01-26 22:34:13 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2012-01-26 22:28:52 255496 ----a-w- c:\windows\system32\MijFrc.dll
2012-01-25 20:21:02 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2012-01-25 20:20:56 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-25 20:20:49 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 20:20:49 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 20:20:49 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 20:20:48 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-25 20:20:48 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 20:20:48 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-13 03:39:24 -------- d-----w- c:\users\renecito\appdata\roaming\NationRed
2012-01-12 18:35:23 -------- d-----w- c:\program files\Fortune Summoners Demo
2012-01-12 16:26:25 -------- d-----w- c:\programdata\Steam
2012-01-12 16:26:08 -------- d-----w- c:\programdata\PopCap Games
.
==================== Find3M ====================
.
2012-02-10 23:43:48 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 03:24:48 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-08 02:25:33 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2012-02-07 23:40:19 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-12-18 22:15:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-16 09:40:45 41984 ----a-w- c:\windows\system32\~WebUpdateHelper.exe
2011-12-15 03:38:48 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-15 03:38:48 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
.
============= FINISH: 23:52:13.07 ===============



#2 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 February 2012 - 10:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Did you set this proxy?
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421

You may also ask your Internet Provider if you need it.

If not required remove it.

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:9421 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option. Or no proxy if you do not need it.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


p.s.
If ComboFix hangs for more than one hour stop the process using the Task Manager.

Run the ComboFix again and post the log if you can.
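The proxy check above is done by hand in the Internet Options dialog. The script below is an added example, not part of nasdaq's post or the thread, that reads the same per-user WinINET values from the registry and, with a -Reset switch defined here, puts them back to "no proxy, automatically detect settings". One point worth knowing when reading the DDS line: ProxyServer holds the proxy itself, while ProxyOverride is the bypass (exceptions) list, so "*.local;127.0.0.1:9421" means 127.0.0.1:9421 is on the bypass list, which only matters if a proxy is also enabled. The byte layout of the DefaultConnectionSettings blob (flags at offset 8) is undocumented and is an assumption of this script.

```powershell
# Added example, not from the thread: audit the per-user WinINET proxy
# settings that the "LAN settings" dialog in Internet Options edits, and
# optionally reset them to "no proxy, automatically detect settings".
# Assumptions: the registry locations are the documented WinINET ones;
# -Reset is a switch defined here; the DefaultConnectionSettings byte
# layout (flags at offset 8) is undocumented but widely relied on.
param([switch]$Reset)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p   = Get-ItemProperty -Path $key

# ProxyServer is the proxy itself; ProxyOverride is the bypass ("Do not use
# proxy server for addresses beginning with") list; AutoConfigURL is a PAC
# script, another common hijack point.
foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
    '{0,-14} {1}' -f $name, $p.$name
}

# Anything on the loopback adapter means traffic is being routed through a
# local process; find out which process before deciding it is legitimate.
$loopback = @($p.ProxyServer, $p.ProxyOverride, $p.AutoConfigURL) |
    Where-Object { $_ -match '127\.0\.0\.1|localhost' }
if ($loopback) { Write-Warning "Loopback reference: $($loopback -join ' | ')" }

if ($Reset) {
    # Same effect as unchecking "Use a proxy server" and clearing the
    # exception list and any automatic configuration script.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }

    # "Automatically detect settings" is stored in a binary blob, not a DWORD.
    $conn = Join-Path $key 'Connections'
    $blob = (Get-ItemProperty -Path $conn -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -gt 8) {
        $blob[8] = 0x09                                  # 0x01 direct + 0x08 auto-detect (assumed layout)
        $blob[4] = [byte](($blob[4] + 1) -band 0xFF)     # bump the change counter so IE reloads it
        Set-ItemProperty -Path $conn -Name DefaultConnectionSettings -Value $blob -Type Binary
    }
    'Proxy settings reset; restart Internet Explorer (Chrome uses the same settings).'
}
```

Run it once without -Reset to see what is set, and only then with -Reset. Firefox keeps its own proxy configuration in its profile, so the Firefox step in the post still has to be done in its Options dialog.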

#3 Balkon

  • Topic Starter
  • Members
  • 19 posts

Posted 14 February 2012 - 05:00 PM

Hey, thanks for the help. I tried starting combofix but it takes well over 20 minutes until I eventually receive a "Freeware implementation of XCACLS has stopped working" message. I close it, but should I leave the autoscan window open or is this not going to work for me?

Edit: I was able to get it working with safe mode but it left no log at c:\. Curiously, I found a combofix file there, but what it did was redirect me to the C and D drive on the "my computer" screen. It did notify me that there was indeed rootkit activity detected and told me to write down what it found...this is what it gave me:

c:\windows\system32\config\systemprofile\appdata\roaming\ntos.exe
c:\windows\system32\config\systemprofile\appdata\roaming\oembios.exe
c:\windows\system32\config\systemprofile\appdata\roaming\twext.exe
c:\windows\system32\config\systemprofile\appdata\roaming\twex.exe
c:\windows\system32\config\systemprofile\appdata\roaming\sdra64.exe
c:\windows\system32\config\systemprofile\appdata\roaming\intel64.exe
c:\windows\system32\config\systemprofile\appdata\roaming\wsnpoema.exe
c:\windows\system32\config\systemprofile\appdata\roaming\swin32.exe
c:\windows\system32\config\systemprofile\appdata\roaming\localsys64.exe
c:\windows\system32\config\systemprofile\appdata\roaming\64dlls.exe
c:\windows\system32\config\systemprofile\appdata\roaming\sdra73.exe
c:\windows\system32\config\systemprofile\appdata\roaming\kernel32.exe

Edited by Balkon, 14 February 2012 - 09:04 PM.
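Since ComboFix only displayed these paths and left no log, the script below is an added example, not part of the thread, that records what is actually on disk for each reported path (presence, attributes, timestamps, SHA256) without deleting or renaming anything. It embeds the list posted above and must run from an elevated PowerShell prompt because the folder lives under the SYSTEM account's profile. It assumes a plain file listing is meaningful on this machine; a kernel-mode rootkit can hide files from user-mode enumeration, so a file reported absent here does not contradict the scanner, and a listing taken from a clean boot medium is the reliable check.

```powershell
# Added example, not from the thread: record what is actually on disk for each
# path the rootkit scan reported, without deleting or renaming anything.
# The list is the one posted above. Run as Administrator: the folder sits
# under the SYSTEM account's profile, not the logged-in user's.
# Assumption: user-mode enumeration is trustworthy. A kernel-mode rootkit can
# hide files from it, so "Present = False" does not contradict the scanner.

$reported = @'
c:\windows\system32\config\systemprofile\appdata\roaming\ntos.exe
c:\windows\system32\config\systemprofile\appdata\roaming\oembios.exe
c:\windows\system32\config\systemprofile\appdata\roaming\twext.exe
c:\windows\system32\config\systemprofile\appdata\roaming\twex.exe
c:\windows\system32\config\systemprofile\appdata\roaming\sdra64.exe
c:\windows\system32\config\systemprofile\appdata\roaming\intel64.exe
c:\windows\system32\config\systemprofile\appdata\roaming\wsnpoema.exe
c:\windows\system32\config\systemprofile\appdata\roaming\swin32.exe
c:\windows\system32\config\systemprofile\appdata\roaming\localsys64.exe
c:\windows\system32\config\systemprofile\appdata\roaming\64dlls.exe
c:\windows\system32\config\systemprofile\appdata\roaming\sdra73.exe
c:\windows\system32\config\systemprofile\appdata\roaming\kernel32.exe
'@ -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Use .NET directly so this also runs on the PowerShell 2.0 that ships with
# Vista (Get-FileHash only arrived in PowerShell 4.0).
$sha256 = [System.Security.Cryptography.SHA256]::Create()

$evidence = foreach ($path in $reported) {
    # -Force is needed to see files flagged hidden/system, which droppers usually set.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        New-Object PSObject -Property @{ Path = $path; Present = $false }
        continue
    }
    $stream = $item.OpenRead()
    try     { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    New-Object PSObject -Property @{
        Path        = $path
        Present     = $true
        Size        = $item.Length
        Attributes  = $item.Attributes
        CreatedUtc  = $item.CreationTimeUtc
        ModifiedUtc = $item.LastWriteTimeUtc
        SHA256      = $hash
    }
}

# Keep a copy next to the scanner logs the helper asks for, and show it.
$evidence | Format-List | Out-String | Set-Content -Path "$env:USERPROFILE\Desktop\reported-files.txt"
$evidence | Format-List
```

The hashes and timestamps are what a helper can act on (compare against a known-clean system, look the hash up, check whether the creation time lines up with when the symptoms began), whereas a filename alone can be reused by unrelated software.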


#4 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 February 2012 - 09:13 AM

Please run these tools for now.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

#5 Balkon

  • Topic Starter
  • Members
  • 19 posts

Posted 15 February 2012 - 06:31 PM

Hey, thanks for replying. Here's the TDSSKiller log; it's that same virus. It says it cleans it out, but it always pops back up on the next reboot. Here's the latest report on it.


15:58:34.0027 5640 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
15:58:34.0486 5640 ============================================================
15:58:34.0487 5640 Current date / time: 2012/02/15 15:58:34.0486
15:58:34.0487 5640 SystemInfo:
15:58:34.0487 5640
15:58:34.0487 5640 OS Version: 6.0.6002 ServicePack: 2.0
15:58:34.0487 5640 Product type: Workstation
15:58:34.0487 5640 ComputerName: RENE-PC
15:58:34.0487 5640 UserName: Renecito
15:58:34.0487 5640 Windows directory: C:\Windows
15:58:34.0487 5640 System windows directory: C:\Windows
15:58:34.0487 5640 Processor architecture: Intel x86
15:58:34.0487 5640 Number of processors: 2
15:58:34.0487 5640 Page size: 0x1000
15:58:34.0487 5640 Boot type: Normal boot
15:58:34.0487 5640 ============================================================
15:58:35.0932 5640 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:58:35.0971 5640 \Device\Harddisk0\DR0:
15:58:35.0971 5640 MBR used
15:58:35.0971 5640 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1F800, BlocksNum 0x1400000
15:58:35.0971 5640 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x141F800, BlocksNum 0x49438000
15:58:36.0277 5640 Initialize success
15:58:36.0277 5640 ============================================================
15:58:56.0911 6004 ============================================================
15:58:56.0911 6004 Scan started
15:58:56.0911 6004 Mode: Manual;
15:58:56.0911 6004 ============================================================
15:58:57.0824 6004 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
15:58:57.0834 6004 ACPI - ok
15:58:57.0868 6004 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
15:58:57.0875 6004 adp94xx - ok
15:58:57.0898 6004 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
15:58:57.0904 6004 adpahci - ok
15:58:57.0923 6004 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
15:58:57.0925 6004 adpu160m - ok
15:58:57.0947 6004 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
15:58:57.0950 6004 adpu320 - ok
15:58:58.0051 6004 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
15:58:58.0055 6004 AFD - ok
15:58:58.0080 6004 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
15:58:58.0081 6004 agp440 - ok
15:58:58.0103 6004 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
15:58:58.0105 6004 aic78xx - ok
15:58:58.0125 6004 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
15:58:58.0126 6004 aliide - ok
15:58:58.0143 6004 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
15:58:58.0145 6004 amdagp - ok
15:58:58.0157 6004 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
15:58:58.0158 6004 amdide - ok
15:58:58.0177 6004 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
15:58:58.0178 6004 AmdK7 - ok
15:58:58.0197 6004 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
15:58:58.0199 6004 AmdK8 - ok
15:58:58.0861 6004 amdkmdag (ab70f110143892eb41aa46500aa5cf00) C:\Windows\system32\DRIVERS\atikmdag.sys
15:58:58.0999 6004 amdkmdag - ok
15:58:59.0189 6004 amdkmdap (32d68d05b871eed5572d0c2c764ea4ec) C:\Windows\system32\DRIVERS\atikmpag.sys
15:58:59.0191 6004 amdkmdap - ok
15:58:59.0388 6004 AmdLLD (ad8fa28d8ed0d0a689a0559085ce0f18) C:\Windows\system32\DRIVERS\AmdLLD.sys
15:58:59.0389 6004 AmdLLD - ok
15:58:59.0452 6004 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
15:58:59.0454 6004 arc - ok
15:58:59.0468 6004 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
15:58:59.0470 6004 arcsas - ok
15:58:59.0493 6004 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
15:58:59.0495 6004 AsyncMac - ok
15:58:59.0518 6004 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
15:58:59.0519 6004 atapi - ok
15:58:59.0713 6004 atidgllk (adf7ef046725442ba32c4aef12646fd0) C:\Users\Renecito\Downloads\ati_winflash_2.0.1.14\atidgllk.sys
15:58:59.0728 6004 atidgllk - ok
15:58:59.0758 6004 AtiHDAudioService (c8f5273b12cfa5c0888263e34140cb8a) C:\Windows\system32\drivers\AtihdLH3.sys
15:58:59.0760 6004 AtiHDAudioService - ok
15:58:59.0767 6004 AtiHdmiService - ok
15:58:59.0795 6004 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
15:58:59.0796 6004 Beep - ok
15:58:59.0818 6004 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
15:58:59.0819 6004 blbdrive - ok
15:58:59.0873 6004 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
15:58:59.0874 6004 bowser - ok
15:58:59.0904 6004 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
15:58:59.0905 6004 BrFiltLo - ok
15:58:59.0924 6004 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
15:58:59.0925 6004 BrFiltUp - ok
15:58:59.0943 6004 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
15:58:59.0945 6004 Brserid - ok
15:58:59.0959 6004 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
15:58:59.0960 6004 BrSerWdm - ok
15:58:59.0988 6004 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
15:58:59.0989 6004 BrUsbMdm - ok
15:59:00.0006 6004 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
15:59:00.0007 6004 BrUsbSer - ok
15:59:00.0027 6004 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
15:59:00.0028 6004 BTHMODEM - ok
15:59:00.0100 6004 catchme - ok
15:59:00.0116 6004 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
15:59:00.0118 6004 cdfs - ok
15:59:00.0125 6004 cdrom - ok
15:59:00.0148 6004 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
15:59:00.0149 6004 circlass - ok
15:59:00.0220 6004 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
15:59:00.0224 6004 CLFS - ok
15:59:00.0248 6004 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
15:59:00.0250 6004 cmdide - ok
15:59:00.0270 6004 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
15:59:00.0271 6004 Compbatt - ok
15:59:00.0296 6004 cpuz135 - ok
15:59:00.0310 6004 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
15:59:00.0311 6004 crcdisk - ok
15:59:00.0333 6004 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
15:59:00.0334 6004 Crusoe - ok
15:59:00.0363 6004 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
15:59:00.0364 6004 disk - ok
15:59:00.0405 6004 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
15:59:00.0406 6004 drmkaud - ok
15:59:00.0438 6004 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
15:59:00.0443 6004 DXGKrnl - ok
15:59:00.0462 6004 e1express (04944f4fc4f0477185f5d26ae0ddb90e) C:\Windows\system32\DRIVERS\e1e6032.sys
15:59:00.0464 6004 e1express - ok
15:59:00.0484 6004 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
15:59:00.0486 6004 E1G60 - ok
15:59:00.0493 6004 EagleNT - ok
15:59:00.0519 6004 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
15:59:00.0521 6004 Ecache - ok
15:59:00.0554 6004 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
15:59:00.0559 6004 elxstor - ok
15:59:00.0581 6004 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
15:59:00.0582 6004 ErrDev - ok
15:59:00.0613 6004 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
15:59:00.0616 6004 exfat - ok
15:59:00.0635 6004 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
15:59:00.0638 6004 fastfat - ok
15:59:00.0653 6004 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
15:59:00.0654 6004 fdc - ok
15:59:00.0708 6004 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
15:59:00.0709 6004 FileInfo - ok
15:59:00.0728 6004 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
15:59:00.0729 6004 Filetrace - ok
15:59:00.0750 6004 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
15:59:00.0751 6004 flpydisk - ok
15:59:00.0761 6004 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
15:59:00.0764 6004 FltMgr - ok
15:59:00.0790 6004 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
15:59:00.0791 6004 Fs_Rec - ok
15:59:00.0810 6004 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
15:59:00.0811 6004 gagp30kx - ok
15:59:00.0830 6004 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
15:59:00.0831 6004 GEARAspiWDM - ok
15:59:00.0852 6004 giveio (77ebf3e9386daa51551af429052d88d0) C:\Windows\system32\giveio.sys
15:59:00.0853 6004 giveio - ok
15:59:00.0913 6004 hamachi (833051c6c6c42117191935f734cfbd97) C:\Windows\system32\DRIVERS\hamachi.sys
15:59:00.0931 6004 hamachi - ok
15:59:00.0990 6004 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
15:59:00.0993 6004 HdAudAddService - ok
15:59:01.0027 6004 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
15:59:01.0044 6004 HDAudBus - ok
15:59:01.0057 6004 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
15:59:01.0058 6004 HidBth - ok
15:59:01.0078 6004 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
15:59:01.0079 6004 HidIr - ok
15:59:01.0095 6004 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
15:59:01.0096 6004 HidUsb - ok
15:59:01.0131 6004 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
15:59:01.0133 6004 HpCISSs - ok
15:59:01.0164 6004 HSF_DPV (53229dcf431d76434816cd29251168a0) C:\Windows\system32\DRIVERS\HSX_DPV.sys
15:59:01.0180 6004 HSF_DPV - ok
15:59:01.0189 6004 HSXHWBS2 (ed98350ecd4a5a9c9f1e641c09872bb2) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
15:59:01.0193 6004 HSXHWBS2 - ok
15:59:01.0222 6004 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
15:59:01.0227 6004 HTTP - ok
15:59:01.0245 6004 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
15:59:01.0246 6004 i2omp - ok
15:59:01.0266 6004 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
15:59:01.0268 6004 i8042prt - ok
15:59:01.0308 6004 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\Windows\system32\drivers\iastor.sys
15:59:01.0312 6004 iaStor - ok
15:59:01.0348 6004 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
15:59:01.0351 6004 iaStorV - ok
15:59:01.0412 6004 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
15:59:01.0413 6004 iirsp - ok
15:59:01.0505 6004 IntcAzAudAddService (f8f53c5449f15b23d4c61d51d2701da8) C:\Windows\system32\drivers\RTKVHDA.sys
15:59:01.0520 6004 IntcAzAudAddService - ok
15:59:01.0560 6004 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\DRIVERS\intelide.sys
15:59:01.0578 6004 intelide - ok
15:59:01.0603 6004 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
15:59:01.0604 6004 intelppm - ok
15:59:01.0672 6004 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
15:59:01.0673 6004 IpFilterDriver - ok
15:59:01.0705 6004 IpInIp - ok
15:59:01.0733 6004 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
15:59:01.0735 6004 IPMIDRV - ok
15:59:01.0756 6004 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
15:59:01.0759 6004 IPNAT - ok
15:59:01.0788 6004 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
15:59:01.0788 6004 IRENUM - ok
15:59:01.0814 6004 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
15:59:01.0815 6004 isapnp - ok
15:59:01.0845 6004 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
15:59:01.0847 6004 iScsiPrt - ok
15:59:01.0862 6004 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
15:59:01.0876 6004 iteatapi - ok
15:59:01.0898 6004 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
15:59:01.0899 6004 iteraid - ok
15:59:01.0917 6004 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
15:59:01.0918 6004 kbdclass - ok
15:59:01.0953 6004 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
15:59:01.0954 6004 kbdhid - ok
15:59:02.0090 6004 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
15:59:02.0104 6004 KSecDD - ok
15:59:02.0140 6004 LGBusEnum (170e7093a77ad586f3a012a3db651d94) C:\Windows\system32\drivers\LGBusEnum.sys
15:59:02.0140 6004 LGBusEnum - ok
15:59:02.0195 6004 LGVirHid (d2dd04d1c8df65eecd1f2c7fb947d43e) C:\Windows\system32\drivers\LGVirHid.sys
15:59:02.0196 6004 LGVirHid - ok
15:59:02.0249 6004 libusb0 (e2f1dcf4a68cc6cf694fbfba1842f4cd) C:\Windows\system32\drivers\libusb0.sys
15:59:02.0257 6004 libusb0 - ok
15:59:02.0276 6004 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
15:59:02.0278 6004 lltdio - ok
15:59:02.0340 6004 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
15:59:02.0352 6004 LSI_FC - ok
15:59:02.0365 6004 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
15:59:02.0367 6004 LSI_SAS - ok
15:59:02.0390 6004 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
15:59:02.0392 6004 LSI_SCSI - ok
15:59:02.0414 6004 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
15:59:02.0416 6004 luafv - ok
15:59:02.0442 6004 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\Windows\system32\DRIVERS\mcdbus.sys
15:59:02.0444 6004 mcdbus - ok
15:59:02.0477 6004 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
15:59:02.0477 6004 mdmxsdk - ok
15:59:02.0494 6004 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
15:59:02.0495 6004 megasas - ok
15:59:02.0518 6004 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
15:59:02.0523 6004 MegaSR - ok
15:59:02.0541 6004 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
15:59:02.0541 6004 Modem - ok
15:59:02.0570 6004 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
15:59:02.0571 6004 monitor - ok
15:59:02.0603 6004 MotioninJoyXFilter (61448ba3cca3063541437694a5527af2) C:\Windows\system32\DRIVERS\MijXfilt.sys
15:59:02.0623 6004 MotioninJoyXFilter - ok
15:59:02.0643 6004 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
15:59:02.0643 6004 mouclass - ok
15:59:02.0660 6004 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
15:59:02.0661 6004 mouhid - ok
15:59:02.0671 6004 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
15:59:02.0672 6004 MountMgr - ok
15:59:02.0696 6004 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
15:59:02.0698 6004 mpio - ok
15:59:02.0717 6004 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
15:59:02.0718 6004 mpsdrv - ok
15:59:02.0739 6004 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
15:59:02.0740 6004 Mraid35x - ok
15:59:02.0795 6004 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
15:59:02.0797 6004 MREMP50 - ok
15:59:02.0800 6004 MREMP50a64 - ok
15:59:02.0809 6004 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
15:59:02.0810 6004 MRESP50 - ok
15:59:02.0812 6004 MRESP50a64 - ok
15:59:02.0839 6004 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
15:59:02.0841 6004 MRxDAV - ok
15:59:02.0873 6004 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
15:59:02.0875 6004 mrxsmb - ok
15:59:02.0950 6004 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
15:59:02.0953 6004 mrxsmb10 - ok
15:59:02.0963 6004 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
15:59:02.0965 6004 mrxsmb20 - ok
15:59:02.0982 6004 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
15:59:02.0983 6004 msahci - ok
15:59:03.0004 6004 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
15:59:03.0006 6004 msdsm - ok
15:59:03.0022 6004 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
15:59:03.0023 6004 Msfs - ok
15:59:03.0032 6004 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
15:59:03.0033 6004 msisadrv - ok
15:59:03.0059 6004 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
15:59:03.0060 6004 MSKSSRV - ok
15:59:03.0074 6004 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
15:59:03.0075 6004 MSPCLOCK - ok
15:59:03.0086 6004 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
15:59:03.0087 6004 MSPQM - ok
15:59:03.0109 6004 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
15:59:03.0112 6004 MsRPC - ok
15:59:03.0159 6004 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
15:59:03.0160 6004 mssmbios - ok
15:59:03.0189 6004 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
15:59:03.0190 6004 MSTEE - ok
15:59:03.0198 6004 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
15:59:03.0199 6004 Mup - ok
15:59:03.0272 6004 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
15:59:03.0286 6004 NativeWifiP - ok
15:59:03.0319 6004 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
15:59:03.0326 6004 NDIS - ok
15:59:03.0335 6004 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
15:59:03.0336 6004 NdisTapi - ok
15:59:03.0356 6004 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
15:59:03.0357 6004 Ndisuio - ok
15:59:03.0385 6004 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
15:59:03.0388 6004 NdisWan - ok
15:59:03.0397 6004 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
15:59:03.0399 6004 NDProxy - ok
15:59:03.0448 6004 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
15:59:03.0449 6004 NetBIOS - ok
15:59:03.0457 6004 netbt - ok
15:59:03.0496 6004 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
15:59:03.0498 6004 nfrd960 - ok
15:59:03.0527 6004 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
15:59:03.0528 6004 Npfs - ok
15:59:03.0541 6004 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
15:59:03.0542 6004 nsiproxy - ok
15:59:03.0592 6004 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
15:59:03.0617 6004 Ntfs - ok
15:59:03.0634 6004 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
15:59:03.0635 6004 ntrigdigi - ok
15:59:03.0666 6004 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
15:59:03.0667 6004 Null - ok
15:59:03.0676 6004 NwlnkFlt - ok
15:59:03.0687 6004 NwlnkFwd - ok
15:59:03.0717 6004 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
15:59:03.0719 6004 ohci1394 - ok
15:59:03.0746 6004 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
15:59:03.0748 6004 Parport - ok
15:59:03.0769 6004 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
15:59:03.0770 6004 partmgr - ok
15:59:03.0792 6004 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
15:59:03.0794 6004 Parvdm - ok
15:59:03.0822 6004 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
15:59:03.0824 6004 pci - ok
15:59:03.0834 6004 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
15:59:03.0835 6004 pciide - ok
15:59:03.0854 6004 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
15:59:03.0857 6004 pcmcia - ok
15:59:03.0892 6004 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
15:59:03.0909 6004 PEAUTH - ok
15:59:03.0996 6004 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
15:59:04.0006 6004 PptpMiniport - ok
15:59:04.0023 6004 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
15:59:04.0025 6004 Processor - ok
15:59:04.0056 6004 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
15:59:04.0068 6004 PSched - ok
15:59:04.0121 6004 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\Windows\system32\Drivers\PxHelp20.sys
15:59:04.0122 6004 PxHelp20 - ok
15:59:04.0161 6004 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
15:59:04.0186 6004 ql2300 - ok
15:59:04.0204 6004 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
15:59:04.0206 6004 ql40xx - ok
15:59:04.0229 6004 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
15:59:04.0231 6004 QWAVEdrv - ok
15:59:04.0845 6004 R300 (ab70f110143892eb41aa46500aa5cf00) C:\Windows\system32\DRIVERS\atikmdag.sys
15:59:04.0908 6004 R300 - ok
15:59:05.0072 6004 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
15:59:05.0086 6004 RasAcd - ok
15:59:05.0117 6004 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
15:59:05.0119 6004 Rasl2tp - ok
15:59:05.0145 6004 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
15:59:05.0146 6004 RasPppoe - ok
15:59:05.0174 6004 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
15:59:05.0175 6004 RasSstp - ok
15:59:05.0236 6004 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
15:59:05.0240 6004 rdbss - ok
15:59:05.0288 6004 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
15:59:05.0289 6004 RDPCDD - ok
15:59:05.0318 6004 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
15:59:05.0322 6004 rdpdr - ok
15:59:05.0330 6004 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
15:59:05.0331 6004 RDPENCDD - ok
15:59:05.0364 6004 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
15:59:05.0367 6004 RDPWD - ok
15:59:05.0399 6004 RimUsb - ok
15:59:05.0443 6004 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
15:59:05.0444 6004 RimVSerPort - ok
15:59:05.0463 6004 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
15:59:05.0465 6004 ROOTMODEM - ok
15:59:05.0492 6004 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
15:59:05.0493 6004 rspndr - ok
15:59:05.0547 6004 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
15:59:05.0557 6004 sbp2port - ok
15:59:05.0580 6004 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
15:59:05.0581 6004 secdrv - ok
15:59:05.0610 6004 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
15:59:05.0611 6004 Serenum - ok
15:59:05.0639 6004 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
15:59:05.0641 6004 Serial - ok
15:59:05.0663 6004 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
15:59:05.0664 6004 sermouse - ok
15:59:05.0693 6004 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
15:59:05.0693 6004 sffdisk - ok
15:59:05.0711 6004 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
15:59:05.0712 6004 sffp_mmc - ok
15:59:05.0728 6004 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
15:59:05.0730 6004 sffp_sd - ok
15:59:05.0739 6004 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
15:59:05.0740 6004 sfloppy - ok
15:59:05.0767 6004 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
15:59:05.0768 6004 sisagp - ok
15:59:05.0790 6004 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
15:59:05.0791 6004 SiSRaid2 - ok
15:59:05.0813 6004 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
15:59:05.0815 6004 SiSRaid4 - ok
15:59:05.0849 6004 Smb (ed23daaaccaf6f7efcfaf0cc155873e8) C:\Windows\system32\DRIVERS\smb.sys
15:59:05.0850 6004 Suspicious file (Forged): C:\Windows\system32\DRIVERS\smb.sys. Real md5: ed23daaaccaf6f7efcfaf0cc155873e8, Fake md5: 7b75299a4d201d6a6533603d6914ab04
15:59:05.0850 6004 Smb ( Virus.Win32.ZAccess.c ) - infected
15:59:05.0850 6004 Smb - detected Virus.Win32.ZAccess.c (0)
15:59:05.0885 6004 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\Windows\system32\speedfan.sys
15:59:05.0887 6004 speedfan - ok
15:59:05.0900 6004 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
15:59:05.0901 6004 spldr - ok
15:59:05.0973 6004 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
15:59:05.0978 6004 srv - ok
15:59:06.0007 6004 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
15:59:06.0010 6004 srv2 - ok
15:59:06.0026 6004 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
15:59:06.0028 6004 srvnet - ok
15:59:06.0087 6004 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
15:59:06.0087 6004 swenum - ok
15:59:06.0108 6004 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
15:59:06.0109 6004 Symc8xx - ok
15:59:06.0129 6004 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
15:59:06.0130 6004 Sym_hi - ok
15:59:06.0148 6004 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
15:59:06.0150 6004 Sym_u3 - ok
15:59:06.0201 6004 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
15:59:06.0208 6004 Tcpip - ok
15:59:06.0234 6004 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
15:59:06.0241 6004 Tcpip6 - ok
15:59:06.0274 6004 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
15:59:06.0276 6004 tcpipreg - ok
15:59:06.0296 6004 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
15:59:06.0297 6004 TDPIPE - ok
15:59:06.0313 6004 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
15:59:06.0314 6004 TDTCP - ok
15:59:06.0322 6004 tdx - ok
15:59:06.0349 6004 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
15:59:06.0350 6004 TermDD - ok
15:59:06.0414 6004 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
15:59:06.0415 6004 tssecsrv - ok
15:59:06.0427 6004 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
15:59:06.0428 6004 tunmp - ok
15:59:06.0446 6004 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
15:59:06.0448 6004 tunnel - ok
15:59:06.0465 6004 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
15:59:06.0467 6004 uagp35 - ok
15:59:06.0523 6004 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
15:59:06.0527 6004 udfs - ok
15:59:06.0556 6004 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
15:59:06.0558 6004 uliagpkx - ok
15:59:06.0577 6004 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
15:59:06.0581 6004 uliahci - ok
15:59:06.0601 6004 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
15:59:06.0604 6004 UlSata - ok
15:59:06.0663 6004 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
15:59:06.0674 6004 ulsata2 - ok
15:59:06.0690 6004 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
15:59:06.0691 6004 umbus - ok
15:59:06.0709 6004 UMPass (88bd96a1baeed33ee8bdf9499c07a841) C:\Windows\system32\DRIVERS\umpass.sys
15:59:06.0710 6004 UMPass - ok
15:59:06.0743 6004 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
15:59:06.0745 6004 usbaudio - ok
15:59:06.0764 6004 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
15:59:06.0766 6004 usbccgp - ok
15:59:06.0798 6004 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
15:59:06.0802 6004 usbcir - ok
15:59:06.0825 6004 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
15:59:06.0844 6004 usbehci - ok
15:59:07.0024 6004 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
15:59:07.0027 6004 usbhub - ok
15:59:07.0042 6004 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
15:59:07.0043 6004 usbohci - ok
15:59:07.0067 6004 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
15:59:07.0069 6004 usbprint - ok
15:59:07.0088 6004 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
15:59:07.0090 6004 usbscan - ok
15:59:07.0106 6004 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
15:59:07.0108 6004 USBSTOR - ok
15:59:07.0123 6004 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
15:59:07.0124 6004 usbuhci - ok
15:59:07.0154 6004 usb_rndisx (35c9095fa7076466afbfc5b9ec4b779e) C:\Windows\system32\DRIVERS\usb8023x.sys
15:59:07.0155 6004 usb_rndisx - ok
15:59:07.0188 6004 VClone (1cdaa48cb2f7744b8d25650e050766a5) C:\Windows\system32\DRIVERS\VClone.sys
15:59:07.0190 6004 VClone - ok
15:59:07.0209 6004 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
15:59:07.0211 6004 vga - ok
15:59:07.0231 6004 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
15:59:07.0233 6004 VgaSave - ok
15:59:07.0254 6004 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
15:59:07.0255 6004 viaagp - ok
15:59:07.0272 6004 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
15:59:07.0274 6004 ViaC7 - ok
15:59:07.0328 6004 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
15:59:07.0338 6004 viaide - ok
15:59:07.0346 6004 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
15:59:07.0347 6004 volmgr - ok
15:59:07.0369 6004 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
15:59:07.0373 6004 volmgrx - ok
15:59:07.0391 6004 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
15:59:07.0394 6004 volsnap - ok
15:59:07.0414 6004 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
15:59:07.0416 6004 vsmraid - ok
15:59:07.0439 6004 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
15:59:07.0440 6004 WacomPen - ok
15:59:07.0449 6004 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
15:59:07.0450 6004 Wanarp - ok
15:59:07.0453 6004 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
15:59:07.0454 6004 Wanarpv6 - ok
15:59:07.0476 6004 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
15:59:07.0477 6004 Wd - ok
15:59:07.0509 6004 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
15:59:07.0510 6004 WDC_SAM - ok
15:59:07.0543 6004 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
15:59:07.0560 6004 Wdf01000 - ok
15:59:07.0610 6004 winachsf (6d2350bb6e77e800fc4be4e5b7a2e89a) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
15:59:07.0627 6004 winachsf - ok
15:59:07.0669 6004 WinUSB (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\WinUSB.sys
15:59:07.0670 6004 WinUSB - ok
15:59:07.0692 6004 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
15:59:07.0693 6004 WmiAcpi - ok
15:59:07.0729 6004 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
15:59:07.0731 6004 WpdUsb - ok
15:59:07.0748 6004 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
15:59:07.0749 6004 ws2ifsl - ok
15:59:07.0817 6004 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
15:59:07.0825 6004 WudfPf - ok
15:59:07.0845 6004 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
15:59:07.0847 6004 WUDFRd - ok
15:59:07.0873 6004 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
15:59:07.0873 6004 XAudio - ok
15:59:07.0900 6004 XDva296 - ok
15:59:07.0908 6004 XDva390 - ok
15:59:07.0964 6004 xusb21 (ee9144207ee0211eb5656ba6808ac4a0) C:\Windows\system32\DRIVERS\xusb21.sys
15:59:07.0966 6004 xusb21 - ok
15:59:08.0016 6004 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (8903c6979ea677a9af3d36e0d3709203) C:\Program Files\CyberLink\PowerDVD DX\000.fcl
15:59:08.0017 6004 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} - ok
15:59:08.0055 6004 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
15:59:08.0121 6004 \Device\Harddisk0\DR0 - ok
15:59:08.0133 6004 Boot (0x1200) (11c30335c9227a3432bc10ddf73d14db) \Device\Harddisk0\DR0\Partition0
15:59:08.0135 6004 \Device\Harddisk0\DR0\Partition0 - ok
15:59:08.0138 6004 Boot (0x1200) (99320ac53ff2f5686f22d0b1e57364bd) \Device\Harddisk0\DR0\Partition1
15:59:08.0139 6004 \Device\Harddisk0\DR0\Partition1 - ok
15:59:08.0140 6004 ============================================================
15:59:08.0140 6004 Scan finished
15:59:08.0140 6004 ============================================================
15:59:08.0152 5996 Detected object count: 1
15:59:08.0152 5996 Actual detected object count: 1
15:59:14.0211 5996 C:\Windows\system32\DRIVERS\smb.sys - copied to quarantine
15:59:14.0427 5996 Backup copy found, using it..
15:59:14.0455 5996 C:\Windows\system32\DRIVERS\smb.sys - will be cured on reboot
15:59:21.0505 5996 Smb ( Virus.Win32.ZAccess.c ) - User select action: Cure
15:59:25.0936 5628 Deinitialize success

And here's the aswMBR log, along with the MBR.rar as an attachment. Thanks again for taking the time to go over this:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-15 16:05:36
-----------------------------
16:05:36.198 OS Version: Windows 6.0.6002 Service Pack 2
16:05:36.199 Number of processors: 2 586 0x1706
16:05:36.199 ComputerName: RENE-PC UserName:
16:05:37.898 Initialize success
16:05:56.925 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:05:56.927 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
16:05:56.944 Disk 0 MBR read successfully
16:05:56.947 Disk 0 MBR scan
16:05:56.950 Disk 0 Windows VISTA default MBR code
16:05:56.958 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
16:05:56.972 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
16:05:57.001 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
16:05:57.020 Disk 0 scanning sectors +1250260992
16:05:57.158 Disk 0 scanning C:\Windows\system32\drivers
16:06:00.655 File: C:\Windows\system32\drivers\afd.sys **SUSPICIOUS**
16:06:07.964 Disk 0 trace - called modules:
16:06:07.992 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82d31fc0]<<
16:06:07.997 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x884eb4d8]
16:06:08.002 3 CLASSPNP.SYS[8dba08b3] -> nt!IofCallDriver -> [0x8a31dc10]
16:06:08.008 \Driver\00010083[0x8a6711b8] -> IRP_MJ_CREATE -> 0x82d31fc0
16:06:08.013 Scan finished successfully
16:06:21.952 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
16:06:21.959 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"

Attached Files

  • MBR.zip (565 bytes)

Edited by Balkon, 15 February 2012 - 06:35 PM.
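
The TDSSKiller log above shows the detail that matters to a responder: for smb.sys the scanner reports a "Real md5" that differs from the "Fake md5" returned through the normal file API, and then marks the Smb service infected. Parsing that out of a log with hundreds of "- ok" lines by hand is error-prone, so the script below is an added example (not part of this thread and not TDSSKiller's own code) that reads the log format as posted, merges the "Suspicious file (Forged)" line with the matching "- infected" line for the same driver, and counts the clean entries. The sample lines are constructed to mirror the log above; the regular expressions are written against that format only.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the TDSSKiller log format posted in this thread.
SAMPLE_LOG = r"""
15:59:05.0849 6004 Smb (ed23daaaccaf6f7efcfaf0cc155873e8) C:\Windows\system32\DRIVERS\smb.sys
15:59:05.0850 6004 Suspicious file (Forged): C:\Windows\system32\DRIVERS\smb.sys. Real md5: ed23daaaccaf6f7efcfaf0cc155873e8, Fake md5: 7b75299a4d201d6a6533603d6914ab04
15:59:05.0850 6004 Smb ( Virus.Win32.ZAccess.c ) - infected
15:59:05.0850 6004 Smb - detected Virus.Win32.ZAccess.c (0)
15:59:05.0885 6004 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\Windows\system32\speedfan.sys
15:59:05.0887 6004 speedfan - ok
15:59:08.0055 6004 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
15:59:08.0121 6004 \Device\Harddisk0\DR0 - ok
""".strip()

# One per-driver entry: "<time> <pid> <service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^\S+ \d+ (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# The forged-hash warning: real content hash vs. the hash the file API hands back
FORGED_RE = re.compile(
    r"^\S+ \d+ Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
# The verdict line: "<service> ( <malware name> ) - infected"
INFECTED_RE = re.compile(r"^\S+ \d+ (?P<name>\S+) \( (?P<malware>.+?) \) - infected$")
OK_RE = re.compile(r"^\S+ \d+ (?P<name>\S+) - ok$")


@dataclass
class Finding:
    name: str               # service/driver name as TDSSKiller reports it
    path: str = ""          # file path from the entry line, if one was seen
    malware: str = ""       # detection name from the "- infected" line
    real_md5: str = ""      # hash of the bytes actually on disk
    fake_md5: str = ""      # hash of the bytes the file API returned

    @property
    def hash_forged(self) -> bool:
        """True when the scanner saw two different hashes for the same file."""
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


def parse_tdsskiller(log_text: str):
    """Return (list of Finding, number of '- ok' entries) for one TDSSKiller log."""
    name_of_path = {}   # path -> service name, so a Forged line can be tied to a service
    path_of_name = {}   # service name -> path, so an infected line can carry its path
    findings = {}       # service name -> Finding (Forged and infected lines merge here)
    clean = 0
    for line in log_text.splitlines():
        if (m := DRIVER_RE.match(line)):
            name_of_path[m["path"]] = m["name"]
            path_of_name[m["name"]] = m["path"]
        elif (m := FORGED_RE.match(line)):
            name = name_of_path.get(m["path"], m["path"])
            f = findings.setdefault(name, Finding(name=name, path=m["path"]))
            f.real_md5, f.fake_md5 = m["real"], m["fake"]
        elif (m := INFECTED_RE.match(line)):
            name = m["name"]
            f = findings.setdefault(name, Finding(name=name, path=path_of_name.get(name, "")))
            f.malware = m["malware"]
        elif OK_RE.match(line):
            clean += 1
    return list(findings.values()), clean


def summarize(log_text: str) -> str:
    """Human-readable triage summary of one log."""
    findings, clean = parse_tdsskiller(log_text)
    lines = [f"{clean} clean entries, {len(findings)} flagged"]
    for f in findings:
        tag = " [hash forged]" if f.hash_forged else ""
        lines.append(f"  {f.name}: {f.malware or 'no name'} at {f.path or '?'}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real TDSSKiller log by reading the file into `parse_tdsskiller`; any entry whose `hash_forged` is set deserves attention even if the scanner attached no malware name, because a clean driver has no reason to present two different hashes.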


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:55 PM

Posted 16 February 2012 - 10:26 AM

Now run the aswMBR.exe tool. Select the Fix button.

Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Run aswMBR.exe normally this time and post the log.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    afd.sys
    smb.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post the logs for my review.

Let me know what issues are persisting on this computer.

#7 Balkon (Topic Starter, Members)

Posted 16 February 2012 - 06:10 PM

Ok, the problems as far as I can tell are that I still can't enable Windows Firewall: "Due to an unidentified problem, Windows cannot display Windows Firewall settings". Another problem is that I have to disable User Account Control in order to avoid booting up to a black screen with a mouse (I have to manually enable "explorer.exe" via Task Manager in order for the desktop to show up). Also, the internet is still slow, as I get brief messages telling me that "TCP/IP command has encountered a problem" only to disappear in an instant. So I guess that I'm still vulnerable to any future attacks.

Also, after doing the aswMBR fix, on the next reboot, as I attempted to retrieve the log, I was hit with a BSOD. It managed to record a log that I was able to save, which was this:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: 00000000
BCP2: 00000002
BCP3: 00000001
BCP4: 8524788C
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini021612-01.dmp
C:\Users\Renecito\AppData\Local\Temp\WER-38828-0.sysdata.xml
C:\Users\Renecito\AppData\Local\Temp\WERAEA5.tmp.version.txt


But it hasn't shown up again since that one incident. Regardless of all that, here are the logs as requested...thanks again as always.


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-15 16:05:36
-----------------------------
16:05:36.198 OS Version: Windows 6.0.6002 Service Pack 2
16:05:36.199 Number of processors: 2 586 0x1706
16:05:36.199 ComputerName: RENE-PC UserName:
16:05:37.898 Initialize success
16:05:56.925 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:05:56.927 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
16:05:56.944 Disk 0 MBR read successfully
16:05:56.947 Disk 0 MBR scan
16:05:56.950 Disk 0 Windows VISTA default MBR code
16:05:56.958 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
16:05:56.972 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
16:05:57.001 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
16:05:57.020 Disk 0 scanning sectors +1250260992
16:05:57.158 Disk 0 scanning C:\Windows\system32\drivers
16:06:00.655 File: C:\Windows\system32\drivers\afd.sys **SUSPICIOUS**
16:06:07.964 Disk 0 trace - called modules:
16:06:07.992 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82d31fc0]<<
16:06:07.997 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x884eb4d8]
16:06:08.002 3 CLASSPNP.SYS[8dba08b3] -> nt!IofCallDriver -> [0x8a31dc10]
16:06:08.008 \Driver\00010083[0x8a6711b8] -> IRP_MJ_CREATE -> 0x82d31fc0
16:06:08.013 Scan finished successfully
16:06:21.952 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
16:06:21.959 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-16 15:19:20
-----------------------------
15:19:20.922 OS Version: Windows 6.0.6002 Service Pack 2
15:19:20.922 Number of processors: 2 586 0x1706
15:19:20.923 ComputerName: RENE-PC UserName:
15:19:23.391 Initialize success
15:19:52.113 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:19:52.115 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
15:19:52.125 Disk 0 MBR read successfully
15:19:52.127 Disk 0 MBR scan
15:19:52.128 Disk 0 Windows VISTA default MBR code
15:19:52.130 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
15:19:52.136 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
15:19:52.149 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
15:19:52.152 Disk 0 scanning sectors +1250260992
15:19:52.220 Disk 0 scanning C:\Windows\system32\drivers
15:20:06.686 File: C:\Windows\system32\drivers\afd.sys **SUSPICIOUS**
15:20:37.464 Disk 0 trace - called modules:
15:20:37.479 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x92d2bfc0]<<
15:20:37.482 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88685ac8]
15:20:37.809 3 CLASSPNP.SYS[8dbaa8b3] -> nt!IofCallDriver -> [0x8a1a04d0]
15:20:37.813 \Driver\00001330[0x8a1a0638] -> IRP_MJ_CREATE -> 0x92d2bfc0
15:20:37.818 Scan finished successfully
15:20:49.420 Fixing ... C:\Windows\system32\drivers\afd.sys
15:20:50.308 Backup ... C:\Windows\winsxs\backup\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b_afd.sys_084af4a8
15:20:56.769 File C:\Windows\system32\drivers\afd.sys fixed successfully - please reboot ASAP
15:21:18.614 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
15:21:18.643 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"



Here's the ComboFix log; I managed to get it only by having the computer boot up in safe mode through msconfig. It notified me that I was infected with Rootkit.ZeroAccess. Probably the root of my TCP/IP problems.


ComboFix 12-02-16.02 - Renecito 02/16/2012 17:02:40.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2898 [GMT -5:00]
Running from: c:\users\Renecito\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Renecito\AppData\Roaming\Adobe\plugs
c:\users\Renecito\AppData\Roaming\Adobe\shed
c:\windows\$NtUninstallKB51131$
c:\windows\$NtUninstallKB51131$\3516339756\@
c:\windows\$NtUninstallKB51131$\3516339756\cfg.ini
c:\windows\$NtUninstallKB51131$\3516339756\Desktop.ini
c:\windows\$NtUninstallKB51131$\3516339756\L\qnbwvoto
c:\windows\$NtUninstallKB51131$\3516339756\U\00000001.@
c:\windows\$NtUninstallKB51131$\3516339756\U\00000002.@
c:\windows\$NtUninstallKB51131$\3516339756\U\00000004.@
c:\windows\$NtUninstallKB51131$\3516339756\U\80000000.@
c:\windows\$NtUninstallKB51131$\3516339756\U\80000004.@
c:\windows\$NtUninstallKB51131$\3516339756\U\80000032.@
c:\windows\$NtUninstallKB51131$\3516339756\version
c:\windows\$NtUninstallKB51131$\423591096
c:\windows\system32\config\systemprofile\AppData\Roaming\64dlls.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\intel64.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\Kernel32.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\localsys64.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\ntos.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\oembios.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\sdra64.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\sdra73.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\swin32.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\twex.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\twext.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\wsnpoema.exe
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\drivers\smb.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
c:\windows\system32\drivers\tdx.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 22:15 . 2012-02-16 22:18 -------- d-----w- c:\users\Renecito\AppData\Local\temp
2012-02-16 22:15 . 2012-02-16 22:15 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-02-16 22:15 . 2012-02-16 22:15 -------- d-----w- c:\users\Rene\AppData\Local\temp
2012-02-16 22:15 . 2012-02-16 22:15 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-02-16 22:15 . 2012-02-16 22:15 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-02-16 22:15 . 2012-02-16 22:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 22:15 . 2008-01-21 02:24 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-16 22:15 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-16 22:15 . 2008-01-21 02:24 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-16 22:15 . 2011-04-21 13:28 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-13 22:21 . 2012-02-13 22:21 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-02-13 00:05 . 2012-02-13 00:05 1409 ----a-w- c:\windows\QTFont.for
2012-02-12 07:47 . 2012-02-12 07:47 -------- d-----w- C:\DARK
2012-02-08 03:17 . 2012-02-08 03:17 -------- d-----w- c:\program files\Symantec
2012-02-07 23:39 . 2012-02-15 20:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-06 17:19 . 2009-03-18 21:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2012-02-06 17:19 . 2012-02-06 17:19 -------- d-----w- c:\program files\LogMeIn Hamachi
2012-02-05 20:59 . 2012-02-16 20:27 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-02 09:47 . 2012-02-02 09:47 -------- d-----w- c:\users\Renecito\AppData\Roaming\ZOO Digital Publishing
2012-01-30 22:31 . 2012-01-30 22:31 -------- d-----w- c:\users\Renecito\AppData\Roaming\Hi-Rez Studios
2012-01-30 22:27 . 2012-01-30 22:27 -------- d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2012-01-29 03:37 . 2012-01-29 03:37 -------- d-----w- c:\users\Renecito\AppData\Roaming\runic games
2012-01-27 22:31 . 2012-01-27 22:31 49152 ----a-r- c:\users\Renecito\AppData\Roaming\Microsoft\Installer\{46B69F5F-E77D-49DE-9729-0F562564A15E}\NewShortcut1_46B69F5FE77D49DE97290F562564A15E_1.exe
2012-01-26 22:34 . 2012-01-26 22:34 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2012-01-26 22:28 . 2010-08-20 00:24 255496 ----a-w- c:\windows\system32\MijFrc.dll
2012-01-25 20:21 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2012-01-25 20:20 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-25 20:20 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 20:20 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 20:20 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 20:20 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-25 20:20 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 20:20 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-15 21:00 . 2012-02-16 21:59 66560 ----a-w- c:\windows\system32\drivers\smb.svs
2012-02-15 21:00 . 2009-09-19 02:49 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2012-02-09 03:24 . 2012-02-15 01:07 67072 ----a-w- c:\windows\system32\drivers\cdrom.svs
2012-02-07 23:40 . 2009-09-19 02:50 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-12-18 22:15 . 2011-05-17 18:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-16 09:40 . 2011-01-23 01:53 41984 ----a-w- c:\windows\system32\~WebUpdateHelper.exe
2011-12-15 03:38 . 2010-09-26 21:41 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-15 03:38 . 2010-09-26 21:41 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-25 15:59 . 2012-01-11 00:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37 . 2012-01-11 00:47 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 04:26 . 2011-03-24 02:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Renecito\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Renecito\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Renecito\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 343168]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-10-29 128296]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-02 1987976]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 1809992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-07-30 497000]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-02-28 395640]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-15 1242448]
"Google Update"="c:\users\Renecito\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-25 136176]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2011-11-10 109640]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
"Akamai NetSession Interface"="c:\users\Renecito\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
.
c:\users\Renecito\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Renecito\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-1-18 24246216]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-5-2 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-24 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
.
R4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CiscoVpnInstallService
fix
omniinet
pctfw1
se45mdm
EL90X
dot4scan
tmesbs32
P17xfi
snapman380
scan
spupdsvc
WmHidLo
WacomVKHid
MSIRCOMM
hap17v2k
ccflic0
elbycdio
liveupdate
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-04-07 00:38]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 03:43]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 03:43]
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1000Core.job
- c:\users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-23 18:33]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1000UA.job
- c:\users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-23 18:33]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1001Core.job
- c:\users\Renecito\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-25 23:37]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1001UA.job
- c:\users\Renecito\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-25 23:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
TCP: Interfaces\{EA39B9B6-117E-49A6-8237-B4946E3D8418}: NameServer = 192.168.254.254
FF - ProfilePath - c:\users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\xsqb8vub.Blogging\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
SafeBoot-06669918.sys
SafeBoot-35259353.sys
SafeBoot-55233198.sys
SafeBoot-57891620.sys
SafeBoot-61617420.sys
SafeBoot-67784422.sys
SafeBoot-68363147.sys
SafeBoot-79840599.sys
SafeBoot-84845105.sys
SafeBoot-87069613.sys
SafeBoot-88175120.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"=hex:51,66,7a,6c,4c,1d,38,12,2d,dd,7a,
ab,6a,33,56,03,c9,ec,8d,26,b0,f3,64,49
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d2,bc,6f,0b,45,e5,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,d1,3b,0a,0b,bb,72,4c,8c,76,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,d1,3b,0a,0b,bb,72,4c,8c,76,2c,\
.
[HKEY_USERS\S-1-5-21-4147781646-3040779410-4144261254-1001\Software\KISS\«0¹0¿0à0á0¤0É03*D*]
"InstallPath"="c:\\Games\\My game"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1116)
c:\users\Renecito\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2012-02-16 17:24:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-16 22:24
.
Pre-Run: 332,309,000,192 bytes free
Post-Run: 333,167,575,040 bytes free
.
- - End Of File - - 6F4D09B5B7FD3B241EF30FFDE193DE04




Here's the Systemlook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:34 on 16/02/2012 by Renecito
Administrator - Elevation successful

No Context: afd.sys

No Context: smb.sys

-= EOF =-

Edited by Balkon, 16 February 2012 - 06:34 PM.
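The ComboFix log above shows the two things the tools in this thread were actually looking for: live network drivers (afd.sys, smb.sys, cdrom.sys, tdx.sys, netbt.sys) that no longer match the copies in WinSxS, and a fake "$NtUninstallKB...$" folder under the Windows directory holding payload files named like "00000001.@". The script below is an added example written for this page, not code from aswMBR, ComboFix, FSS or anyone in the thread; it reproduces that check offline against a constructed stand-in for C:\Windows. Everything in it is an assumption: the driver list, the marker-folder and payload-name patterns (generalised from the exact paths in the log), and the sample tree it builds. It also relies on at least one WinSxS copy being untouched, which a rootkit can defeat; on a real machine the authoritative check is the file's Authenticode signature or the Windows catalog, and the MD5 comparison (used because FSS reports MD5) is an identity check, not a security boundary.

```python
"""Added example for this thread: flag replaced network drivers and the
ZeroAccess marker folder. Not code from aswMBR, ComboFix or FSS."""
import hashlib
import re
import tempfile
from pathlib import Path

# Drivers the thread's tools examined. Assumed list, taken from the logs.
NETWORK_DRIVERS = ("afd.sys", "smb.sys", "tdx.sys", "netbt.sys", "cdrom.sys", "tcpip.sys")

# Generalised from the deleted paths c:\windows\$NtUninstallKB51131$\...\U\00000001.@
# The digit run and the 8-hex-digit payload names are assumptions.
MARKER_DIR = re.compile(r"^\$NtUninstallKB\d+\$$", re.IGNORECASE)
MARKER_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.IGNORECASE)


def md5_of(path):
    """MD5 because FSS reports MD5; this is a file-identity check only."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def reference_hashes(windows_root, driver_name):
    """MD5 of every WinSxS copy of the driver (the folder ComboFix restored from).
    Assumes at least one copy is untouched; a rootkit can tamper with these too."""
    return {md5_of(p) for p in (windows_root / "winsxs").rglob(driver_name)}


def check_drivers(windows_root):
    """Classify each live driver as ok, mismatch, missing or no-reference."""
    drivers = windows_root / "system32" / "drivers"
    findings = []
    for name in NETWORK_DRIVERS:
        live = drivers / name
        if not live.is_file():
            findings.append((name, "missing", None))   # ComboFix's "was missing" case
            continue
        digest = md5_of(live)
        refs = reference_hashes(windows_root, name)
        if not refs:
            status = "no-reference"
        elif digest in refs:
            status = "ok"
        else:
            status = "mismatch"                        # ComboFix's "infected copy" case
        findings.append((name, status, digest))
    return findings


def find_marker_dirs(windows_root):
    """Fake $NtUninstallKB...$ folders directly under the Windows dir, with the
    number of *.@ payload files found beneath each."""
    hits = []
    for entry in sorted(windows_root.iterdir()):
        if entry.is_dir() and MARKER_DIR.match(entry.name):
            payload = [p for p in entry.rglob("*") if p.is_file() and MARKER_FILE.match(p.name)]
            hits.append((entry.name, len(payload)))
    return hits


def scan(windows_root):
    root = Path(windows_root)
    return {"drivers": check_drivers(root), "markers": find_marker_dirs(root)}


def build_sample_tree(root=None):
    """Constructed stand-in for C:\\Windows so the scan runs offline.
    Mirrors the thread: afd.sys replaced, tdx.sys missing, marker folder present."""
    root = Path(root or tempfile.mkdtemp(prefix="fakewin-"))
    drv = root / "system32" / "drivers"
    sxs = root / "winsxs" / "x86_microsoft-windows-winsock-core_6.0.6002.22629"
    drv.mkdir(parents=True, exist_ok=True)
    sxs.mkdir(parents=True, exist_ok=True)
    for name in ("smb.sys", "netbt.sys", "tcpip.sys"):   # untouched: same bytes both places
        (sxs / name).write_bytes(b"clean " + name.encode())
        (drv / name).write_bytes(b"clean " + name.encode())
    (sxs / "afd.sys").write_bytes(b"clean afd.sys")
    (drv / "afd.sys").write_bytes(b"afd.sys with rootkit hook")   # mismatch
    (sxs / "tdx.sys").write_bytes(b"clean tdx.sys")               # live copy missing
    (drv / "cdrom.sys").write_bytes(b"cdrom.sys")                 # no WinSxS reference
    marker = root / "$NtUninstallKB51131$" / "3516339756"
    (marker / "U").mkdir(parents=True, exist_ok=True)
    (marker / "L").mkdir(parents=True, exist_ok=True)
    (marker / "U" / "00000001.@").write_bytes(b"payload")
    (marker / "U" / "80000000.@").write_bytes(b"payload")
    (marker / "L" / "qnbwvoto").write_bytes(b"")   # not a *.@ payload name
    (marker / "cfg.ini").write_bytes(b"")
    return root


if __name__ == "__main__":
    report = scan(build_sample_tree())
    for name, status, digest in report["drivers"]:
        print(f"{name:<10} {status:<13} {digest or '-'}")
    for folder, count in report["markers"]:
        print(f"marker folder {folder}: {count} payload file(s)")
```

Run against the constructed tree it reports afd.sys as "mismatch", tdx.sys as "missing", cdrom.sys as "no-reference" and the marker folder with two payload files. To point it at a real system, pass the Windows directory to scan() and treat any "mismatch" as a lead to confirm with a signature check, not as proof on its own.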


#8 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 17 February 2012 - 10:19 AM

Please run the aswMBR tool again and post the log.

===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===

Please run the Farbar Service Scanner FSS.exe
Do not check any of the options this time.

Copy the following in the Search Box.

afd.sys
smb.sys


Press the Search File button. Post the result in your next post.

===

Please let me know what issues are still pending on this computer.

#9 Balkon (Topic Starter, Members)

Posted 17 February 2012 - 12:08 PM

So yeah, the computer still shows up as infected, but at least there are no huge problems like Google redirects or frequent BSODs as before, when the problem first surfaced. I don't know what to tell you at this point, but thanks for the continued assistance as always....


Ok, the aswMBR log contains the previous entries, including the fix from yesterday....


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-15 16:05:36
-----------------------------
16:05:36.198 OS Version: Windows 6.0.6002 Service Pack 2
16:05:36.199 Number of processors: 2 586 0x1706
16:05:36.199 ComputerName: RENE-PC UserName:
16:05:37.898 Initialize success
16:05:56.925 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:05:56.927 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
16:05:56.944 Disk 0 MBR read successfully
16:05:56.947 Disk 0 MBR scan
16:05:56.950 Disk 0 Windows VISTA default MBR code
16:05:56.958 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
16:05:56.972 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
16:05:57.001 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
16:05:57.020 Disk 0 scanning sectors +1250260992
16:05:57.158 Disk 0 scanning C:\Windows\system32\drivers
16:06:00.655 File: C:\Windows\system32\drivers\afd.sys **SUSPICIOUS**
16:06:07.964 Disk 0 trace - called modules:
16:06:07.992 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82d31fc0]<<
16:06:07.997 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x884eb4d8]
16:06:08.002 3 CLASSPNP.SYS[8dba08b3] -> nt!IofCallDriver -> [0x8a31dc10]
16:06:08.008 \Driver\00010083[0x8a6711b8] -> IRP_MJ_CREATE -> 0x82d31fc0
16:06:08.013 Scan finished successfully
16:06:21.952 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
16:06:21.959 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-16 15:19:20
-----------------------------
15:19:20.922 OS Version: Windows 6.0.6002 Service Pack 2
15:19:20.922 Number of processors: 2 586 0x1706
15:19:20.923 ComputerName: RENE-PC UserName:
15:19:23.391 Initialize success
15:19:52.113 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:19:52.115 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
15:19:52.125 Disk 0 MBR read successfully
15:19:52.127 Disk 0 MBR scan
15:19:52.128 Disk 0 Windows VISTA default MBR code
15:19:52.130 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
15:19:52.136 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
15:19:52.149 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
15:19:52.152 Disk 0 scanning sectors +1250260992
15:19:52.220 Disk 0 scanning C:\Windows\system32\drivers
15:20:06.686 File: C:\Windows\system32\drivers\afd.sys **SUSPICIOUS**
15:20:37.464 Disk 0 trace - called modules:
15:20:37.479 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x92d2bfc0]<<
15:20:37.482 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88685ac8]
15:20:37.809 3 CLASSPNP.SYS[8dbaa8b3] -> nt!IofCallDriver -> [0x8a1a04d0]
15:20:37.813 \Driver\00001330[0x8a1a0638] -> IRP_MJ_CREATE -> 0x92d2bfc0
15:20:37.818 Scan finished successfully
15:20:49.420 Fixing ... C:\Windows\system32\drivers\afd.sys
15:20:50.308 Backup ... C:\Windows\winsxs\backup\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b_afd.sys_084af4a8
15:20:56.769 File C:\Windows\system32\drivers\afd.sys fixed successfully - please reboot ASAP
15:21:18.614 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
15:21:18.643 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-17 11:50:17
-----------------------------
11:50:17.722 OS Version: Windows 6.0.6002 Service Pack 2
11:50:17.722 Number of processors: 2 586 0x1706
11:50:17.723 ComputerName: RENE-PC UserName:
11:50:27.515 Initialize success
11:51:49.412 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:51:49.414 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
11:51:49.423 Disk 0 MBR read successfully
11:51:49.425 Disk 0 MBR scan
11:51:49.427 Disk 0 Windows VISTA default MBR code
11:51:49.430 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
11:51:49.442 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
11:51:49.455 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
11:51:49.459 Disk 0 scanning sectors +1250260992
11:51:49.585 Disk 0 scanning C:\Windows\system32\drivers
11:51:53.886 File: C:\Windows\system32\drivers\cdrom.sys **SUSPICIOUS**
11:51:59.443 Disk 0 trace - called modules:
11:51:59.463 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x927e1fc0]<<
11:51:59.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8867fac8]
11:51:59.473 3 CLASSPNP.SYS[8dba68b3] -> nt!IofCallDriver -> [0x89a54420]
11:51:59.479 \Driver\00000881[0x89a54588] -> IRP_MJ_CREATE -> 0x927e1fc0
11:51:59.484 Scan finished successfully
11:52:10.395 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
11:52:10.438 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"

Here's the FSS log for part 1 of your directions:

Farbar Service Scanner Version: 14-02-2012
Ran by Renecito (administrator) on 17-02-2012 at 11:53:54
Running from "C:\Users\Renecito\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-16 17:15] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


Here's part 2 of your request. I had to search each file separately since it can't seem to search for both at the same time. Hope it's not too much of an inconvenience as it is already.

Farbar Service Scanner Version: 14-02-2012
Ran by Renecito (administrator) on 17-02-2012 at 12:02:11
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)

************************************************
======== Search: "afd.sys" =========

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-15 15:42] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011-06-15 15:42] - [2011-04-21 08:58] - 0273408 ____A () E393785473ABBDD5C46285E5FB0F6710

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2009-09-18 21:50] - [2009-04-10 23:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
[2011-06-15 15:42] - [2011-04-21 08:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-06-15 15:42] - [2011-04-21 08:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2008-01-20 21:24] - [2008-01-20 21:24] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

C:\Windows\System32\drivers\afd.sys
[2012-02-16 17:15] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

====== End Of Search ======

Farbar Service Scanner Version: 14-02-2012
Ran by Renecito (administrator) on 17-02-2012 at 12:04:12
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)

************************************************
======== Search: "smb.sys" =========

C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys
[2009-09-18 21:49] - [2012-02-15 16:00] - 0066560 ____A () ED23DAAACCAF6F7EFCFAF0CC155873E8

C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys
[2008-01-20 21:25] - [2008-01-20 21:25] - 0066560 ____A (Microsoft Corporation) 031E6BCD53C9B2B9ACE111EAFEC347B6

C:\Windows\System32\drivers\smb.sys
[2009-09-18 21:49] - [2012-02-15 16:00] - 0066560 ____A (Microsoft Corporation) 7B75299A4D201D6A6533603D6914AB04

====== End Of Search ======
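
The FSS output in this post carries the actual findings of the step: the start type, ImagePath and ServiceDll values of MpsSvc (Windows Firewall) and the whole bfe (Base Filtering Engine) service key are gone from the registry, which is why the firewall cannot be switched back on, and both smb.sys copies carry a last-write time two days before the scan while the live System32 copy hashes to something no staged WinSxS copy does. The Python script below is an added example for this thread, not part of FSS or of either poster's material; it reads FSS output (lines copied from the logs above) and surfaces those three conditions automatically. The 30-day window, the reading of the first bracketed date as creation time and the second as last-write time, and all function names are its own assumptions.

```python
"""Triage an FSS log: which service registry keys are gone, which driver copies look tampered with.

Added example for this thread, not part of FSS or of the original posts. Sample lines are copied
from the FSS output above; the 30-day window, the reading of the two date columns as
created/last-write, and the function names are this example's own assumptions.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

SCAN_TIME = datetime(2012, 2, 17, 12, 4)  # FSS header: "on 17-02-2012 at 12:04:11"

# Constructed from the Windows Firewall section of the FSS log (abridged).
FSS_SERVICES = r"""
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
"""

# Constructed from the FSS "Search:" results above (abridged).
FSS_SEARCH = r"""
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-15 15:42] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\System32\drivers\afd.sys
[2012-02-16 17:15] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys
[2009-09-18 21:49] - [2012-02-15 16:00] - 0066560 ____A () ED23DAAACCAF6F7EFCFAF0CC155873E8

C:\Windows\System32\drivers\smb.sys
[2009-09-18 21:49] - [2012-02-15 16:00] - 0066560 ____A (Microsoft Corporation) 7B75299A4D201D6A6533603D6914AB04
"""

SERVICE_HDR = re.compile(r"^(\S+) Service is not running\. Checking service configuration:")
ENTRY = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-F]{32})$"
)
FileEntry = namedtuple("FileEntry", "path created modified size company md5")

def missing_service_keys(log):
    """Map each service FSS examined to the 'does not exist' findings under it."""
    findings, current = {}, None
    for line in log.splitlines():
        m = SERVICE_HDR.match(line)
        if m:
            current = m.group(1)
            findings[current] = []
        elif current and "does not exist" in line:
            findings[current].append(line.split("Attention! ", 1)[-1].strip())
    return findings

def parse_search(log):
    """Pair each path line of an FSS search with the detail line that follows it."""
    entries, path = [], None
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if m and path:
            entries.append(FileEntry(
                path, datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                int(m["size"]), m["company"], m["md5"]))
        elif "\\" in line:
            path = line
    return entries

def suspicious_entries(entries, scan_time=SCAN_TIME, window_days=30):
    """Flag entries with no version info, a recent last-write time, or a live
    System32 copy whose MD5 matches none of the staged WinSxS copies."""
    staged = {}  # file name -> set of MD5s seen under \winsxs\
    for e in entries:
        if "\\winsxs\\" in e.path.lower():
            staged.setdefault(e.path.rsplit("\\", 1)[-1].lower(), set()).add(e.md5)
    flagged = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if not e.company:
            reasons.append("no company/version info")
        if scan_time - e.modified <= timedelta(days=window_days):
            reasons.append(f"last-write {e.modified:%Y-%m-%d} within {window_days} days of scan")
        if "\\system32\\" in e.path.lower() and staged.get(name) and e.md5 not in staged[name]:
            reasons.append("live file matches no staged WinSxS copy")
        if reasons:
            flagged.append((e.path, reasons))
    return flagged
```

A blank company field on its own is weak evidence (the 6.0.6002.18457 afd.sys staged copy in the search above shows one too); the combination with a fresh last-write time on a driver that no update touched, or a live hash that matches no staged copy, is what to act on. The same parsing works on FRST search output, which uses the same detail-line layout.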

#10 nasdaq
  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 February 2012 - 01:39 PM

Now run the aswMBR.exe tool. Select the Fix button.

Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Run aswMBR.exe normally this time and post the log.


Run the ComboFix tool again and post the log also.
===


Please let me know what problem persists.

#11 Balkon
  • Topic Starter
  • Members
  • 19 posts

Posted 17 February 2012 - 05:27 PM

Ok, I just want to be 100% sure before I do this, when I scan with MBR and the infections pop up, the Fix option is greyed out while FixMBR isn't. So I'm not quite sure how I should proceed with that direction.

#12 nasdaq
  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 February 2012 - 08:44 AM

OK, use FixMBR.

#13 Balkon
  • Topic Starter
  • Members
  • 19 posts

Posted 18 February 2012 - 03:40 PM

Curiously enough, when I started the computer today to do as you asked, only the FIX option was available, so I went ahead and picked that. Combofix showed the rootkit.access thing again after doing a second scan with aswMBR to make sure there wasn't anything wrong after the first fix (there wasn't). Usual problems persist. Well, I'll just let you look at the logs then...


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-18 14:15:42
-----------------------------
14:15:42.882 OS Version: Windows 6.0.6002 Service Pack 2
14:15:42.882 Number of processors: 2 586 0x1706
14:15:42.882 ComputerName: RENE-PC UserName:
14:15:47.951 Initialize success
14:15:53.874 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:15:53.875 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
14:15:53.908 Disk 0 MBR read successfully
14:15:53.909 Disk 0 MBR scan
14:15:53.911 Disk 0 Windows VISTA default MBR code
14:15:53.953 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
14:15:53.973 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
14:15:54.011 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
14:15:54.037 Disk 0 scanning sectors +1250260992
14:15:54.448 Disk 0 scanning C:\Windows\system32\drivers
14:16:00.383 File: C:\Windows\system32\drivers\cdrom.sys **SUSPICIOUS**
14:16:05.864 Disk 0 trace - called modules:
14:16:05.877 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x91fd2fc0]<<
14:16:05.880 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88675ac8]
14:16:05.884 3 CLASSPNP.SYS[8dba88b3] -> nt!IofCallDriver -> [0x898a1790]
14:16:05.888 \Driver\00000875[0x8a56b6c0] -> IRP_MJ_CREATE -> 0x91fd2fc0
14:16:05.891 Scan finished successfully
14:17:12.583 Fixing ... C:\Windows\system32\drivers\cdrom.sys
14:17:14.343 Backup ... C:\Windows\winsxs\x86_cdrom.inf_31bf3856ad364e35_6.0.6001.18000_none_5fa95be2a3c76a4a\cdrom.sys
14:17:19.968 File C:\Windows\system32\drivers\cdrom.sys fixed successfully - please reboot ASAP
14:17:27.317 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
14:17:27.370 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-18 14:21:23
-----------------------------
14:21:23.998 OS Version: Windows 6.0.6002 Service Pack 2
14:21:23.998 Number of processors: 2 586 0x1706
14:21:23.998 ComputerName: RENE-PC UserName:
14:21:24.965 Initialize success
14:21:28.023 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:21:28.023 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
14:21:28.039 Disk 0 MBR read successfully
14:21:28.039 Disk 0 MBR scan
14:21:28.054 Disk 0 Windows VISTA default MBR code
14:21:28.054 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
14:21:28.070 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 129024
14:21:28.070 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 600176 MB offset 21100544
14:21:28.085 Disk 0 scanning sectors +1250260992
14:21:28.148 Disk 0 scanning C:\Windows\system32\drivers
14:21:33.077 Service scanning
14:21:36.634 Modules scanning
14:21:38.881 Disk 0 trace - called modules:
14:21:38.896 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
14:21:38.912 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x884ea2e8]
14:21:38.912 3 CLASSPNP.SYS[8dba28b3] -> nt!IofCallDriver -> [0x884d1c10]
14:21:38.912 5 acpi.sys[806906bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x877478a0]
14:21:38.912 Scan finished successfully
14:21:48.537 Disk 0 MBR has been saved successfully to "C:\Users\Renecito\Desktop\MBR.dat"
14:21:48.553 The log file has been saved successfully to "C:\Users\Renecito\Desktop\aswMBR.txt"

And here's the combofix log:


ComboFix 12-02-16.02 - Renecito 02/18/2012 15:14:52.2.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2899 [GMT -5:00]
Running from: c:\users\Renecito\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB51131$
c:\windows\$NtUninstallKB51131$\3354076598
c:\windows\$NtUninstallKB51131$\3516339756\@
c:\windows\$NtUninstallKB51131$\3516339756\cfg.ini
c:\windows\$NtUninstallKB51131$\3516339756\Desktop.ini
c:\windows\$NtUninstallKB51131$\3516339756\L\qnbwvoto
c:\windows\$NtUninstallKB51131$\3516339756\oemid
c:\windows\$NtUninstallKB51131$\3516339756\U\00000001.@
c:\windows\$NtUninstallKB51131$\3516339756\U\00000002.@
c:\windows\$NtUninstallKB51131$\3516339756\U\00000004.@
c:\windows\$NtUninstallKB51131$\3516339756\U\80000000.@
c:\windows\$NtUninstallKB51131$\3516339756\U\80000004.@
c:\windows\$NtUninstallKB51131$\3516339756\U\80000032.@
c:\windows\$NtUninstallKB51131$\3516339756\version
.
.
((((((((((((((((((((((((( Files Created from 2012-01-18 to 2012-02-18 )))))))))))))))))))))))))))))))
.
.
2012-02-18 20:26 . 2012-02-18 20:26 -------- d-----w- c:\users\Renecito\AppData\Local\temp
2012-02-18 20:26 . 2012-02-18 20:26 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-02-18 20:26 . 2012-02-18 20:26 -------- d-----w- c:\users\Rene\AppData\Local\temp
2012-02-18 20:26 . 2012-02-18 20:26 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-02-18 20:26 . 2012-02-18 20:26 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-02-18 20:26 . 2012-02-18 20:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 22:15 . 2008-01-21 02:24 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-16 22:15 . 2008-01-21 02:23 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-16 22:15 . 2008-01-21 02:24 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-16 22:15 . 2011-04-21 13:28 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-13 22:21 . 2012-02-13 22:21 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-02-13 00:05 . 2012-02-13 00:05 1409 ----a-w- c:\windows\QTFont.for
2012-02-12 07:47 . 2012-02-12 07:47 -------- d-----w- C:\DARK
2012-02-08 03:17 . 2012-02-08 03:17 -------- d-----w- c:\program files\Symantec
2012-02-07 23:39 . 2012-02-15 20:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-06 17:19 . 2009-03-18 21:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2012-02-06 17:19 . 2012-02-06 17:19 -------- d-----w- c:\program files\LogMeIn Hamachi
2012-02-05 20:59 . 2012-02-18 19:14 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-02 09:47 . 2012-02-02 09:47 -------- d-----w- c:\users\Renecito\AppData\Roaming\ZOO Digital Publishing
2012-01-30 22:31 . 2012-01-30 22:31 -------- d-----w- c:\users\Renecito\AppData\Roaming\Hi-Rez Studios
2012-01-30 22:27 . 2012-01-30 22:27 -------- d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2012-01-29 03:37 . 2012-01-29 03:37 -------- d-----w- c:\users\Renecito\AppData\Roaming\runic games
2012-01-27 22:31 . 2012-01-27 22:31 49152 ----a-r- c:\users\Renecito\AppData\Roaming\Microsoft\Installer\{46B69F5F-E77D-49DE-9729-0F562564A15E}\NewShortcut1_46B69F5FE77D49DE97290F562564A15E_1.exe
2012-01-26 22:34 . 2012-01-26 22:34 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2012-01-26 22:28 . 2010-08-20 00:24 255496 ----a-w- c:\windows\system32\MijFrc.dll
2012-01-25 20:21 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2012-01-25 20:20 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-25 20:20 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 20:20 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 20:20 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 20:20 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-25 20:20 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 20:20 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-15 21:00 . 2012-02-16 21:59 66560 ----a-w- c:\windows\system32\drivers\smb.svs
2012-02-15 21:00 . 2009-09-19 02:49 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2012-02-09 03:24 . 2012-02-15 01:07 67072 ----a-w- c:\windows\system32\drivers\cdrom.svs
2012-02-07 23:40 . 2009-09-19 02:50 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-12-18 22:15 . 2011-05-17 18:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-16 09:40 . 2011-01-23 01:53 41984 ----a-w- c:\windows\system32\~WebUpdateHelper.exe
2011-12-15 03:38 . 2010-09-26 21:41 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-15 03:38 . 2010-09-26 21:41 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-25 15:59 . 2012-01-11 00:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37 . 2012-01-11 00:47 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 04:26 . 2011-03-24 02:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Renecito\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Renecito\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Renecito\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 343168]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-10-29 128296]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-02 1987976]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 1809992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-07-30 497000]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-02-28 395640]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-15 1242448]
"Google Update"="c:\users\Renecito\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-25 136176]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2011-11-10 109640]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
"Akamai NetSession Interface"="c:\users\Renecito\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
.
c:\users\Renecito\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Renecito\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-1-18 24246216]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-5-2 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-24 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
.
R4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CiscoVpnInstallService
fix
omniinet
pctfw1
se45mdm
EL90X
dot4scan
tmesbs32
P17xfi
snapman380
scan
spupdsvc
WmHidLo
WacomVKHid
MSIRCOMM
hap17v2k
ccflic0
elbycdio
liveupdate
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-04-07 00:38]
.
2012-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 03:43]
.
2012-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 03:43]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1000Core.job
- c:\users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-23 18:33]
.
2012-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1000UA.job
- c:\users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-23 18:33]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1001Core.job
- c:\users\Renecito\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-25 23:37]
.
2012-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4147781646-3040779410-4144261254-1001UA.job
- c:\users\Renecito\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-25 23:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: Interfaces\{EA39B9B6-117E-49A6-8237-B4946E3D8418}: NameServer = 192.168.254.254
FF - ProfilePath - c:\users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\xsqb8vub.Blogging\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-18 15:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"=hex:51,66,7a,6c,4c,1d,38,12,2d,dd,7a,
ab,6a,33,56,03,c9,ec,8d,26,b0,f3,64,49
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d2,bc,6f,0b,45,e5,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,d1,3b,0a,0b,bb,72,4c,8c,76,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,d1,3b,0a,0b,bb,72,4c,8c,76,2c,\
.
[HKEY_USERS\S-1-5-21-4147781646-3040779410-4144261254-1001\Software\KISS\«0¹0¿0à0á0¤0É03*D*]
"InstallPath"="c:\\Games\\My game"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-18 15:29:12
ComboFix-quarantined-files.txt 2012-02-18 20:29
ComboFix2.txt 2012-02-16 22:24
.
Pre-Run: 344,432,324,608 bytes free
Post-Run: 343,565,402,112 bytes free
.
- - End Of File - - 404398E97011B541B0D42AB63A55D3C0

Edited by Balkon, 18 February 2012 - 03:41 PM.
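
Two things in the logs of this post are worth recognising mechanically. In the first aswMBR run the disk call chain ends in >>UNKNOWN [0x91fd2fc0]<< and a driver object named \Driver\00000875 has its IRP_MJ_CREATE dispatch pointing at that same address, which aswMBR could not attribute to any loaded module; after the cdrom.sys fix and reboot the second run shows a normal chain down to atapi.sys. In the ComboFix "Other Deletions" list the $NtUninstallKB51131$ folder with its U\ and L\ subfolders and "@" files is the on-disk layout published descriptions of ZeroAccess (Sirefef) give for that period. The script below is an added example, not part of aswMBR, ComboFix or any post in the thread; it runs over lines copied from those logs, and its regexes and function names are its own.

```python
"""Pick ZeroAccess-style indicators out of aswMBR and ComboFix output.

Added example for this thread, not part of aswMBR, ComboFix or the original
posts. Sample lines are copied from the logs above; the regexes and function
names are this example's own.
"""
import re

# Constructed from the first aswMBR run above (before the cdrom.sys fix).
ASWMBR_INFECTED = r"""
14:16:00.383 File: C:\Windows\system32\drivers\cdrom.sys **SUSPICIOUS**
14:16:05.864 Disk 0 trace - called modules:
14:16:05.877 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x91fd2fc0]<<
14:16:05.880 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88675ac8]
14:16:05.884 3 CLASSPNP.SYS[8dba88b3] -> nt!IofCallDriver -> [0x898a1790]
14:16:05.888 \Driver\00000875[0x8a56b6c0] -> IRP_MJ_CREATE -> 0x91fd2fc0
14:16:05.891 Scan finished successfully
"""

# Constructed from the second aswMBR run above (after the fix and reboot).
ASWMBR_CLEAN = r"""
14:21:38.881 Disk 0 trace - called modules:
14:21:38.896 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
14:21:38.912 5 acpi.sys[806906bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x877478a0]
14:21:38.912 Scan finished successfully
"""

# Constructed from the ComboFix "Other Deletions" list above, plus one benign
# driver path from its "Files Created" section as a negative control.
COMBOFIX_PATHS = r"""
c:\windows\$NtUninstallKB51131$
c:\windows\$NtUninstallKB51131$\3516339756\@
c:\windows\$NtUninstallKB51131$\3516339756\cfg.ini
c:\windows\$NtUninstallKB51131$\3516339756\L\qnbwvoto
c:\windows\$NtUninstallKB51131$\3516339756\U\00000001.@
c:\windows\$NtUninstallKB51131$\3516339756\U\80000032.@
c:\windows\system32\drivers\tdx.sys
"""

SUSPICIOUS = re.compile(r"File: (\S+) \*\*SUSPICIOUS\*\*")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")
# "\Driver\00000875[0x8a56b6c0] -> IRP_MJ_CREATE -> 0x91fd2fc0": a driver object
# whose dispatch entry points at an address aswMBR could not map to any module.
HOOK = re.compile(r"(\\Driver\\\S+?)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)")

# Payload tree: %windir%\$NtUninstallKB<digits>$\<digits>\ with U\ and L\
# subfolders and files named "@" or "<8 hex digits>.@".
ZA_ROOT = re.compile(r"\\\$NtUninstallKB\d+\$(?:\\|$)", re.IGNORECASE)
ZA_PAYLOAD = re.compile(r"\\[UL]\\[^\\]+$|\\@$|\\[0-9a-f]{8}\.@$", re.IGNORECASE)


def aswmbr_findings(log):
    """Return suspicious files, unmapped modules, and dispatch hooks that land in them."""
    files, unknown, hooks = [], set(), []
    for line in log.splitlines():
        if m := SUSPICIOUS.search(line):
            files.append(m.group(1))
        if m := UNKNOWN.search(line):
            unknown.add(m.group(1))
        if m := HOOK.search(line):
            hooks.append((m.group(1), m.group(2), m.group(3)))
    return {
        "suspicious_files": files,
        "unknown_modules": sorted(unknown),
        "hooks_into_unknown": [h for h in hooks if h[2] in unknown],
    }


def is_clean(findings):
    """True when nothing in the aswMBR trace points outside a known module."""
    return not (findings["suspicious_files"] or findings["unknown_modules"])


def zeroaccess_paths(paths):
    """Classify each path as a ZeroAccess 'container' or 'payload' item, or skip it."""
    hits = {}
    for p in (p.strip() for p in paths):
        if p and ZA_ROOT.search(p):
            hits[p] = "payload" if ZA_PAYLOAD.search(p) else "container"
    return hits
```

The hook check is the one to keep: a dispatch entry that resolves to no module is the kernel-side symptom, independent of which driver file the sample happened to patch (cdrom.sys here, smb.sys on the FSS dates earlier in the thread), whereas the folder-name check only catches the variant that used this layout.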


#14 nasdaq
  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 February 2012 - 09:21 AM

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===


Please let me know what issues are still pending.

#15 Balkon
  • Topic Starter
  • Members
  • 19 posts

Posted 19 February 2012 - 05:20 PM

Logs are pretty huge; I don't think bleepingcomputer is even letting me post OTL in one post. So here's part one of OTL.TXT

OTL logfile created on: 2/19/2012 4:32:19 PM - Run 1
OTL by OldTimer - Version 3.2.33.0 Folder = C:\Users\Renecito\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.03 Gb Available Physical Memory | 62.51% Memory free
6.68 Gb Paging File | 5.43 Gb Available in Paging File | 81.19% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 586.11 Gb Total Space | 317.02 Gb Free Space | 54.09% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 9.91 Gb Free Space | 99.09% Space Free | Partition Type: NTFS

Computer Name: RENE-PC | User Name: Renecito | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Renecito\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Users\Renecito\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe (Logitech Inc.)
PRC - C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Windows\System32\libusbd-nt.exe (http://libusb-win32.sourceforge.net)


========== Modules (No Company Name) ==========

MOD - C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\ppgooglenaclpluginchrome.dll ()
MOD - C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\pdf.dll ()
MOD - C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\avutil-51.dll ()
MOD - C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\avformat-53.dll ()
MOD - C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\avcodec-53.dll ()
MOD - C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\gcswf32.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\22e853d2fe1435baa459685dee7ce7b7\WindowsFormsIntegration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\231b0b42eff55de5c7d7debe555c16b7\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\94f892556ec9fa7a508fc9d214ceaedf\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\5aab9bc687029a908fc01473f8e5f77b\UIAutomationProvider.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\53f949f4664bb316f9b7a00d73a6e290\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\fd2c727bcef2e019eb96c1145f423701\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1363115565fff5a641243a48f396f107\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\367c4043efc2f32d843cb588b0dc97fc\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\fecd1103dd16dc1192402770caf56575\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\311bc26c3ed83409589eb6bae0eeb86e\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\c1c06a392871267db27f7cbc40e1c4fb\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\40da9084d0863e07d7ce55953833b8b0\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\8adb45c62e4c797bd4c706afe9e8bfb9\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\f9c36ea806e77872dce891c77b68fac3\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll ()
MOD - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll ()
MOD - C:\Windows\System32\atitmpxx.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
MOD - \\.\globalroot\systemroot\system32\mswsock.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SessionLauncher) -- File not found
SRV - (Akamai) -- c:\program files\common files\akamai/netsession_win_7de0ed9.dll ()
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (Hamachi2Svc) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (HiPatchService) -- C:\Program Files\Hi-Rez Studios\HiPatchService.exe (Hi-Rez Studios)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (Futuremark SystemInfo Service) -- C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe (Futuremark Corporation)
SRV - (dldt_device) -- C:\Windows\System32\dldtcoms.exe ( )
SRV - (RoxLiveShare10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (Sonic Solutions)
SRV - (RoxWatch10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe (Sonic Solutions)
SRV - (RoxMediaDB10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe (Sonic Solutions)
SRV - (CiscoVpnInstallService) -- C:\Windows\System32\govsrv.dll (Oak Technology Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (AERTFilters) -- C:\Windows\System32\AERTSrv.exe (Andrea Electronics Corporation)
SRV - (libusbd) -- C:\Windows\System32\libusbd-nt.exe (http://libusb-win32.sourceforge.net)


========== Driver Services (SafeList) ==========

DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (AtiHDAudioService) -- C:\Windows\System32\drivers\AtihdLH3.sys (Advanced Micro Devices)
DRV - (MotioninJoyXFilter) -- C:\Windows\System32\drivers\MijXfilt.sys (MotioninJoy)
DRV - (LGVirHid) -- C:\Windows\System32\drivers\LGVirHid.sys (Logitech Inc.)
DRV - (LGBusEnum) -- C:\Windows\System32\drivers\LGBusEnum.sys (Logitech Inc.)
DRV - (WinUSB) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (mcdbus) -- C:\Windows\System32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - ({1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}) -- C:\Program Files\CyberLink\PowerDVD DX\000.fcl (Cyberlink Corp.)
DRV - (AmdLLD) -- C:\Windows\System32\drivers\AmdLLD.sys (AMD, Inc.)
DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (speedfan) -- C:\Windows\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (atidgllk) -- C:\Users\Renecito\Downloads\ati_winflash_2.0.1.14\atidgllk.sys (ATI Technologies Inc.)
DRV - (libusb0) -- C:\Windows\System32\drivers\libusb0.sys ()
DRV - (giveio) -- C:\Windows\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: chachaguidebar@chacha.com:1.2
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: vshareus@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Renecito\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Renecito\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Renecito\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/15 23:26:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/09 14:36:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/15 23:26:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/09 14:36:12 | 000,000,000 | ---D | M]

[2010/03/25 18:33:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Extensions
[2011/06/03 14:56:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\extensions
[2010/09/22 19:30:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/24 02:15:08 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2010/10/24 19:02:38 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\extensions\vshare@toolbar
[2010/11/13 21:42:45 | 000,000,000 | ---D | M] (vShare) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\extensions\vshareus@toolbar
[2012/02/07 04:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\xsqb8vub.Blogging\extensions
[2012/02/07 04:12:04 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\xsqb8vub.Blogging\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/03/24 02:43:56 | 000,001,635 | ---- | M] () -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\searchplugins\firefox-add-ons.xml
[2011/03/24 03:10:26 | 000,005,471 | ---- | M] () -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\searchplugins\googlecom-in-english.xml
[2011/03/24 02:44:24 | 000,001,032 | ---- | M] () -- C:\Users\Renecito\AppData\Roaming\Mozilla\Firefox\Profiles\x65rv9ny.default\searchplugins\wikipedia-eng.xml
[2012/02/09 00:40:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/09 00:40:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2011/07/17 20:04:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2011/07/17 20:04:24 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
() (No name found) -- C:\USERS\RENECITO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X65RV9NY.DEFAULT\EXTENSIONS\{888D99E7-E8B5-46A3-851E-1EC45DA1E644}.XPI
() (No name found) -- C:\USERS\RENECITO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X65RV9NY.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
() (No name found) -- C:\USERS\RENECITO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X65RV9NY.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\USERS\RENECITO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X65RV9NY.DEFAULT\EXTENSIONS\{E4A8A97B-F2ED-450B-B12D-EE082BA24781}.XPI
() (No name found) -- C:\USERS\RENECITO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X65RV9NY.DEFAULT\EXTENSIONS\CHACHAGUIDEBAR@CHACHA.COM.XPI
() (No name found) -- C:\USERS\RENECITO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X65RV9NY.DEFAULT\EXTENSIONS\MORNINGCOFFEE@SHANELIESEGANG.XPI
[2011/12/15 23:26:54 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/12/31 04:05:32 | 000,040,960 | ---- | M] (BYOND) -- C:\Program Files\mozilla firefox\plugins\npbyond.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/07/11 16:48:12 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2011/12/15 23:26:52 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/09/02 19:22:20 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
[2011/12/15 23:26:52 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Renecito\AppData\Local\Google\Chrome\Application\17.0.963.56\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U30 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: BYOND stub plugin for Mozilla (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npbyond.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Winamp Application Detector (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\Renecito\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.9_0\
CHR - Extension: Angry Birds = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2.1_0\
CHR - Extension: Adblock Plus (Beta) = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.2_0\
CHR - Extension: Add to Amazon Wish List = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced\1.0.0.8_0\
CHR - Extension: 4chan Extension = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehbdpfkillcfibeehjheknempdbfboia\1.13_0\
CHR - Extension: No YouTube Comments = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbeblcelbmadebneggicbpkjhlppjoen\1.0_0\
CHR - Extension: Poppit = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
CHR - Extension: 4chan Plus = C:\Users\Renecito\AppData\Local\Google\Chrome\User Data\Default\Extensions\pinelipedelckihohgdlpcclgocodhjj\2.3.9_0\

O1 HOSTS File: ([2012/02/18 15:26:51 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
O4 - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
O4 - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Renecito\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Renecito\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Renecito\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EA39B9B6-117E-49A6-8237-B4946E3D8418}: NameServer = 192.168.254.254
O18 - Protocol\Handler\vsharechrome - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Renecito\Pictures\KS\e7914ed83c24bc319747c5e4b5ef3914.jpg
O24 - Desktop BackupWallPaper: C:\Users\Renecito\Pictures\KS\e7914ed83c24bc319747c5e4b5ef3914.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
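A few things in the log above are what a responder would pull out first: a core Winsock DLL (mswsock.dll) referenced twice through the `\\?\globalroot` device namespace instead of its normal drive-letter path, a service (SessionLauncher) whose file is gone, a run of Protocol_Catalog9 Winsock LSP entries that point at a missing mdnsNSP.dll (a broken LSP chain can by itself break networking for Winsock applications), a kernel driver loaded from a Downloads folder, and EnableLUA = 0. The following is an added example, not part of the original post and not OTL's own code: a small Python triage script that parses the SRV, DRV, MOD, O6/O7 and O10 line shapes OTL prints and flags those patterns. The sample lines are copied from the log above; the rule names, the Entry/Finding classes and the heuristics themselves are my own choices, and a hit is a reason to look closer, not a verdict.

```python
"""Triage helper for OTL-style logs (added example; not from the post or OTL).
Parses the SRV / DRV / MOD / O6-O7 / O10 line shapes seen above and flags the
entries worth looking at first."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str          # SRV, DRV, MOD, O6, O7 or O10
    name: str          # service/driver name, catalog entry, or policy value name
    path: str          # file path as printed ("" when none)
    company: str       # publisher from version info ("" when OTL printed "()")
    missing: bool      # line carried "File not found"
    value: str = ""    # policy data for O6/O7 lines
    raw: str = ""


@dataclass(frozen=True)
class Finding:
    rule: str
    entry: Entry


_SRVDRV = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]*)\).*? -- (?P<rest>.*)$")
_MOD = re.compile(r"^(?P<kind>MOD) - (?P<rest>.*)$")
_O10 = re.compile(r"^(?P<kind>O10) - (?P<name>\S+)(?: \[\])? - (?P<rest>.*)$")
_POLICY = re.compile(r"^(?P<kind>O[67]) - (?P<key>[^:]*): (?P<name>\w+) = (?P<value>.*)$")
DEVICE_NS = (r"\\?\globalroot", r"\\.\globalroot")   # kernel object namespace prefixes


def _split_tail(rest):
    """Split 'path (Company)', 'path File not found' or 'File not found'.
    Walks back over the trailing parenthesised publisher so nested parentheses
    such as 'Inc. (PCAUSA))' and 'Program Files (x86)' are handled."""
    rest = rest.strip()
    if rest.endswith("File not found"):
        return rest[: -len("File not found")].strip(), "", True
    if rest.endswith(")"):
        depth = 0
        for i in range(len(rest) - 1, -1, -1):
            if rest[i] == ")":
                depth += 1
            elif rest[i] == "(":
                depth -= 1
                if depth == 0:
                    return rest[:i].strip(), rest[i + 1:-1].strip(), False
    return rest, "", False


def parse_line(raw):
    """Return an Entry for a recognised OTL line, else None."""
    line = raw.strip()
    m = _POLICY.match(line)
    if m:
        return Entry(m["kind"], m["name"], "", "", False, m["value"].strip(), line)
    for rx in (_SRVDRV, _MOD, _O10):
        m = rx.match(line)
        if m:
            path, company, missing = _split_tail(m["rest"])
            return Entry(m["kind"], m.groupdict().get("name", ""), path, company, missing, "", line)
    return None


def _rules(e):
    """Triage heuristics (my own); each hit is a reason to look closer, not a verdict."""
    p = e.path.lower()
    if e.missing and e.kind in ("SRV", "DRV", "O10"):
        yield "missing-file"             # dangling service, driver or Winsock LSP entry
    if p.startswith(DEVICE_NS):
        yield "device-namespace-path"    # module referenced via \\?\globalroot, not a drive letter
    if e.kind in ("SRV", "DRV") and not e.missing and not e.company:
        yield "no-publisher"             # version info carries no company name
    if e.kind == "DRV" and "\\users\\" in p:
        yield "driver-in-user-profile"   # kernel driver loaded from a user's folders
    if e.kind in ("O6", "O7") and e.name.lower() == "enablelua" and e.value == "0":
        yield "uac-disabled"


def triage(log_text):
    return [Finding(rule, e)
            for e in map(parse_line, log_text.splitlines()) if e
            for rule in _rules(e)]


def summarize(findings):
    """rule -> names (or paths for nameless MOD lines), in log order."""
    out = {}
    for f in findings:
        out.setdefault(f.rule, []).append(f.entry.name or f.entry.path)
    return out


# Input lines copied from the log in the post above; nothing here is invented.
SAMPLE_LOG = r"""
MOD - C:\Windows\System32\atitmpxx.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
MOD - \\.\globalroot\systemroot\system32\mswsock.dll ()
SRV - (SessionLauncher) -- File not found
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (dldt_device) -- C:\Windows\System32\dldtcoms.exe ( )
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (atidgllk) -- C:\Users\Renecito\Downloads\ati_winflash_2.0.1.14\atidgllk.sys (ATI Technologies Inc.)
DRV - (giveio) -- C:\Windows\system32\giveio.sys ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.entry.raw}")
```

Run on the full log this prioritises rather than decides: `no-publisher` is noisy because drivers from small utilities (the speedfan.sys and giveio.sys pair here) often ship without company information in their version resource, and a `device-namespace-path` hit only says the loader reached a system DLL by an unusual route, which is the cue to compare that file's hash against a known-good copy rather than a diagnosis on its own.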