
"Ultimate Trivia" PC Malware and Short Code Text Message Scam


This topic is locked. 34 replies to this topic.

#1 Steve23

  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area

Posted 18 February 2012 - 01:09 PM

Dear BC MRT Members,

Thank you for your help in the past. Unfortunately I am in need of your services once again.

Dell Latitude D620 laptop, WinXP Pro SP3, Intel Core2 CPU T7200 @ 2GHz, 2.0GB RAM, 945GM Chipset.

Logs: DDS.txt appended. Attach.txt and ARK.log attached.

Main point: I get a lot of problematic ‘take this survey’ pop-ups and just got an Avast malware message on my PC.

Frequently when I enter URLs to go to legitimate sites, I get a full-screen browser window that says 'the site <URL I just typed> is conducting a survey of its site.' I do not get virus warnings from Avast Free Version. The one time I responded (yes, I know, I'm an idiot; this had all the warning signs of a scam) I got shuffled through four stages of count-down-timed screens (finish the entries on this screen in less than one minute) to select a prize (iPhone 4S, Apple iPad, or $1000 Walmart gift card), enter my e-mail and cell phone number, and then confirm my cell phone number by entering a code from a text they just sent me. I opened the Terms and Conditions and Privacy Policy afterwards (no time during) to see that I had just signed up to pay $9.99 a month via my Sprint phone bill to a www.ultimate-trivia.com scam that doesn’t even have a company name or address.

I’ll put some info down about the mobile phone side only so that search strings may hit this thread. The text message came from the number 37568 for Ultimate-Trivia Alerts, reply HELP4help or STOP2end, support@ultimate-trivia.com or 18557070049. I texted STOP and it said ‘subscription cancelled.’ I don’t feel sure about this, so I called Sprint, my mobile phone carrier, and had them block what they called ‘short codes’ for my account, which included the Ultimate-Trivia scam.

Back to the PC. As luck would have it, my laptop battery died; when I restarted, Chrome asked to restore tabs, I said ‘yes,’ and Avast threw a warning when trying to open the very first pop-up offering the survey:
Infection Details:
URL: http://affiliate.ab1trk.com/rd/r.php?sid
Process: file://C:\WINDOWS\system32\IWPDGINA.dll
Infection: url:Mal

‘Take this survey’ pop-ups are only on this PC out of eight in the house (not as good as it sounds; two are 486s, but hey, they still work (if you can call it that)).

EDIT#1: When I posted to this forum just now I noticed a bunch of random words in the post were made into hyperlinks I did not create. I don't know if you can see this in the post or if it is just on my PC. If I dwell on one I get a small pop-up from Text Enhance (which I thought I clicked 'disable' on before (yeah, that probably enabled it more)) that says something like "You've been selected to receive a free $500 Wal-Mart Gift Card." Clicking on it takes me to one of the sites that begin the previously mentioned bogus survey process. The properties for the URL are:
Protocol: Unknown Protocol
Type: File
Address: #

EDIT#2: I just got a full-page pop-up saying my credit card was compromised and to enter the credit card number. Yeah, right. At the bottom it said Ad Provided by FreeWorkz, click here to uninstall, which then provides a pop-up on how to use the Windows O/S Add / Remove Programs Control Panel. However, when I did that, Avast said the uninstaller was malware and to run a boot scan, which I did. I have the aswBoot.txt log available, if needed. Basically Avast found three Java-Agents and a FreeWorkz dll Adaware-Gen, all of which were deleted. The path to the FreeWorkz dll still exists and contains a javascript file that looks like it will just re-download the infected dll. I still have the random words that when poked give Text Enhance pop-ups. Although Java auto-update is enabled, I decided to manually update Java to make sure I am at the latest, which is Java SE 6u31 I believe. Having done this I re-ran and attached up-to-date DDS and GMER logs. I don't know why my first ARK.log was 1105 lines and my second was only 796 lines. I included only the most recent ones here, but I have the earlier ones saved if needed.

So two questions:
(1) How can I be sure I’m clean with respect to the stupid mistake I just made responding to the Ultimate Trivia scam? Obviously I’m only concerned with the PC and not the mobile phone in the Bleeping Computer forum.
(2) How can I take care of the various Text Enhance and ‘Take this survey’ pop-up problems that appear attached to this PC? By the way, this is my teenage daughter's PC and maybe that tells you some important stuff right there ;-)

Thank you!

Sincerely,
Steve

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 0:01:18 on 2012-02-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1354 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\DigitalLifeboat\Data Protection Service\DataProtectionUpdateService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\DigitalLifeboat\Data Protection Service\DataProtectionService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DigitalLifeboat\Data Protection Service\DigitalLifeboatClientApp.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: AutorunsDisabled - No File
BHO: BFlix Class: {0c9f4179-6ce2-4c6a-a3e5-67ff3592a12e} - c:\program files\bflix\BFlix.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Digital Lifeboat Client Application] c:\program files\digitallifeboat\data protection service\DigitalLifeboatClientApp.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [c:\windows\system32\v0400ext.ax] c:\windows\system32\regsvr32.exe /s c:\windows\system32\V0400Ext.ax
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: AutorunsDisabled\cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-2 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-2 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-2 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-2 44768]
R2 Digital Lifeboat Backup Service;Digital Lifeboat Backup Service;c:\program files\digitallifeboat\data protection service\DataProtectionService.exe [2012-1-18 11776]
R2 Digital Lifeboat Update Service;Digital Lifeboat Update Service;c:\program files\digitallifeboat\data protection service\DataProtectionUpdateService.exe [2012-1-18 154112]
R2 ggcfdrv;ggcfdrv;c:\windows\system32\drivers\ggcfdrv.sys [2012-1-18 21336]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-10-9 6609920]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-6 136176]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2010-6-29 69692]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-6 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [2011-10-19 192096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-19 04:55:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-19 03:46:23 -------- d--h--w- C:\Lifeboat Restore Working
2012-02-16 03:44:56 -------- d-----w- c:\documents and settings\owner\local settings\application data\WMTools Downloaded Files
2012-02-15 02:34:09 -------- d-----w- c:\program files\BFlix
2012-02-15 02:34:09 -------- d-----w- c:\documents and settings\all users\application data\100
2012-02-15 02:33:24 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-02-15 02:17:43 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 02:17:43 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-03 02:49:33 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-03 02:49:15 41184 ----a-w- c:\windows\avastSS.scr
2012-02-03 02:49:01 -------- d-----w- c:\program files\AVAST Software
2012-02-03 02:49:01 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-01-23 03:36:07 -------- d--h--w- C:\LifeboatStorage
2012-01-23 03:35:49 -------- d-----w- c:\program files\DigitalLifeboat
2012-01-23 03:35:48 -------- d-----w- c:\documents and settings\all users\application data\DigitalLifeboat
.
==================== Find3M ====================
.
2012-02-19 04:55:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 14:12:56 21336 ----a-w- c:\windows\system32\drivers\ggcfdrv.sys
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 0:01:48.46 ===============

Edited by Steve23, 19 February 2012 - 01:10 AM.
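The "Pseudo HJT Report" section of the DDS log above lists the browser helper objects (BHO:), toolbars (TB:) and per-user/per-machine Run keys (uRun:/mRun:) that load at every logon, which is exactly where adware like the Text Enhance and FreeWorkz components persist. The script below is an added example, not part of Steve's post and not code from DDS, ComboFix or any other tool named in the thread: it parses those lines and applies a first-pass triage, flagging orphan "No File" entries, regsvr32/rundll32 loader entries (where the module being loaded is what has to be judged, not the Microsoft loader), and anything started from a user-writable location. The sample input copies lines from the log above plus one invented "Updater" entry so the last rule has something to fire on; the trusted-root and user-writable path lists are heuristics chosen for this example.

```python
"""Triage of autostart lines from a DDS 'Pseudo HJT Report' (BHO:, TB:, uRun:, mRun:)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. The first eight lines are copied from the DDS log posted above;
# the last "Updater" line is invented for this example (it is not in the real log)
# so the user-writable-path rule has something to fire on.
SAMPLE_REPORT = r"""
uStart Page = about:blank
BHO: AutorunsDisabled - No File
BHO: BFlix Class: {0c9f4179-6ce2-4c6a-a3e5-67ff3592a12e} - c:\program files\bflix\BFlix.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [c:\windows\system32\v0400ext.ax] c:\windows\system32\regsvr32.exe /s c:\windows\system32\V0400Ext.ax
mRun: [Updater] c:\documents and settings\owner\local settings\application data\100\upd.exe
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
BHO_RE = re.compile(rf"^BHO: (?P<name>.*?)(?:: (?P<clsid>{CLSID}))? - (?P<target>.+)$")
TB_RE = re.compile(rf"^TB: (?:(?P<name>.*?): )?(?P<clsid>{CLSID}) - (?P<target>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# First path-like token with a loadable extension; tolerates unquoted paths containing spaces.
EXE_RE = re.compile(r'^"?(?P<path>[a-z]:\\.+?\.(?:exe|dll|cpl|scr|ax))"?(?=\s|$)', re.IGNORECASE)
MODULE_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|ax|cpl|ocx)(?=[\s,]|$)", re.IGNORECASE)
LOADER_RE = re.compile(r"\\(?:regsvr32|rundll32)\.exe$", re.IGNORECASE)

# Heuristic lists chosen for this example (assumption, not a DDS convention).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class LoadPoint:
    kind: str     # "BHO", "TB", "uRun" (HKCU ...\Run) or "mRun" (HKLM ...\Run)
    name: str
    target: str   # path or command line exactly as DDS printed it
    line: str


@dataclass
class Finding:
    point: LoadPoint
    reason: str


def parse_load_points(report: str) -> List[LoadPoint]:
    """Pull the BHO/TB/Run entries out of the report text, ignoring everything else."""
    points: List[LoadPoint] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            points.append(LoadPoint("BHO", m["name"], m["target"], line))
        elif m := TB_RE.match(line):
            points.append(LoadPoint("TB", m["name"] or m["clsid"], m["target"], line))
        elif m := RUN_RE.match(line):
            points.append(LoadPoint(m["hive"] + "Run", m["name"], m["target"], line))
    return points


def executable_path(command: str) -> Optional[str]:
    """Lower-cased path of the executable/module a target refers to, or None if unparsable."""
    m = EXE_RE.match(command)
    return m["path"].lower() if m else None


def loaded_module(command: str) -> Optional[str]:
    """For regsvr32/rundll32 entries, return the module actually being loaded."""
    exe = executable_path(command)
    if exe is None or not LOADER_RE.search(exe):
        return None
    m = MODULE_RE.search(command.lower().split(exe, 1)[1])
    return m.group(0) if m else None


def triage(report: str) -> List[Finding]:
    """Apply a few first-pass rules; a clean result is not proof of a clean machine."""
    findings: List[Finding] = []
    for p in parse_load_points(report):
        if p.target == "No File":
            findings.append(Finding(p, "orphan: registry entry points at a file that no longer exists"))
            continue
        exe = executable_path(p.target)
        if exe is None:
            findings.append(Finding(p, "could not parse target; inspect by hand"))
            continue
        module = loaded_module(p.target)
        subject = module or exe
        if module:
            findings.append(Finding(p, f"loader entry: {exe} (re)registers {module} at every logon; judge the module, not the loader"))
        if any(marker in subject for marker in USER_WRITABLE):
            findings.append(Finding(p, f"runs from a user-writable location: {subject}"))
        elif not subject.startswith(TRUSTED_ROOTS):
            findings.append(Finding(p, f"outside Windows/Program Files: {subject}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.point.kind}] {f.point.name}: {f.reason}")
```

Running it as-is prints four findings for the sample (two orphans, the regsvr32 loader entry, and the invented Updater entry); to use it on a real log, read DDS.txt into a string and pass it to triage(). A trusted path is not a clean bill of health: the BFlix BHO under c:\program files passes every rule here, and it is the "Created Last 30" section of the same log (c:\program files\BFlix created 2012-02-15) that makes it worth a second look.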


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 12:32 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Steve23
  • Topic Starter

  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area

Posted 20 February 2012 - 03:10 PM

Hola Gringo,

ComboFix Log.txt attached.

Possible Mistake: I am sorry for this. Prior to starting ComboFix, I accidentally selected ‘disable until next restart’ on my virus scanner. ComboFix caused a re-boot, which I should have anticipated. The virus scanner came back on and popped a message for ComboFix. In response, I first permanently disabled the virus scanner and then told the virus scanner pop-up to open ComboFix normally. Also, the virus scanner updated its virus definitions while ComboFix was running. I do not know if any of this affects the ComboFix results. I did successfully generate a log only a few minutes after the virus scanner pop-up. Let me know if you want me to re-run ComboFix.

Symptoms Update:
  • Upon first inspection with a little trial surfing, the malware pop-ups for survey offers and the randomly hyperlinked words that lead to the survey seem to be gone. However, in previewing my post I just now noticed one randomly hyperlinked word (whereas before there were more like five), but the behavior was different than before. It used to pop up a little window by Text-Enhance, which when you clicked inside it led you to the bogus survey page. Right now I do not get the little pop-up window but just a small yellowish textbox that says “Powered by Text-Enhance.” When I clicked the link I was taken to a bogus-looking site at http://www.freshweddings.com/results2.aspx?keywords=malware, which was a quick re-direct from www.textsrv.com/click?v= <blah, blah, blah>.
  • FreeWorkz is now also gone from Add / Remove Programs list.
  • Also, the directory (I'm pretty sure it is the same directory) with the 'let's re-download the malware' Freeworkz.js file is now empty except for a dll ("C:\Program Files\FreeWorkz\FreeWorkzPE.dll"). Scanning this file with Avast Free Version does not find a threat. You will let me know what I should do with this dll and its parent directory, right?

"please Do not Attach logs or put in code boxes"

I assume that means no logs unless you request them, right?
What does it mean to "put code in boxes?"

Steve


ComboFix 12-02-19.02 - Owner 02/20/2012 13:43:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1387 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Papa\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\100
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\iwpdgina.dll
c:\windows\system32\SET35A.tmp
c:\windows\system32\SET35B.tmp
c:\windows\system32\SET365.tmp
c:\windows\system32\SET36A.tmp
c:\windows\system32\SET36B.tmp
c:\windows\system32\SET36C.tmp
c:\windows\system32\SET371.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-19 18:13 . 2012-02-19 18:13 -------- d-----w- C:\Lifeboat Restore Working
2012-02-19 04:56 . 2012-02-19 04:56 -------- d-----w- c:\program files\Common Files\Java
2012-02-19 04:55 . 2012-02-19 04:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-19 04:55 . 2012-02-19 04:55 -------- d-----w- c:\program files\Java
2012-02-16 03:44 . 2012-02-16 04:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
2012-02-15 23:24 . 2012-02-15 23:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-02-15 02:34 . 2012-02-15 02:34 -------- d-----w- c:\program files\BFlix
2012-02-15 02:34 . 2012-02-15 02:34 -------- d-----w- c:\program files\Windows Sidebar
2012-02-15 02:33 . 2012-02-16 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-02-15 02:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 02:17 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-03 02:49 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-03 02:49 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-03 02:49 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-03 02:49 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-03 02:49 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-03 02:49 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-02-03 02:49 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-02-03 02:49 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-02-03 02:49 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-03 02:49 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-03 02:49 . 2012-02-03 02:49 -------- d-----w- c:\program files\AVAST Software
2012-02-03 02:49 . 2012-02-03 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-01-23 03:36 . 2012-01-23 03:39 -------- d-----w- C:\LifeboatStorage
2012-01-23 03:35 . 2012-01-23 03:35 -------- d-----w- c:\program files\DigitalLifeboat
2012-01-23 03:35 . 2012-02-20 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DigitalLifeboat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-19 04:55 . 2010-06-29 17:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 14:12 . 2012-01-18 14:12 21336 ----a-w- c:\windows\system32\drivers\ggcfdrv.sys
2012-01-12 16:53 . 2008-04-14 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C9F4179-6CE2-4c6a-A3E5-67FF3592A12E}]
2011-12-30 19:33 167936 ----a-w- c:\program files\BFlix\Bflix.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0400Ext.ax"="c:\windows\system32\V0400Ext.ax" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2011-06-22 1407248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-06-22 1210640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-09-10 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Digital Lifeboat Client Application"="c:\program files\DigitalLifeboat\Data Protection Service\DigitalLifeboatClientApp.exe" [2012-02-16 531840]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-6-27 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DigitalLifeboat\\Data Protection Service\\DigitalLifeboatClientApp.exe"=
"c:\\Program Files\\DigitalLifeboat\\Data Protection Service\\DataProtectionService.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/2/2012 9:49 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/2/2012 9:49 PM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/2/2012 9:49 PM 20568]
R2 Digital Lifeboat Backup Service;Digital Lifeboat Backup Service;c:\program files\DigitalLifeboat\Data Protection Service\DataProtectionService.exe [1/18/2012 9:14 AM 11776]
R2 Digital Lifeboat Update Service;Digital Lifeboat Update Service;c:\program files\DigitalLifeboat\Data Protection Service\DataProtectionUpdateService.exe [1/18/2012 9:14 AM 154112]
R2 ggcfdrv;ggcfdrv;c:\windows\system32\drivers\ggcfdrv.sys [1/18/2012 9:12 AM 21336]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [10/9/2011 6:06 PM 6609920]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 6:16 PM 136176]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/29/2010 8:55 AM 69692]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 6:16 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [10/19/2011 9:56 PM 192096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-FreeWorkz - c:\program files\FreeWorkz\Uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 13:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-20 13:55:43 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 18:55
ComboFix2.txt 2011-09-17 19:18
.
Pre-Run: 143,879,704,576 bytes free
Post-Run: 143,850,778,624 bytes free
.
- - End Of File - - 0E5F8172B63FDC2B6A556582AD6F8795

Attached Files

  • Attached File  log.txt   11.35KB   1 downloads

Edited by gringo_pr, 20 February 2012 - 03:28 PM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 03:30 PM

Hello Steve


I would like them copied and pasted into the reply (see my edit above); a code or quote box makes the reports harder to read.




Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Steve23 (Topic Starter)

Posted 20 February 2012 - 04:42 PM

Gringo, Thanks for the quick reply.

First, I disabled my virus scanner because I didn't know if I should have left it disabled from the ComboFix run. I also closed all open programs.

Then I ran TDSSKiller. The log is below.

When I ran aswMBR I did not get the prompt for downloading extra definitions, maybe because I use Avast Free AntiVirus and am up to date with my definitions. I also was unable to complete the aswMBR scan. I got a Windows Dr. Watson style error message that said "avast! Antirootkit has encountered a problem and needs to close." When I hit Close in the error window, it closed aswMBR and I could not grab a log. I did not retry it. What would you like me to do about that?

Steve

From TDSSKiller:
16:19:36.0953 3676 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
16:19:37.0531 3676 ============================================================
16:19:37.0531 3676 Current date / time: 2012/02/20 16:19:37.0531
16:19:37.0531 3676 SystemInfo:
16:19:37.0531 3676
16:19:37.0531 3676 OS Version: 5.1.2600 ServicePack: 3.0
16:19:37.0531 3676 Product type: Workstation
16:19:37.0531 3676 ComputerName: OWNER-634657A0E
16:19:37.0531 3676 UserName: Owner
16:19:37.0531 3676 Windows directory: C:\WINDOWS
16:19:37.0531 3676 System windows directory: C:\WINDOWS
16:19:37.0531 3676 Processor architecture: Intel x86
16:19:37.0531 3676 Number of processors: 2
16:19:37.0531 3676 Page size: 0x1000
16:19:37.0531 3676 Boot type: Normal boot
16:19:37.0531 3676 ============================================================
16:19:39.0125 3676 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
16:19:39.0125 3676 \Device\Harddisk0\DR0:
16:19:39.0125 3676 MBR used
16:19:39.0125 3676 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A18A82
16:19:39.0140 3676 Initialize success
16:19:39.0140 3676 ============================================================
16:20:03.0250 2124 ============================================================
16:20:03.0250 2124 Scan started
16:20:03.0250 2124 Mode: Manual;
16:20:03.0250 2124 ============================================================
16:20:03.0656 2124 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
16:20:03.0656 2124 Aavmker4 - ok
16:20:03.0671 2124 Abiosdsk - ok
16:20:03.0687 2124 abp480n5 - ok
16:20:03.0734 2124 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:20:03.0750 2124 ACPI - ok
16:20:03.0781 2124 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:20:03.0781 2124 ACPIEC - ok
16:20:03.0796 2124 adpu160m - ok
16:20:03.0843 2124 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:20:03.0859 2124 aec - ok
16:20:03.0906 2124 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
16:20:03.0906 2124 AFD - ok
16:20:03.0921 2124 Aha154x - ok
16:20:03.0937 2124 aic78u2 - ok
16:20:03.0937 2124 aic78xx - ok
16:20:03.0953 2124 AliIde - ok
16:20:03.0968 2124 amsint - ok
16:20:04.0015 2124 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
16:20:04.0015 2124 ApfiltrService - ok
16:20:04.0062 2124 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
16:20:04.0078 2124 APPDRV - ok
16:20:04.0078 2124 asc - ok
16:20:04.0093 2124 asc3350p - ok
16:20:04.0109 2124 asc3550 - ok
16:20:04.0125 2124 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
16:20:04.0125 2124 aswFsBlk - ok
16:20:04.0140 2124 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
16:20:04.0140 2124 aswMon2 - ok
16:20:04.0171 2124 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
16:20:04.0171 2124 aswRdr - ok
16:20:04.0203 2124 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
16:20:04.0203 2124 aswSnx - ok
16:20:04.0218 2124 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
16:20:04.0234 2124 aswSP - ok
16:20:04.0250 2124 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
16:20:04.0250 2124 aswTdi - ok
16:20:04.0296 2124 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:20:04.0296 2124 AsyncMac - ok
16:20:04.0328 2124 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:20:04.0328 2124 atapi - ok
16:20:04.0343 2124 Atdisk - ok
16:20:04.0375 2124 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:20:04.0375 2124 Atmarpc - ok
16:20:04.0421 2124 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:20:04.0421 2124 audstub - ok
16:20:04.0468 2124 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
16:20:04.0484 2124 b57w2k - ok
16:20:04.0515 2124 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:20:04.0515 2124 Beep - ok
16:20:04.0562 2124 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
16:20:04.0578 2124 BthEnum - ok
16:20:04.0578 2124 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
16:20:04.0593 2124 BthPan - ok
16:20:04.0640 2124 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
16:20:04.0656 2124 BTHPORT - ok
16:20:04.0687 2124 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
16:20:04.0687 2124 BTHUSB - ok
16:20:04.0687 2124 catchme - ok
16:20:04.0718 2124 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:20:04.0734 2124 cbidf2k - ok
16:20:04.0765 2124 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
16:20:04.0781 2124 CCDECODE - ok
16:20:04.0781 2124 cd20xrnt - ok
16:20:04.0812 2124 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:20:04.0812 2124 Cdaudio - ok
16:20:04.0828 2124 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:20:04.0828 2124 Cdfs - ok
16:20:04.0875 2124 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:20:04.0875 2124 Cdrom - ok
16:20:04.0890 2124 cerc6 - ok
16:20:04.0906 2124 Changer - ok
16:20:04.0921 2124 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:20:04.0921 2124 CmBatt - ok
16:20:04.0937 2124 CmdIde - ok
16:20:04.0953 2124 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:20:04.0953 2124 Compbatt - ok
16:20:04.0968 2124 Cpqarray - ok
16:20:05.0015 2124 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
16:20:05.0031 2124 cpudrv - ok
16:20:05.0031 2124 dac2w2k - ok
16:20:05.0046 2124 dac960nt - ok
16:20:05.0062 2124 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:20:05.0078 2124 Disk - ok
16:20:05.0093 2124 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
16:20:05.0093 2124 DLABMFSM - ok
16:20:05.0125 2124 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
16:20:05.0125 2124 DLABOIOM - ok
16:20:05.0140 2124 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
16:20:05.0140 2124 DLACDBHM - ok
16:20:05.0156 2124 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
16:20:05.0156 2124 DLADResM - ok
16:20:05.0171 2124 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
16:20:05.0171 2124 DLAIFS_M - ok
16:20:05.0187 2124 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
16:20:05.0187 2124 DLAOPIOM - ok
16:20:05.0187 2124 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
16:20:05.0187 2124 DLAPoolM - ok
16:20:05.0203 2124 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
16:20:05.0203 2124 DLARTL_M - ok
16:20:05.0218 2124 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
16:20:05.0218 2124 DLAUDFAM - ok
16:20:05.0234 2124 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
16:20:05.0234 2124 DLAUDF_M - ok
16:20:05.0312 2124 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:20:05.0328 2124 dmboot - ok
16:20:05.0359 2124 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:20:05.0359 2124 dmio - ok
16:20:05.0375 2124 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:20:05.0375 2124 dmload - ok
16:20:05.0421 2124 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:20:05.0421 2124 DMusic - ok
16:20:05.0437 2124 dpti2o - ok
16:20:05.0453 2124 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:20:05.0453 2124 drmkaud - ok
16:20:05.0453 2124 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
16:20:05.0468 2124 DRVMCDB - ok
16:20:05.0468 2124 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
16:20:05.0484 2124 DRVNDDM - ok
16:20:05.0531 2124 el575nd5 (23f6b9cf432f492ebbd8105d78cb008c) C:\WINDOWS\system32\DRIVERS\el575nd5.sys
16:20:05.0531 2124 el575nd5 - ok
16:20:05.0546 2124 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:20:05.0546 2124 Fastfat - ok
16:20:05.0593 2124 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
16:20:05.0593 2124 Fdc - ok
16:20:05.0609 2124 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:20:05.0609 2124 Fips - ok
16:20:05.0625 2124 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
16:20:05.0625 2124 Flpydisk - ok
16:20:05.0671 2124 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
16:20:05.0671 2124 FltMgr - ok
16:20:05.0687 2124 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:20:05.0687 2124 Fs_Rec - ok
16:20:05.0703 2124 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:20:05.0703 2124 Ftdisk - ok
16:20:05.0734 2124 ggcfdrv (a1cd26b7fab97e1f853121cea6bb7cd3) C:\WINDOWS\system32\DRIVERS\ggcfdrv.sys
16:20:05.0734 2124 ggcfdrv - ok
16:20:05.0765 2124 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:20:05.0765 2124 Gpc - ok
16:20:05.0828 2124 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys
16:20:05.0828 2124 guardian2 - ok
16:20:05.0875 2124 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:20:05.0890 2124 HDAudBus - ok
16:20:05.0937 2124 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:20:05.0937 2124 HidUsb - ok
16:20:05.0953 2124 hpn - ok
16:20:06.0031 2124 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
16:20:06.0046 2124 HSF_DPV - ok
16:20:06.0078 2124 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
16:20:06.0078 2124 HSXHWAZL - ok
16:20:06.0140 2124 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:20:06.0156 2124 HTTP - ok
16:20:06.0171 2124 i2omgmt - ok
16:20:06.0171 2124 i2omp - ok
16:20:06.0234 2124 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:20:06.0234 2124 i8042prt - ok
16:20:06.0500 2124 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:20:06.0640 2124 ialm - ok
16:20:06.0750 2124 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:20:06.0750 2124 Imapi - ok
16:20:06.0765 2124 ini910u - ok
16:20:06.0765 2124 IntelIde - ok
16:20:06.0828 2124 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:20:06.0828 2124 intelppm - ok
16:20:06.0859 2124 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
16:20:06.0859 2124 Ip6Fw - ok
16:20:06.0890 2124 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:20:06.0890 2124 IpFilterDriver - ok
16:20:06.0906 2124 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:20:06.0906 2124 IpInIp - ok
16:20:06.0937 2124 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:20:06.0953 2124 IpNat - ok
16:20:06.0968 2124 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:20:06.0968 2124 IPSec - ok
16:20:07.0015 2124 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:20:07.0015 2124 IRENUM - ok
16:20:07.0062 2124 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:20:07.0078 2124 isapnp - ok
16:20:07.0125 2124 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:20:07.0125 2124 Kbdclass - ok
16:20:07.0171 2124 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:20:07.0171 2124 kbdhid - ok
16:20:07.0218 2124 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:20:07.0218 2124 kmixer - ok
16:20:07.0234 2124 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:20:07.0234 2124 KSecDD - ok
16:20:07.0250 2124 lbrtfdc - ok
16:20:07.0265 2124 MBAMSwissArmy - ok
16:20:07.0312 2124 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
16:20:07.0312 2124 mdmxsdk - ok
16:20:07.0343 2124 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:20:07.0343 2124 mnmdd - ok
16:20:07.0375 2124 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:20:07.0375 2124 Modem - ok
16:20:07.0406 2124 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:20:07.0406 2124 Mouclass - ok
16:20:07.0437 2124 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:20:07.0437 2124 mouhid - ok
16:20:07.0468 2124 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:20:07.0484 2124 MountMgr - ok
16:20:07.0484 2124 mraid35x - ok
16:20:07.0515 2124 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:20:07.0531 2124 MRxDAV - ok
16:20:07.0593 2124 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:20:07.0609 2124 MRxSmb - ok
16:20:07.0625 2124 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:20:07.0625 2124 Msfs - ok
16:20:07.0671 2124 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:20:07.0671 2124 MSKSSRV - ok
16:20:07.0687 2124 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:20:07.0687 2124 MSPCLOCK - ok
16:20:07.0703 2124 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:20:07.0703 2124 MSPQM - ok
16:20:07.0750 2124 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:20:07.0765 2124 mssmbios - ok
16:20:07.0796 2124 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
16:20:07.0796 2124 MSTEE - ok
16:20:07.0828 2124 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
16:20:07.0828 2124 Mup - ok
16:20:07.0859 2124 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
16:20:07.0859 2124 NABTSFEC - ok
16:20:07.0890 2124 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:20:07.0890 2124 NDIS - ok
16:20:07.0906 2124 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
16:20:07.0906 2124 NdisIP - ok
16:20:07.0953 2124 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:20:07.0953 2124 NdisTapi - ok
16:20:08.0000 2124 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:20:08.0015 2124 Ndisuio - ok
16:20:08.0015 2124 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:20:08.0031 2124 NdisWan - ok
16:20:08.0046 2124 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
16:20:08.0046 2124 NDProxy - ok
16:20:08.0062 2124 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:20:08.0062 2124 NetBIOS - ok
16:20:08.0109 2124 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:20:08.0109 2124 NetBT - ok
16:20:08.0265 2124 NETw5x32 (aa88346ab7849a1cb34bd3424febfece) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
16:20:08.0359 2124 NETw5x32 - ok
16:20:08.0640 2124 NETwLx32 (72062b53186e4a3f5fcbc41ebb62b905) C:\WINDOWS\system32\DRIVERS\NETwLx32.sys
16:20:08.0890 2124 NETwLx32 - ok
16:20:09.0000 2124 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:20:09.0000 2124 Npfs - ok
16:20:09.0062 2124 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:20:09.0078 2124 Ntfs - ok
16:20:09.0140 2124 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:20:09.0140 2124 Null - ok
16:20:09.0203 2124 NWADI (9edf6fd48a9eb4afdf225eb9c5111df6) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
16:20:09.0203 2124 NWADI - ok
16:20:09.0250 2124 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:20:09.0250 2124 NwlnkFlt - ok
16:20:09.0265 2124 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:20:09.0265 2124 NwlnkFwd - ok
16:20:09.0296 2124 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
16:20:09.0296 2124 Parport - ok
16:20:09.0312 2124 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:20:09.0312 2124 PartMgr - ok
16:20:09.0343 2124 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:20:09.0343 2124 ParVdm - ok
16:20:09.0375 2124 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
16:20:09.0375 2124 PCASp50 - ok
16:20:09.0406 2124 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:20:09.0406 2124 PCI - ok
16:20:09.0421 2124 PCIDump - ok
16:20:09.0437 2124 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:20:09.0437 2124 PCIIde - ok
16:20:09.0453 2124 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
16:20:09.0468 2124 Pcmcia - ok
16:20:09.0468 2124 PDCOMP - ok
16:20:09.0484 2124 PDFRAME - ok
16:20:09.0500 2124 PDRELI - ok
16:20:09.0515 2124 PDRFRAME - ok
16:20:09.0515 2124 perc2 - ok
16:20:09.0531 2124 perc2hib - ok
16:20:09.0578 2124 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:20:09.0593 2124 PptpMiniport - ok
16:20:09.0625 2124 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:20:09.0625 2124 PSched - ok
16:20:09.0640 2124 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:20:09.0640 2124 Ptilink - ok
16:20:09.0671 2124 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:20:09.0671 2124 PxHelp20 - ok
16:20:09.0687 2124 ql1080 - ok
16:20:09.0703 2124 Ql10wnt - ok
16:20:09.0703 2124 ql12160 - ok
16:20:09.0718 2124 ql1240 - ok
16:20:09.0734 2124 ql1280 - ok
16:20:09.0750 2124 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:20:09.0750 2124 RasAcd - ok
16:20:09.0765 2124 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:20:09.0765 2124 Rasl2tp - ok
16:20:09.0781 2124 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:20:09.0781 2124 RasPppoe - ok
16:20:09.0796 2124 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:20:09.0796 2124 Raspti - ok
16:20:09.0828 2124 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:20:09.0843 2124 Rdbss - ok
16:20:09.0843 2124 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:20:09.0859 2124 RDPCDD - ok
16:20:09.0906 2124 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:20:09.0906 2124 rdpdr - ok
16:20:09.0968 2124 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
16:20:09.0968 2124 RDPWD - ok
16:20:10.0000 2124 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:20:10.0000 2124 redbook - ok
16:20:10.0046 2124 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
16:20:10.0046 2124 RFCOMM - ok
16:20:10.0109 2124 s24trans (27fc71da659305e260acbda15a318399) C:\WINDOWS\system32\DRIVERS\s24trans.sys
16:20:10.0109 2124 s24trans - ok
16:20:10.0140 2124 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:20:10.0156 2124 Secdrv - ok
16:20:10.0171 2124 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:20:10.0171 2124 serenum - ok
16:20:10.0187 2124 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:20:10.0187 2124 Serial - ok
16:20:10.0218 2124 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:20:10.0218 2124 Sfloppy - ok
16:20:10.0234 2124 Simbad - ok
16:20:10.0265 2124 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
16:20:10.0265 2124 SLIP - ok
16:20:10.0296 2124 Sparrow - ok
16:20:10.0343 2124 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:20:10.0343 2124 splitter - ok
16:20:10.0406 2124 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:20:10.0406 2124 sr - ok
16:20:10.0468 2124 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
16:20:10.0484 2124 Srv - ok
16:20:10.0562 2124 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
16:20:10.0578 2124 STHDA - ok
16:20:10.0593 2124 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
16:20:10.0609 2124 streamip - ok
16:20:10.0640 2124 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:20:10.0640 2124 swenum - ok
16:20:10.0656 2124 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:20:10.0656 2124 swmidi - ok
16:20:10.0671 2124 symc810 - ok
16:20:10.0687 2124 symc8xx - ok
16:20:10.0703 2124 sym_hi - ok
16:20:10.0718 2124 sym_u3 - ok
16:20:10.0734 2124 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:20:10.0734 2124 sysaudio - ok
16:20:10.0812 2124 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:20:10.0812 2124 Tcpip - ok
16:20:10.0859 2124 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINDOWS\system32\Drivers\tcusb.sys
16:20:10.0859 2124 TcUsb - ok
16:20:10.0890 2124 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:20:10.0890 2124 TDPIPE - ok
16:20:10.0906 2124 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:20:10.0906 2124 TDTCP - ok
16:20:10.0921 2124 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:20:10.0937 2124 TermDD - ok
16:20:10.0953 2124 TosIde - ok
16:20:10.0984 2124 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:20:11.0000 2124 Udfs - ok
16:20:11.0000 2124 UIUSys - ok
16:20:11.0015 2124 ultra - ok
16:20:11.0078 2124 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:20:11.0093 2124 Update - ok
16:20:11.0156 2124 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
16:20:11.0156 2124 usbaudio - ok
16:20:11.0203 2124 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:20:11.0203 2124 usbccgp - ok
16:20:11.0250 2124 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:20:11.0265 2124 usbehci - ok
16:20:11.0328 2124 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:20:11.0328 2124 usbhub - ok
16:20:11.0390 2124 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:20:11.0406 2124 USBSTOR - ok
16:20:11.0421 2124 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:20:11.0421 2124 usbuhci - ok
16:20:11.0468 2124 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
16:20:11.0468 2124 usbvideo - ok
16:20:11.0515 2124 VF0400Vid (4eaa63e835be32ac40014d635a7735b2) C:\WINDOWS\system32\DRIVERS\V0400Vid.sys
16:20:11.0531 2124 VF0400Vid - ok
16:20:11.0546 2124 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:20:11.0546 2124 VgaSave - ok
16:20:11.0562 2124 ViaIde - ok
16:20:11.0593 2124 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:20:11.0593 2124 VolSnap - ok
16:20:11.0625 2124 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:20:11.0625 2124 Wanarp - ok
16:20:11.0640 2124 WDICA - ok
16:20:11.0687 2124 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:20:11.0687 2124 wdmaud - ok
16:20:11.0750 2124 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
16:20:11.0765 2124 winachsf - ok
16:20:11.0843 2124 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
16:20:11.0843 2124 WmiAcpi - ok
16:20:11.0890 2124 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:20:11.0890 2124 WS2IFSL - ok
16:20:11.0937 2124 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
16:20:11.0937 2124 WSTCODEC - ok
16:20:12.0000 2124 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:20:12.0000 2124 WudfPf - ok
16:20:12.0015 2124 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:20:12.0015 2124 WudfRd - ok
16:20:12.0046 2124 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:20:12.0328 2124 \Device\Harddisk0\DR0 - ok
16:20:12.0343 2124 Boot (0x1200) (c0a084ea883628bfc0d69745237b48b9) \Device\Harddisk0\DR0\Partition0
16:20:12.0343 2124 \Device\Harddisk0\DR0\Partition0 - ok
16:20:12.0343 2124 ============================================================
16:20:12.0343 2124 Scan finished
16:20:12.0343 2124 ============================================================
16:20:12.0343 0944 Detected object count: 0
16:20:12.0343 0944 Actual detected object count: 0
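The TDSSKiller log above reports every driver as "- ok", yet the same ggcfdrv.sys is removed as part of BFlix in the next post: "ok" only means no known rootkit signature matched, not that the driver is trusted. The following is an added example, not code from this thread or from Kaspersky's TDSSKiller, of how a responder can triage such a log instead of trusting the verdict. It parses the hashed driver lines, pairs each with its verdict, lists images living outside the Windows driver directory, and lists hashes absent from a known-good baseline so they can be looked up. The sample log lines are copied from the log above; the baseline set (only Avast's aswFsBlk hash) and the function names are assumptions for illustration.

```python
"""Triage a TDSSKiller driver-scan log by image location and by hash.

Added example: not code from the thread above and not part of TDSSKiller.
A "- ok" verdict means only that no known rootkit signature matched;
ggcfdrv gets "- ok" here and is still the BFlix driver ComboFix removes.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log above (raw string so the
# Windows backslashes survive).
SAMPLE_LOG = r"""
16:20:04.0125 2124 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
16:20:04.0125 2124 aswFsBlk - ok
16:20:05.0015 2124 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
16:20:05.0031 2124 cpudrv - ok
16:20:05.0734 2124 ggcfdrv (a1cd26b7fab97e1f853121cea6bb7cd3) C:\WINDOWS\system32\DRIVERS\ggcfdrv.sys
16:20:05.0734 2124 ggcfdrv - ok
16:20:06.0171 2124 i2omgmt - ok
16:20:12.0046 2124 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:20:12.0328 2124 \Device\Harddisk0\DR0 - ok
"""

# Assumed known-good baseline (not from the page). In practice it comes from
# a clean reference build or vendor catalogue; here only aswFsBlk is "known".
KNOWN_GOOD_MD5 = {"054df24c92b55427e0757cfff160e4f2"}

WINDOWS_DRIVER_DIR = r"c:\windows\system32\drivers"

# "<time> <tid> <name> [(0xSIZE)] (<md5>) <path>"; the optional size group
# covers the MBR / boot-sector records at the end of the scan.
ENTRY_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
    r"(?P<name>\S+)\s+"
    r"(?:\((?P<size>0x[0-9A-Fa-f]+)\)\s+)?"
    r"\((?P<md5>[0-9a-f]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)
# "<time> <tid> <name-or-device-path> - <verdict>"
VERDICT_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<key>.+?)\s+-\s+(?P<verdict>\w+)\s*$"
)


@dataclass
class Entry:
    name: str
    md5: str
    path: str
    verdict: str = "unknown"


def parse_tdsskiller(text: str) -> list[Entry]:
    """Pair each hashed image line with its verdict line.

    Services with no image on disk (e.g. 'i2omgmt - ok') have only a
    verdict line and are dropped: there is nothing to hash or look up.
    """
    by_name: dict[str, Entry] = {}
    by_path: dict[str, Entry] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            e = Entry(m["name"], m["md5"], m["path"])
            by_name[e.name] = e
            by_path[e.path] = e
            continue
        v = VERDICT_RE.match(line)
        if v:
            # Driver verdicts key on the service name; disk and partition
            # verdicts key on the \Device\ path.
            e = by_name.get(v["key"]) or by_path.get(v["key"])
            if e:
                e.verdict = v["verdict"]
    return list(by_name.values())


def is_file_entry(e: Entry) -> bool:
    """MBR and boot-sector records carry a \\Device\\ path, not a file."""
    return not e.path.lower().startswith("\\device\\")


def flag_out_of_tree(entries: list[Entry]) -> list[str]:
    """Names of drivers whose image lives outside the Windows driver dir."""
    return [
        e.name for e in entries
        if is_file_entry(e)
        and not e.path.lower().startswith(WINDOWS_DRIVER_DIR + "\\")
    ]


def unknown_drivers(entries: list[Entry], known_good: set[str]) -> list[Entry]:
    """Drivers whose hash is not in the baseline, whatever the verdict says.

    These are the hashes to look up or submit; a path inside
    system32\\drivers proves nothing, as ggcfdrv shows.
    """
    return [e for e in entries if is_file_entry(e) and e.md5 not in known_good]


if __name__ == "__main__":
    ents = parse_tdsskiller(SAMPLE_LOG)
    for e in ents:
        print(f"{e.name:<8} {e.verdict:<4} {e.md5} {e.path}")
    print("outside driver dir:", flag_out_of_tree(ents))
    print("hash lookup needed:",
          [(e.name, e.md5) for e in unknown_drivers(ents, KNOWN_GOOD_MD5)])
```

Run against the sample, the location check surfaces only cpudrv (it lives under Program Files), while the baseline check surfaces both cpudrv and ggcfdrv even though TDSSKiller marked them "ok"; that second list is the one to take to a hash lookup before deciding a driver is benign.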

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 20 February 2012 - 05:37 PM

Greetings


Some of our scans can be very sensitive, so I would not worry about it not running.

At this time I would like you to run this script for me; it is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
c:\windows\system32\drivers\ggcfdrv.sys

Folder::
c:\program files\BFlix

Driver::
ggcfdrv

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#7 Steve23 (Topic Starter)

Posted 20 February 2012 - 06:20 PM

Gringo,

Problems Had: Stupidity. I dragged and dropped the wrong text file onto ComboFix the first time, but it gave an error that CFScript was not spelled correctly and quit safely, I think.

How's the Computer Running:
  • Still no re-directs to the bogus survey.
  • I don't see random hyperlinks in the preview of my post this time (or last time).
  • C:\Program Files\FreeWorkz\FreeWorkzPE.dll is still there, doing what ill I do not know.

Steve

ComboFix 12-02-19.02 - Owner 02/20/2012 17:59:36.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1293 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\drivers\ggcfdrv.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\BFlix
c:\program files\BFlix\bflix.crx
c:\program files\BFlix\Bflix.dll
c:\program files\BFlix\onload.js
c:\program files\BFlix\uninstall.exe
c:\windows\system32\drivers\ggcfdrv.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GGCFDRV
-------\Service_ggcfdrv
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-20 18:53 . 2012-02-20 18:53 -------- d-----w- C:\Lifeboat Restore Working
2012-02-19 04:56 . 2012-02-19 04:56 -------- d-----w- c:\program files\Common Files\Java
2012-02-19 04:55 . 2012-02-19 04:55 -------- d-----w- c:\program files\Java
2012-02-16 03:44 . 2012-02-16 04:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
2012-02-15 23:24 . 2012-02-15 23:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-02-15 02:34 . 2012-02-15 02:34 -------- d-----w- c:\program files\Windows Sidebar
2012-02-15 02:33 . 2012-02-16 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-02-15 02:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-03 02:49 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-03 02:49 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-03 02:49 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-03 02:49 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-03 02:49 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-03 02:49 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-02-03 02:49 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-02-03 02:49 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-02-03 02:49 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-03 02:49 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-03 02:49 . 2012-02-03 02:49 -------- d-----w- c:\program files\AVAST Software
2012-02-03 02:49 . 2012-02-03 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-01-23 03:36 . 2012-01-23 03:39 -------- d-----w- C:\LifeboatStorage
2012-01-23 03:35 . 2012-01-23 03:35 -------- d-----w- c:\program files\DigitalLifeboat
2012-01-23 03:35 . 2012-02-20 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DigitalLifeboat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-19 04:55 . 2012-02-19 04:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-19 04:55 . 2010-06-29 17:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-12 16:53 . 2008-04-14 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 02:17 3072 ------w- c:\windows\system32\iacenc.dll
2011-12-17 19:46 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-20_18.52.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-20 23:07 . 2012-02-20 23:07 16384 c:\windows\temp\Perflib_Perfdata_914.dat
+ 2008-04-14 12:00 . 2012-02-20 18:56 80130 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2012-02-19 15:16 80130 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-02-20 18:56 482222 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-02-19 15:16 482222 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0400Ext.ax"="c:\windows\system32\V0400Ext.ax" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2011-06-22 1407248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-06-22 1210640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-09-10 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Digital Lifeboat Client Application"="c:\program files\DigitalLifeboat\Data Protection Service\DigitalLifeboatClientApp.exe" [2012-02-16 531840]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-6-27 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DigitalLifeboat\\Data Protection Service\\DigitalLifeboatClientApp.exe"=
"c:\\Program Files\\DigitalLifeboat\\Data Protection Service\\DataProtectionService.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/2/2012 9:49 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/2/2012 9:49 PM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/2/2012 9:49 PM 20568]
R2 Digital Lifeboat Backup Service;Digital Lifeboat Backup Service;c:\program files\DigitalLifeboat\Data Protection Service\DataProtectionService.exe [1/18/2012 9:14 AM 11776]
R2 Digital Lifeboat Update Service;Digital Lifeboat Update Service;c:\program files\DigitalLifeboat\Data Protection Service\DataProtectionUpdateService.exe [1/18/2012 9:14 AM 154112]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [10/9/2011 6:06 PM 6609920]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 6:16 PM 136176]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/29/2010 8:55 AM 69692]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 6:16 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [10/19/2011 9:56 PM 192096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{0C9F4179-6CE2-4c6a-A3E5-67FF3592A12E} - c:\program files\BFlix\BFlix.dll
AddRemove-BFlix - c:\program files\BFlix\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 18:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-20 18:10:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 23:10
ComboFix2.txt 2012-02-20 18:55
ComboFix3.txt 2011-09-17 19:18
.
Pre-Run: 143,918,665,728 bytes free
Post-Run: 143,503,966,208 bytes free
.
- - End Of File - - 54A5F5700949DC80E727EBFF901DDA23

#8 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 08:20 PM

Hello


3. C:\Program Files\FreeWorkz\FreeWorkzPE.dll is still there, doing what ill I do not know. - Let's go ahead and remove it now; I don't find much info on it.


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

Folder::
C:\Program Files\FreeWorkz

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 Steve23
  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area

Posted 20 February 2012 - 10:15 PM

Gringo,

ComboFix Log after run with your CFScript.

Steve

ComboFix 12-02-19.02 - Owner 02/20/2012 21:54:19.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1368 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\FreeWorkz
c:\program files\FreeWorkz\FreeWorkzPE.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-02-21 02:50 . 2012-02-21 02:50 -------- d-----w- C:\Lifeboat Restore Working
2012-02-19 04:56 . 2012-02-19 04:56 -------- d-----w- c:\program files\Common Files\Java
2012-02-19 04:55 . 2012-02-19 04:55 -------- d-----w- c:\program files\Java
2012-02-16 03:44 . 2012-02-16 04:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
2012-02-15 23:24 . 2012-02-15 23:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-02-15 02:34 . 2012-02-15 02:34 -------- d-----w- c:\program files\Windows Sidebar
2012-02-15 02:33 . 2012-02-16 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-02-15 02:17 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-03 02:49 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-03 02:49 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-03 02:49 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-03 02:49 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-03 02:49 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-03 02:49 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-02-03 02:49 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-02-03 02:49 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-02-03 02:49 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-03 02:49 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-03 02:49 . 2012-02-03 02:49 -------- d-----w- c:\program files\AVAST Software
2012-02-03 02:49 . 2012-02-03 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-01-23 03:36 . 2012-01-23 03:39 -------- d-----w- C:\LifeboatStorage
2012-01-23 03:35 . 2012-01-23 03:35 -------- d-----w- c:\program files\DigitalLifeboat
2012-01-23 03:35 . 2012-02-21 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\DigitalLifeboat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-19 04:55 . 2012-02-19 04:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-19 04:55 . 2010-06-29 17:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-12 16:53 . 2008-04-14 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 02:17 3072 ------w- c:\windows\system32\iacenc.dll
2011-12-17 19:46 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-20_18.52.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-21 03:01 . 2012-02-21 03:01 16384 c:\windows\temp\Perflib_Perfdata_610.dat
+ 2008-04-14 12:00 . 2012-02-21 02:54 80130 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2012-02-19 15:16 80130 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-02-21 02:54 482222 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-02-19 15:16 482222 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0400Ext.ax"="c:\windows\system32\V0400Ext.ax" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2011-06-22 1407248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-06-22 1210640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-09-10 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Digital Lifeboat Client Application"="c:\program files\DigitalLifeboat\Data Protection Service\DigitalLifeboatClientApp.exe" [2012-02-16 531840]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-6-27 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DigitalLifeboat\\Data Protection Service\\DigitalLifeboatClientApp.exe"=
"c:\\Program Files\\DigitalLifeboat\\Data Protection Service\\DataProtectionService.exe"=
.
R?2 Digital Lifeboat Backup Service;Digital Lifeboat Backup Service;c:\program files\DigitalLifeboat\Data Protection Service\DataProtectionService.exe [1/18/2012 9:14 AM 11776]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/2/2012 9:49 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/2/2012 9:49 PM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/2/2012 9:49 PM 20568]
R2 Digital Lifeboat Update Service;Digital Lifeboat Update Service;c:\program files\DigitalLifeboat\Data Protection Service\DataProtectionUpdateService.exe [1/18/2012 9:14 AM 154112]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [10/9/2011 6:06 PM 6609920]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 6:16 PM 136176]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/29/2010 8:55 AM 69692]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 6:16 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [10/19/2011 9:56 PM 192096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 22:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-20 22:04:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-21 03:04
ComboFix2.txt 2012-02-20 23:10
ComboFix3.txt 2012-02-20 18:55
ComboFix4.txt 2011-09-17 19:18
.
Pre-Run: 143,331,622,912 bytes free
Post-Run: 143,394,676,736 bytes free
.
- - End Of File - - D6DE6AD1F681BA9009BCD6A0D0C31A8F
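The CFScripts Gringo posted above (a `Folder::`, `File::` or `Driver::` line followed by one target per line, plus bare directives such as `KillAll::`) and the ComboFix logs Steve posted back are the only record of what actually got removed, so it is worth checking them against each other rather than eyeballing a 200-line log. The script below is an added example for this thread; it is not ComboFix code and not something either poster ran. It assumes the log layout visible in the logs above: parenthesised section headers such as `(((( Other Deletions ))))`, the `- - - - ORPHANS REMOVED - - - -` header, `.` spacer lines, and `-------\Legacy_NAME` / `-------\Service_name` entries under `Drivers/Services` when a driver is unloaded. The sample script and the shortened log excerpt are constructed from this thread's posts.

```python
# Cross-check a ComboFix CFScript against the log ComboFix writes afterwards.
# Added example for this thread (not ComboFix's own code); the log layout it
# parses is assumed from the logs posted in the thread.
import re

# Constructed from Gringo's CFScript and Steve's log in this thread (shortened).
SAMPLE_CFSCRIPT = r"""
KillAll::

Folder::
c:\program files\BFlix

Driver::
ggcfdrv
"""

SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
c:\program files\BFlix
c:\program files\BFlix\Bflix.dll
c:\windows\system32\drivers\ggcfdrv.sys
.
(((((((((( Drivers/Services ))))))))))
.
-------\Legacy_GGCFDRV
-------\Service_ggcfdrv
.
(((((((((( Reg Loading Points ))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{0C9F4179-6CE2-4c6a-A3E5-67FF3592A12E} - c:\program files\BFlix\BFlix.dll
.
**************************************************************************
"""

# Three header styles seen in the thread's logs; a run of asterisks ends a section.
HEADER = re.compile(
    r"^(?:\({5,}\s*(?P<paren>.+?)\s*\){5,}"
    r"|- - - - (?P<dash>.+?) - - - -"
    r"|-{7} (?P<bar>.+?) -{7})\s*$"
)
END_OF_SECTION = re.compile(r"^\*{10,}\s*$")


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Map each 'Name::' directive to the target lines that follow it."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log(log: str) -> dict[str, list[str]]:
    """Map each ComboFix section title to its entry lines ('.' spacers dropped)."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            current = next(g for g in m.groups() if g is not None)
            sections[current] = []
            continue
        if END_OF_SECTION.match(line):
            current = None
            continue
        if current is None or line in ("", "."):
            continue
        sections[current].append(line)
    return sections


def verify(cfscript: str, log: str) -> dict[str, bool]:
    """True per Folder::/File::/Driver:: target that the log shows as removed.
    A driver counts only if both its Legacy_ and Service_ keys were deleted."""
    script, sections = parse_cfscript(cfscript), parse_log(log)
    deleted = {l.lower() for l in sections.get("Other Deletions", [])}
    services = {l.lower() for l in sections.get("Drivers/Services", [])}
    results: dict[str, bool] = {}
    for folder in script.get("Folder", []):
        results[f"Folder::{folder}"] = folder.lower() in deleted
    for path in script.get("File", []):
        results[f"File::{path}"] = path.lower() in deleted
    for drv in script.get("Driver", []):
        name = drv.lower()
        results[f"Driver::{drv}"] = (f"-------\\legacy_{name}" in services
                                    and f"-------\\service_{name}" in services)
    return results


def leftover_references(log: str, folder: str) -> list[str]:
    """Post-run autostart entries that still point into a folder the script removed."""
    needle = folder.lower()
    return [l for l in parse_log(log).get("Reg Loading Points", []) if needle in l.lower()]


if __name__ == "__main__":
    for target, ok in verify(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(("removed   " if ok else "NOT FOUND ") + target)
    print("leftovers:", leftover_references(SAMPLE_LOG, r"c:\program files\BFlix"))
```

Run it with the real CFScript.txt and the produced log after each ComboFix pass: a target that comes back False was not actually deleted and needs a closer look at the log, and `leftover_references` flags a `Run` or BHO entry that still points into a folder the script was supposed to clear, which is exactly the kind of remnant Steve was asking about with FreeWorkzPE.dll.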

#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 February 2012 - 10:33 PM

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#11 Steve23
  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area

Posted 21 February 2012 - 12:04 AM

Gringo,

Thank you so much for all the support today. I will need to continue this tomorrow evening.

Regards,

Steve

#12 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 February 2012 - 01:26 AM

No problem, Steve. I will see you then.


gringo

#13 Steve23
  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area

Posted 21 February 2012 - 07:36 PM

Gringo,

I ran TFC.exe. No problems.

I ran MBAM. Log appended.
No problems, except I did not see any "Show Results" like your instructions mentioned. When the scan completed it just opened a log window. The scan window said 'No malicious items detected.' Therefore there was nothing to select for removal. I closed MBAM.

I ran HijackThis. No problems. Log appended.

Computer "seems" to be working ok. No random hyperlinks in the preview of this post. No re-directs after a few trial surfing attempts in IE8 and Chrome.

This ended up being less work than I thought from just reading the instructions; I should have done it last night. Thank you for your patience and continued help.

Steve

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.21.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: OWNER-634657A0E [administrator]

2/21/2012 7:05:23 PM
mbam-log-2012-02-21 (19-05-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 169209
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:23:55 PM, on 2/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DigitalLifeboat\Data Protection Service\DigitalLifeboatClientApp.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DigitalLifeboat\Data Protection Service\DataProtectionUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalLifeboat\Data Protection Service\DataProtectionService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Digital Lifeboat Client Application] C:\Program Files\DigitalLifeboat\Data Protection Service\DigitalLifeboatClientApp.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0400Ext.ax] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0400Ext.ax
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Digital Lifeboat Backup Service - Digital Lifeboat, Inc - C:\Program Files\DigitalLifeboat\Data Protection Service\DataProtectionService.exe
O23 - Service: Digital Lifeboat Update Service - Digital Lifeboat, Inc. - C:\Program Files\DigitalLifeboat\Data Protection Service\DataProtectionUpdateService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

--
End of file - 7955 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 February 2012 - 07:57 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    • O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    • O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    • O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0400Ext.ax] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0400Ext.ax
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    • O4 - Global Startup: AutorunsDisabled
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard, or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

Edited by gringo_pr, 21 February 2012 - 08:17 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
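To make the HijackThis step above concrete, here is an added Python example (not gringo's tool and not HijackThis's own code) that parses the O4 lines of the log quoted earlier in this thread, separates the entries gringo listed as optional from the rest, and flags any remaining entry that is launched through a generic host such as rundll32 or regsvr32, since there the argument rather than the host executable is what needs vetting. The sample log is a constructed subset of the posted log, and the list of optional names is taken from gringo's post.

```python
import re

# Constructed sample: a subset of the O4 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0400Ext.ax] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0400Ext.ax
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
"""

# The entries gringo listed above as safe to remove (names copied from the post).
GRINGO_OPTIONAL = ["IgfxTray", "SigmatelSysTrayApp", "Dell QuickSet", "QuickTime Task", "Adobe ARM",
                   r"C:\WINDOWS\system32\V0400Ext.ax", "SunJavaUpdateSched", "AutorunsDisabled"]

REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.*)$")
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe"}  # launchers whose argument is the real payload

def parse_o4(log_text):
    """One dict per O4 line: where the autostart lives, its name and the command it runs."""
    entries = []
    for line in log_text.splitlines():
        m = REG_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append({"location": hive + "\\" + key, "name": name, "command": command})
        elif STARTUP_RE.match(line):
            entries.append({"location": "Global Startup", "name": line.split(": ", 1)[1], "command": ""})
    return entries

def executable_of(command):
    """Image that actually runs: the quoted path, else the text up to the first .exe/.cpl/.ax."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|cpl|ax))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def plan_fix(entries, optional_names):
    """Split entries into those to tick in HijackThis and those to keep; flag kept host-launched ones."""
    wanted = {n.lower() for n in optional_names}
    to_fix = [e for e in entries if e["name"].lower() in wanted]
    keep = [e for e in entries if e["name"].lower() not in wanted]
    review = [e for e in keep
              if executable_of(e["command"]).replace("\\", "/").rsplit("/", 1)[-1].lower() in HOST_PROCESSES]
    return to_fix, keep, review
```

Calling plan_fix(parse_o4(SAMPLE_LOG), GRINGO_OPTIONAL) yields the five entries to tick, the three to keep, and the Bluetooth entry flagged for a look at its rundll32 argument.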

#15 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area

Posted 21 February 2012 - 10:28 PM

Gringo,

Question while I am running HijackThis:
Is there a Bleeping Computer Forum where I can get expert support on managing my startups?

This has been a problem area for me on all my computers and I seem ill-equipped to solve it myself. For example, I understood from a previous Bleeping Computer interaction last year that a Java virus and Adobe virus I had were because I was not up to date. That is why I leave them (SunJavaUpdateSched and AdobeARM) on auto-update. I suppose I could just give myself reminders to do the update manually. In some cases it looks like the *.exe could have been installed by a virus. There are others I am not clear on how to start manually if I disable them. Anyway, that's the kind of discussion I'm looking to have with an expert. For now, I will just go ahead and enable HijackThis to deal with all the entries you listed. I appreciate it if you can point me to the right forum / expert.

Thanks,

Steve
