Infected with google redirect - like everyone else


This topic is locked
13 replies to this topic

#1 dkdkdkdk

  • Members
  • 6 posts

Posted 17 February 2012 - 04:05 AM

Hi there,
I have read your preparations steps on posting logs and will start with DDS log. Also, I have attached the Attach.txt from DDS and the Ark.txt from GMER.

Other information:
I have Symantec AV installed.
I have tried with Malwarebytes, but without luck.
I have tried the tdsskiller from Kaspersky, without luck.
I have tried combofix, without luck.
Google is redirecting in both IE and Firefox.
I have checked the proxy settings, which are fine (set to automatic).
...think that was it.

Hope some kind soul out there can help me.
Thank you so much for your help!

Kind regards
DK

DDS LOG:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by jj at 11:40:54 on 2012-02-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.45.1030.18.1912.661 [GMT 1:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\System32\svchost.exe -k Cognizance
C:\windows\System32\svchost.exe -k Bioscrypt
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\Hpservice.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskeng.exe
c:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\rundll32.exe
C:\windows\system32\AEADISRV.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\DesktopCentral_Agent\bin\dcagentservice.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\DesktopCentral_Agent\bin\dcondemand.exe
C:\windows\system32\conhost.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\DesktopCentral_Agent\bin\dcagenttrayicon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\SwyxIt!\SwyxIt!.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\SwyxIt!\CLMgr.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\vssvc.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=da_DK&c=92&bd=all&pf=cmnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\manage~1.lnk - c:\program files\desktopcentral_agent\bin\dcagenttrayicon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\swyxit!.lnk - c:\program files\swyxit!\SwyxIt!.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: LocalAccountTokenFilterPolicy = 1 (0x1)
IE: Dial selected number / URI - c:\program files\swyxit!\IEDial.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: S&end til OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Send billede til &Bluetooth-enhed... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send siden til &Bluetooth-enhed... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {F8E553C6-4C00-11D3-80BC-00105A653379} - c:\program files\swyxit!\IEDial.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.101.5
TCP: Interfaces\{98C3EE58-67DA-4249-8DA2-292F245E5C48} : DhcpNameServer = 192.168.101.5
TCP: Interfaces\{98C3EE58-67DA-4249-8DA2-292F245E5C48}\358656271647F6E6027556E6A586F6570284F64756C6 : DhcpNameServer = 61.153.177.198 61.153.177.199
TCP: Interfaces\{98C3EE58-67DA-4249-8DA2-292F245E5C48}\B414259435 : DhcpNameServer = 193.162.153.164 194.239.134.83
TCP: Interfaces\{98C3EE58-67DA-4249-8DA2-292F245E5C48}\D41627363702960586F6E656 : DhcpNameServer = 194.239.134.83 193.162.153.164
TCP: Interfaces\{98C3EE58-67DA-4249-8DA2-292F245E5C48}\D6F6271696E656 : DhcpNameServer = 192.168.4.90 192.168.4.1
TCP: Interfaces\{CCD1C6E5-C79B-4EE4-B991-215A83586694} : DhcpNameServer = 192.168.101.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\hewlet~1\iam\bin\APSHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
IFEO: image file execution options - svchost.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jj\appdata\roaming\mozilla\firefox\profiles\3ea8yw3u.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2009-7-30 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-7-30 12960]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c01029f\136b.105\x86\SymDS.sys [2011-10-12 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c01029f\136b.105\x86\SymEFA.sys [2011-10-12 756856]
R1 BHDrvx86;BHDrvx86;c:\programdata\symantec\symantec endpoint protection\12.1.671.4971.105\data\definitions\bashdefs\20120215.011\BHDrvx86.sys [2012-2-16 820344]
R1 IDSVix86;IDSVix86;c:\programdata\symantec\symantec endpoint protection\12.1.671.4971.105\data\definitions\ipsdefs\20120215.002\IDSvix86.sys [2012-2-16 368248]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2009-7-30 12528]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c01029f\136b.105\x86\Ironx86.sys [2011-10-12 136312]
R1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\sep\0c01029f\136b.105\x86\symnets.sys [2011-10-12 299640]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-4 207400]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2009-7-14 20992]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Bioscrypt [2009-7-14 20992]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2009-7-29 1201400]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2009-7-30 256544]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2009-7-8 26168]
R2 IAANTMON;Intel® Matrix Storage Event Monitor;c:\program files\intel\intel matrix storage manager\IAANTmon.exe [2010-1-7 354840]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2008-12-6 3315080]
R2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 7 - Agent;c:\program files\desktopcentral_agent\bin\dcagentservice.exe [2011-9-8 568456]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\ccSvcHst.exe [2011-10-12 137224]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-4-16 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-7-29 482176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-4-16 29472]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-1-7 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-7-13 214016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]
R3 NETw5s32;Intel® Wireless WiFi Link adapter driver til Windows 7 32 Bit ;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-4-16 49152]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Tjenesten Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-15 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Tjeneste (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-15 136176]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2009-7-30 45056]
S3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 7 - Remote Control;c:\program files\desktopcentral_agent\bin\dcrdservice.exe [2011-9-8 580744]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-6-4 4231680]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Lagertjeneste;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-6 52224]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2011-5-10 42496]
S3 WatAdminSvc;Tjenesten Windows Aktivering;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-22 1343400]
.
=============== Created Last 30 ================
.
2012-02-16 10:08:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-14 18:40:59 -------- d-----w- c:\users\jj\appdata\roaming\AV Security Essentials
2012-02-14 18:40:56 -------- d-sh--w- c:\programdata\AVJVYPDVSE
2012-02-14 18:40:40 -------- d-----w- c:\programdata\86a0d1
2012-02-04 12:51:27 -------- d-----w- c:\users\jj\appdata\local\CrashDumps
2012-02-03 14:17:20 -------- d-s---w- C:\ComboFix
2012-02-03 13:53:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-03 13:21:41 2 --shatr- c:\windows\winstart.bat
2012-02-03 13:00:52 -------- d-----w- c:\program files\UnHackMe
2012-02-03 12:43:45 -------- d-----w- c:\users\jj\appdata\roaming\Malwarebytes
2012-02-03 12:43:34 -------- d-----w- c:\programdata\Malwarebytes
2012-02-03 12:43:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-03 12:32:58 -------- d-----w- c:\users\jj\appdata\local\NPE
2012-02-03 12:32:58 -------- d-----w- c:\programdata\Norton
2012-02-03 12:14:59 -------- d-sh--w- C:\$RECYCLE.BIN
2012-02-03 11:58:05 98816 ----a-w- c:\windows\sed.exe
2012-02-03 11:58:05 518144 ----a-w- c:\windows\SWREG.exe
2012-02-03 11:58:05 256000 ----a-w- c:\windows\PEV.exe
2012-02-03 11:58:05 208896 ----a-w- c:\windows\MBR.exe
2012-01-31 09:20:00 84992 --sha-r- c:\windows\system32\sysedith.dll
2012-01-22 18:45:47 -------- d-----w- c:\program files\DaBriSoft
2012-01-17 22:08:38 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-17 22:08:38 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-17 22:08:38 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-17 22:08:38 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 22:08:38 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-17 22:08:38 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-17 22:08:38 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-17 22:08:38 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-17 22:08:38 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-17 22:08:37 15872 ----a-w- c:\windows\system32\sspisrv.dll
.
==================== Find3M ====================
.
2012-01-14 03:35:54 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 07:40:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 08:58:41 442880 ----a-w- c:\windows\system32\ntshrui.dll
2011-12-30 05:27:56 478720 ----a-w- c:\windows\system32\timedate.cpl
2011-12-16 07:54:22 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-16 07:52:58 690688 ----a-w- c:\windows\system32\msvcrt.dll
2011-12-16 06:09:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-19 14:01:00 67072 ----a-w- c:\windows\system32\packager.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD25 rev.12.0 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x8303E000]<< >>UNKNOWN [0x8942D000]<< >>UNKNOWN [0x8A1EF000]<< >>UNKNOWN [0x8A029000]<< >>UNKNOWN [0x83007000]<< >>UNKNOWN [0x8960B000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x8307552A] -> \Device\Harddisk0\DR0[0x871BE438]
\Driver\Disk[0x871BDEE8] -> IRP_MJ_CREATE -> 0x8943139F
3 [0x8943159E] -> ntkrnlpa!IofCallDriver[0x8307552A] -> [0x871BEC48]
\Driver\hpdskflt[0x87186B50] -> IRP_MJ_CREATE -> 0x8A02AFB0
5 [0x8A02B090] -> ntkrnlpa!IofCallDriver[0x8307552A] -> \Device\Ide\IAAStorageDevice-1[0x86784028]
\Driver\iaStor[0x86769F38] -> IRP_MJ_CREATE -> 0x8964F92E
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:41:28,07 ===============

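A triage pass over lines in the DDS "Pseudo HJT Report" format, added here as an example; it is not part of this thread and not code from the DDS or GMER tools. The sample input is constructed (a few lines are copied from the log above, the rest are ordinary entries), and the severity labels, the `is_private` helper and the rule set are my own choices. It flags the entries a responder reads first in a redirect case: UAC policies set to 0, an Image File Execution Options key for a system binary, an AppInit_DLLs value, and DHCP-assigned DNS servers outside the RFC 1918 ranges. A flagged line means "review", not "malware": the AppInit DLL here sits in the same HP ProtectTools directory as the credential-manager BHO in the log, and public resolvers can be legitimate on a corporate network profile.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in DDS "Pseudo HJT Report" format. A few lines are copied
# from the log posted in this thread; the rest are ordinary, expected entries.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: LocalAccountTokenFilterPolicy = 1 (0x1)
TCP: DhcpNameServer = 192.168.101.5
TCP: Interfaces\{98C3EE58-67DA-4249-8DA2-292F245E5C48}\358656271647F6E6027556E6A586F6570284F64756C6 : DhcpNameServer = 61.153.177.198 61.153.177.199
TCP: Interfaces\{98C3EE58-67DA-4249-8DA2-292F245E5C48}\D6F6271696E656 : DhcpNameServer = 192.168.4.90 192.168.4.1
AppInit_DLLs: c:\progra~1\hewlet~1\iam\bin\APSHook.dll
IFEO: image file execution options - svchost.exe
"""

Finding = Tuple[str, str]  # (severity, reason) -- labels are my own, not DDS output

# RFC 1918 ranges; DHCP on a home or office LAN normally hands out resolvers in these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
POLICY = re.compile(r"mPolicies-system:\s*(\w+)\s*=\s*(\d+)")


def is_private(ip: str) -> bool:
    """True if ip parses and lies in an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def triage_line(line: str) -> List[Finding]:
    """Findings for one DDS line; an empty list means nothing to review."""
    line = line.strip()
    out: List[Finding] = []
    if line.startswith("mPolicies-system:"):
        m = POLICY.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name == "EnableLUA" and value == 0:
                out.append(("high", "UAC is off (EnableLUA = 0); admin logons run every process with a full token"))
            elif name.startswith("ConsentPromptBehavior") and value == 0:
                out.append(("medium", f"{name} = 0: elevation proceeds without prompting"))
            elif name == "LocalAccountTokenFilterPolicy" and value == 1:
                out.append(("medium", "LocalAccountTokenFilterPolicy = 1: UAC remote restrictions for local accounts are off"))
    elif line.startswith("TCP:") and "DhcpNameServer" in line:
        # One DhcpNameServer line per network profile; only the part after the key holds addresses.
        servers = IPV4.findall(line.split("DhcpNameServer", 1)[1])
        public = [ip for ip in servers if not is_private(ip)]
        if public:
            out.append(("medium", "DHCP-assigned DNS outside private ranges: " + " ".join(public)
                        + "; confirm the network this profile was learned on really uses them"))
    elif line.startswith("AppInit_DLLs:"):
        dll = line.split(":", 1)[1].strip()
        out.append(("medium", f"AppInit_DLLs loads {dll} into every process that links user32; verify the publisher"))
    elif line.startswith("IFEO:"):
        target = line.rsplit("-", 1)[-1].strip()
        out.append(("high", f"Image File Execution Options key for {target}; a Debugger value there runs another binary in its place"))
    return out


def triage(report: str) -> Dict[str, List[Finding]]:
    """Map each DDS line that needs review to its findings, in report order."""
    results: Dict[str, List[Finding]] = {}
    for raw in report.splitlines():
        findings = triage_line(raw)
        if findings:
            results[raw.strip()] = findings
    return results


def summary(report: str) -> List[str]:
    """Human-readable rows, highest severity first (stable within a severity)."""
    order = {"high": 0, "medium": 1}
    rows = [(sev, reason, line) for line, fs in triage(report).items() for sev, reason in fs]
    rows.sort(key=lambda r: order[r[0]])
    return [f"[{sev.upper():6}] {reason}\n          {line}" for sev, reason, line in rows]


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_DDS)))
```

Run as a script it prints the two high findings (UAC off, IFEO key for svchost.exe) followed by the four medium ones; the private-only DhcpNameServer lines produce nothing. To use it on a real DDS log, pass the text of the Pseudo HJT section to `summary()`; lines it does not recognise are simply skipped, so the rule set can be extended one `elif` at a time.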

#2 gringo_pr
    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 12:10 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 dkdkdkdk
  • Topic Starter

  • Members
  • 6 posts

Posted 22 February 2012 - 05:59 AM

Hi Gringo

Thanks for your reply.
Unfortunately I cannot get Symantec disabled. I first tried to disable it by following the guide in your links, but without luck. I have even tried to uninstall it completely and deleted related reg keys and related files, but still when I try to run ComboFix it tells me that Symantec is still an active real time scanner.

What should I do? Should I run ComboFix anyways? I can't find any traces of Symantec running on my computer either as processes or services.

Kind regards
Marc

#4 gringo_pr
    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 February 2012 - 06:06 AM

Hello


Yes - go ahead and run combofix anyway


Gringo

#5 dkdkdkdk
  • Topic Starter

  • Members
  • 6 posts

Posted 22 February 2012 - 07:31 AM

Ran ComboFix without any problems; I have pasted the log below.
Google is still redirecting me though. Anyway, here is the log. Thanks for helping me out.

ComboFix 12-02-21.02 - jj 22-02-2012 13:04:57.4.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.45.1030.18.1912.1087 [GMT 1:00]
Kører fra: c:\users\jj\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Forrige Kørsel --
.
Inficeret kopi af c:\windows\system32\userinit.exe blev fundet og desinficeret
Genskabt kopi fra - c:\windows\ERDNT\cache\userinit.exe
.
--------
.
.
((((((((((((((((((((((((((((( Filer skabt fra 2012-01-22 til 2012-02-22 )))))))))))))))))))))))))))))))))))
.
.
2012-02-22 12:11 . 2012-02-22 12:11 -------- d-----w- c:\users\studadmin\AppData\Local\temp
2012-02-22 12:11 . 2012-02-22 12:11 -------- d-----w- c:\users\mas\AppData\Local\temp
2012-02-22 12:11 . 2012-02-22 12:11 -------- d-----w- c:\users\jj7\AppData\Local\temp
2012-02-22 12:11 . 2012-02-22 12:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-22 09:54 . 2012-02-22 09:54 -------- d-----w- c:\users\jj\AppData\Local\VS Revo Group
2012-02-22 09:54 . 2009-12-30 09:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-02-22 09:54 . 2012-02-22 09:54 -------- d-----w- c:\program files\VS Revo Group
2012-02-16 17:34 . 2012-02-16 17:34 -------- d-----w- c:\programdata\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-02-16 10:08 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-14 18:40 . 2012-02-14 18:41 -------- d-----w- c:\users\jj\AppData\Roaming\AV Security Essentials
2012-02-14 18:40 . 2012-02-14 18:40 -------- d-sh--w- c:\programdata\AVJVYPDVSE
2012-02-14 18:40 . 2012-02-16 10:16 -------- d-----w- c:\programdata\86a0d1
2012-02-04 12:51 . 2012-02-14 18:41 -------- d-----w- c:\users\jj\AppData\Local\CrashDumps
2012-02-03 13:53 . 2012-02-03 13:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-03 13:21 . 2012-02-03 13:21 2 --shatr- c:\windows\winstart.bat
2012-02-03 13:16 . 2012-02-03 13:16 -------- d-----w- c:\users\jj\AppData\Local\Mozilla
2012-02-03 13:00 . 2012-02-03 14:17 -------- d-----w- c:\program files\UnHackMe
2012-02-03 12:43 . 2012-02-03 12:43 -------- d-----w- c:\users\jj\AppData\Roaming\Malwarebytes
2012-02-03 12:43 . 2012-02-03 12:43 -------- d-----w- c:\programdata\Malwarebytes
2012-02-03 12:43 . 2012-02-16 10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-03 12:32 . 2012-02-03 12:35 -------- d-----w- c:\users\jj\AppData\Local\NPE
2012-02-03 12:32 . 2012-02-03 12:33 -------- d-----w- c:\programdata\Norton
2012-01-31 09:20 . 2012-01-31 09:20 84992 --sha-r- c:\windows\system32\sysedith.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 10:05 . 2011-10-12 12:04 240048 ----a-w- c:\windows\system32\SymVPN.dll
2012-01-11 07:40 . 2011-06-29 10:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-15 06:33 . 2011-10-23 04:55 335184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-01-29 16:11 . 2012-02-03 13:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25626408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-07-27 288312]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-17 186904]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-04 400936]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2009-07-30 354360]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2009-07-23 24848]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-09-21 1791272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-03 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-03 151064]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-15 358936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-30 795936]
SwyxIt!.lnk - c:\program files\SwyxIt!\SwyxIt!.exe [2010-6-21 4069200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\HEWLET~1\IAM\Bin\APSHook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ManageEngine Desktop Central Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ManageEngine Desktop Central Agent.lnk
backup=c:\windows\pss\ManageEngine Desktop Central Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acevents]
2009-06-04 00:16 153640 ----a-w- c:\program files\ActivIdentity\ActivClient\acevents.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 13:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Tjenesten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 136176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 gupdatem;Google Update Tjeneste (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 136176]
R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2009-07-30 45056]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-06-04 4231680]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl.sys [2011-05-10 42496]
R3 WatAdminSvc;Tjenesten Windows Aktivering;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-22 1343400]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-04 207400]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-07-29 1201400]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-07-29 256544]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 26168]
S2 IAANTMON;Intel® Matrix Storage Event Monitor;c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2009-06-17 354840]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\IBM\Lotus\Notes\nsd.exe [2008-12-06 3315080]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-15 2058776]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-07-29 482176]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-07-13 214016]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 NETw5s32;Intel® Wireless WiFi Link adapter driver til Windows 7 32 Bit ;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker
Bioscrypt REG_MULTI_SZ ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Indhold af mappen 'Planlagte Opgaver'
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 09:38]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 09:38]
.
2012-02-17 c:\windows\Tasks\HPCeeScheduleForjj.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 02:22]
.
2012-02-22 c:\windows\Tasks\Tjpqzmiss.job
- c:\windows\system32\sysedith.dll [2012-01-31 09:20]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=da_DK&c=92&bd=all&pf=cmnb
uInternet Settings,ProxyOverride = *.local
IE: Dial selected number / URI - c:\program files\SwyxIt!\IEDial.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: S&end til OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send billede til &Bluetooth-enhed... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send siden til &Bluetooth-enhed... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{F8E553C6-4C00-11D3-80BC-00105A653379} - c:\program files\SwyxIt!\IEDial.htm
TCP: DhcpNameServer = 192.168.101.5
FF - ProfilePath - c:\users\jj\AppData\Roaming\Mozilla\Firefox\Profiles\3ea8yw3u.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - TOMME GENVEJE FJERNET - - - -
.
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs startet under kørende Processer ---------------------
.
- - - - - - - > 'Explorer.exe'(732)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
.
Gennemført tid: 2012-02-22 13:20:48
ComboFix-quarantined-files.txt 2012-02-22 12:20
ComboFix2.txt 2012-02-03 12:16
.
Pre-Kørsel: 182.841.643.008 byte ledig
Post-Kørsel: 182.748.590.080 byte ledig
.
- - End Of File - - 92F1D2092424170BA0EAB56029507EF4

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:12 AM

Posted 22 February 2012 - 07:59 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 dkdkdkdk

dkdkdkdk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 22 February 2012 - 08:23 AM

TDSSKiller doesn't find anything.
aswMBR did find something: File: C:\windows\system32\sysedith.dll INFECTED. Unfortunately the scan crashes every time it reaches the c:\assembly\GAC_MSIL\Microsoft.VisualStudios.Tools.Applications folder.

I have managed to save a log file during the scan before it crashes. This is NOT a complete log of the scan as it does not finish, but it is the most extended one I can get.

First log is TDSSKiller
Second log is the aswMBR


TDSSKiller LOG:

14:03:42.0302 5868 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
14:03:42.0410 5868 ============================================================
14:03:42.0410 5868 Current date / time: 2012/02/22 14:03:42.0410
14:03:42.0410 5868 SystemInfo:
14:03:42.0410 5868
14:03:42.0410 5868 OS Version: 6.1.7601 ServicePack: 1.0
14:03:42.0410 5868 Product type: Workstation
14:03:42.0410 5868 ComputerName: COPCAP-JJ7
14:03:42.0410 5868 UserName: jj
14:03:42.0410 5868 Windows directory: C:\windows
14:03:42.0410 5868 System windows directory: C:\windows
14:03:42.0410 5868 Processor architecture: Intel x86
14:03:42.0410 5868 Number of processors: 2
14:03:42.0410 5868 Page size: 0x1000
14:03:42.0410 5868 Boot type: Normal boot
14:03:42.0410 5868 ============================================================
14:03:42.0713 5868 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:03:42.0715 5868 \Device\Harddisk0\DR0:
14:03:42.0715 5868 MBR used
14:03:42.0715 5868 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x96000
14:03:42.0715 5868 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x96800, BlocksNum 0x1AF2D800
14:03:42.0715 5868 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1AFC4000, BlocksNum 0x1E00000
14:03:42.0715 5868 \Device\Harddisk0\DR0\Partition3: MBR, Type 0xC, StartLBA 0x1CDC4000, BlocksNum 0x3FD800
14:03:42.0741 5868 Initialize success
14:03:42.0741 5868 ============================================================
14:03:43.0942 2260 ============================================================
14:03:43.0942 2260 Scan started
14:03:43.0942 2260 Mode: Manual;
14:03:43.0942 2260 ============================================================
14:03:49.0937 2260 netw5v32 (af1ae2e42b03395560b1cde03230205c) C:\windows\system32\DRIVERS\netw5v32.sys
14:03:49.0961 2260 netw5v32 - ok
14:03:49.0995 2260 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\windows\system32\DRIVERS\nfrd960.sys
14:03:49.0995 2260 nfrd960 - ok
14:03:50.0022 2260 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\windows\system32\drivers\Npfs.sys
14:03:50.0023 2260 Npfs - ok
14:03:50.0035 2260 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\windows\system32\drivers\nsiproxy.sys
14:03:50.0035 2260 nsiproxy - ok
14:03:50.0106 2260 Ntfs (81189c3d7763838e55c397759d49007a) C:\windows\system32\drivers\Ntfs.sys
14:03:50.0113 2260 Ntfs - ok
14:03:50.0126 2260 Null (f9756a98d69098dca8945d62858a812c) C:\windows\system32\drivers\Null.sys
14:03:50.0127 2260 Null - ok
14:03:50.0168 2260 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\windows\system32\drivers\nvraid.sys
14:03:50.0169 2260 nvraid - ok
14:03:50.0186 2260 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\windows\system32\drivers\nvstor.sys
14:03:50.0187 2260 nvstor - ok
14:03:50.0210 2260 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\windows\system32\drivers\nv_agp.sys
14:03:50.0211 2260 nv_agp - ok
14:03:50.0239 2260 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\windows\system32\drivers\ohci1394.sys
14:03:50.0239 2260 ohci1394 - ok
14:03:50.0307 2260 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\windows\system32\DRIVERS\parport.sys
14:03:50.0308 2260 Parport - ok
14:03:50.0333 2260 Partizan - ok
14:03:50.0371 2260 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\windows\system32\drivers\partmgr.sys
14:03:50.0372 2260 partmgr - ok
14:03:50.0390 2260 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\windows\system32\DRIVERS\parvdm.sys
14:03:50.0390 2260 Parvdm - ok
14:03:50.0409 2260 pci (673e55c3498eb970088e812ea820aa8f) C:\windows\system32\drivers\pci.sys
14:03:50.0410 2260 pci - ok
14:03:50.0430 2260 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\windows\system32\drivers\pciide.sys
14:03:50.0430 2260 pciide - ok
14:03:50.0467 2260 pcmcia (f396431b31693e71e8a80687ef523506) C:\windows\system32\DRIVERS\pcmcia.sys
14:03:50.0468 2260 pcmcia - ok
14:03:50.0507 2260 pcw (250f6b43d2b613172035c6747aeeb19f) C:\windows\system32\drivers\pcw.sys
14:03:50.0508 2260 pcw - ok
14:03:50.0533 2260 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\windows\system32\drivers\peauth.sys
14:03:50.0536 2260 PEAUTH - ok
14:03:50.0604 2260 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\windows\system32\DRIVERS\raspptp.sys
14:03:50.0605 2260 PptpMiniport - ok
14:03:50.0624 2260 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\windows\system32\DRIVERS\processr.sys
14:03:50.0625 2260 Processor - ok
14:03:50.0649 2260 Psched (6270ccae2a86de6d146529fe55b3246a) C:\windows\system32\DRIVERS\pacer.sys
14:03:50.0650 2260 Psched - ok
14:03:50.0691 2260 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\windows\system32\DRIVERS\ql2300.sys
14:03:50.0698 2260 ql2300 - ok
14:03:50.0714 2260 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\windows\system32\DRIVERS\ql40xx.sys
14:03:50.0715 2260 ql40xx - ok
14:03:50.0739 2260 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\windows\system32\drivers\qwavedrv.sys
14:03:50.0740 2260 QWAVEdrv - ok
14:03:50.0758 2260 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\windows\system32\DRIVERS\rasacd.sys
14:03:50.0758 2260 RasAcd - ok
14:03:50.0768 2260 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\windows\system32\DRIVERS\AgileVpn.sys
14:03:50.0768 2260 RasAgileVpn - ok
14:03:50.0789 2260 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\windows\system32\DRIVERS\rasl2tp.sys
14:03:50.0790 2260 Rasl2tp - ok
14:03:50.0821 2260 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\windows\system32\DRIVERS\raspppoe.sys
14:03:50.0822 2260 RasPppoe - ok
14:03:50.0836 2260 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\windows\system32\DRIVERS\rassstp.sys
14:03:50.0837 2260 RasSstp - ok
14:03:50.0876 2260 rdbss (d528bc58a489409ba40334ebf96a311b) C:\windows\system32\DRIVERS\rdbss.sys
14:03:50.0877 2260 rdbss - ok
14:03:50.0892 2260 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\windows\system32\DRIVERS\rdpbus.sys
14:03:50.0892 2260 rdpbus - ok
14:03:50.0926 2260 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\windows\system32\DRIVERS\RDPCDD.sys
14:03:50.0926 2260 RDPCDD - ok
14:03:50.0964 2260 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\windows\system32\drivers\rdpdr.sys
14:03:50.0965 2260 RDPDR - ok
14:03:50.0996 2260 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\windows\system32\drivers\rdpencdd.sys
14:03:50.0996 2260 RDPENCDD - ok
14:03:51.0012 2260 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\windows\system32\drivers\rdprefmp.sys
14:03:51.0012 2260 RDPREFMP - ok
14:03:51.0047 2260 RDPWD (288b06960d78428ff89e811632684e20) C:\windows\system32\drivers\RDPWD.sys
14:03:51.0048 2260 RDPWD - ok
14:03:51.0093 2260 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\windows\system32\drivers\rdyboost.sys
14:03:51.0094 2260 rdyboost - ok
14:03:51.0157 2260 Revoflt (b9bb8e2093c1615ad6ea55ad96214354) C:\windows\system32\DRIVERS\revoflt.sys
14:03:51.0157 2260 Revoflt - ok
14:03:51.0188 2260 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\windows\system32\DRIVERS\rfcomm.sys
14:03:51.0189 2260 RFCOMM - ok
14:03:51.0230 2260 rimmptsk (df672613fbbcd58c38bb0bc2694bcfb0) C:\windows\system32\DRIVERS\rimmptsk.sys
14:03:51.0231 2260 rimmptsk - ok
14:03:51.0242 2260 rismc32 (470fc46e2989f6606043c1c5365b15fd) C:\windows\system32\DRIVERS\rismc32.sys
14:03:51.0243 2260 rismc32 - ok
14:03:51.0280 2260 rspndr (032b0d36ad92b582d869879f5af5b928) C:\windows\system32\DRIVERS\rspndr.sys
14:03:51.0281 2260 rspndr - ok
14:03:51.0312 2260 RsvLock (13335d083935ab88e09c9acc077355b5) C:\windows\system32\drivers\RsvLock.sys
14:03:51.0313 2260 RsvLock - ok
14:03:51.0346 2260 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\windows\system32\drivers\vms3cap.sys
14:03:51.0347 2260 s3cap - ok
14:03:51.0386 2260 SafeBoot (062b82fa74c895382ab0784d493c8c9c) C:\windows\system32\drivers\SafeBoot.sys
14:03:51.0387 2260 Suspicious file (NoAccess): C:\windows\system32\drivers\SafeBoot.sys. md5: 062b82fa74c895382ab0784d493c8c9c
14:03:51.0387 2260 SafeBoot ( LockedFile.Multi.Generic ) - warning
14:03:51.0387 2260 SafeBoot - detected LockedFile.Multi.Generic (1)
14:03:51.0411 2260 SbAlg (c9cb2c392c35cbee2733c836d23dc642) C:\windows\system32\drivers\SbAlg.sys
14:03:51.0412 2260 SbAlg - ok
14:03:51.0431 2260 SbFsLock (b5a8ecdee930b52fd3ba35700a15ea53) C:\windows\system32\drivers\SbFsLock.sys
14:03:51.0432 2260 SbFsLock - ok
14:03:51.0472 2260 sbp2port (05d860da1040f111503ac416ccef2bca) C:\windows\system32\drivers\sbp2port.sys
14:03:51.0473 2260 sbp2port - ok
14:03:51.0506 2260 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\windows\system32\DRIVERS\scfilter.sys
14:03:51.0506 2260 scfilter - ok
14:03:51.0545 2260 sdbus (0328be1c7f1cba23848179f8762e391c) C:\windows\system32\drivers\sdbus.sys
14:03:51.0546 2260 sdbus - ok
14:03:51.0561 2260 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\drivers\secdrv.sys
14:03:51.0562 2260 secdrv - ok
14:03:51.0601 2260 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\windows\system32\DRIVERS\serenum.sys
14:03:51.0602 2260 Serenum - ok
14:03:51.0615 2260 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\windows\system32\DRIVERS\serial.sys
14:03:51.0616 2260 Serial - ok
14:03:51.0630 2260 sermouse (79bffb520327ff916a582dfea17aa813) C:\windows\system32\DRIVERS\sermouse.sys
14:03:51.0631 2260 sermouse - ok
14:03:51.0669 2260 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\windows\system32\drivers\sffdisk.sys
14:03:51.0670 2260 sffdisk - ok
14:03:51.0686 2260 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\windows\system32\drivers\sffp_mmc.sys
14:03:51.0687 2260 sffp_mmc - ok
14:03:51.0702 2260 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\windows\system32\drivers\sffp_sd.sys
14:03:51.0703 2260 sffp_sd - ok
14:03:51.0721 2260 sfloppy (db96666cc8312ebc45032f30b007a547) C:\windows\system32\DRIVERS\sfloppy.sys
14:03:51.0721 2260 sfloppy - ok
14:03:51.0748 2260 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\windows\system32\drivers\sisagp.sys
14:03:51.0748 2260 sisagp - ok
14:03:51.0775 2260 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\windows\system32\DRIVERS\SiSRaid2.sys
14:03:51.0776 2260 SiSRaid2 - ok
14:03:51.0786 2260 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\windows\system32\DRIVERS\sisraid4.sys
14:03:51.0787 2260 SiSRaid4 - ok
14:03:51.0811 2260 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
14:03:51.0812 2260 Smb - ok
14:03:51.0909 2260 SNP2UVC (869d33035d5ca4b5bc58777b8fd1f47f) C:\windows\system32\DRIVERS\snp2uvc.sys
14:03:51.0919 2260 SNP2UVC - ok
14:03:51.0937 2260 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
14:03:51.0937 2260 spldr - ok
14:03:51.0989 2260 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\windows\system32\DRIVERS\srv.sys
14:03:51.0991 2260 srv - ok
14:03:52.0015 2260 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\windows\system32\DRIVERS\srv2.sys
14:03:52.0017 2260 srv2 - ok
14:03:52.0037 2260 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\windows\system32\DRIVERS\srvnet.sys
14:03:52.0039 2260 srvnet - ok
14:03:52.0073 2260 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
14:03:52.0073 2260 stexstor - ok
14:03:52.0125 2260 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\windows\system32\drivers\vmstorfl.sys
14:03:52.0126 2260 storflt - ok
14:03:52.0152 2260 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\windows\system32\drivers\storvsc.sys
14:03:52.0152 2260 storvsc - ok
14:03:52.0170 2260 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\drivers\swenum.sys
14:03:52.0170 2260 swenum - ok
14:03:52.0234 2260 SynTP (0e8676fb3bb95aa40fdf7a4a31018c8b) C:\windows\system32\DRIVERS\SynTP.sys
14:03:52.0241 2260 SynTP - ok
14:03:52.0307 2260 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\drivers\tcpip.sys
14:03:52.0315 2260 Tcpip - ok
14:03:52.0382 2260 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\DRIVERS\tcpip.sys
14:03:52.0389 2260 TCPIP6 - ok
14:03:52.0426 2260 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\windows\system32\drivers\tcpipreg.sys
14:03:52.0427 2260 tcpipreg - ok
14:03:52.0463 2260 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\windows\system32\drivers\tdpipe.sys
14:03:52.0464 2260 TDPIPE - ok
14:03:52.0478 2260 TDTCP (2c10395baa4847f83042813c515cc289) C:\windows\system32\drivers\tdtcp.sys
14:03:52.0478 2260 TDTCP - ok
14:03:52.0508 2260 tdx (b459575348c20e8121d6039da063c704) C:\windows\system32\DRIVERS\tdx.sys
14:03:52.0509 2260 tdx - ok
14:03:52.0522 2260 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\windows\system32\drivers\termdd.sys
14:03:52.0523 2260 TermDD - ok
14:03:52.0566 2260 TPM (5ad05191dc8b444a7ba4d79b76c42a30) C:\windows\system32\drivers\tpm.sys
14:03:52.0567 2260 TPM - ok
14:03:52.0615 2260 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\windows\system32\DRIVERS\tssecsrv.sys
14:03:52.0616 2260 tssecsrv - ok
14:03:52.0671 2260 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\windows\system32\drivers\tsusbflt.sys
14:03:52.0672 2260 TsUsbFlt - ok
14:03:52.0711 2260 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\windows\system32\DRIVERS\tunnel.sys
14:03:52.0712 2260 tunnel - ok
14:03:52.0736 2260 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
14:03:52.0736 2260 uagp35 - ok
14:03:52.0772 2260 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\windows\system32\DRIVERS\udfs.sys
14:03:52.0774 2260 udfs - ok
14:03:52.0805 2260 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\drivers\uliagpkx.sys
14:03:52.0806 2260 uliagpkx - ok
14:03:52.0847 2260 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\windows\system32\drivers\umbus.sys
14:03:52.0848 2260 umbus - ok
14:03:52.0875 2260 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
14:03:52.0876 2260 UmPass - ok
14:03:52.0915 2260 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\windows\system32\Drivers\usbaapl.sys
14:03:52.0915 2260 USBAAPL - ok
14:03:52.0962 2260 usbaudio (1d9f2bd026e8e2d45033a4df3f16b78c) C:\windows\system32\drivers\usbaudio.sys
14:03:52.0963 2260 usbaudio - ok
14:03:52.0989 2260 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\windows\system32\DRIVERS\usbccgp.sys
14:03:52.0990 2260 usbccgp - ok
14:03:53.0018 2260 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\drivers\usbcir.sys
14:03:53.0019 2260 usbcir - ok
14:03:53.0045 2260 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\windows\system32\DRIVERS\usbehci.sys
14:03:53.0046 2260 usbehci - ok
14:03:53.0077 2260 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\windows\system32\DRIVERS\usbhub.sys
14:03:53.0078 2260 usbhub - ok
14:03:53.0105 2260 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\windows\system32\DRIVERS\usbohci.sys
14:03:53.0105 2260 usbohci - ok
14:03:53.0127 2260 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
14:03:53.0127 2260 usbprint - ok
14:03:53.0145 2260 USBSTOR (f991ab9cc6b908db552166768176896a) C:\windows\system32\DRIVERS\USBSTOR.SYS
14:03:53.0145 2260 USBSTOR - ok
14:03:53.0166 2260 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\windows\system32\DRIVERS\usbuhci.sys
14:03:53.0166 2260 usbuhci - ok
14:03:53.0189 2260 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\windows\System32\Drivers\usbvideo.sys
14:03:53.0190 2260 usbvideo - ok
14:03:53.0214 2260 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\drivers\vdrvroot.sys
14:03:53.0215 2260 vdrvroot - ok
14:03:53.0244 2260 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
14:03:53.0245 2260 vga - ok
14:03:53.0259 2260 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
14:03:53.0260 2260 VgaSave - ok
14:03:53.0280 2260 vhdmp (5461686cca2fda57b024547733ab42e3) C:\windows\system32\drivers\vhdmp.sys
14:03:53.0281 2260 vhdmp - ok
14:03:53.0305 2260 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\drivers\viaagp.sys
14:03:53.0306 2260 viaagp - ok
14:03:53.0336 2260 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
14:03:53.0337 2260 ViaC7 - ok
14:03:53.0354 2260 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\drivers\viaide.sys
14:03:53.0354 2260 viaide - ok
14:03:53.0379 2260 vmbus (c2f2911156fdc7817c52829c86da494e) C:\windows\system32\drivers\vmbus.sys
14:03:53.0380 2260 vmbus - ok
14:03:53.0397 2260 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\windows\system32\drivers\VMBusHID.sys
14:03:53.0397 2260 VMBusHID - ok
14:03:53.0415 2260 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\windows\system32\drivers\volmgr.sys
14:03:53.0416 2260 volmgr - ok
14:03:53.0432 2260 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
14:03:53.0433 2260 volmgrx - ok
14:03:53.0451 2260 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\windows\system32\drivers\volsnap.sys
14:03:53.0452 2260 volsnap - ok
14:03:53.0488 2260 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
14:03:53.0489 2260 vsmraid - ok
14:03:53.0504 2260 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
14:03:53.0505 2260 vwifibus - ok
14:03:53.0532 2260 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
14:03:53.0533 2260 vwififlt - ok
14:03:53.0555 2260 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\windows\system32\DRIVERS\vwifimp.sys
14:03:53.0555 2260 vwifimp - ok
14:03:53.0586 2260 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
14:03:53.0587 2260 WacomPen - ok
14:03:53.0633 2260 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
14:03:53.0634 2260 WANARP - ok
14:03:53.0637 2260 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
14:03:53.0638 2260 Wanarpv6 - ok
14:03:53.0708 2260 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
14:03:53.0709 2260 Wd - ok
14:03:53.0736 2260 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
14:03:53.0738 2260 Wdf01000 - ok
14:03:53.0771 2260 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
14:03:53.0772 2260 WfpLwf - ok
14:03:53.0789 2260 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
14:03:53.0789 2260 WIMMount - ok
14:03:53.0834 2260 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\windows\system32\DRIVERS\WinUsb.sys
14:03:53.0834 2260 WinUsb - ok
14:03:53.0869 2260 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\drivers\wmiacpi.sys
14:03:53.0870 2260 WmiAcpi - ok
14:03:53.0895 2260 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
14:03:53.0896 2260 ws2ifsl - ok
14:03:53.0938 2260 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\windows\system32\drivers\WudfPf.sys
14:03:53.0938 2260 WudfPf - ok
14:03:53.0955 2260 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\windows\system32\DRIVERS\WUDFRd.sys
14:03:53.0957 2260 WUDFRd - ok
14:03:54.0005 2260 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
14:03:54.0059 2260 \Device\Harddisk0\DR0 - ok
14:03:54.0063 2260 Boot (0x1200) (51374f190ea049867e892853c098e6ef) \Device\Harddisk0\DR0\Partition0
14:03:54.0064 2260 \Device\Harddisk0\DR0\Partition0 - ok
14:03:54.0075 2260 Boot (0x1200) (1da9029ca7bc03bb56c82b30872a62a5) \Device\Harddisk0\DR0\Partition1
14:03:54.0076 2260 \Device\Harddisk0\DR0\Partition1 - ok
14:03:54.0106 2260 Boot (0x1200) (ed84b0f3a9a6ce90c6e668fac4f4cc43) \Device\Harddisk0\DR0\Partition2
14:03:54.0107 2260 \Device\Harddisk0\DR0\Partition2 - ok
14:03:54.0125 2260 Boot (0x1200) (0d6fcc597108b721536ee1b9cc7c7be4) \Device\Harddisk0\DR0\Partition3
14:03:54.0125 2260 \Device\Harddisk0\DR0\Partition3 - ok
14:03:54.0126 2260 ============================================================
14:03:54.0127 2260 Scan finished
14:03:54.0127 2260 ============================================================
14:03:54.0137 1452 Detected object count: 1
14:03:54.0137 1452 Actual detected object count: 1
14:04:03.0774 1452 SafeBoot ( LockedFile.Multi.Generic ) - skipped by user
14:04:03.0774 1452 SafeBoot ( LockedFile.Multi.Generic ) - User select action: Skip




aswMBR LOG:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-22 14:09:08
-----------------------------
14:09:08.344 OS Version: Windows 6.1.7601 Service Pack 1
14:09:08.344 Number of processors: 2 586 0x170A
14:09:08.345 ComputerName: COPCAP-JJ7 UserName: jj
14:09:09.096 Initialize success
14:09:12.212 AVAST engine defs: 12022101
14:09:18.019 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:09:18.022 Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 3
14:09:18.040 Disk 0 MBR read successfully
14:09:18.043 Disk 0 MBR scan
14:09:18.047 Disk 0 Windows VISTA default MBR code
14:09:18.060 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 2048
14:09:18.077 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 220763 MB offset 616448
14:09:18.108 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 15360 MB offset 452739072
14:09:18.127 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 2043 MB offset 484196352
14:09:18.134 Disk 0 scanning sectors +488380416
14:09:18.185 Disk 0 scanning C:\windows\system32\drivers
14:09:28.644 Service scanning
14:09:42.357 Service SafeBoot C:\windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
14:09:48.271 Modules scanning
14:09:55.901 Disk 0 trace - called modules:
14:09:55.917 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys halmacpi.dll iaStor.sys
14:09:55.923 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x873b1208]
14:09:55.928 3 CLASSPNP.SYS[8981d59e] -> nt!IofCallDriver -> [0x873b1a70]
14:09:55.934 5 hpdskflt.sys[8a59f090] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8697b028]
14:09:56.668 AVAST engine scan C:\windows
14:09:58.989 AVAST engine scan C:\windows\system32
14:11:06.647 File: C:\windows\system32\sysedith.dll **INFECTED** Win32:Diller-T [Trj]
14:11:24.600 Disk 0 MBR has been saved successfully to "C:\Users\jj\Desktop\MBR.dat"
14:11:24.611 The log file has been saved successfully to "C:\Users\jj\Desktop\aswMBR.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:12 AM

Posted 22 February 2012 - 08:35 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
C:\windows\system32\sysedith.dll 
c:\windows\Tasks\Tjpqzmiss.job

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
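The three scanner outputs in this thread (TDSSKiller, aswMBR and ComboFix) each flag things in a different format, and the flags do not all mean the same thing: TDSSKiller's LockedFile.Multi.Generic on SafeBoot.sys records only that the scanner was denied read access to the file (the user skipped it, and the machine runs HP Drive Encryption), whereas aswMBR's **INFECTED** on sysedith.dll is an engine verdict, and the EnableLUA = 0 line in the ComboFix log shows UAC switched off. The following is an added example, not code from this thread or from Kaspersky, AVAST or the ComboFix author: a small Python triage parser that pulls those three kinds of finding out of mixed log text and ranks them so the signature hit is not buried among locked-file noise. The regexes, the severity labels and SAMPLE_LOG (lines constructed in the shape of the ones quoted above) are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines modelled on the TDSSKiller, aswMBR and ComboFix
# output quoted in this thread, so the parser runs offline.
SAMPLE_LOG = r"""
14:03:51.0387 2260 Suspicious file (NoAccess): C:\windows\system32\drivers\SafeBoot.sys. md5: 062b82fa74c895382ab0784d493c8c9c
14:03:51.0387 2260 SafeBoot - detected LockedFile.Multi.Generic (1)
14:03:51.0411 2260 SbAlg (c9cb2c392c35cbee2733c836d23dc642) C:\windows\system32\drivers\SbAlg.sys
14:03:51.0412 2260 SbAlg - ok
14:09:42.357 Service SafeBoot C:\windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
14:11:06.647 File: C:\windows\system32\sysedith.dll **INFECTED** Win32:Diller-T [Trj]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    source: str    # which tool's output the line came from
    subject: str   # file path, driver name or registry value name
    detail: str


# Patterns for the three log formats (assumed shapes, matched against the quoted lines).
TDSS_DETECT = re.compile(r"^\d\d:\d\d:\d\d\.\d+ \d+ (?P<name>\S+) - detected (?P<verdict>\S+)")
TDSS_NOACCESS = re.compile(r"Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-fA-F]{32})")
ASW_INFECTED = re.compile(r"File: (?P<path>.+?) \*\*INFECTED\*\* (?P<verdict>.+)$")
ASW_LOCKED = re.compile(r"Service (?P<name>\S+) (?P<path>.+?) \*\*LOCKED\*\*")
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\S+)')

# Values under policies\system whose value 0 removes UAC prompts for administrators.
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin"}


def triage(log_text: str) -> list[Finding]:
    """Walk mixed scanner output and return the lines worth a human's attention."""
    findings: list[Finding] = []
    current_key = ""
    noaccess_md5: dict[str, str] = {}  # driver name -> md5 TDSSKiller logged for the unreadable file
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ASW_INFECTED.search(line):
            # A signature verdict from the AV engine: the strongest evidence in these logs.
            findings.append(Finding("high", "aswMBR", m["path"], f"engine verdict {m['verdict']}"))
        elif m := TDSS_NOACCESS.search(line):
            # Remember the hash so the later "detected" line can be correlated with it.
            stem = m["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            noaccess_md5[stem] = m["md5"]
        elif m := TDSS_DETECT.search(line):
            verdict = m["verdict"]
            if verdict.startswith("LockedFile."):
                # Not a signature match: the scanner could not open the file. A disk
                # encryption filter locks its own driver exactly this way, so this is a lead.
                md5 = noaccess_md5.get(m["name"].lower(), "unknown")
                findings.append(Finding("info", "TDSSKiller", m["name"],
                                        f"{verdict} (scanner denied read access, md5 {md5}); "
                                        "corroborate before treating as malware"))
            else:
                findings.append(Finding("high", "TDSSKiller", m["name"], verdict))
        elif m := ASW_LOCKED.search(line):
            findings.append(Finding("info", "aswMBR", m["path"], f"service {m['name']} image is locked"))
        elif m := REG_KEY.match(line):
            current_key = m["key"].lower()
        elif (m := REG_VALUE.match(line)) and current_key.endswith("policies\\system"):
            if m["name"] in UAC_VALUES and m["value"] == "0":
                findings.append(Finding("medium", "ComboFix", m["name"], "UAC weakened: policy value is 0"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a reviewer sees the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "info")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.source:10} {f.subject}: {f.detail}")
    print(summarize(results))
```

Run against the sample, the one "high" item is the aswMBR verdict on sysedith.dll (the file the CFScript above removes), the two "medium" items are the UAC policy values, and the SafeBoot entries land at "info" with the hash TDSSKiller recorded, which is what a reviewer would want to compare against the vendor's driver before touching a boot-time encryption component.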

#9 dkdkdkdk

dkdkdkdk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 24 February 2012 - 04:42 AM

We have a breakthrough! Google doesn't forward any more!

I'll post the new ComboFix+CFScript log just in case.

Thank you so much for your help, you really made my life a billion times easier.

Kind regards,
DK

ComboFix+CFScript log:


ComboFix 12-02-21.02 - jj 24-02-2012 8:25.6.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.45.1030.18.1912.977 [GMT 1:00]
Running from: c:\users\jj\Desktop\ComboFix.exe
Command switches used :: c:\users\jj\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\sysedith.dll"
"c:\windows\Tasks\Tjpqzmiss.job"
.
.
((((((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))))))
.
.
2012-02-24 07:31 . 2012-02-24 07:31 -------- d-----w- c:\users\studadmin\AppData\Local\temp
2012-02-24 07:31 . 2012-02-24 07:31 -------- d-----w- c:\users\mas\AppData\Local\temp
2012-02-24 07:31 . 2012-02-24 07:31 -------- d-----w- c:\users\jj7\AppData\Local\temp
2012-02-24 07:31 . 2012-02-24 07:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-22 14:17 . 2012-02-24 07:32 -------- d-----w- c:\users\jj\AppData\Local\temp
2012-02-22 09:54 . 2012-02-22 09:54 -------- d-----w- c:\users\jj\AppData\Local\VS Revo Group
2012-02-22 09:54 . 2009-12-30 09:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-02-22 09:54 . 2012-02-22 09:54 -------- d-----w- c:\program files\VS Revo Group
2012-02-16 17:34 . 2012-02-16 17:34 -------- d-----w- c:\programdata\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-02-16 10:08 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-14 18:40 . 2012-02-14 18:41 -------- d-----w- c:\users\jj\AppData\Roaming\AV Security Essentials
2012-02-14 18:40 . 2012-02-14 18:40 -------- d-sh--w- c:\programdata\AVJVYPDVSE
2012-02-14 18:40 . 2012-02-16 10:16 -------- d-----w- c:\programdata\86a0d1
2012-02-04 12:51 . 2012-02-22 13:20 -------- d-----w- c:\users\jj\AppData\Local\CrashDumps
2012-02-03 13:53 . 2012-02-03 13:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-03 13:21 . 2012-02-03 13:21 2 --shatr- c:\windows\winstart.bat
2012-02-03 13:16 . 2012-02-03 13:16 -------- d-----w- c:\users\jj\AppData\Local\Mozilla
2012-02-03 13:00 . 2012-02-03 14:17 -------- d-----w- c:\program files\UnHackMe
2012-02-03 12:43 . 2012-02-03 12:43 -------- d-----w- c:\users\jj\AppData\Roaming\Malwarebytes
2012-02-03 12:43 . 2012-02-03 12:43 -------- d-----w- c:\programdata\Malwarebytes
2012-02-03 12:43 . 2012-02-16 10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-03 12:32 . 2012-02-03 12:35 -------- d-----w- c:\users\jj\AppData\Local\NPE
2012-02-03 12:32 . 2012-02-03 12:33 -------- d-----w- c:\programdata\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 10:05 . 2011-10-12 12:04 240048 ----a-w- c:\windows\system32\SymVPN.dll
2012-01-11 07:40 . 2011-06-29 10:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-15 06:33 . 2011-10-23 04:55 335184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-01-29 16:11 . 2012-02-03 13:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25626408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-07-27 288312]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-17 186904]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-04 400936]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2009-07-30 354360]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2009-07-23 24848]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-09-21 1791272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-03 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-03 151064]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-15 358936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-30 795936]
SwyxIt!.lnk - c:\program files\SwyxIt!\SwyxIt!.exe [2010-6-21 4069200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\HEWLET~1\IAM\Bin\APSHook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ManageEngine Desktop Central Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ManageEngine Desktop Central Agent.lnk
backup=c:\windows\pss\ManageEngine Desktop Central Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acevents]
2009-06-04 00:16 153640 ----a-w- c:\program files\ActivIdentity\ActivClient\acevents.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 13:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 136176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 136176]
R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2009-07-30 45056]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-06-04 4231680]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl.sys [2011-05-10 42496]
R3 WatAdminSvc;Tjenesten Windows Aktivering;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-22 1343400]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-04 207400]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-07-29 1201400]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-07-29 256544]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 26168]
S2 IAANTMON;Intel® Matrix Storage Event Monitor;c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2009-06-17 354840]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\IBM\Lotus\Notes\nsd.exe [2008-12-06 3315080]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-15 2058776]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-07-29 482176]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-07-13 214016]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 NETw5s32;Intel® Wireless WiFi Link adapter driver til Windows 7 32 Bit ;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker
Bioscrypt REG_MULTI_SZ ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 09:38]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 09:38]
.
2012-02-24 c:\windows\Tasks\HPCeeScheduleForjj.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 02:22]
.
.
------- Supplementary Scanning -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=da_DK&c=92&bd=all&pf=cmnb
uInternet Settings,ProxyOverride = *.local
IE: Dial selected number / URI - c:\program files\SwyxIt!\IEDial.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: S&end til OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send billede til &Bluetooth-enhed... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send siden til &Bluetooth-enhed... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{F8E553C6-4C00-11D3-80BC-00105A653379} - c:\program files\SwyxIt!\IEDial.htm
TCP: DhcpNameServer = 192.168.101.5
FF - ProfilePath - c:\users\jj\AppData\Roaming\Mozilla\Firefox\Profiles\3ea8yw3u.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4468)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AEADISRV.EXE
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\SwyxIt!\CLMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
c:\program files\Hewlett-Packard\Shared\hpCaslNotification.exe
c:\program files\SwyxIt!\ODialer.exe
c:\program files\SwyxIt!\LotusNotesAccess.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-02-24 08:36:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 07:36
ComboFix2.txt 2012-02-22 14:34
ComboFix3.txt 2012-02-22 12:20
ComboFix4.txt 2012-02-03 12:16
.
Pre-Run: 182,687,698,944 bytes free
Post-Run: 182,608,080,896 bytes free
.
- - End Of File - - A3F4D2E40B247CC5FE519431E99BF372

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 February 2012 - 07:45 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Adobe Reader 9.4.4 - Dansk
Java™ 6 Update 22


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the program to remove.
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run; if prompted again click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted select Yes then Next.
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 dkdkdkdk (Topic Starter)

Posted 24 February 2012 - 08:29 AM

1.

Malwarebytes
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.24.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
jj :: COPCAP-JJ7 [administrator]

24-02-2012 14:13:25
mbam-log-2012-02-24 (14-13-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233084
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


2.
HiJackThis LOG:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:24:52, on 24-02-2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
c:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\DesktopCentral_Agent\bin\dcagenttrayicon.exe
C:\Program Files\SwyxIt!\SwyxIt!.exe
C:\Program Files\SwyxIt!\CLMgr.exe
c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files\SwyxIt!\ODialer.exe
C:\Program Files\SwyxIt!\LotusNotesAccess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\windows\system32\RunDll32.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\windows\system32\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=da_DK&c=92&bd=all&pf=cmnb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: ManageEngine Desktop Central Agent.lnk = C:\Program Files\DesktopCentral_Agent\bin\dcagenttrayicon.exe
O4 - Global Startup: SwyxIt!.lnk = C:\Program Files\SwyxIt!\SwyxIt!.exe
O8 - Extra context menu item: Dial selected number / URI - C:\Program Files\SwyxIt!\IEDial.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: S&end til OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Send billede til &Bluetooth-enhed... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send siden til &Bluetooth-enhed... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Sammenkædede OneNote-noter - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Sammenkædede OneNote-noter - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: SwyxIt! Phone Dialer - {F8E553C6-4C00-11D3-80BC-00105A653379} - C:\Program Files\SwyxIt!\IEDial.htm
O9 - Extra 'Tools' menuitem: SwyxIt! Phone Dialer - {F8E553C6-4C00-11D3-80BC-00105A653379} - C:\Program Files\SwyxIt!\IEDial.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = copcap.lan
O17 - HKLM\Software\..\Telephony: DomainName = copcap.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = copcap.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = copcap.lan
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\PROGRA~1\HEWLET~1\IAM\Bin\APSHook.dll
O23 - Service: ActivIdentity Shared Store Service (ac.sharedstore) - ActivIdentity - c:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - c:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: Bonjour tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Tjenesten Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Tjeneste (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - McAfee, Inc. - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard - C:\windows\system32\Hpservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Lotus Notes Diagnostics - IBM - C:\Program Files\IBM\Lotus\Notes\nsd.exe
O23 - Service: ManageEngine Desktop Central 7 - Agent (ManageEngine Desktop Central - Agent) - Unknown owner - C:\Program Files\DesktopCentral_Agent\bin\dcagentservice.exe
O23 - Service: ManageEngine Desktop Central 7 - Remote Control (ManageEngine Desktop Central - Remote Control) - Unknown owner - C:\Program Files\DesktopCentral_Agent\bin\dcrdservice.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

--
End of file - 11994 bytes


3.
No problems during the processes

4.
Computer works like a charm and Google still does not redirect

Kind regards,
DK
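The HijackThis log above, together with the "Supplementary Scanning" section of the ComboFix log in the earlier post (the Start Page, ProxyOverride and DhcpNameServer lines), is where a helper looks for the settings that actually produce a Google redirect: a hosts-file override of a search engine, a forced proxy or PAC URL, a static NameServer that is not the LAN's DHCP resolver, an AppInit_DLLs entry, and services whose binary carries no publisher. The Python script below is an added example and is not part of this thread or of HijackThis, DDS or ComboFix; it parses HijackThis-format lines and flags those vectors. The first seven sample lines are copied from the log above; the last three are constructed (a hosts override, a ProxyServer and a static NameServer with placeholder addresses) so the rules have something to catch. The rule set, the search-host list and the EXPECTED_DNS value (taken from the ComboFix log's "TCP: DhcpNameServer = 192.168.101.5" line) are all assumptions of the example.

```python
"""Triage a HijackThis-style log for the settings behind search-engine redirects.

Added example for this thread; it is not HijackThis, DDS or ComboFix code.
Every review rule below is the example author's assumption, and EXPECTED_DNS
is copied from the "TCP: DhcpNameServer" line of the ComboFix log posted above.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Shape of a classified HijackThis line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# Search-engine hosts that a hosts-file entry has no business overriding (assumption).
SEARCH_HOSTS = ("google.", "bing.com", "yahoo.com")
# Resolver the LAN hands out over DHCP, copied from the ComboFix log in this thread.
EXPECTED_DNS = {"192.168.101.5"}

# Lines copied verbatim from the HijackThis log posted above.
LINES_FROM_THREAD = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = copcap.lan
O20 - AppInit_DLLs: c:\PROGRA~1\HEWLET~1\IAM\Bin\APSHook.dll
O23 - Service: ManageEngine Desktop Central 7 - Agent (ManageEngine Desktop Central - Agent) - Unknown owner - C:\Program Files\DesktopCentral_Agent\bin\dcagentservice.exe
"""
# Constructed lines (not from the thread) showing what real redirect vectors look like;
# the interface GUID and the 198.51.100.x resolvers are placeholders.
CONSTRUCTED_LINES = r"""
O1 - Hosts: 127.0.0.1 www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 198.51.100.7,198.51.100.8
"""
SAMPLE_LOG = LINES_FROM_THREAD + CONSTRUCTED_LINES


class Entry(NamedTuple):
    section: str  # e.g. "O23"
    body: str     # everything after "<section> - "


class Finding(NamedTuple):
    rule: str
    entry: Entry


def parse_hjt(text: str) -> List[Entry]:
    """Keep the classified lines; headers, the process list and blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """Number of lines per HijackThis section, for a quick sense of the log's shape."""
    return dict(Counter(e.section for e in entries))


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag the entries that can redirect a browser or load code into every process."""
    findings = []
    for e in entries:
        body_l = e.body.lower()
        if e.section == "O1" and any(h in body_l for h in SEARCH_HOSTS):
            # A hosts-file entry for a search engine sends every lookup wherever it says.
            findings.append(Finding("hosts-redirect", e))
        elif e.section in ("R0", "R1") and ("proxyserver" in body_l or "autoconfigurl" in body_l):
            # A forced proxy or PAC script rewrites requests; ProxyOverride alone is only a bypass list.
            findings.append(Finding("proxy-setting", e))
        elif e.section == "O17" and "nameserver" in body_l:
            # A static resolver that is not the LAN's DHCP resolver is the DNS-changer pattern.
            value = e.body.split("=", 1)[-1].strip()
            servers = [s for s in re.split(r"[ ,]+", value) if s]
            if any(s not in EXPECTED_DNS for s in servers):
                findings.append(Finding("dns-override", e))
        elif e.section == "O20" and "appinit_dlls" in body_l:
            # AppInit_DLLs is loaded into every process that links user32.dll; always review it.
            findings.append(Finding("appinit-dll", e))
        elif e.section == "O23" and "unknown owner" in body_l:
            # No publisher in the version resource: verify the binary before trusting the service.
            findings.append(Finding("unknown-owner-service", e))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(parsed))
    for f in triage(parsed):
        print(f"[{f.rule}] {f.entry.section} - {f.entry.body}")
```

Run on the lines copied from the thread alone, the script reports only the AppInit_DLLs entry (HP's APSHook.dll) and the ManageEngine service that HijackThis lists as "Unknown owner"; neither was treated as malicious in the thread, which is exactly why the helper's instructions say not to let HijackThis fix anything until a human has looked. The ProxyOverride = *.local line is the standard local-address bypass list and is deliberately not flagged; only a ProxyServer or AutoConfigURL value is.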

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 February 2012 - 11:11 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
      O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - Global Startup: ManageEngine Desktop Central Agent.lnk = C:\Program Files\DesktopCentral_Agent\bin\dcagenttrayicon.exe
      O4 - Global Startup: SwyxIt!.lnk = C:\Program Files\SwyxIt!\SwyxIt!.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 27 February 2012 - 12:47 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 01 March 2012 - 09:49 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.