
Cannot track and cure infection, hearing 'Congratulations, you've won!' sound


  • This topic is locked
14 replies to this topic

#1 viq

viq

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:07 PM

Posted 20 February 2012 - 08:25 AM

Hello.

For the last couple of days I've been hearing random 'Congratulations, you've won!' sound from my PC. Also, noticed some sluggishness while running the PC recently, but no pop-ups or search redirects.
Tried several tools including full scan with Norton 360 (ver. 5.2.0.13 with latest updates, it also runs constantly on my PC and is used for regular scanning) and ESET Online Scanner (having stopped Norton 360 during scan with ESET), which both found and removed several threats, but that annoying sound was still there.

So I turned to BleepingComputer and received some great help from boopme in this thread: http://www.bleepingcomputer.com/forums/topic443201.html/page__pid__2603636
I performed the suggested steps (logs can be found in the mentioned thread if they are of any help), and the software apparently found and removed some infections. I'm not hearing the annoying 'Congratulations, you've won!' sound anymore (about 12 hours have passed since cleaning), but I'm still unsure if the PC is clean.

boopme redirected me to this section of the forum, so here I am =) with the logs from steps 6-9 of the Preparation Guide.

Please note that my system is Windows 7 x86 Russian, so please let me know if you see any suspicious symbols in the logs so that I can check whether they may be of legitimate origin or not (to the extent of my understanding =).

I'm feeling better about the health of my PC after yesterday's checks [EDIT, ~8 hours later: sadly, that sound is still here.], but I will be very grateful if you guys could help me ensure that the system is cleaned to the possible maximum level.

----------------------------------------------------------

Logs:

1. DDS.txt log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.2.1
Run by vitalik at 0:40:39 on 2012-02-20
Microsoft Windows 7 Максимальная 6.1.7601.1.1251.7.1049.18.2046.757 [GMT 2:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\Explorer.EXE
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\vitalik\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\DAEMON Tools Pro\DTAgent.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Users\vitalik\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\KatMouse\KatMouse.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskmgr.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\vitalik\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Total Commander\Totalcmd.exe
C:\Program Files\AutoIt3\Au3Info.exe
C:\Users\vitalik\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.0.13\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.0.13\coIEPlg.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [Google Update] "c:\users\vitalik\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [F.lux] "c:\users\vitalik\local settings\apps\f.lux\flux.exe" /noshow
uRun: [EPSON Stylus CX4300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticar.exe /fu "c:\windows\temp\E_S6142.tmp" /EF "HKCU"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\vitalik\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoho~1.lnk - c:\program files\autohotkey\AutoHotkey.exe
StartupFolder: c:\users\vitalik\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\vitalik\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\vitalik\appdata\roaming\micros~1\windows\startm~1\programs\startup\katmouse.lnk - c:\program files\katmouse\KatMouse.exe
StartupFolder: c:\users\vitalik\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Отправить в OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: &Экспорт в Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\users\vitalik\desktop\PartyPoker.lnk
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
TCP: Interfaces\{2F583018-F6B1-45BF-B503-941D7706781F} : NameServer = 8.8.8.8,192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\vitalik\appdata\roaming\mozilla\firefox\profiles\el1i6fqe.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\wolfram research\browser\8.0.3.2427702\npmathplugin.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\new_plugin\npjp2.dll
FF - plugin: c:\users\vitalik\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\users\vitalik\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\vitalik\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-2-1 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-2-1 744568]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2011-2-20 19496]
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2011-8-15 20512]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120215.001\BHDrvx86.sys [2012-2-16 820344]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-11-21 232512]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120217.003\IDSvix86.sys [2012-2-18 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-2-1 136312]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\0502000.00d\symnets.sys [2012-2-1 299640]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-6 163328]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2011-2-20 68136]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-19 652360]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.2.0.13\ccsvchst.exe [2012-2-1 130008]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-12-6 9067008]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-12-6 264192]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-6 106104]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2011-2-20 51712]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-19 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Служба Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-14 136176]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2011-4-21 8192]
S3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2011-2-20 17488]
S3 gupdatem;Служба Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-14 136176]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2011-2-20 24944]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-3-27 27192]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
.
=============== Created Last 30 ================
.
2012-02-19 03:52:36 -------- d-----w- c:\users\vitalik\appdata\roaming\Malwarebytes
2012-02-19 03:51:00 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-19 03:51:00 -------- d-----w- c:\programdata\Malwarebytes
2012-02-19 03:51:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-17 20:39:30 -------- d-----w- c:\users\vitalik\appdata\roaming\JGsoft
2012-02-17 18:51:28 67312 ----a-w- c:\windows\UnDeployV.exe
2012-02-15 21:41:10 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 21:41:03 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 21:41:01 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 21:40:59 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-13 23:31:27 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-02-13 23:31:27 -------- d-----w- c:\program files\Uniblue
2012-02-13 23:30:35 -------- d-----w- c:\users\vitalik\appdata\local\PackageAware
2012-02-13 20:55:58 94208 ----a-w- c:\windows\system32\ImageSearchDLL.dll
2012-02-12 21:29:30 -------- d-----w- c:\program files\Tesseract301
2012-02-12 21:10:53 -------- d-----w- c:\program files\tesseract
2012-02-12 20:01:38 -------- d-----w- c:\program files\Text Catch
2012-02-12 19:36:05 -------- d-----w- C:\Python27
2012-02-12 16:54:08 -------- d-----w- c:\users\vitalik\AutoItScripts
2012-02-12 16:23:54 -------- d-----w- c:\program files\AutoIt3
2012-02-10 15:23:48 -------- d-----w- c:\programdata\Playrix Entertainment
2012-02-09 01:19:01 -------- d-----w- c:\users\vitalik\appdata\local\Logitech
2012-02-09 01:15:49 -------- d-----w- c:\program files\common files\Logitech
2012-02-07 18:27:58 -------- d-----w- c:\users\vitalik\.jade
2012-02-07 00:08:25 -------- d-----w- c:\program files\AMD APP
2012-02-07 00:08:20 -------- d-----w- c:\program files\common files\ATI Technologies
2012-02-06 21:48:24 -------- d-----w- C:\AMD
2012-02-03 19:02:10 -------- d-----r- c:\users\vitalik\Dropbox
2012-02-03 18:57:14 -------- d-----w- c:\users\vitalik\appdata\roaming\Dropbox
2012-02-02 23:13:11 -------- d-----w- c:\users\vitalik\.IntelliJIdea11
2012-02-02 02:03:43 -------- d-----w- c:\users\vitalik\appdata\roaming\Executor
2012-02-02 02:03:38 -------- d-----w- c:\program files\Executor
2012-02-02 01:49:45 -------- d-----w- c:\users\vitalik\appdata\roaming\Launchy
2012-02-01 18:45:49 744568 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
2012-02-01 18:45:49 516216 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\srtsp.sys
2012-02-01 18:45:49 50168 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\srtspx.sys
2012-02-01 18:45:49 340088 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\symds.sys
2012-02-01 18:45:49 299640 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symnets.sys
2012-02-01 18:45:48 136312 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys
2012-02-01 18:45:35 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
2012-01-30 18:28:54 -------- d-----w- c:\users\vitalik\appdata\roaming\Sublime Text 2
2012-01-30 18:28:20 -------- d-----w- c:\program files\Sublime Text 2
2012-01-24 23:47:13 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-01-24 23:46:49 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-01-24 22:07:59 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2012-01-24 22:07:53 404080 ----a-w- c:\windows\system32\vmnat.exe
2012-01-24 22:07:52 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2012-01-24 22:07:46 760432 ----a-w- c:\windows\system32\vnetlib.dll
2012-01-24 22:07:07 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2012-01-24 22:06:34 -------- d-----w- c:\program files\common files\VMware
2012-01-24 11:57:12 -------- d-----w- c:\program files\Intel Corporation
2012-01-24 11:39:56 -------- d-----w- c:\users\vitalik\appdata\local\VMware
2012-01-24 07:45:53 -------- d-----w- c:\program files\VMware
2012-01-24 07:43:32 -------- d-----w- c:\users\vitalik\VMwareVMs
2012-01-23 21:38:43 -------- d-----w- c:\users\vitalik\appdata\roaming\.matplotlib
2012-01-23 21:33:59 -------- d-----w- c:\users\vitalik\appdata\roaming\.anki
2012-01-23 21:33:12 -------- d-----w- c:\program files\Anki
2012-01-21 20:47:06 -------- d-----w- c:\users\vitalik\appdata\local\FontCreator
2012-01-21 20:47:00 1078504 ----a-w- c:\windows\system32\FontInstaller2.dll
2012-01-21 20:46:59 -------- d-----w- c:\users\vitalik\appdata\roaming\FontCreator
2012-01-21 20:46:59 -------- d-----w- c:\program files\High-Logic FontCreator
2012-01-21 19:49:44 -------- d-----w- c:\program files\Type light
2012-01-21 02:29:19 -------- d-----w- c:\users\vitalik\.vim-fuf-data
2012-01-21 01:47:23 -------- d-----w- c:\program files\curl-7.23.1-ssl-sspi-zlib-static-bin-w32
2012-01-21 01:35:02 441 ----a-w- c:\users\vitalik\curl.cmd
2012-01-21 00:28:05 -------- d-----w- c:\users\vitalik\vimfiles
2012-01-21 00:18:19 -------- d-----w- c:\program files\apache-ant-1.8.2
.
==================== Find3M ====================
.
2012-02-19 04:14:12 17488 ----a-w- c:\windows\gdrv.sys
2012-02-03 19:39:26 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-02-02 15:59:46 17488 ----a-w- c:\windows\etdrv.sys
2012-02-02 02:00:01 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-12-19 12:12:00 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-12-19 12:11:58 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2011-12-19 12:11:56 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-06 03:44:22 9067008 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-12-06 03:17:50 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-12-06 03:17:36 778752 ----a-w- c:\windows\system32\aticfx32.dll
2011-12-06 03:12:52 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-12-06 03:12:16 404992 ----a-w- c:\windows\system32\atieclxx.exe
2011-12-06 03:11:44 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2011-12-06 03:10:30 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2011-12-06 03:10:12 360448 ----a-w- c:\windows\system32\atipdlxx.dll
2011-12-06 03:10:00 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-12-06 03:09:54 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-12-06 03:09:44 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-12-06 03:06:38 6159872 ----a-w- c:\windows\system32\atidxx32.dll
2011-12-06 02:56:40 19125760 ----a-w- c:\windows\system32\atioglxx.dll
2011-12-06 02:39:24 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-12-06 02:34:24 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-12-06 02:34:14 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-12-06 02:33:36 5919232 ----a-w- c:\windows\system32\atiumdag.dll
2011-12-06 02:29:30 11484672 ----a-w- c:\windows\system32\aticaldd.dll
2011-12-06 02:28:50 4206592 ----a-w- c:\windows\system32\atiumdva.dll
2011-12-06 02:18:42 51200 ----a-w- c:\windows\system32\coinst.dll
2011-12-06 02:12:50 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2011-12-06 02:12:34 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-12-06 02:12:22 33280 ----a-w- c:\windows\system32\atigktxx.dll
2011-12-06 02:11:50 264192 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-12-06 02:11:16 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2011-12-06 02:11:02 29696 ----a-w- c:\windows\system32\atiu9pag.dll
2011-12-06 02:10:42 53760 ----a-w- c:\windows\system32\atimpc32.dll
2011-12-06 02:10:42 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2011-12-06 02:10:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-12-05 20:04:00 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-05 20:03:52 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-05 20:03:04 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-08-30 19:39:08 9925160 ----a-w- c:\program files\common files\lpuninstall.exe
.
============= FINISH: 0:45:41.99 ===============

2. Attach.txt file created by DDS - see attachments

3. Ark.txt log created by GMER - see attachments
GMER ran extremely slowly for more than 10 hours and almost completely stalled the system. I decided to save to ark.txt whatever it had managed to collect (it had already finished checking the System32 folder, if I remember correctly). Saving the file took another 15 mins of staring at the motionless monitor =) After that I tried to rerun GMER, and it almost instantly dropped to a BSOD, which hadn't occurred on this PC for several months already. I don't think that running GMER can provide any substantial help info in my case since it runs with big problems on this machine, but if you insist perhaps I could try to use GMER several more times. The attached ark.txt is what I saved after the 1st GMER run.

---------------------------------------------------------------------------------------------------------------

Thanks!



Edited by viq, 20 February 2012 - 05:23 PM.
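As an added example (not part of viq's post, and not code from DDS, ComboFix or any other tool named in this thread), the following Python script parses lines in the format of the DDS "Pseudo HJT Report" above and flags the entries a malware responder reads first: Run-key autoruns whose executable lives in a user-writable profile path or a temp directory, the UAC policy values, and DNS resolvers outside private address space. The sample input is made of lines copied from the log above plus one constructed autorun entry (marked [constructed]) that is not in the log and exists only to exercise the temp-directory rule; the severity labels and the path rules are my own assumptions, not anything DDS defines.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the DDS "Pseudo HJT Report" posted
# above, plus ONE constructed autorun line (marked [constructed]) that is not in
# the log and exists only to exercise the temp-directory rule.
SAMPLE = r"""uStart Page = hxxp://google.com/
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
uRun: [Google Update] "c:\users\vitalik\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [F.lux] "c:\users\vitalik\local settings\apps\f.lux\flux.exe" /noshow
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
uRun: [constructed] "c:\users\vitalik\appdata\local\temp\updater.exe" /q
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: Interfaces\{2F583018-F6B1-45BF-B503-941D7706781F} : NameServer = 8.8.8.8,192.168.1.1
"""


@dataclass
class Finding:
    severity: str  # "high", "review" or "info" (assumed labels, not DDS's)
    item: str
    reason: str


# uRun / mRun are DDS's notation for per-user / per-machine Run keys.
RUN_RE = re.compile(r"^[um]Run: \[([^\]]+)\]\s+(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
# First drive-letter path ending in a program extension, quoted or not.
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd))', re.I)

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
USER_PROFILE_MARKERS = ("\\appdata\\", "\\local settings\\")


def classify_autorun(name: str, command: str) -> Optional[Finding]:
    """Grade one Run entry by where its executable lives."""
    m = PATH_RE.search(command)
    if not m:
        return Finding("review", name, "no executable path recognised in: " + command)
    path = m.group(1).lower()
    if any(t in path for t in TEMP_MARKERS):
        return Finding("high", name, "autorun executes from a temp directory: " + path)
    if any(t in path for t in USER_PROFILE_MARKERS):
        return Finding("review", name, "autorun executes from a user-writable profile path: " + path)
    return None  # Program Files / System32 entries are not flagged by this rule


def classify_policy(key: str, value: int) -> Optional[Finding]:
    """Flag UAC policy values that remove the elevation prompt entirely."""
    if key == "EnableLUA" and value == 0:
        return Finding("high", key, "UAC is disabled (EnableLUA = 0)")
    if key == "ConsentPromptBehaviorAdmin" and value == 0:
        return Finding("high", key, "administrators elevate without any prompt")
    return None


def classify_nameservers(servers: str) -> List[Finding]:
    """Report resolvers outside RFC 1918 / private space for confirmation."""
    out = []
    for ip in servers.split(","):
        if not ipaddress.ip_address(ip).is_private:
            out.append(Finding("info", ip, "DNS resolver is a public address; confirm it is intended"))
    return out


def audit_hjt(report: str) -> List[Finding]:
    """Walk a Pseudo HJT Report and return findings in line order."""
    findings: List[Finding] = []
    for line in report.splitlines():
        if m := RUN_RE.match(line):
            f = classify_autorun(m.group(1), m.group(2))
            if f:
                findings.append(f)
        elif m := POLICY_RE.match(line):
            f = classify_policy(m.group(1), int(m.group(2)))
            if f:
                findings.append(f)
        elif m := NAMESERVER_RE.search(line):
            findings.extend(classify_nameservers(m.group(1)))
    return findings


if __name__ == "__main__":
    for f in audit_hjt(SAMPLE):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

Read the output with the right expectations: a "review" hit on Google Update or F.lux only says the executable sits in a user-writable path, which is normal for those two programs, so the hit is a prompt to verify, not a verdict. The one finding in the real log that stands on its own is EnableLUA = 0, which means UAC is switched off on this machine; re-enabling it is worth doing whatever the outcome of the cleanup, because with UAC off any program the user runs already has full administrator rights.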




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:07 PM

Posted 21 February 2012 - 02:54 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 viq

viq
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:07 PM

Posted 21 February 2012 - 10:09 AM

Hello Gringo =)

Thank you for helping me.

I've taken the steps that you requested. Everything went smoothly; below I will post the log that ComboFix produced after running.

Here is some description of what is going on presently.

Yesterday evening was full of 'congratulations'. It seems like they start at around 00:00 and are most active for the next couple of hours. I don't hear any sounds during daylight hours (no sound since booting up this morning, for example, though I didn't run any checks with cleaning apps).
Also, I've tried playing with the sound mixer while having alerts, and it looks like the sound level of the 'congratulations' alerts correlates with the level set in the Win7 sound mixer for the Chrome browser, i.e. if I turn up the global sound level but keep Chrome low, the 'congratulations' stay at a low sound level too. I may be mistaken, but perhaps it could give some hints. I use the latest version of Chrome (17.0.963.56 m) with AdBlock 2.5.19 and a couple of other extensions for browsing. I did not install any extensions lately though.

No pop-ups, no redirects, usual (slower than before, but standard for the last several weeks) speed of PC operation without any noticeable lags etc. The obvious part of being infected is just these sounds, or at least I cannot mention anything of similar magnitude.

Just ask me if I can provide any kind of help from my side, I'm more then willing to cooperate - for the sake of my sanity =)

---------------------------------------------------------------------------------------------------------------
ComboFix log:
---------------------------------------------------------------------------------------------------------------


ComboFix 12-02-21.02 - vitalik 21.02.2012 12:19:07.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1251.7.1049.18.2046.1343 [GMT 2:00]
Running from: c:\users\vitalik\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\vitalik\AppData\Roaming\Roaming
c:\users\vitalik\AppData\Roaming\Roaming\HoldemManager\config\FTPRushTables.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-02-21 10:35 . 2012-02-21 10:35 -------- d-----w- c:\users\vitalik\AppData\Local\temp
2012-02-19 03:52 . 2012-02-19 03:52 -------- d-----w- c:\users\vitalik\AppData\Roaming\Malwarebytes
2012-02-19 03:51 . 2012-02-19 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-19 03:51 . 2012-02-19 03:51 -------- d-----w- c:\programdata\Malwarebytes
2012-02-19 03:51 . 2011-12-10 13:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-17 20:39 . 2012-02-17 20:39 -------- d-----w- c:\users\vitalik\AppData\Roaming\JGsoft
2012-02-17 18:51 . 2010-08-19 01:33 67312 ----a-w- c:\windows\UnDeployV.exe
2012-02-15 21:41 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 21:41 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 21:41 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 21:40 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-13 23:31 . 2012-02-13 23:31 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-02-13 23:31 . 2012-02-13 23:31 -------- d-----w- c:\program files\Uniblue
2012-02-13 23:30 . 2012-02-13 23:30 -------- d-----w- c:\users\vitalik\AppData\Local\PackageAware
2012-02-13 20:55 . 2008-02-28 21:39 94208 ----a-w- c:\windows\system32\ImageSearchDLL.dll
2012-02-12 21:29 . 2012-02-12 21:29 -------- d-----w- c:\program files\Tesseract301
2012-02-12 21:10 . 2012-02-12 21:10 -------- d-----w- c:\program files\tesseract
2012-02-12 20:01 . 2012-02-17 21:56 -------- d-----w- c:\program files\Text Catch
2012-02-12 19:36 . 2012-02-13 02:36 -------- d-----w- C:\Python27
2012-02-12 16:54 . 2012-02-19 01:10 -------- d-----w- c:\users\vitalik\AutoItScripts
2012-02-12 16:23 . 2012-02-18 22:37 -------- d-----w- c:\program files\AutoIt3
2012-02-10 15:23 . 2012-02-10 15:23 -------- d-----w- c:\programdata\Playrix Entertainment
2012-02-09 01:19 . 2012-02-09 01:19 -------- d-----w- c:\users\vitalik\AppData\Local\Logitech
2012-02-09 01:15 . 2012-02-09 01:15 -------- d-----w- c:\program files\Common Files\Logitech
2012-02-07 18:27 . 2012-02-07 18:27 -------- d-----w- c:\users\vitalik\.jade
2012-02-07 00:09 . 2012-02-07 00:09 -------- d-----w- c:\programdata\ATI
2012-02-07 00:08 . 2012-02-07 00:08 -------- d-----w- c:\program files\AMD APP
2012-02-07 00:08 . 2012-02-07 00:08 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-02-06 21:48 . 2012-02-06 21:48 -------- d-----w- C:\AMD
2012-02-03 19:02 . 2012-02-20 12:33 -------- d-----r- c:\users\vitalik\Dropbox
2012-02-03 18:57 . 2012-02-20 15:32 -------- d-----w- c:\users\vitalik\AppData\Roaming\Dropbox
2012-02-02 23:13 . 2012-02-02 23:13 -------- d-----w- c:\users\vitalik\.IntelliJIdea11
2012-02-02 02:03 . 2012-02-02 02:08 -------- d-----w- c:\users\vitalik\AppData\Roaming\Executor
2012-02-02 02:03 . 2012-02-02 02:03 -------- d-----w- c:\program files\Executor
2012-02-02 01:49 . 2012-02-02 02:34 -------- d-----w- c:\users\vitalik\AppData\Roaming\Launchy
2012-02-01 18:45 . 2012-02-14 16:26 -------- d-----w- c:\windows\system32\drivers\N360\0502000.00D
2012-01-30 18:28 . 2012-01-30 18:28 -------- d-----w- c:\users\vitalik\AppData\Roaming\Sublime Text 2
2012-01-30 18:28 . 2012-01-30 18:29 -------- d-----w- c:\program files\Sublime Text 2
2012-01-24 23:47 . 2011-12-19 12:11 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-01-24 23:46 . 2011-12-19 12:11 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-01-24 22:07 . 2011-03-25 21:42 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2012-01-24 22:07 . 2011-03-25 21:42 404080 ----a-w- c:\windows\system32\vmnat.exe
2012-01-24 22:07 . 2011-03-25 21:40 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2012-01-24 22:07 . 2011-03-25 21:42 760432 ----a-w- c:\windows\system32\vnetlib.dll
2012-01-24 22:07 . 2011-03-25 21:41 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2012-01-24 22:06 . 2012-01-24 22:06 -------- d-----w- c:\program files\Common Files\VMware
2012-01-24 11:57 . 2012-01-24 11:57 -------- d-----w- c:\program files\Intel Corporation
2012-01-24 11:39 . 2012-01-25 18:45 -------- d-----w- c:\users\vitalik\AppData\Local\VMware
2012-01-24 11:39 . 2012-01-25 18:44 -------- d-----w- c:\users\vitalik\AppData\Roaming\VMware
2012-01-24 07:45 . 2012-01-24 22:04 -------- d-----w- c:\program files\VMware
2012-01-24 07:45 . 2012-02-20 12:32 -------- d-----w- c:\programdata\VMware
2012-01-24 07:43 . 2012-01-25 18:43 -------- d-----w- c:\users\vitalik\VMwareVMs
2012-01-23 21:38 . 2012-01-26 21:23 -------- d-----w- c:\users\vitalik\AppData\Roaming\.matplotlib
2012-01-23 21:33 . 2012-02-17 21:53 -------- d-----w- c:\users\vitalik\AppData\Roaming\.anki
2012-01-23 21:33 . 2012-01-23 21:33 -------- d-----w- c:\program files\Anki
2012-01-23 19:05 . 2012-01-23 19:05 -------- d-----w- c:\users\Timka\AppData\Roaming\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 12:32 . 2011-02-20 01:24 17488 ----a-w- c:\windows\gdrv.sys
2012-02-03 19:39 . 2011-02-21 00:46 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-02-02 15:59 . 2011-02-20 01:26 17488 ----a-w- c:\windows\etdrv.sys
2012-02-02 02:00 . 2011-02-20 01:25 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2012-01-21 01:35 . 2012-01-21 01:35 441 ----a-w- c:\users\vitalik\curl.cmd
2011-12-19 12:12 . 2011-12-19 12:12 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-12-19 12:11 . 2011-12-19 12:11 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2011-12-19 12:11 . 2011-12-19 12:11 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2011-12-06 03:44 . 2011-12-06 03:44 9067008 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-12-06 03:17 . 2011-12-06 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-12-06 03:17 . 2011-10-26 02:05 778752 ----a-w- c:\windows\system32\aticfx32.dll
2011-12-06 03:12 . 2011-12-06 03:12 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-12-06 03:12 . 2011-12-06 03:12 404992 ----a-w- c:\windows\system32\atieclxx.exe
2011-12-06 03:11 . 2011-12-06 03:11 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2011-12-06 03:10 . 2011-12-06 03:10 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 360448 ----a-w- c:\windows\system32\atipdlxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-12-06 03:09 . 2011-12-06 03:09 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-12-06 03:09 . 2011-12-06 03:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-12-06 03:06 . 2011-10-26 01:55 6159872 ----a-w- c:\windows\system32\atidxx32.dll
2011-12-06 02:56 . 2011-12-06 02:56 19125760 ----a-w- c:\windows\system32\atioglxx.dll
2011-12-06 02:39 . 2011-12-06 02:39 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-12-06 02:34 . 2011-12-06 02:34 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-12-06 02:34 . 2011-12-06 02:34 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-12-06 02:33 . 2011-10-26 01:35 5919232 ----a-w- c:\windows\system32\atiumdag.dll
2011-12-06 02:29 . 2011-12-06 02:29 11484672 ----a-w- c:\windows\system32\aticaldd.dll
2011-12-06 02:28 . 2011-10-26 01:32 4206592 ----a-w- c:\windows\system32\atiumdva.dll
2011-12-06 02:18 . 2011-10-26 01:29 51200 ----a-w- c:\windows\system32\coinst.dll
2011-12-06 02:12 . 2011-12-06 02:12 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 33280 ----a-w- c:\windows\system32\atigktxx.dll
2011-12-06 02:11 . 2011-12-06 02:11 264192 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-12-06 02:11 . 2011-10-26 01:21 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2011-12-06 02:11 . 2011-10-26 01:20 29696 ----a-w- c:\windows\system32\atiu9pag.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\atimpc32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-12-05 20:04 . 2011-12-05 20:04 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-05 20:03 . 2011-12-05 20:03 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-05 20:03 . 2011-12-05 20:03 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-08-30 19:39 . 2011-08-30 19:39 9925160 ----a-w- c:\program files\Common Files\lpuninstall.exe
2011-11-24 13:35 . 2011-06-14 20:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"F.lux"="c:\users\vitalik\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-26 8546848]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2011-03-25 129648]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
c:\users\vitalik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2011-3-28 870400]
Dropbox.lnk - c:\users\vitalik\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-17 26530760]
KatMouse.lnk - c:\program files\KatMouse\KatMouse.exe [2007-5-30 50688]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"174.132.202.108,255.255.255.255,192.168.168.133,1"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-22 19:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
2007-07-26 13:05 20480 ----a-w- c:\program files\Gigabyte\ET6\ETcall.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-17 05:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 136176]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2011-04-21 8192]
R3 AODDriver;AODDriver;c:\program files\Gigabyte\ET6\i386\AODDriver.sys [2009-02-22 7168]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2012-02-02 17488]
R3 GPU-Z;GPU-Z;c:\users\vitalik\AppData\Local\Temp\GPU-Z.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 136176]
R3 GVTDrv;GVTDrv;c:\windows\system32\Drivers\GVTDrv.sys [2012-02-02 24944]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-24 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\SYMDS.SYS [2011-01-27 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\SYMEFA.SYS [2011-03-15 744568]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2010-04-22 19496]
S1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2011-08-15 20512]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [2011-12-01 820344]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-11-21 232512]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120217.003\IDSvix86.sys [2011-12-15 368248]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\Ironx86.SYS [2011-01-27 136312]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\0502000.00D\SYMNETS.SYS [2011-04-21 299640]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 158512]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-12-19 91440]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-06 163328]
S2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\ESSVR.EXE [2009-03-02 68136]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-31 652360]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe [2011-04-17 130008]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-02-01 65536]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2011-03-25 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-25 539248]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-12-06 9067008]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-12-06 264192]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 106104]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-12-19 104752]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-12-19 116016]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39447450
*Deregistered* - 39447450
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-13 23:58]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-13 23:58]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1001Core.job
- c:\users\vitalik\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-19 23:58]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1001UA.job
- c:\users\vitalik\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-19 23:58]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1005Core.job
- c:\users\Timka\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-11 00:54]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1005UA.job
- c:\users\Timka\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-11 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: S&end to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: Interfaces\{2F583018-F6B1-45BF-B503-941D7706781F}: NameServer = 8.8.8.8,192.168.1.1
FF - ProfilePath - c:\users\vitalik\AppData\Roaming\Mozilla\Firefox\Profiles\el1i6fqe.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2322267218-1103627592-3799314005-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:77,5e,40,ff,15,88,ce,5c,e9,34,8f,b0,0f,3b,a9,df,14,73,30,db,37,ac,37,
9d,1f,fe,c1,3e,9d,db,a8,42,32,92,78,fe,aa,60,59,53,d4,71,97,52,5a,83,f3,b8,\
"??"=hex:a7,99,b5,3a,0c,a9,0a,ef,11,63,b7,90,78,99,1b,92
.
[HKEY_USERS\S-1-5-21-2322267218-1103627592-3799314005-1001\Software\SecuROM\License information*]
"datasecu"=hex:dc,bc,4b,33,71,24,4b,d7,5a,1f,ba,56,36,ca,57,13,7b,80,3e,16,0d,
57,42,69,37,6e,77,ea,98,c5,eb,87,86,81,28,27,69,f6,56,b0,8b,de,b5,0f,0b,7c,\
"rkeysecu"=hex:64,31,0d,1a,c2,51,42,05,a8,eb,d4,6f,46,bb,9f,9b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-21 12:40:27
ComboFix-quarantined-files.txt 2012-02-21 10:40
.
Pre-Run: 20 088 881 152 bytes free
Post-Run: 20 729 221 120 bytes free
.
- - End Of File - - 264E3107B659020A2BA2A400668630B1

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Thank you for your time again.
Waiting for further instructions.

Viq

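The ComboFix log above is mostly noise; what a responder actually wants is the handful of loading points that deserve a second look: a service or driver whose image file is reported missing ("[x]"), a kernel driver living in a user-writable directory, a UAC policy that has been switched off, and persistent host routes to addresses nobody remembers adding. The script below is an added triage example written for this page; it is not part of the thread and not a ComboFix feature. It parses the "Reg Loading Points" line formats shown in the log and applies its own scoring rules (the rules and the severity labels are this example's assumptions). Its sample input is constructed from lines copied verbatim out of the log above.

```python
"""Triage helper for the ComboFix "Reg Loading Points" section.

Added example (not part of the thread or of ComboFix): it scans service/driver
lines, policy values and persistent routes and returns the entries a responder
should look at first. The scoring rules below are this example's own.
"""
import re
from typing import List, Tuple

# Service/driver line, e.g.  R3 GPU-Z;GPU-Z;c:\users\...\Temp\GPU-Z.sys [x]
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$")
# Policy value line, e.g.    "EnableLUA"= 0 (0x0)
POLICY_RE = re.compile(r'^"([A-Za-z]+)"=\s*(\d+)\s+\(0x[0-9a-fA-F]+\)\s*$')
# Persistent route line, e.g. "174.132.202.108,255.255.255.255,192.168.168.133,1"=""
ROUTE_RE = re.compile(r'^"(\d+\.\d+\.\d+\.\d+),(\d+\.\d+\.\d+\.\d+),(\d+\.\d+\.\d+\.\d+),\d+"=""$')
# Locations a non-admin process can write to; a kernel driver should not live here.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, subject, reason)


def triage(log_text: str) -> List[Finding]:
    """Return one (severity, subject, reason) tuple per entry worth a human look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, path, info = m.groups()
            if info.strip() == "x":
                # ComboFix prints [x] when the image file is absent: a stale
                # entry, or a hook whose payload loads again if the file reappears.
                findings.append(("info", name, f"image file missing: {path}"))
            if USER_WRITABLE.search(path):
                sev = "high" if path.lower().endswith(".sys") else "medium"
                findings.append((sev, name, f"image in user-writable path: {path}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key == "EnableLUA" and value == 0:
                findings.append(("high", key,
                                 "UAC disabled: anything run by an admin user is fully elevated"))
            elif key == "ConsentPromptBehaviorAdmin" and value == 0:
                findings.append(("high", key, "admins elevate without any prompt"))
            continue
        m = ROUTE_RE.match(line)
        if m and m.group(2) == "255.255.255.255":
            findings.append(("info", m.group(1),
                             f"persistent host route via {m.group(3)}: confirm it is intentional"))
    return findings


# Constructed sample: lines copied verbatim from the ComboFix log in this thread.
SAMPLE_LOG = r'''
R3 GPU-Z;GPU-Z;c:\users\vitalik\AppData\Local\Temp\GPU-Z.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 158512]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2011-04-21 8192]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"174.132.202.108,255.255.255.255,192.168.168.133,1"=""
'''

if __name__ == "__main__":
    for severity, subject, reason in sorted(triage(SAMPLE_LOG)):
        print(f"{severity:6} {subject:20} {reason}")
```

Findings are leads, not verdicts: a driver in %TEMP% is exactly how some legitimate hardware utilities load their kernel component, so the "high" on GPU-Z.sys is for a human to clear, and a /32 persistent route may simply be a leftover from a VPN or a game client. The one entry that needs no interpretation is EnableLUA = 0: with UAC off, every process started by an administrator account, including whatever is playing that sound, already runs with full rights, and turning it back on is a cheap hardening step once the cleanup is done.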
#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 21 February 2012 - 01:06 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 viq (Topic Starter, Members, 10 posts)

Posted 21 February 2012 - 07:21 PM

Hello gringo.

Here are the logs:

---------------------------------------------------------------------------------------------------------------------------------------------------------

1. TDSSKiller log (0 threats, no reboot was required)



01:41:03.0618 6464 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
01:41:05.0691 6464 ============================================================
01:41:05.0691 6464 Current date / time: 2012/02/22 01:41:05.0691
01:41:05.0691 6464 SystemInfo:
01:41:05.0691 6464
01:41:05.0692 6464 OS Version: 6.1.7601 ServicePack: 1.0
01:41:05.0692 6464 Product type: Workstation
01:41:05.0692 6464 ComputerName: ORK
01:41:05.0692 6464 UserName: vitalik
01:41:05.0692 6464 Windows directory: C:\Windows
01:41:05.0692 6464 System windows directory: C:\Windows
01:41:05.0692 6464 Processor architecture: Intel x86
01:41:05.0692 6464 Number of processors: 2
01:41:05.0692 6464 Page size: 0x1000
01:41:05.0692 6464 Boot type: Normal boot
01:41:05.0692 6464 ============================================================
01:41:17.0812 6464 Drive \Device\Harddisk0\DR0 - Size: 0x4A85C4DE00 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
01:41:17.0858 6464 Drive \Device\Harddisk1\DR1 - Size: 0x25432CDE00 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
01:41:18.0375 6464 \Device\Harddisk0\DR0:
01:41:18.0437 6464 MBR used
01:41:18.0437 6464 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1765BE80
01:41:18.0437 6464 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1765C000, BlocksNum 0xDDD1800
01:41:18.0437 6464 \Device\Harddisk1\DR1:
01:41:18.0437 6464 MBR used
01:41:18.0437 6464 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1DFF7E7
01:41:18.0444 6464 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x1DFF865, BlocksNum 0x7801F1A
01:41:18.0460 6464 \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x96017BE, BlocksNum 0x9413442
01:41:19.0250 6464 Initialize success
01:41:19.0250 6464 ============================================================
01:41:30.0081 6248 ============================================================
01:41:30.0081 6248 Scan started
01:41:30.0081 6248 Mode: Manual;
01:41:30.0081 6248 ============================================================
01:41:40.0141 6248 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
01:41:40.0189 6248 1394ohci - ok
01:41:40.0457 6248 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
01:41:40.0484 6248 ACPI - ok
01:41:40.0688 6248 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
01:41:40.0746 6248 AcpiPmi - ok
01:41:41.0022 6248 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\drivers\adp94xx.sys
01:41:41.0048 6248 adp94xx - ok
01:41:41.0287 6248 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\drivers\adpahci.sys
01:41:41.0301 6248 adpahci - ok
01:41:41.0532 6248 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\drivers\adpu320.sys
01:41:41.0559 6248 adpu320 - ok
01:41:41.0799 6248 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
01:41:41.0823 6248 AFD - ok
01:41:42.0012 6248 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
01:41:42.0026 6248 agp440 - ok
01:41:42.0233 6248 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\drivers\djsvs.sys
01:41:42.0255 6248 aic78xx - ok
01:41:42.0573 6248 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
01:41:42.0603 6248 aliide - ok
01:41:42.0965 6248 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
01:41:42.0980 6248 amdagp - ok
01:41:43.0169 6248 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
01:41:43.0196 6248 amdide - ok
01:41:43.0392 6248 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\drivers\amdk8.sys
01:41:43.0405 6248 AmdK8 - ok
01:41:45.0235 6248 amdkmdag (65b44179cf184b08e86097bffbf03f24) C:\Windows\system32\DRIVERS\atikmdag.sys
01:41:45.0503 6248 amdkmdag - ok
01:41:45.0609 6248 amdkmdap (5e1c65524ff1713711ce27879d813384) C:\Windows\system32\DRIVERS\atikmpag.sys
01:41:45.0622 6248 amdkmdap - ok
01:41:45.0696 6248 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\drivers\amdppm.sys
01:41:45.0705 6248 AmdPPM - ok
01:41:45.0742 6248 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
01:41:45.0753 6248 amdsata - ok
01:41:45.0909 6248 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\drivers\amdsbs.sys
01:41:45.0912 6248 amdsbs - ok
01:42:09.0698 6248 Wdf01000 - ok
01:42:09.0768 6248 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
01:42:09.0770 6248 WfpLwf - ok
01:42:09.0794 6248 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
01:42:09.0795 6248 WIMMount - ok
01:42:10.0043 6248 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
01:42:10.0062 6248 WinUsb - ok
01:42:10.0135 6248 WmBEnum (5d410936831f7fb58eff941eac3f6d3d) C:\Windows\system32\drivers\WmBEnum.sys
01:42:10.0155 6248 WmBEnum - ok
01:42:10.0174 6248 WmFilter (7a13cfde92956ca61a0927d766c5ad4f) C:\Windows\system32\drivers\WmFilter.sys
01:42:10.0176 6248 WmFilter - ok
01:42:10.0204 6248 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
01:42:10.0206 6248 WmiAcpi - ok
01:42:10.0253 6248 WmVirHid (6f04646bc690f8bbfc344be32a60796d) C:\Windows\system32\drivers\WmVirHid.sys
01:42:10.0255 6248 WmVirHid - ok
01:42:10.0309 6248 WmXlCore (1d6ca43d562333f4dfb40bcef2453f3a) C:\Windows\system32\drivers\WmXlCore.sys
01:42:10.0319 6248 WmXlCore - ok
01:42:10.0365 6248 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
01:42:10.0381 6248 ws2ifsl - ok
01:42:10.0406 6248 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
01:42:10.0417 6248 WudfPf - ok
01:42:10.0483 6248 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
01:42:10.0486 6248 WUDFRd - ok
01:42:10.0531 6248 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
01:42:10.0565 6248 \Device\Harddisk0\DR0 - ok
01:42:10.0578 6248 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
01:42:10.0745 6248 \Device\Harddisk1\DR1 - ok
01:42:10.0749 6248 Boot (0x1200) (1c0f54566decd55a439095255ba40fa1) \Device\Harddisk0\DR0\Partition0
01:42:10.0750 6248 \Device\Harddisk0\DR0\Partition0 - ok
01:42:10.0776 6248 Boot (0x1200) (00f7d3cba3ea111de2fb2bcd47f141ae) \Device\Harddisk0\DR0\Partition1
01:42:10.0777 6248 \Device\Harddisk0\DR0\Partition1 - ok
01:42:10.0780 6248 Boot (0x1200) (31e35d486e3d91ccd8ccf13d848f1a24) \Device\Harddisk1\DR1\Partition0
01:42:10.0780 6248 \Device\Harddisk1\DR1\Partition0 - ok
01:42:10.0797 6248 Boot (0x1200) (ed951410fb98ddf91a91e8e00555f41b) \Device\Harddisk1\DR1\Partition1
01:42:10.0798 6248 \Device\Harddisk1\DR1\Partition1 - ok
01:42:10.0813 6248 Boot (0x1200) (e99ac9be865c2bd3e2be3095bcba6d16) \Device\Harddisk1\DR1\Partition2
01:42:10.0814 6248 \Device\Harddisk1\DR1\Partition2 - ok
01:42:10.0815 6248 ============================================================
01:42:10.0815 6248 Scan finished
01:42:10.0815 6248 ============================================================
01:42:10.0825 1800 Detected object count: 0
01:42:10.0825 1800 Actual detected object count: 0

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


2. aswMBR

Unfortunately, aswMBR did not run well. It downloaded definitions and then, after running for about 3-4 min, it crashed - Windows displayed its usual alert that the application had stopped responding.
I tried running aswMBR several times with my Norton 360 enabled, then disabled, but the result was just the same - it crashed.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


That's it for now. Sounds are still there.

Thanks for your help and directions.

Viq

Edited by viq, 21 February 2012 - 07:53 PM.
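The TDSSKiller output pasted above is a flat list of "name (md5) path" lines, each closed by a "name - verdict" line. The following Python is an added example, not something from this thread or from Kaspersky's tool: it parses that layout into records, pairs every hashed object with its verdict, and flags the entries a reviewer would look at by hand (objects registered without a file to hash, as with VGPU above; drivers loading from a user-writable location; anything whose verdict is not "ok"). It also compares hashes against a previous clean scan. The sample log is constructed from lines in the thread plus one made-up driver under a Temp folder; the zero-filled hash, the `exampledrv` name and the suspect-directory list are assumptions for the demonstration.

```python
"""Parse TDSSKiller-style driver scan output into records and flag entries worth a manual look."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "<time> <pid> <name> (<md5>) <path>": a hashed driver, MBR or boot sector.
# The name is matched lazily so that "MBR (0x1B8)" keeps its size suffix.
FILE_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<pid>\d+)\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$"
)
# "<time> <pid> <name> - <verdict>": closes the preceding file line.
STATUS_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<pid>\d+)\s+(?P<name>.+?) - (?P<status>\S.*)$"
)

# Heuristic (assumption): kernel drivers normally live under the Windows or
# Program Files trees; anything under a user profile or a Temp folder is unusual.
SUSPECT_DIRS = ("\\temp\\", "\\users\\", "\\appdata\\")


@dataclass
class ScanEntry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_tdsskiller(text: str) -> List[ScanEntry]:
    """Pair each hashed object with the verdict line that follows it."""
    entries: List[ScanEntry] = []
    pending: Optional[ScanEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            if pending is not None:  # previous file line never got a verdict
                entries.append(pending)
            pending = ScanEntry(m["name"], m["md5"], m["path"])
            continue
        m = STATUS_LINE.match(line)
        if m:
            if pending is not None:
                pending.status = m["status"]
                entries.append(pending)
                pending = None
            else:
                # Verdict with no file line: the object exists only as a
                # registration (like VGPU above, whose .sys was missing).
                entries.append(ScanEntry(m["name"], status=m["status"]))
        # Banner, separator and summary lines match neither pattern and are skipped.
    if pending is not None:
        entries.append(pending)
    return entries


def review(entries: List[ScanEntry]) -> List[ScanEntry]:
    """Attach review flags and return only the entries that got one."""
    for e in entries:
        flags: List[str] = []
        if e.status is None:
            flags.append("no verdict line")
        elif e.status.lower() != "ok":
            flags.append(f"verdict: {e.status}")
        if e.path is None and e.md5 is None:
            flags.append("registered but no file hashed")
        elif e.path and any(s in e.path.lower() for s in SUSPECT_DIRS):
            flags.append("driver loaded from a user-writable location")
        e.flags = flags
    return [e for e in entries if e.flags]


def compare_to_baseline(entries: List[ScanEntry], baseline: Dict[str, str]) -> List[str]:
    """Names whose MD5 differs from a hash recorded in an earlier clean scan."""
    return [e.name for e in entries
            if e.md5 and e.name in baseline and baseline[e.name] != e.md5]


# Constructed sample: real lines from the thread plus one made-up Temp driver.
SAMPLE_LOG = r"""
01:42:08.0099 6248 VBoxNetAdp (226cd9e42be28a84ec56430fbb57224f) C:\Windows\system32\DRIVERS\VBoxNetAdp.sys
01:42:08.0112 6248 VBoxNetAdp - ok
01:42:08.0437 6248 VGPU - ok
01:42:09.0500 6248 exampledrv (00000000000000000000000000000000) C:\Users\someone\AppData\Local\Temp\exampledrv.sys
01:42:09.0510 6248 exampledrv - ok
01:42:10.0531 6248 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
01:42:10.0565 6248 \Device\Harddisk0\DR0 - ok
01:42:10.0815 6248 ============================================================
01:42:10.0815 6248 Scan finished
01:42:10.0825 1800 Detected object count: 0
"""

if __name__ == "__main__":
    for entry in review(parse_tdsskiller(SAMPLE_LOG)):
        print(f"{entry.name}: {', '.join(entry.flags)} ({entry.path})")
```

The verdict check is deliberately generic ("anything other than ok") rather than keyed to specific detection strings, so it stays useful across tool versions; the location heuristic is a prompt for a human to look, not a verdict in itself, since legitimate drivers do sometimes run from odd places.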


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:07 PM

Posted 21 February 2012 - 07:55 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 viq

viq
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 22 February 2012 - 10:57 AM

Hi gringo.

Below is the report from running CFScript.txt + ComboFix.
It ran smoothly, just like the previous run of ComboFix.
The PC is fine so far, no sound ads yet, but they usually appear late in the night anyway.
Also, I played yesterday with different apps and sound levels while hearing the pesky ads, and now I think I have tracked the loudness of the 'congratulations' sound to be 100% correlated with the sound level set for Google Chrome (via the Win7 Sound Mixer settings).
So perhaps after all the cleaning is done I should reinstall Chrome and all its extensions. What do you think about Chrome being the source, and now the shelter, for the infection to hide in?


Thanks! Waiting for further instructions.


----------------------------
ComboFix Log with ClearJavaCache



ComboFix 12-02-21.02 - vitalik 22.02.2012 4:31.2.2 - x86
Microsoft Windows 7 Максимальная 6.1.7601.1.1251.7.1049.18.2046.1243 [GMT 2:00]
Running from: c:\users\vitalik\Desktop\ComboFix.exe
Command switches used :: c:\users\vitalik\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\nomonomo\Desktop\.lnk
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
.
.
((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
.
.
2012-02-22 02:52 . 2012-02-22 02:53 -------- d-----w- c:\users\vitalik\AppData\Local\temp
2012-02-22 02:52 . 2012-02-22 02:52 -------- d-----w- c:\users\Timka\AppData\Local\temp
2012-02-22 02:52 . 2012-02-22 02:52 -------- d-----w- c:\users\nomonomo\AppData\Local\temp
2012-02-22 02:52 . 2012-02-22 02:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-22 02:52 . 2012-02-22 02:52 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-02-19 03:52 . 2012-02-19 03:52 -------- d-----w- c:\users\vitalik\AppData\Roaming\Malwarebytes
2012-02-19 03:51 . 2012-02-19 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-19 03:51 . 2012-02-19 03:51 -------- d-----w- c:\programdata\Malwarebytes
2012-02-19 03:51 . 2011-12-10 13:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-17 20:39 . 2012-02-17 20:39 -------- d-----w- c:\users\vitalik\AppData\Roaming\JGsoft
2012-02-17 18:51 . 2010-08-19 01:33 67312 ----a-w- c:\windows\UnDeployV.exe
2012-02-15 21:41 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 21:41 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 21:41 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 21:40 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-13 23:31 . 2012-02-13 23:31 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-02-13 23:31 . 2012-02-13 23:31 -------- d-----w- c:\program files\Uniblue
2012-02-13 23:30 . 2012-02-13 23:30 -------- d-----w- c:\users\vitalik\AppData\Local\PackageAware
2012-02-13 20:55 . 2008-02-28 21:39 94208 ----a-w- c:\windows\system32\ImageSearchDLL.dll
2012-02-12 21:29 . 2012-02-12 21:29 -------- d-----w- c:\program files\Tesseract301
2012-02-12 21:10 . 2012-02-12 21:10 -------- d-----w- c:\program files\tesseract
2012-02-12 20:01 . 2012-02-17 21:56 -------- d-----w- c:\program files\Text Catch
2012-02-12 19:36 . 2012-02-13 02:36 -------- d-----w- C:\Python27
2012-02-12 16:54 . 2012-02-19 01:10 -------- d-----w- c:\users\vitalik\AutoItScripts
2012-02-12 16:23 . 2012-02-18 22:37 -------- d-----w- c:\program files\AutoIt3
2012-02-10 15:23 . 2012-02-10 15:23 -------- d-----w- c:\programdata\Playrix Entertainment
2012-02-09 01:19 . 2012-02-09 01:19 -------- d-----w- c:\users\vitalik\AppData\Local\Logitech
2012-02-09 01:15 . 2012-02-09 01:15 -------- d-----w- c:\program files\Common Files\Logitech
2012-02-07 18:27 . 2012-02-07 18:27 -------- d-----w- c:\users\vitalik\.jade
2012-02-07 00:09 . 2012-02-07 00:09 -------- d-----w- c:\programdata\ATI
2012-02-07 00:08 . 2012-02-07 00:08 -------- d-----w- c:\program files\AMD APP
2012-02-07 00:08 . 2012-02-07 00:08 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-02-06 21:48 . 2012-02-06 21:48 -------- d-----w- C:\AMD
2012-02-03 19:02 . 2012-02-20 12:33 -------- d-----r- c:\users\vitalik\Dropbox
2012-02-03 18:57 . 2012-02-20 15:32 -------- d-----w- c:\users\vitalik\AppData\Roaming\Dropbox
2012-02-02 23:13 . 2012-02-02 23:13 -------- d-----w- c:\users\vitalik\.IntelliJIdea11
2012-02-02 02:03 . 2012-02-02 02:08 -------- d-----w- c:\users\vitalik\AppData\Roaming\Executor
2012-02-02 02:03 . 2012-02-02 02:03 -------- d-----w- c:\program files\Executor
2012-02-02 01:49 . 2012-02-02 02:34 -------- d-----w- c:\users\vitalik\AppData\Roaming\Launchy
2012-02-01 18:45 . 2012-02-14 16:26 -------- d-----w- c:\windows\system32\drivers\N360\0502000.00D
2012-01-30 18:28 . 2012-01-30 18:28 -------- d-----w- c:\users\vitalik\AppData\Roaming\Sublime Text 2
2012-01-30 18:28 . 2012-01-30 18:29 -------- d-----w- c:\program files\Sublime Text 2
2012-01-24 23:47 . 2011-12-19 12:11 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-01-24 23:46 . 2011-12-19 12:11 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-01-24 22:07 . 2011-03-25 21:42 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2012-01-24 22:07 . 2011-03-25 21:42 404080 ----a-w- c:\windows\system32\vmnat.exe
2012-01-24 22:07 . 2011-03-25 21:40 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2012-01-24 22:07 . 2011-03-25 21:42 760432 ----a-w- c:\windows\system32\vnetlib.dll
2012-01-24 22:07 . 2011-03-25 21:41 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2012-01-24 22:06 . 2012-01-24 22:06 -------- d-----w- c:\program files\Common Files\VMware
2012-01-24 11:57 . 2012-01-24 11:57 -------- d-----w- c:\program files\Intel Corporation
2012-01-24 11:39 . 2012-01-25 18:45 -------- d-----w- c:\users\vitalik\AppData\Local\VMware
2012-01-24 11:39 . 2012-01-25 18:44 -------- d-----w- c:\users\vitalik\AppData\Roaming\VMware
2012-01-24 07:45 . 2012-01-24 22:04 -------- d-----w- c:\program files\VMware
2012-01-24 07:45 . 2012-02-20 12:32 -------- d-----w- c:\programdata\VMware
2012-01-24 07:43 . 2012-01-25 18:43 -------- d-----w- c:\users\vitalik\VMwareVMs
2012-01-23 21:38 . 2012-01-26 21:23 -------- d-----w- c:\users\vitalik\AppData\Roaming\.matplotlib
2012-01-23 21:33 . 2012-02-17 21:53 -------- d-----w- c:\users\vitalik\AppData\Roaming\.anki
2012-01-23 21:33 . 2012-01-23 21:33 -------- d-----w- c:\program files\Anki
2012-01-23 19:05 . 2012-01-23 19:05 -------- d-----w- c:\users\Timka\AppData\Roaming\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 12:32 . 2011-02-20 01:24 17488 ----a-w- c:\windows\gdrv.sys
2012-02-03 19:39 . 2011-02-21 00:46 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-02-02 15:59 . 2011-02-20 01:26 17488 ----a-w- c:\windows\etdrv.sys
2012-02-02 02:00 . 2011-02-20 01:25 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2012-01-21 01:35 . 2012-01-21 01:35 441 ----a-w- c:\users\vitalik\curl.cmd
2011-12-19 12:12 . 2011-12-19 12:12 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-12-19 12:11 . 2011-12-19 12:11 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2011-12-19 12:11 . 2011-12-19 12:11 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2011-12-06 03:44 . 2011-12-06 03:44 9067008 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-12-06 03:17 . 2011-12-06 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-12-06 03:17 . 2011-10-26 02:05 778752 ----a-w- c:\windows\system32\aticfx32.dll
2011-12-06 03:12 . 2011-12-06 03:12 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-12-06 03:12 . 2011-12-06 03:12 404992 ----a-w- c:\windows\system32\atieclxx.exe
2011-12-06 03:11 . 2011-12-06 03:11 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2011-12-06 03:10 . 2011-12-06 03:10 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 360448 ----a-w- c:\windows\system32\atipdlxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-12-06 03:09 . 2011-12-06 03:09 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-12-06 03:09 . 2011-12-06 03:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-12-06 03:06 . 2011-10-26 01:55 6159872 ----a-w- c:\windows\system32\atidxx32.dll
2011-12-06 02:56 . 2011-12-06 02:56 19125760 ----a-w- c:\windows\system32\atioglxx.dll
2011-12-06 02:39 . 2011-12-06 02:39 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-12-06 02:34 . 2011-12-06 02:34 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-12-06 02:34 . 2011-12-06 02:34 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-12-06 02:33 . 2011-10-26 01:35 5919232 ----a-w- c:\windows\system32\atiumdag.dll
2011-12-06 02:29 . 2011-12-06 02:29 11484672 ----a-w- c:\windows\system32\aticaldd.dll
2011-12-06 02:28 . 2011-10-26 01:32 4206592 ----a-w- c:\windows\system32\atiumdva.dll
2011-12-06 02:18 . 2011-10-26 01:29 51200 ----a-w- c:\windows\system32\coinst.dll
2011-12-06 02:12 . 2011-12-06 02:12 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 33280 ----a-w- c:\windows\system32\atigktxx.dll
2011-12-06 02:11 . 2011-12-06 02:11 264192 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-12-06 02:11 . 2011-10-26 01:21 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2011-12-06 02:11 . 2011-10-26 01:20 29696 ----a-w- c:\windows\system32\atiu9pag.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\atimpc32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-12-05 20:04 . 2011-12-05 20:04 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-05 20:03 . 2011-12-05 20:03 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-05 20:03 . 2011-12-05 20:03 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-08-30 19:39 . 2011-08-30 19:39 9925160 ----a-w- c:\program files\Common Files\lpuninstall.exe
2011-11-24 13:35 . 2011-06-14 20:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:58 94208 ----a-w- c:\users\vitalik\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"F.lux"="c:\users\vitalik\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-26 8546848]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2011-03-25 129648]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
c:\users\vitalik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2011-3-28 870400]
Dropbox.lnk - c:\users\vitalik\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-17 26530760]
KatMouse.lnk - c:\program files\KatMouse\KatMouse.exe [2007-5-30 50688]
Вырезка экрана и программа запуска для OneNote 2010.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"174.132.202.108,255.255.255.255,192.168.168.133,1"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-22 19:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
2007-07-26 13:05 20480 ----a-w- c:\program files\Gigabyte\ET6\ETcall.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-17 05:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Служба Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 136176]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2011-04-21 8192]
R3 AODDriver;AODDriver;c:\program files\Gigabyte\ET6\i386\AODDriver.sys [2009-02-22 7168]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2012-02-02 17488]
R3 GPU-Z;GPU-Z;c:\users\vitalik\AppData\Local\Temp\GPU-Z.sys [x]
R3 gupdatem;Служба Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-19 136176]
R3 GVTDrv;GVTDrv;c:\windows\system32\Drivers\GVTDrv.sys [2012-02-02 24944]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Служба технологий активации Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-24 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\SYMDS.SYS [2011-01-27 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\SYMEFA.SYS [2011-03-15 744568]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2010-04-22 19496]
S1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2011-08-15 20512]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [2011-12-01 820344]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-11-21 232512]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120218.003\IDSvix86.sys [2011-12-15 368248]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\Ironx86.SYS [2011-01-27 136312]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\0502000.00D\SYMNETS.SYS [2011-04-21 299640]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 158512]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-12-19 91440]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-06 163328]
S2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\ESSVR.EXE [2009-03-02 68136]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-31 652360]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe [2011-04-17 130008]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-02-01 65536]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2011-03-25 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-25 539248]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-12-06 9067008]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-12-06 264192]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 106104]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-12-19 104752]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-12-19 116016]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39447450
*NewlyCreated* - 76417088
*NewlyCreated* - ASWMBR
*Deregistered* - 39447450
*Deregistered* - 76417088
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-13 23:58]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-13 23:58]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1001Core.job
- c:\users\vitalik\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-19 23:58]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1001UA.job
- c:\users\vitalik\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-19 23:58]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1005Core.job
- c:\users\Timka\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-11 00:54]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322267218-1103627592-3799314005-1005UA.job
- c:\users\Timka\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-11 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Отправить в OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: Interfaces\{2F583018-F6B1-45BF-B503-941D7706781F}: NameServer = 8.8.8.8,192.168.1.1
FF - ProfilePath - c:\users\vitalik\AppData\Roaming\Mozilla\Firefox\Profiles\el1i6fqe.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2322267218-1103627592-3799314005-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:77,5e,40,ff,15,88,ce,5c,e9,34,8f,b0,0f,3b,a9,df,14,73,30,db,37,ac,37,
9d,1f,fe,c1,3e,9d,db,a8,42,32,92,78,fe,aa,60,59,53,d4,71,97,52,5a,83,f3,b8,\
"??"=hex:a7,99,b5,3a,0c,a9,0a,ef,11,63,b7,90,78,99,1b,92
.
[HKEY_USERS\S-1-5-21-2322267218-1103627592-3799314005-1001\Software\SecuROM\License information*]
"datasecu"=hex:dc,bc,4b,33,71,24,4b,d7,5a,1f,ba,56,36,ca,57,13,7b,80,3e,16,0d,
57,42,69,37,6e,77,ea,98,c5,eb,87,86,81,28,27,69,f6,56,b0,8b,de,b5,0f,0b,7c,\
"rkeysecu"=hex:64,31,0d,1a,c2,51,42,05,a8,eb,d4,6f,46,bb,9f,9b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-22 05:01:55
ComboFix-quarantined-files.txt 2012-02-22 03:01
ComboFix2.txt 2012-02-21 10:40
.
Pre-Run: 21 922 004 992 байт свободно
Post-Run: 21 875 912 704 байт свободно
.
- - End Of File - - 40C430C347038AEE777760A9B92D49DC




#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:07 PM

Posted 22 February 2012 - 11:11 AM

Hello

It is very possible - I would go ahead and uninstall chrome and reinstall - it will not hurt anything



TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 viq
  • Topic Starter

  • Members
  • 10 posts

Posted 22 February 2012 - 05:52 PM

Hello gringo.

Below are logs that you requested.
Regarding reinstalling Chrome - thanks for the advice, will do it right after we are done with all the procedures.

MBAM and HiJackThis ran quickly and without reboot prompts.


Meanwhile, my Norton 360 deleted ComboFix from the desktop because it 'contained Trojan.ADH.2' =)
I turned it off while using MBAM and HiJackThis (and also used TFC as per instructions).

--------------------------------------------------

1. Malwarebytes Anti-Malware log - looks like it found nothing this time
--
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.22.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
vitalik :: ORK [administrator]

Protection: Disabled

23.02.2012 00:11:09
mbam-log-2012-02-23 (00-11-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232561
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


--------------------------------------------------

2. HijackThis log - I see this log contains Russian characters in some places; their descriptions seem legit to me.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:39:55, on 23.02.2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Windows\notepad.exe
C:\Program Files\Vim\vim73\gvim.exe
C:\Program Files\HJThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.2.0.13\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.2.0.13\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.2.0.13\coIEPlg.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [F.lux] "C:\Users\vitalik\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKUS\S-1-5-21-2322267218-1103627592-3799314005-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'nomonomo')
O4 - HKUS\S-1-5-21-2322267218-1103627592-3799314005-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'nomonomo')
O4 - S-1-5-21-2322267218-1103627592-3799314005-1003 User Startup: Install LastPass FF RunOnce.lnk = C:\Program Files\Common Files\lpuninstall.exe (User 'nomonomo')
O4 - S-1-5-21-2322267218-1103627592-3799314005-1003 User Startup: Install LastPass IE RunOnce.lnk = C:\Program Files\Common Files\lpuninstall.exe (User 'nomonomo')
O4 - Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O4 - Startup: Dropbox.lnk = vitalik\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: KatMouse.lnk = C:\Program Files\KatMouse\KatMouse.exe
O4 - Startup: Вырезка экрана и программа запуска для OneNote 2010.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O8 - Extra context menu item: &Отправить в OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
O9 - Extra button: &Связанные заметки OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Связанные заметки OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\vitalik\Desktop\PartyPoker.lnk
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\vitalik\Desktop\PartyPoker.lnk
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F583018-F6B1-45BF-B503-941D7706781F}: NameServer = 8.8.8.8,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F583018-F6B1-45BF-B503-941D7706781F}: NameServer = 8.8.8.8,192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F583018-F6B1-45BF-B503-941D7706781F}: NameServer = 8.8.8.8,192.168.1.1
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AppleChargerSrv - Unknown owner - C:\Windows\system32\AppleChargerSrv.exe
O23 - Service: Служба Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Служба Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Служба Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Сервис iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 9927 bytes

---------------------------------------------------------

Thanks for your time and attention, gringo. You are literally giving second life to my trust in competent tech support - and in online forums =)

Viq

Edited by viq, 22 February 2012 - 05:53 PM.


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 February 2012 - 06:25 PM

Greetings

We will be finished soon so go ahead and reinstall chrome now


:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. Any of these programs you can start when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
      O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
      O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
      O4 - HKCU\..\Run: [F.lux] "C:\Users\vitalik\Local Settings\Apps\F.lux\flux.exe" /noshow
      O4 - HKUS\S-1-5-21-2322267218-1103627592-3799314005-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'nomonomo')
      O4 - HKUS\S-1-5-21-2322267218-1103627592-3799314005-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'nomonomo')
      O4 - S-1-5-21-2322267218-1103627592-3799314005-1003 User Startup: Install LastPass FF RunOnce.lnk = C:\Program Files\Common Files\lpuninstall.exe (User 'nomonomo')
      O4 - S-1-5-21-2322267218-1103627592-3799314005-1003 User Startup: Install LastPass IE RunOnce.lnk = C:\Program Files\Common Files\lpuninstall.exe (User 'nomonomo')
      O4 - Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
      O4 - Startup: Dropbox.lnk = vitalik\AppData\Roaming\Dropbox\bin\Dropbox.exe
      O4 - Startup: Вырезка экрана и программа запуска для OneNote 2010.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
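As an added example (not from the thread, HijackThis, or BleepingComputer), here is a small Python parser for the log format posted in the previous reply: it splits a HijackThis log into its Rx/Oxx sections, lists the O4 start-up entries the way the post above asks you to pick them out, and flags the items a reviewer checks first (O23 services with no recorded publisher, O10 Winsock LSP entries, O17 name servers outside an expected set). The sample log inside the block is constructed to mirror the entry shapes in the thread rather than copied whole, and the expected resolver list (the LAN gateway only) is an assumption made for the demonstration; a flag means "verify this", not "malicious".

```python
"""Parse a HijackThis-style log into structured entries and pull out the
items a reviewer looks at first (O4 start-up entries, O23 services with no
recorded publisher, O10 LSP entries, O17 name servers).  Added example; the
sample log below is constructed to mirror the entry formats in the thread,
not an export of the poster's machine."""
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 format (entry shapes follow the
# thread's log; this is not a full or exact copy of it).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\Windows\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [F.lux] "C:\Users\vitalik\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F583018-F6B1-45BF-B503-941D7706781F}: NameServer = 8.8.8.8,192.168.1.1
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
--
End of file - 9927 bytes
"""

# "O23 - Service: ..." / "R0 - HKCU\..." style lines; everything else is ignored.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 shapes: "...\Run: [name] command" and "Startup: name.lnk = target".
RUN_RE = re.compile(r"\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# O23 shape: "Service: display name - publisher - image path".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def parse_hjt(text):
    """Return {section: [entry body, ...]} for every Rx/Oxx line in the log."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return dict(entries)


def startup_items(entries):
    """(name, command) for each O4 entry, in log order."""
    items = []
    for body in entries.get("O4", []):
        m = RUN_RE.search(body) or STARTUP_RE.search(body)
        if m:
            items.append((m.group("name"), m.group("cmd")))
    return items


def services(entries):
    """List of {name, owner, path} dicts for each O23 entry."""
    return [m.groupdict() for m in map(SERVICE_RE.match, entries.get("O23", [])) if m]


def review_flags(entries, expected_dns=frozenset({"192.168.1.1"})):
    """Notes a reviewer would verify first.  expected_dns is an assumption:
    the resolvers the machine is supposed to use (here only the LAN gateway)."""
    flags = []
    for svc in services(entries):
        if svc["owner"] == "Unknown owner":
            flags.append(f"O23 service '{svc['name']}' has no recorded publisher: {svc['path']}")
    for body in entries.get("O10", []):
        flags.append(f"O10 Winsock LSP entry: {body}")
    for body in entries.get("O17", []):
        m = NS_RE.search(body)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",")]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                flags.append(f"O17 NameServer outside the expected set: {', '.join(unexpected)}")
    return flags


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("Start-up items:")
    for name, cmd in startup_items(parsed):
        print(f"  [{name}] {cmd}")
    print("Review first:")
    for flag in review_flags(parsed):
        print(f"  {flag}")
```

To use it on a real log, read the saved hijackthis.log text and pass it to parse_hjt; the flags are a reading aid for the person reviewing the log and do not change anything on the machine.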

#11 viq
  • Topic Starter

  • Members
  • 10 posts

Posted 23 February 2012 - 05:05 PM

Hello gringo.


Sorry for the delay in replying, but the ESET scan with the 'scan in archives' option took 6 hours. Here are the results (6 total):
------------------------------

C:\Users\vitalik\Desktop\buffer\red.rar JS/Redirector.NBO.Gen trojan
C:\Users\vitalik\Downloads\tsetup.exe Win32/OpenCandy application
C:\Users\vitalik\Dropbox\15-12-2009 work docs .zip PHP/Obfuscated.B application
D:\docs\basics.chm JS/Kryptik.BP trojan
D:\work\tr\posts.rar JS/Kryptik.BP trojan
V:\var\workdocs.zip multiple threats
------------------------------

I'm not sure what 'multiple threats' in the last line stands for, this is just what ESET said =)
I did not fix or delete anything yet, as you requested, but saved the log for future deletion of the infected items. I was actually surprised that chm files can be infected.

Also, I reinstalled Chrome and removed a couple of startup records using HiJackThis, as suggested in your last post.

I'm glad we're almost done and very thankful to you for attention to my problems =)

Waiting for further instructions.

Viq

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 February 2012 - 08:38 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Users\vitalik\Desktop\buffer\red.rar"
    del /f /s /q "C:\Users\vitalik\Downloads\tsetup.exe"
    del /f /s /q "C:\Users\vitalik\Dropbox\15-12-2009 work docs .zip"
    del /f /s /q "D:\docs\basics.chm"
    del /f /s /q "D:\work\tr\posts.rar"
    del /f /s /q "V:\var\workdocs.zip"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\), and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM


Gringo
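The delfile.bat in the reply above removes the reported files outright. As an added example (not the helper's script, and not any tool's own code), here is the same step written in Python as a reversible quarantine: each listed file is moved into a quarantine folder under a hash-prefixed name, its SHA-256 and original path are recorded in a manifest, and the copies are verified before the originals are treated as gone. The paths it operates on are constructed in a temporary directory and the file contents are placeholders, so it runs offline without touching anything real.

```python
"""Reversible alternative to a 'del /f /q' batch file: move each reported
file into a quarantine folder, record its SHA-256 and original location in a
manifest, and verify the copy before the originals are considered gone.
Added example; the files it handles are constructed in a temporary directory,
not the poster's real paths."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths, qdir):
    """Move every existing file in `paths` into `qdir`.

    Returns a manifest (list of dicts) that is also written to
    qdir/manifest.json so the move can be reversed or the hashes looked
    up later.  Missing files are recorded, not treated as errors."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for original in map(Path, paths):
        if not original.is_file():
            manifest.append({"original": str(original), "status": "missing"})
            continue
        digest = sha256_of(original)
        # Prefix with part of the hash so two files with the same name
        # from different folders do not collide inside the quarantine.
        dest = qdir / f"{digest[:16]}_{original.name}"
        shutil.move(str(original), str(dest))
        manifest.append({
            "original": str(original),
            "quarantined": str(dest),
            "sha256": digest,
            "status": "moved",
        })
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(manifest):
    """True when every quarantined copy still hashes to the recorded value."""
    return all(
        sha256_of(entry["quarantined"]) == entry["sha256"]
        for entry in manifest
        if entry["status"] == "moved"
    )


def demo():
    """Run the workflow on constructed sample files; returns a summary dict."""
    tmp = Path(tempfile.mkdtemp())
    # Constructed stand-ins for the kind of paths an online scanner reports.
    suspects = [
        tmp / "Desktop" / "buffer" / "red.rar",
        tmp / "Downloads" / "tsetup.exe",
        tmp / "var" / "workdocs.zip",  # deliberately never created
    ]
    for p in suspects[:2]:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content for " + p.name.encode())
    manifest = quarantine(suspects, tmp / "Quarantine")
    summary = {
        "statuses": [m["status"] for m in manifest],
        "verified": verify(manifest),
        "originals_left": [m["original"] for m in manifest
                           if Path(m["original"]).exists()],
        "manifest_written": (tmp / "Quarantine" / "manifest.json").is_file(),
    }
    shutil.rmtree(tmp)
    return summary


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the manifest beside the quarantined copies means a false positive can be put back by reversing the recorded move, and the hashes give you something to look up or submit to a scanner later instead of a file that no longer exists.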

#13 viq
  • Topic Starter

  • Members
  • 10 posts

Posted 24 February 2012 - 02:10 PM

Hi gringo.

I removed last malicious findings using the bat file and then removed all the tools we used during the cleaning process.

I wish to thank you once again for helping me out. I feel much better about the health of the PC now and I'm really glad that I was lucky enough to find BleepingComputer and you as a helper.

Good luck to you gringo on your hard but noble path of helping strangers and fighting malware!

Viq

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 February 2012 - 02:15 PM

You are more than welcome and Glad I was able to help



Gringo

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2012 - 12:43 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



