

Redirect Virus


This topic is locked
17 replies to this topic

#1 cramjo

Posted 21 February 2012 - 05:48 AM

Hi Team,

Unfortunately my computer downloaded the "System Check" virus 3 days ago, which I think was successfully removed using a variety of virus removal software. This virus does not trouble me anymore; however, I am now infected with the "redirect virus". Basically, whenever I go to a search engine and click on a search result, I will be automatically redirected to another site. Another annoying thing that has happened is that Google Instant (automatically suggests what it thinks you're searching for) does not work at all anymore.

I have used the following programs to try and fix this problem to no avail:

AVG, Malwarebytes, HitmanPro, Microsoft Security Essentials, Spybot.

When running the above virus removal scans, they would usually detect 1 or 2 things and remove the items; however, the Google redirect problem remains.

I ran ComboFix as I thought I had tried everything. Below is the log. Could someone please analyse it and tell me what I should do next?

Thanks for your help in advance.

Regards,

Marc


ComboFix 12-02-21.01 - Marc 21/02/2012 16:49:09.1.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.8182.6418 [GMT 11:00]
Running from: c:\users\Marc\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Marc\AppData\Roaming\install
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-02-21 07:20 . 2012-02-21 07:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-21 07:20 . 2012-02-21 07:20 -------- d-----w- c:\users\Computer\AppData\Local\temp
2012-02-20 06:28 . 2012-01-16 17:39 8602168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{078C7200-1AB2-4B64-BC6C-2BC02E62F08E}\mpengine.dll
2012-02-19 03:00 . 2012-02-19 03:00 25160 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-19 03:00 . 2012-02-19 03:00 -------- d-----w- c:\program files\HitmanPro
2012-02-19 03:00 . 2012-02-19 03:00 -------- d-----w- c:\programdata\HitmanPro
2012-02-19 02:01 . 2012-02-19 02:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-19 02:01 . 2012-02-19 02:03 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-18 15:23 . 2012-02-18 15:23 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2012-02-18 15:23 . 2012-02-18 15:23 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2012-02-18 15:23 . 2012-02-18 15:23 134104 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2012-02-18 15:23 . 2012-02-18 15:23 97240 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2012-02-18 15:23 . 2012-02-18 15:23 801752 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2012-02-18 15:23 . 2012-02-18 15:23 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-02-18 15:23 . 2012-02-18 15:23 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-02-18 15:23 . 2012-02-18 15:23 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-02-18 15:23 . 2012-02-18 15:23 45016 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-02-18 15:23 . 2012-02-18 15:23 437208 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2012-02-18 15:23 . 2012-02-18 15:23 1911768 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2012-02-18 15:23 . 2012-02-18 15:23 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2012-02-18 12:00 . 2012-02-18 12:00 -------- d-----w- c:\users\Computer\AppData\Local\Google
2012-02-18 11:51 . 2012-02-18 11:51 -------- d-----w- c:\users\Computer\AppData\Roaming\Malwarebytes
2012-02-18 05:19 . 2012-02-18 05:19 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-18 05:19 . 2012-02-18 05:18 476904 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2012-02-18 05:19 . 2012-02-18 05:18 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-18 05:18 . 2012-02-18 05:18 -------- d-----w- c:\program files (x86)\Java
2012-02-18 05:04 . 2012-02-18 05:04 -------- d-----w- c:\users\Marc\AppData\Roaming\Malwarebytes
2012-02-18 05:04 . 2012-02-19 03:10 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2012-02-18 05:04 . 2012-02-18 05:04 -------- d-----w- c:\programdata\Malwarebytes
2012-02-18 05:04 . 2012-02-18 05:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-18 05:04 . 2011-12-10 04:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-18 04:48 . 2012-01-16 17:39 8602168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-17 04:28 . 2012-02-17 04:27 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6D2D1468-BDEA-4237-9A3F-5B08DB755624}\gapaengine.dll
2012-02-17 04:28 . 2012-02-09 02:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-02-17 04:20 . 2012-02-17 04:20 -------- d-----w- C:\CBB00E32023300082DD11295
2012-02-17 04:18 . 2012-02-17 04:18 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-02-17 04:17 . 2012-02-17 04:20 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-17 03:08 . 2012-02-17 03:08 -------- d-----w- c:\users\Marc\AppData\Roaming\33A31
2012-02-17 03:04 . 2012-02-17 03:04 -------- d-----w- c:\programdata\AVG Secure Search
2012-02-17 03:04 . 2012-02-17 03:04 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-02-17 03:04 . 2012-02-17 03:04 -------- d-----w- c:\program files (x86)\AVG Secure Search
2012-02-17 02:42 . 2012-02-17 03:12 -------- d-----w- c:\users\Marc\AppData\Roaming\C6133
2012-02-17 00:50 . 2012-02-17 00:50 -------- d-----w- C:\1D9E343BBAEF02409F70382190B1
2012-02-16 14:41 . 2012-02-17 01:01 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer
2012-02-16 13:20 . 2012-02-16 13:20 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\programdata\Symantec
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\program files (x86)\Norton Security Scan
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\programdata\Norton
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\program files (x86)\NortonInstaller
2012-02-16 11:41 . 2012-02-16 11:41 -------- d-----w- c:\users\Marc\AppData\Roaming\Samsung
2012-02-16 11:39 . 2012-02-16 11:39 -------- d-----w- c:\users\Marc\{418b7556-e5b8-4737-829d-ababcc0ce3e5}
2012-02-16 11:35 . 2012-02-16 11:38 -------- d-----w- c:\program files (x86)\Samsung
2012-02-16 11:35 . 2012-02-16 11:37 -------- d-----w- c:\programdata\Samsung
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2010-11-13 04:02 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-14 12:14 . 2011-12-14 12:14 341264 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"PC Suite Tray"="c:\program files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-12 61440]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-13 981808]
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2009-7-29 53248]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL1AA0039E
*Deregistered* - mfeavfk01
*Deregistered* - mfenlfk
*Deregistered* - MpKsl1aa0039e
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-20 08:54]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-20 08:54]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 56320]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\dv202qz9.default\
FF - prefs.js: browser.startup.homepage - www.ninemsn.com.au
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
HKLM-Run-Skytel - c:\program files\Realtek\Audio\HDA\Skytel.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-21 21:28:46
ComboFix-quarantined-files.txt 2012-02-21 10:28
.
Pre-Run: 723,221,876,736 bytes free
Post-Run: 723,415,224,320 bytes free
.
- - End Of File - - 20C3AB37FC7929E3E71912AAD67D8E56


#2 cramjo (Topic Starter)

Posted 21 February 2012 - 05:59 AM

Sorry, two other bits of information.

Since my computer was infected my computer has been running slower. For example, it took about 4 hours for the ComboFix program to completely run.

Also, when I ran ComboFix, Windows said 2 programs stopped running and had to be closed (I didn't click the Close button to terminate the programs, but they disappeared after a while?). The programs were called "PEV.exe" and "pev.3XE".

Thanks,
Marc

Edited by cramjo, 21 February 2012 - 06:04 AM.


#3 gringo_pr (Malware Response Team)

Posted 22 February 2012 - 09:06 AM

Hello and welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions; ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate of Malware Removal University

#4 cramjo (Topic Starter)

Posted 22 February 2012 - 10:45 AM

Hi Gringo!! Great to have you helping me out - thank you!

I cannot open TDSSKiller. When I double-click on the file, Windows User Account Control asks my permission to continue to run the program. I click "Continue" but nothing happens. I tried restarting the computer and turning off User Account Control. This still didn't work. I disabled/turned off all anti-virus software (except Windows Security Essentials), as I saw an "Anti-Rootkit" function in AVG, but TDSSKiller still would not open.

What would you like me to do so I can run this program?


I could run the aswMBR file. While this scan occurred, Microsoft Security Essentials detected a threat called "Trojan:DOS/Alureon.E" and automatically removed it. Below is the log from aswMBR:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 01:59:20
-----------------------------
01:59:20.802 OS Version: Windows x64 6.0.6001 Service Pack 1
01:59:20.802 Number of processors: 8 586 0x1A05
01:59:20.802 ComputerName: MARC-PC UserName: Marc
01:59:25.170 Initialize success
02:00:33.023 AVAST engine defs: 12022101
02:00:51.509 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
02:00:51.509 Disk 0 Vendor: ST31000528AS CC44 Size: 953869MB BusType: 3
02:00:51.524 Disk 0 MBR read successfully
02:00:51.524 Disk 0 MBR scan
02:00:51.540 Disk 0 Windows VISTA default MBR code
02:00:51.540 Disk 0 MBR hidden
02:00:51.540 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
02:00:51.602 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
02:00:51.618 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 938445 MB offset 31586304
02:00:51.665 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 1953521664
02:00:51.758 Disk 0 Partition 4 **SUSPICIOUS**
02:00:51.836 Disk 0 scanning C:\Windows\system32\drivers
02:01:06.454 Service scanning
02:01:32.833 Modules scanning
02:01:32.833 Disk 0 trace - called modules:
02:01:32.864 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys >>UNKNOWN [0xfffffa8009646334]<<ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
02:01:32.864 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80091ef4a0]
02:01:32.864 3 CLASSPNP.SYS[fffffa6000b31b3a] -> nt!IofCallDriver -> [0xfffffa8007dc5520]
02:01:32.880 5 acpi.sys[fffffa600081cfde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007dc1520]
02:01:32.880 \Driver\atapi[0xfffffa8007db1060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8009646334
02:01:37.030 AVAST engine scan C:\Windows
02:01:42.178 AVAST engine scan C:\Windows\system32
02:05:40.873 AVAST engine scan C:\Windows\system32\drivers
02:05:57.331 AVAST engine scan C:\Users\Marc
02:19:00.685 AVAST engine scan C:\ProgramData
02:21:11.117 Scan finished successfully
02:25:24.367 Disk 0 MBR has been saved successfully to "C:\Users\Marc\Desktop\MBR.dat"
02:25:24.383 The log file has been saved successfully to "C:\Users\Marc\Desktop\aswMBR.txt"


Thanks for your help again.
Marc
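The aswMBR report above is worth reading closely. Partition 4 carries the active (boot) flag 80, has type 17 (hidden NTFS), is only 1 MB in size, and starts at sector 1953521664, right at the tail of a 953869 MB disk, while neither of the two real NTFS volumes is marked active; aswMBR also reports the MBR itself as hidden. That layout is typical of an MBR bootkit of the family Microsoft Security Essentials named during the same scan (Trojan:DOS/Alureon.E): the infected MBR boots the tiny hidden partition first, which then chains to Windows. The Python below is an added example, not code from this thread or from aswMBR, TDSSKiller or FixTDSS. It rebuilds a partition table from the values printed in the logs (the disk's total sector count is assumed, since neither log prints it) and applies the kind of heuristics a scanner uses to call such an entry suspicious.

```python
"""Parse a 512-byte MBR and flag partition entries that look like a bootkit's
hidden loader volume. Example code written for this thread; the partition
table is constructed from the aswMBR/TDSSKiller output, not read from a disk."""
import struct

SECTOR_SIZE = 512
MB_SECTORS = 2048                  # sectors per MiB at 512-byte sectors
TINY = 16 * MB_SECTORS             # a loader partition is a few hundred KB to a few MB
TAIL_WINDOW = 16 * MB_SECTORS      # "parked at the end" = within 16 MiB of the last sector
# Partition-type IDs that mark a volume hidden (hidden FAT12/16/32 and NTFS variants).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

# Assumed total sector count: aswMBR prints 953869 MB, and 1953525168 sectors is the
# usual size of a 1 TB ST31000528AS. This is an assumption, not a value from the logs.
DISK_SECTORS = 1953525168

# Constructed table: (boot flag, type, start LBA, sector count) from the logs above.
SAMPLE_ENTRIES = [
    (0x00, 0xDE, 63, 62 * MB_SECTORS),          # Dell Utility, 62 MB
    (0x00, 0x07, 0x1F800, 0x1E00000),           # NTFS, 15360 MB (recovery)
    (0x00, 0x07, 0x1E1F800, 0x728E6800),        # NTFS, 938445 MB (Windows)
    (0x80, 0x17, 1953521664, 1 * MB_SECTORS),   # active, hidden NTFS, 1 MB, disk tail
]

ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries, boot_code=b"\x00" * 446):
    """Assemble a 512-byte MBR from partition tuples; CHS fields are left zero."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b"".join(struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
                     for boot, ptype, start, count in entries)
    table += b"\x00" * (64 - len(table))
    return boot_code + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts, numbered 1-4 as aswMBR prints them."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                      "start": start, "sectors": count})
    return parts


def suspicious_partitions(parts, disk_sectors):
    """Map partition index -> reasons for entries that resemble a bootkit's hidden
    boot partition. Heuristics only; a clean-looking table proves nothing."""
    findings = {}
    for p in parts:
        end = p["start"] + p["sectors"]
        reasons = []
        if p["active"] and p["type"] in HIDDEN_TYPES:
            reasons.append("active flag set on a hidden-type partition")
        if p["sectors"] <= TINY and disk_sectors - end <= TAIL_WINDOW:
            reasons.append("tiny partition parked at the end of the disk")
        if end > disk_sectors:
            reasons.append("partition extends past the end of the disk")
        for q in parts:
            if q is not p and p["start"] < q["start"] + q["sectors"] and q["start"] < end:
                reasons.append("overlaps partition %d" % q["index"])
        if reasons:
            findings[p["index"]] = reasons
    return findings


SAMPLE_MBR = build_mbr(SAMPLE_ENTRIES)


def scan_sample():
    """Run the heuristics over the table constructed from the thread's logs."""
    return suspicious_partitions(parse_mbr(SAMPLE_MBR), DISK_SECTORS)


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print("Partition %d boot=%02X type=%02X start=%d sectors=%d" %
              (p["index"], 0x80 if p["active"] else 0, p["type"], p["start"], p["sectors"]))
    for idx, why in scan_sample().items():
        print("Partition %d **SUSPICIOUS**: %s" % (idx, "; ".join(why)))
```

Run stand-alone it prints the four entries and flags only partition 4, for two reasons: it is an active hidden-type entry, and it is a tiny partition at the disk tail. The heuristics are evidence, not proof. A bootkit that filters disk I/O can feed a clean sector to whatever reads the MBR through the normal disk stack, which is why aswMBR reads below the filter and prints a call trace; in the log above that trace shows atapi's IRP_MJ_INTERNAL_DEVICE_CONTROL handler resolving to an UNKNOWN module rather than a named driver, which is the other tell in the same report.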

#5 gringo_pr (Malware Response Team)

Posted 22 February 2012 - 10:55 AM

Hello Marc

I would like you to run this tool for me: FixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say either that the infection was cleared or that no infection was found; let me know what it says.

After it is complete I want you to restart the computer, try to rerun TDSSKiller for me and send me the report.

Gringo

#6 cramjo (Topic Starter)

Posted 22 February 2012 - 11:13 AM

Hi Gringo,

Thanks for your quick response.

I ran FixTDSS. After rebooting it said "Infected MBR detected". I clicked Repair and this was successful. Then I rebooted the computer again.

I could then run TDSSKiller. It said it found nothing. Here is the log:

03:08:28.0616 2260 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
03:08:29.0661 2260 ============================================================
03:08:29.0661 2260 Current date / time: 2012/02/23 03:08:29.0661
03:08:29.0661 2260 SystemInfo:
03:08:29.0661 2260
03:08:29.0661 2260 OS Version: 6.0.6001 ServicePack: 1.0
03:08:29.0661 2260 Product type: Workstation
03:08:29.0661 2260 ComputerName: MARC-PC
03:08:29.0661 2260 UserName: Marc
03:08:29.0661 2260 Windows directory: C:\Windows
03:08:29.0661 2260 System windows directory: C:\Windows
03:08:29.0661 2260 Running under WOW64
03:08:29.0661 2260 Processor architecture: Intel x64
03:08:29.0661 2260 Number of processors: 8
03:08:29.0661 2260 Page size: 0x1000
03:08:29.0661 2260 Boot type: Normal boot
03:08:29.0661 2260 ============================================================
03:08:31.0861 2260 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
03:08:31.0939 2260 \Device\Harddisk0\DR0:
03:08:31.0954 2260 MBR used
03:08:31.0954 2260 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1F800, BlocksNum 0x1E00000
03:08:31.0954 2260 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E1F800, BlocksNum 0x728E6800
03:08:32.0048 2260 Initialize success
03:08:32.0048 2260 ============================================================
03:09:47.0084 1384 ============================================================
03:09:47.0084 1384 Scan started
03:09:47.0084 1384 Mode: Manual;
03:09:47.0084 1384 ============================================================
03:09:47.0957 1384 ACPI (af3a1aa81f875169dd9e55b1320057d6) C:\Windows\system32\drivers\acpi.sys
03:09:47.0957 1384 ACPI - ok
03:09:48.0035 1384 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
03:09:48.0035 1384 adp94xx - ok
03:09:48.0051 1384 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
03:09:48.0051 1384 adpahci - ok
03:09:48.0082 1384 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
03:09:48.0082 1384 adpu160m - ok
03:09:48.0191 1384 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
03:09:48.0191 1384 adpu320 - ok
03:09:48.0285 1384 AFD (9bb97042fa331a0fb4bdd98b9280a50a) C:\Windows\system32\drivers\afd.sys
03:09:48.0285 1384 AFD - ok
03:09:48.0332 1384 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
03:09:48.0332 1384 agp440 - ok
03:09:48.0347 1384 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
03:09:48.0347 1384 aic78xx - ok
03:09:48.0379 1384 aliide (9544c2c55541c0c6bfd7b489d0e7d430) C:\Windows\system32\drivers\aliide.sys
03:09:48.0379 1384 aliide - ok
03:09:48.0394 1384 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
03:09:48.0394 1384 amdide - ok
03:09:48.0425 1384 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
03:09:48.0425 1384 AmdK8 - ok
03:09:48.0457 1384 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
03:09:48.0457 1384 arc - ok
03:09:48.0488 1384 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
03:09:48.0488 1384 arcsas - ok
03:09:48.0503 1384 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
03:09:48.0519 1384 AsyncMac - ok
03:09:48.0535 1384 atapi (f988bb0690cd660318037908e9b8dbf7) C:\Windows\system32\drivers\atapi.sys
03:09:48.0535 1384 atapi - ok
03:09:48.0628 1384 atikmdag (b66ed1a0739f78b01b2dad5e61e58570) C:\Windows\system32\DRIVERS\atikmdag.sys
03:09:48.0722 1384 atikmdag - ok
03:09:48.0847 1384 AVGIDSDriver (fa46adf6e497cf185160f09e603ce2a3) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
03:09:48.0847 1384 AVGIDSDriver - ok
03:09:48.0862 1384 AVGIDSEH (d6b93e5d8b96a66f55a4d2ee7f24667c) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
03:09:48.0862 1384 AVGIDSEH - ok
03:09:48.0878 1384 AVGIDSFilter (ff6551f1ab0da3b30c9dec923f21b504) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
03:09:48.0878 1384 AVGIDSFilter - ok
03:09:48.0893 1384 Avgldx64 (979cf8912449a10b987218bff80a1fa3) C:\Windows\system32\DRIVERS\avgldx64.sys
03:09:48.0909 1384 Avgldx64 - ok
03:09:48.0909 1384 Avgmfx64 (36b1a5843695766eac714daffc5b84d1) C:\Windows\system32\DRIVERS\avgmfx64.sys
03:09:48.0909 1384 Avgmfx64 - ok
03:09:48.0956 1384 Avgrkx64 (1102239fb724527f1febbbbccf6bf313) C:\Windows\system32\DRIVERS\avgrkx64.sys
03:09:48.0956 1384 Avgrkx64 - ok
03:09:49.0081 1384 Avgtdia (11f36d3ea82d9db9aa05a476a210551b) C:\Windows\system32\DRIVERS\avgtdia.sys
03:09:49.0081 1384 Avgtdia - ok
03:09:49.0143 1384 Beep - ok
03:09:49.0159 1384 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
03:09:49.0159 1384 blbdrive - ok
03:09:49.0174 1384 bowser (f0f035fcec3554cc1b70c5611bd87951) C:\Windows\system32\DRIVERS\bowser.sys
03:09:49.0190 1384 bowser - ok
03:09:49.0205 1384 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
03:09:49.0205 1384 BrFiltLo - ok
03:09:49.0221 1384 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
03:09:49.0221 1384 BrFiltUp - ok
03:09:49.0237 1384 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
03:09:49.0237 1384 Brserid - ok
03:09:49.0252 1384 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
03:09:49.0252 1384 BrSerWdm - ok
03:09:49.0283 1384 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
03:09:49.0283 1384 BrUsbMdm - ok
03:09:49.0393 1384 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
03:09:49.0393 1384 BrUsbSer - ok
03:09:49.0439 1384 BthEnum (12b275fd8ea054a719d024d7017eb932) C:\Windows\system32\DRIVERS\BthEnum.sys
03:09:49.0439 1384 BthEnum - ok
03:09:49.0471 1384 BTHMODEM (752fc84a394ca712d51dd9bd53f58e73) C:\Windows\system32\DRIVERS\bthmodem.sys
03:09:49.0471 1384 BTHMODEM - ok
03:09:49.0486 1384 BthPan (befc5311736b475ac5b60c14ff7c775a) C:\Windows\system32\DRIVERS\bthpan.sys
03:09:49.0486 1384 BthPan - ok
03:09:49.0502 1384 BTHPORT (516cdda5b7f6c6999db7eb7425337a19) C:\Windows\system32\Drivers\BTHport.sys
03:09:49.0502 1384 BTHPORT - ok
03:09:49.0517 1384 BTHUSB (264cc52d69337ce5d12d13d71220b612) C:\Windows\system32\Drivers\BTHUSB.sys
03:09:49.0517 1384 BTHUSB - ok
03:09:49.0580 1384 btwaudio (a44ad9ab3bf98a65eb58662e3c78eae0) C:\Windows\system32\drivers\btwaudio.sys
03:09:49.0580 1384 btwaudio - ok
03:09:49.0611 1384 btwavdt (a441d453821a6336f516f97f79bbfa17) C:\Windows\system32\drivers\btwavdt.sys
03:09:49.0611 1384 btwavdt - ok
03:09:49.0642 1384 btwrchid (b550c75397d96251a92391555fe5534c) C:\Windows\system32\DRIVERS\btwrchid.sys
03:09:49.0642 1384 btwrchid - ok
03:09:49.0673 1384 catchme - ok
03:09:49.0814 1384 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
03:09:49.0814 1384 cdfs - ok
03:09:49.0845 1384 cdrom (3b2fb35363423ed60c8fbf15fc8680bd) C:\Windows\system32\DRIVERS\cdrom.sys
03:09:49.0845 1384 cdrom - ok
03:09:49.0876 1384 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys
03:09:49.0876 1384 circlass - ok
03:09:50.0017 1384 CLFS (c12c4ee07843b595036da0baa6317936) C:\Windows\system32\CLFS.sys
03:09:50.0017 1384 CLFS - ok
03:09:50.0297 1384 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
03:09:50.0297 1384 cmdide - ok
03:09:50.0391 1384 Compbatt (34a6aa82aa36c87fc8816f2097efa345) C:\Windows\system32\drivers\compbatt.sys
03:09:50.0391 1384 Compbatt - ok
03:09:50.0485 1384 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
03:09:50.0485 1384 crcdisk - ok
03:09:50.0516 1384 DfsC (3725c43c9e90731eca651d506cc599a3) C:\Windows\system32\Drivers\dfsc.sys
03:09:50.0531 1384 DfsC - ok
03:09:50.0578 1384 disk (2dc415fc05fb8a079f896cbbacb19324) C:\Windows\system32\drivers\disk.sys
03:09:50.0578 1384 disk - ok
03:09:50.0594 1384 drmkaud (97dc2a789c1be458976507846a1a8ced) C:\Windows\system32\drivers\drmkaud.sys
03:09:50.0594 1384 drmkaud - ok
03:09:50.0625 1384 DXGKrnl (412964040ce920ff83aff6b5b551bf99) C:\Windows\System32\drivers\dxgkrnl.sys
03:09:50.0625 1384 DXGKrnl - ok
03:09:50.0656 1384 e1express (17d40652ef3e55eeae187a89df40965a) C:\Windows\system32\DRIVERS\e1e6032e.sys
03:09:50.0656 1384 e1express - ok
03:09:50.0687 1384 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
03:09:50.0687 1384 E1G60 - ok
03:09:50.0719 1384 e1yexpress (b37f6853d6e0c6f5f8efde33e831b5f8) C:\Windows\system32\DRIVERS\e1y60x64.sys
03:09:50.0719 1384 e1yexpress - ok
03:09:50.0734 1384 Ecache (7343d950a34a95dcb7441642e3e6beef) C:\Windows\system32\drivers\ecache.sys
03:09:50.0734 1384 Ecache - ok
03:09:50.0765 1384 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
03:09:50.0765 1384 elxstor - ok
03:09:50.0781 1384 ErrDev (991fab6aa066e1214efb5b496fb7959a) C:\Windows\system32\drivers\errdev.sys
03:09:50.0781 1384 ErrDev - ok
03:09:50.0812 1384 exfat (2a546b9a84658b0554b1ec35cd9adaf5) C:\Windows\system32\drivers\exfat.sys
03:09:50.0812 1384 exfat - ok
03:09:50.0843 1384 fastfat (fe731d345ed9eeabbc72a59b35941834) C:\Windows\system32\drivers\fastfat.sys
03:09:50.0843 1384 fastfat - ok
03:09:50.0875 1384 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
03:09:50.0875 1384 fdc - ok
03:09:50.0875 1384 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
03:09:50.0875 1384 FileInfo - ok
03:09:50.0921 1384 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
03:09:50.0921 1384 Filetrace - ok
03:09:50.0953 1384 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
03:09:50.0953 1384 flpydisk - ok
03:09:50.0953 1384 FltMgr (7dacf1a3a4219575070c6dc7c957428a) C:\Windows\system32\drivers\fltmgr.sys
03:09:50.0953 1384 FltMgr - ok
03:09:50.0984 1384 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys
03:09:50.0984 1384 Fs_Rec - ok
03:09:51.0015 1384 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
03:09:51.0015 1384 gagp30kx - ok
03:09:51.0062 1384 HdAudAddService (df45f8142dc6df9d18c39b3effbd0409) C:\Windows\system32\drivers\HdAudio.sys
03:09:51.0077 1384 HdAudAddService - ok
03:09:51.0093 1384 HDAudBus (0c0d0f8a3ff09ecc81963d09ec6a0a84) C:\Windows\system32\DRIVERS\HDAudBus.sys
03:09:51.0093 1384 HDAudBus - ok
03:09:51.0109 1384 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
03:09:51.0109 1384 HidBth - ok
03:09:51.0155 1384 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys
03:09:51.0155 1384 HidIr - ok
03:09:51.0187 1384 HidUsb (128e2da8483fdd4dd0c7b3f9abd6f323) C:\Windows\system32\DRIVERS\hidusb.sys
03:09:51.0187 1384 HidUsb - ok
03:09:51.0233 1384 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
03:09:51.0233 1384 HpCISSs - ok
03:09:51.0405 1384 HTTP (e690736da6c543f5d99c8fa27bea31db) C:\Windows\system32\drivers\HTTP.sys
03:09:51.0467 1384 HTTP - ok
03:09:51.0483 1384 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
03:09:51.0483 1384 i2omp - ok
03:09:51.0530 1384 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
03:09:51.0530 1384 i8042prt - ok
03:09:51.0592 1384 iaStor (fc28e90f2204d8fd147fa9bfa8a51c01) C:\Windows\system32\drivers\iastor.sys
03:09:51.0592 1384 iaStor - ok
03:09:51.0717 1384 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
03:09:51.0717 1384 iaStorV - ok
03:09:51.0748 1384 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
03:09:51.0748 1384 iirsp - ok
03:09:51.0889 1384 IntcAzAudAddService (e28edf74900e68184f44cfcdd66f1bc3) C:\Windows\system32\drivers\RTKVHD64.sys
03:09:51.0904 1384 IntcAzAudAddService - ok
03:09:51.0935 1384 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\DRIVERS\intelide.sys
03:09:51.0935 1384 intelide - ok
03:09:51.0951 1384 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
03:09:51.0951 1384 intelppm - ok
03:09:51.0982 1384 IpFilterDriver (99b821f5bebd6a3cc3fe564f802ae0fd) C:\Windows\system32\DRIVERS\ipfltdrv.sys
03:09:51.0982 1384 IpFilterDriver - ok
03:09:52.0029 1384 IpInIp - ok
03:09:52.0060 1384 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
03:09:52.0060 1384 IPMIDRV - ok
03:09:52.0091 1384 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
03:09:52.0091 1384 IPNAT - ok
03:09:52.0123 1384 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
03:09:52.0123 1384 IRENUM - ok
03:09:52.0138 1384 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
03:09:52.0138 1384 isapnp - ok
03:09:52.0169 1384 iScsiPrt (49e4ccbf74783fce5d2cc1ff6480e1f4) C:\Windows\system32\DRIVERS\msiscsi.sys
03:09:52.0169 1384 iScsiPrt - ok
03:09:52.0185 1384 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
03:09:52.0185 1384 iteatapi - ok
03:09:52.0232 1384 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
03:09:52.0247 1384 iteraid - ok
03:09:52.0279 1384 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
03:09:52.0279 1384 kbdclass - ok
03:09:52.0325 1384 kbdhid (bf8783a5066cfecf45095459e8010fa7) C:\Windows\system32\DRIVERS\kbdhid.sys
03:09:52.0357 1384 kbdhid - ok
03:09:52.0419 1384 KSecDD (ccdcce6224e1e207e953af826b98a9d9) C:\Windows\system32\Drivers\ksecdd.sys
03:09:52.0419 1384 KSecDD - ok
03:09:52.0435 1384 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
03:09:52.0435 1384 ksthunk - ok
03:09:52.0450 1384 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
03:09:52.0450 1384 lltdio - ok
03:09:52.0481 1384 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
03:09:52.0497 1384 LSI_FC - ok
03:09:52.0513 1384 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
03:09:52.0513 1384 LSI_SAS - ok
03:09:52.0528 1384 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
03:09:52.0528 1384 LSI_SCSI - ok
03:09:52.0544 1384 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
03:09:52.0544 1384 luafv - ok
03:09:52.0606 1384 MBAMProtector (79da94b35371b9e7104460c7693dcb2c) C:\Windows\system32\drivers\mbam.sys
03:09:52.0606 1384 MBAMProtector - ok
03:09:52.0637 1384 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
03:09:52.0637 1384 megasas - ok
03:09:52.0653 1384 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
03:09:52.0653 1384 MegaSR - ok
03:09:52.0715 1384 mfebopk (2064b902db521a23fca30dc256c2acca) C:\Windows\system32\drivers\mfebopk.sys
03:09:52.0715 1384 mfebopk - ok
03:09:52.0747 1384 mferkdk (624d717b11e5004f68442b5740f17f21) C:\Windows\system32\drivers\mferkdk.sys
03:09:52.0747 1384 mferkdk - ok
03:09:52.0762 1384 mfesmfk (0cd9de7b96735f33f078c4ea044e8b34) C:\Windows\system32\drivers\mfesmfk.sys
03:09:52.0762 1384 mfesmfk - ok
03:09:52.0793 1384 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
03:09:52.0793 1384 Modem - ok
03:09:52.0809 1384 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
03:09:52.0809 1384 monitor - ok
03:09:52.0809 1384 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
03:09:52.0809 1384 mouclass - ok
03:09:52.0825 1384 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
03:09:52.0825 1384 mouhid - ok
03:09:52.0825 1384 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
03:09:52.0825 1384 MountMgr - ok
03:09:52.0887 1384 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
03:09:52.0887 1384 MpFilter - ok
03:09:52.0903 1384 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
03:09:52.0903 1384 mpio - ok
03:09:52.0918 1384 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
03:09:52.0918 1384 MpNWMon - ok
03:09:52.0934 1384 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
03:09:52.0934 1384 mpsdrv - ok
03:09:52.0996 1384 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
03:09:53.0012 1384 Mraid35x - ok
03:09:53.0027 1384 MRxDAV (fe2706c15f8345c342820e4e4583fea0) C:\Windows\system32\drivers\mrxdav.sys
03:09:53.0027 1384 MRxDAV - ok
03:09:53.0059 1384 mrxsmb (b698eb9acc7ecd4927d99d268918f912) C:\Windows\system32\DRIVERS\mrxsmb.sys
03:09:53.0059 1384 mrxsmb - ok
03:09:53.0090 1384 mrxsmb10 (9a797e27fd28500ee13d43000c931435) C:\Windows\system32\DRIVERS\mrxsmb10.sys
03:09:53.0090 1384 mrxsmb10 - ok
03:09:53.0152 1384 mrxsmb20 (f9425d610712533107a264e2d5b2154b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
03:09:53.0152 1384 mrxsmb20 - ok
03:09:53.0183 1384 msahci (730b784962d22d2c6481eae2370e7c8c) C:\Windows\system32\drivers\msahci.sys
03:09:53.0199 1384 msahci - ok
03:09:53.0199 1384 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
03:09:53.0215 1384 msdsm - ok
03:09:53.0230 1384 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
03:09:53.0230 1384 Msfs - ok
03:09:53.0277 1384 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
03:09:53.0277 1384 msisadrv - ok
03:09:53.0293 1384 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
03:09:53.0293 1384 MSKSSRV - ok
03:09:53.0324 1384 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
03:09:53.0324 1384 MSPCLOCK - ok
03:09:53.0339 1384 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
03:09:53.0339 1384 MSPQM - ok
03:09:53.0355 1384 MsRPC (b8e32e6103fbba9fbb1d0c11ff0d13b5) C:\Windows\system32\drivers\MsRPC.sys
03:09:53.0355 1384 MsRPC - ok
03:09:53.0417 1384 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
03:09:53.0417 1384 mssmbios - ok
03:09:53.0449 1384 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
03:09:53.0449 1384 MSTEE - ok
03:09:53.0449 1384 Mup (ddf133501f68d6988a0f55dfa88637b4) C:\Windows\system32\Drivers\mup.sys
03:09:53.0449 1384 Mup - ok
03:09:53.0542 1384 NativeWifiP (73b99c98fa3a2ed1566e02d6fe1913a5) C:\Windows\system32\DRIVERS\nwifi.sys
03:09:53.0542 1384 NativeWifiP - ok
03:09:53.0589 1384 NDIS (f9a3ae5c9f047d71a36a99f9abca7d02) C:\Windows\system32\drivers\ndis.sys
03:09:53.0589 1384 NDIS - ok
03:09:53.0605 1384 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
03:09:53.0605 1384 NdisTapi - ok
03:09:53.0636 1384 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
03:09:53.0636 1384 Ndisuio - ok
03:09:53.0667 1384 NdisWan (52e3e8e35101399be9b2938c992aa087) C:\Windows\system32\DRIVERS\ndiswan.sys
03:09:53.0667 1384 NdisWan - ok
03:09:53.0683 1384 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
03:09:53.0683 1384 NDProxy - ok
03:09:53.0683 1384 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
03:09:53.0683 1384 NetBIOS - ok
03:09:53.0698 1384 netbt (7a29ca243a629230799754162d80120f) C:\Windows\system32\DRIVERS\netbt.sys
03:09:53.0714 1384 netbt - ok
03:09:53.0729 1384 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
03:09:53.0729 1384 nfrd960 - ok
03:09:53.0776 1384 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
03:09:53.0776 1384 NisDrv - ok
03:09:53.0854 1384 nmwcd (985a3f046dfcd58e26d3a95283bb8f1d) C:\Windows\system32\drivers\ccdcmbx64.sys
03:09:53.0870 1384 nmwcd - ok
03:09:53.0917 1384 nmwcdc (5eb41a9656388dc21119ccc33f0ee22a) C:\Windows\system32\drivers\ccdcmbox64.sys
03:09:53.0917 1384 nmwcdc - ok
03:09:53.0948 1384 nmwcdnsucx64 (c1bdac035fa94c04664a73b24d8ad251) C:\Windows\system32\drivers\nmwcdnsucx64.sys
03:09:53.0948 1384 nmwcdnsucx64 - ok
03:09:54.0010 1384 nmwcdnsux64 (0001545a029ef57c2b0fd62776afb005) C:\Windows\system32\drivers\nmwcdnsux64.sys
03:09:54.0010 1384 nmwcdnsux64 - ok
03:09:54.0010 1384 Npfs (b06154e2a2c91e9be5599fca53bc4cd0) C:\Windows\system32\drivers\Npfs.sys
03:09:54.0010 1384 Npfs - ok
03:09:54.0026 1384 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
03:09:54.0026 1384 nsiproxy - ok
03:09:54.0104 1384 Ntfs (fe86ba5ac3b50e2ca911e9c60c07b638) C:\Windows\system32\drivers\Ntfs.sys
03:09:54.0166 1384 Ntfs - ok
03:09:54.0182 1384 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
03:09:54.0182 1384 Null - ok
03:09:54.0213 1384 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
03:09:54.0213 1384 nvraid - ok
03:09:54.0244 1384 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
03:09:54.0244 1384 nvstor - ok
03:09:54.0275 1384 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
03:09:54.0275 1384 nv_agp - ok
03:09:54.0291 1384 NwlnkFlt - ok
03:09:54.0291 1384 NwlnkFwd - ok
03:09:54.0338 1384 ohci1394 (1b30103fde512915a9214b108b6e7a9c) C:\Windows\system32\DRIVERS\ohci1394.sys
03:09:54.0338 1384 ohci1394 - ok
03:09:54.0431 1384 Packet (43e24699a18126f11e3d9bf6db85518b) C:\Windows\system32\DRIVERS\packet.sys
03:09:54.0431 1384 Packet - ok
03:09:54.0447 1384 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
03:09:54.0447 1384 Parport - ok
03:09:54.0463 1384 partmgr (5ab40c36894f4c06bdab0c9a2fba282d) C:\Windows\system32\drivers\partmgr.sys
03:09:54.0463 1384 partmgr - ok
03:09:54.0494 1384 pccsmcfd (bc0018c2d29f655188a0ed3fa94fdb24) C:\Windows\system32\DRIVERS\pccsmcfdx64.sys
03:09:54.0494 1384 pccsmcfd - ok
03:09:54.0509 1384 pci (2a5b2a51559066ea84742909b5b2cd69) C:\Windows\system32\drivers\pci.sys
03:09:54.0509 1384 pci - ok
03:09:54.0525 1384 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys
03:09:54.0525 1384 pciide - ok
03:09:54.0556 1384 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
03:09:54.0556 1384 pcmcia - ok
03:09:54.0587 1384 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
03:09:54.0603 1384 PEAUTH - ok
03:09:54.0650 1384 PptpMiniport (f5739f2c6db2534c384ad5150808e8f5) C:\Windows\system32\DRIVERS\raspptp.sys
03:09:54.0650 1384 PptpMiniport - ok
03:09:54.0697 1384 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
03:09:54.0697 1384 Processor - ok
03:09:54.0728 1384 PSched (0e0e205a296095fe4c631e6a4775ad6c) C:\Windows\system32\DRIVERS\pacer.sys
03:09:54.0728 1384 PSched - ok
03:09:54.0743 1384 PxHlpa64 (46851bc18322da70f3f2299a1007c479) C:\Windows\system32\Drivers\PxHlpa64.sys
03:09:54.0743 1384 PxHlpa64 - ok
03:09:54.0868 1384 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
03:09:54.0868 1384 ql2300 - ok
03:09:54.0884 1384 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
03:09:54.0884 1384 ql40xx - ok
03:09:54.0915 1384 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
03:09:54.0915 1384 QWAVEdrv - ok
03:09:55.0165 1384 R300 (b66ed1a0739f78b01b2dad5e61e58570) C:\Windows\system32\DRIVERS\atikmdag.sys
03:09:55.0196 1384 R300 - ok
03:09:55.0196 1384 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
03:09:55.0196 1384 RasAcd - ok
03:09:55.0227 1384 Rasl2tp (3b9085f91ef00abd15a6f36570e90e12) C:\Windows\system32\DRIVERS\rasl2tp.sys
03:09:55.0227 1384 Rasl2tp - ok
03:09:55.0274 1384 RasPppoe (2ce1703c27196094fb6e4c6e439f2c21) C:\Windows\system32\DRIVERS\raspppoe.sys
03:09:55.0274 1384 RasPppoe - ok
03:09:55.0289 1384 RasSstp (fcd04fa67e8b40fa0ad361dd38593942) C:\Windows\system32\DRIVERS\rassstp.sys
03:09:55.0289 1384 RasSstp - ok
03:09:55.0305 1384 rdbss (33fa5b6136d92ee0f53f021c79091300) C:\Windows\system32\DRIVERS\rdbss.sys
03:09:55.0305 1384 rdbss - ok
03:09:55.0367 1384 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
03:09:55.0367 1384 RDPCDD - ok
03:09:55.0399 1384 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys
03:09:55.0414 1384 rdpdr - ok
03:09:55.0430 1384 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
03:09:55.0430 1384 RDPENCDD - ok
03:09:55.0477 1384 RDPWD (7747082f672aa2846235c9cea42e2e72) C:\Windows\system32\drivers\RDPWD.sys
03:09:55.0477 1384 RDPWD - ok
03:09:55.0508 1384 RFCOMM (a5fd55b4ccd5307f71c2c246f56c4d4f) C:\Windows\system32\DRIVERS\rfcomm.sys
03:09:55.0508 1384 RFCOMM - ok
03:09:55.0523 1384 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
03:09:55.0539 1384 rspndr - ok
03:09:55.0570 1384 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
03:09:55.0570 1384 sbp2port - ok
03:09:55.0617 1384 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
03:09:55.0617 1384 secdrv - ok
03:09:55.0648 1384 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys
03:09:55.0648 1384 Serenum - ok
03:09:55.0664 1384 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys
03:09:55.0664 1384 Serial - ok
03:09:55.0695 1384 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
03:09:55.0695 1384 sermouse - ok
03:09:55.0726 1384 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
03:09:55.0726 1384 sffdisk - ok
03:09:55.0742 1384 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
03:09:55.0742 1384 sffp_mmc - ok
03:09:55.0757 1384 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
03:09:55.0757 1384 sffp_sd - ok
03:09:55.0773 1384 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
03:09:55.0773 1384 sfloppy - ok
03:09:55.0913 1384 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
03:09:55.0913 1384 SiSRaid2 - ok
03:09:55.0929 1384 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
03:09:55.0945 1384 SiSRaid4 - ok
03:09:55.0976 1384 Smb (41eb2e8e005feedcafce301983eff932) C:\Windows\system32\DRIVERS\smb.sys
03:09:55.0976 1384 Smb - ok
03:09:55.0991 1384 spldr (f9cb0672162f7f04248e2b82c1ff4617) C:\Windows\system32\drivers\spldr.sys
03:09:55.0991 1384 spldr - ok
03:09:56.0054 1384 srv (a8abd7d0d907b45cf3831f4dd8644349) C:\Windows\system32\DRIVERS\srv.sys
03:09:56.0054 1384 srv - ok
03:09:56.0069 1384 srv2 (6c72eea39e1c37b436a6d1532999f9ec) C:\Windows\system32\DRIVERS\srv2.sys
03:09:56.0069 1384 srv2 - ok
03:09:56.0132 1384 srvnet (7f69bcf9e6fa3d93c82ee6b87812666d) C:\Windows\system32\DRIVERS\srvnet.sys
03:09:56.0132 1384 srvnet - ok
03:09:56.0179 1384 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
03:09:56.0194 1384 swenum - ok
03:09:56.0210 1384 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
03:09:56.0210 1384 Symc8xx - ok
03:09:56.0241 1384 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
03:09:56.0241 1384 Sym_hi - ok
03:09:56.0241 1384 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
03:09:56.0257 1384 Sym_u3 - ok
03:09:56.0303 1384 Tcpip (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\drivers\tcpip.sys
03:09:56.0319 1384 Tcpip - ok
03:09:56.0350 1384 Tcpip6 (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\DRIVERS\tcpip.sys
03:09:56.0350 1384 Tcpip6 - ok
03:09:56.0366 1384 tcpipreg (c29d4b3b08ad0b7e8564814e4ff6a57b) C:\Windows\system32\drivers\tcpipreg.sys
03:09:56.0381 1384 tcpipreg - ok
03:09:56.0428 1384 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
03:09:56.0428 1384 TDPIPE - ok
03:09:56.0459 1384 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
03:09:56.0459 1384 TDTCP - ok
03:09:56.0491 1384 tdx (8c39c72e0e853de04748c0337d9b9216) C:\Windows\system32\DRIVERS\tdx.sys
03:09:56.0491 1384 tdx - ok
03:09:56.0537 1384 TermDD (3f0ebf6ee609f2a276c0d5faf244ec90) C:\Windows\system32\DRIVERS\termdd.sys
03:09:56.0537 1384 TermDD - ok
03:09:56.0569 1384 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
03:09:56.0569 1384 tssecsrv - ok
03:09:56.0584 1384 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
03:09:56.0584 1384 tunmp - ok
03:09:56.0647 1384 tunnel (2dc2c423572946e9a3131425bda73cb6) C:\Windows\system32\DRIVERS\tunnel.sys
03:09:56.0647 1384 tunnel - ok
03:09:56.0678 1384 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys
03:09:56.0678 1384 uagp35 - ok
03:09:56.0709 1384 udfs (eca6629e33f122afff18a2ab7c3eb033) C:\Windows\system32\DRIVERS\udfs.sys
03:09:56.0709 1384 udfs - ok
03:09:56.0740 1384 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys
03:09:56.0740 1384 uliagpkx - ok
03:09:56.0756 1384 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys
03:09:56.0756 1384 uliahci - ok
03:09:56.0771 1384 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys
03:09:56.0771 1384 UlSata - ok
03:09:56.0803 1384 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys
03:09:56.0803 1384 ulsata2 - ok
03:09:56.0818 1384 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys
03:09:56.0818 1384 umbus - ok
03:09:56.0881 1384 upperdev (afa3a0937b7044a8322d8bc91722c53b) C:\Windows\system32\DRIVERS\usbser_lowerfltx64.sys
03:09:56.0881 1384 upperdev - ok
03:09:56.0912 1384 usbccgp (ae3dea342f01249317b2bb3df0424238) C:\Windows\system32\DRIVERS\usbccgp.sys
03:09:56.0912 1384 usbccgp - ok
03:09:56.0959 1384 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys
03:09:56.0974 1384 usbcir - ok
03:09:56.0990 1384 usbehci (b89f9fe9fc1e7c9cb03acb8819eb511d) C:\Windows\system32\DRIVERS\usbehci.sys
03:09:56.0990 1384 usbehci - ok
03:09:57.0005 1384 usbhub (f2c1d8eff9c7cf84ff0235408acd3f4b) C:\Windows\system32\DRIVERS\usbhub.sys
03:09:57.0005 1384 usbhub - ok
03:09:57.0021 1384 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys
03:09:57.0037 1384 usbohci - ok
03:09:57.0052 1384 usbprint (acfee697af477021bb3ec78c5431fed2) C:\Windows\system32\drivers\usbprint.sys
03:09:57.0052 1384 usbprint - ok
03:09:57.0099 1384 usbser (5a8d98330f21e69d19459ed65847111d) C:\Windows\system32\drivers\usbser.sys
03:09:57.0099 1384 usbser - ok
03:09:57.0146 1384 UsbserFilt (b826f3ff5a1975cc9096b4caadde77b6) C:\Windows\system32\DRIVERS\usbser_lowerfltjx64.sys
03:09:57.0146 1384 UsbserFilt - ok
03:09:57.0161 1384 USBSTOR (586d9876a4945779c8eea926c0d16889) C:\Windows\system32\DRIVERS\USBSTOR.SYS
03:09:57.0177 1384 USBSTOR - ok
03:09:57.0224 1384 usbuhci (225e107785315874ba5c1abc7dda7bfc) C:\Windows\system32\DRIVERS\usbuhci.sys
03:09:57.0224 1384 usbuhci - ok
03:09:57.0255 1384 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
03:09:57.0255 1384 vga - ok
03:09:57.0271 1384 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
03:09:57.0271 1384 VgaSave - ok
03:09:57.0317 1384 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
03:09:57.0317 1384 viaide - ok
03:09:57.0333 1384 volmgr (793d9b32a1c462c91f6f70358283ac97) C:\Windows\system32\drivers\volmgr.sys
03:09:57.0333 1384 volmgr - ok
03:09:57.0349 1384 volmgrx (5aa217da5dc4ff5b9ac9ab86563b3223) C:\Windows\system32\drivers\volmgrx.sys
03:09:57.0349 1384 volmgrx - ok
03:09:57.0395 1384 volsnap (de4307412d98050239026e56a7dff3c0) C:\Windows\system32\drivers\volsnap.sys
03:09:57.0427 1384 volsnap - ok
03:09:57.0458 1384 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
03:09:57.0458 1384 vsmraid - ok
03:09:57.0489 1384 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
03:09:57.0489 1384 WacomPen - ok
03:09:57.0520 1384 Wanarp (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys
03:09:57.0520 1384 Wanarp - ok
03:09:57.0551 1384 Wanarpv6 (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys
03:09:57.0551 1384 Wanarpv6 - ok
03:09:57.0583 1384 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
03:09:57.0583 1384 Wd - ok
03:09:57.0614 1384 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
03:09:57.0614 1384 Wdf01000 - ok
03:09:57.0661 1384 WmiAcpi (7999dfb1c555efc0db69576f70027867) C:\Windows\system32\drivers\wmiacpi.sys
03:09:57.0661 1384 WmiAcpi - ok
03:09:57.0692 1384 WpdUsb (6329d1990db931073b86ab5946d8e317) C:\Windows\system32\DRIVERS\wpdusb.sys
03:09:57.0707 1384 WpdUsb - ok
03:09:57.0723 1384 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
03:09:57.0739 1384 ws2ifsl - ok
03:09:57.0785 1384 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
03:09:57.0785 1384 WudfPf - ok
03:09:57.0848 1384 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
03:09:57.0848 1384 WUDFRd - ok
03:09:57.0879 1384 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
03:09:57.0926 1384 \Device\Harddisk0\DR0 - ok
03:09:57.0941 1384 Boot (0x1200) (29751e3324689d74ac4b7a487fe6cadf) \Device\Harddisk0\DR0\Partition0
03:09:57.0941 1384 \Device\Harddisk0\DR0\Partition0 - ok
03:09:57.0941 1384 Boot (0x1200) (50cf64738900ccc243a32da1e6609b2c) \Device\Harddisk0\DR0\Partition1
03:09:57.0941 1384 \Device\Harddisk0\DR0\Partition1 - ok
03:09:57.0941 1384 ============================================================
03:09:57.0941 1384 Scan finished
03:09:57.0941 1384 ============================================================
03:09:57.0957 5260 Detected object count: 0
03:09:57.0957 5260 Actual detected object count: 0


Thanks for your help.

Marc

#7 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 05:34 PM

Posted 22 February 2012 - 11:16 AM

Greetings Marc

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::

Folder::
c:\users\Marc\AppData\Roaming\33A31
c:\users\Marc\AppData\Roaming\C6133

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 cramjo (Topic Starter)

  • Members
  • 15 posts
  • Local time: 04:34 PM

Posted 22 February 2012 - 11:19 AM

I just thought I would see where the virus was at. Did a random google search, clicked on heaps of links and none were redirected! Also, Google instant is working again! Looks good :) !!!!

Please let me know if I should run anything else to confirm my system is clean.

As an aside, it seems this redirect virus is getting around, would you be able to explain (or do you have a link that explains) why no normal anti-virus software can remove this virus?

Thanks again Gringo!

Marc

#9 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 05:34 PM

Posted 22 February 2012 - 11:24 AM

Hello

why no normal anti-virus software can remove this virus? - because it keeps changing every day -

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#10 cramjo
  • Topic Starter
  • Members
  • 15 posts

Posted 22 February 2012 - 11:49 AM

Hi Gringo,

It changes every day... wow. I wish the person that created this put his/her intelligence to actual good use.

Anyway, I ran the script you wrote with no problems.

Below is the ComboFix log:

ComboFix 12-02-21.01 - Marc 23/02/2012 3:27.2.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.8182.6182 [GMT 11:00]
Running from: c:\users\Marc\Desktop\ComboFix.exe
Command switches used :: c:\users\Marc\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Marc\AppData\Roaming\33A31
c:\users\Marc\AppData\Roaming\C6133
c:\users\Marc\AppData\Roaming\C6133\3A31.613
.
.
((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
.
.
2012-02-22 16:34 . 2012-02-22 16:34 -------- d-----w- c:\users\Test\AppData\Local\temp
2012-02-22 16:34 . 2012-02-22 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-19 03:00 . 2012-02-19 03:00 25160 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-19 03:00 . 2012-02-19 03:00 -------- d-----w- c:\program files\HitmanPro
2012-02-19 03:00 . 2012-02-19 03:00 -------- d-----w- c:\programdata\HitmanPro
2012-02-19 02:01 . 2012-02-19 02:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-19 02:01 . 2012-02-19 02:03 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-18 15:23 . 2012-02-18 15:23 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2012-02-18 15:23 . 2012-02-18 15:23 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2012-02-18 15:23 . 2012-02-18 15:23 134104 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2012-02-18 15:23 . 2012-02-18 15:23 97240 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2012-02-18 15:23 . 2012-02-18 15:23 801752 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2012-02-18 15:23 . 2012-02-18 15:23 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-02-18 15:23 . 2012-02-18 15:23 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-02-18 15:23 . 2012-02-18 15:23 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-02-18 15:23 . 2012-02-18 15:23 45016 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-02-18 15:23 . 2012-02-18 15:23 437208 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2012-02-18 15:23 . 2012-02-18 15:23 1911768 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2012-02-18 15:23 . 2012-02-18 15:23 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2012-02-18 12:00 . 2012-02-18 12:00 -------- d-----w- c:\users\Computer\AppData\Local\Google
2012-02-18 11:51 . 2012-02-18 11:51 -------- d-----w- c:\users\Computer\AppData\Roaming\Malwarebytes
2012-02-18 05:19 . 2012-02-18 05:19 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-18 05:19 . 2012-02-18 05:18 476904 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2012-02-18 05:19 . 2012-02-18 05:18 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-18 05:18 . 2012-02-18 05:18 -------- d-----w- c:\program files (x86)\Java
2012-02-18 05:04 . 2012-02-18 05:04 -------- d-----w- c:\users\Marc\AppData\Roaming\Malwarebytes
2012-02-18 05:04 . 2012-02-19 03:10 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2012-02-18 05:04 . 2012-02-18 05:04 -------- d-----w- c:\programdata\Malwarebytes
2012-02-18 05:04 . 2012-02-18 05:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-18 05:04 . 2011-12-10 04:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-18 04:48 . 2012-02-07 12:14 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-17 04:28 . 2012-02-17 04:27 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6D2D1468-BDEA-4237-9A3F-5B08DB755624}\gapaengine.dll
2012-02-17 04:28 . 2012-02-09 02:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-02-17 04:20 . 2012-02-17 04:20 -------- d-----w- C:\CBB00E32023300082DD11295
2012-02-17 04:18 . 2012-02-17 04:18 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-02-17 04:17 . 2012-02-17 04:20 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-17 03:04 . 2012-02-17 03:04 -------- d-----w- c:\programdata\AVG Secure Search
2012-02-17 03:04 . 2012-02-17 03:04 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-02-17 03:04 . 2012-02-17 03:04 -------- d-----w- c:\program files (x86)\AVG Secure Search
2012-02-17 00:50 . 2012-02-17 00:50 -------- d-----w- C:\1D9E343BBAEF02409F70382190B1
2012-02-16 14:41 . 2012-02-17 01:01 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer
2012-02-16 13:20 . 2012-02-16 13:20 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\programdata\Symantec
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\program files (x86)\Norton Security Scan
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\programdata\Norton
2012-02-16 13:16 . 2012-02-16 13:16 -------- d-----w- c:\program files (x86)\NortonInstaller
2012-02-16 11:41 . 2012-02-16 11:41 -------- d-----w- c:\users\Marc\AppData\Roaming\Samsung
2012-02-16 11:39 . 2012-02-16 11:39 -------- d-----w- c:\users\Marc\{418b7556-e5b8-4737-829d-ababcc0ce3e5}
2012-02-16 11:35 . 2012-02-16 11:38 -------- d-----w- c:\program files (x86)\Samsung
2012-02-16 11:35 . 2012-02-16 11:37 -------- d-----w- c:\programdata\Samsung
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2010-11-13 04:02 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-14 12:14 . 2011-12-14 12:14 341264 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-21_10.10.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2012-02-21 06:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2012-02-21 10:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2012-02-21 10:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-21 06:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2012-02-22 16:07 56160 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-02-22 16:07 87892 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-04 13:41 . 2012-02-22 16:07 11172 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2164913448-1643566587-2904783538-1000_UserData.bin
+ 2009-11-29 10:29 . 2012-02-22 15:30 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-29 10:29 . 2012-02-18 12:14 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-02-16 13:19 . 2012-02-22 15:31 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-02-16 13:19 . 2012-02-18 12:23 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2012-02-16 13:19 . 2012-02-22 15:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2012-02-16 13:19 . 2012-02-18 12:23 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2012-02-16 13:19 . 2012-02-18 12:23 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2012-02-16 13:19 . 2012-02-22 15:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-29 10:29 . 2012-02-22 15:31 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-29 10:29 . 2012-02-18 12:23 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-29 10:29 . 2012-02-22 15:30 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-29 10:29 . 2012-02-18 12:14 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-17 05:12 . 2012-02-18 12:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-17 05:12 . 2012-02-22 16:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-17 05:12 . 2012-02-22 16:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-17 05:12 . 2012-02-18 12:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-18 12:14 . 2012-02-18 12:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-22 16:35 . 2012-02-22 16:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-22 16:35 . 2012-02-22 16:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-18 12:14 . 2012-02-18 12:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-29 16:46 . 2012-02-22 16:34 1660 c:\windows\bthservsdp.dat
+ 2008-01-21 03:20 . 2012-02-21 10:26 458752 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-21 06:26 458752 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-04 14:20 . 2012-02-22 07:07 428220 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"PC Suite Tray"="c:\program files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-12 61440]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-13 981808]
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2009-7-29 53248]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 0179821329568329mcinstcleanup;McAfee Application Installer Cleanup (0179821329568329);c:\users\Marc\AppData\Local\Temp\017982~1.EXE [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-20 08:54]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-20 08:54]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [BU]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 56320]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\dv202qz9.default\
FF - prefs.js: browser.startup.homepage - www.ninemsn.com.au
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Notify-GoToAssist - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\DellDock\DockLogin.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Dell Remote Access\ezi_ra.exe
c:\program files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
c:\program files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
c:\program files (x86)\PC Connectivity Solution\ServiceLayer.exe
c:\program files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files (x86)\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-02-23 03:41:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-22 16:41
ComboFix2.txt 2012-02-21 10:29
.
Pre-Run: 718,224,867,328 bytes free
Post-Run: 718,070,571,008 bytes free
.
- - End Of File - - 0629E55CAEB52A62698E9CCC20541F57





Report from pasting C:\Qoobox\Add-Remove Programs.txt in dialog box:

ACA Screen Recorder 4.00
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.6
ATI Catalyst Control Center
µTorrent
Bing Bar
CamStudio
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help English
CCC Help French
CCC Help German
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Turkish
Compatibility Pack for the 2007 Office system
Cool Edit Pro 2.1
Dell DataSafe Online
Dell Getting Started Guide
Dell Remote Access
e-tax 2011
gBurner
Google Chrome
Google Update Helper
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java™ 6 Update 31
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft Choice Guard
Microsoft Default Manager
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Office Suite Activation Assistant
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox 10.0.2 (x86 en-US)
MSVC80_x86_v2
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia Software Updater
PC Connectivity Solution
PhotobookShop.com.au
PowerDVD DX
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Skins
Spybot - Search & Destroy
swMSM
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual Studio 2008 x64 Redistributables
VLC media player 1.0.1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer


It appears the Google redirect virus is not working anymore :)

Thanks for your help. Please let me know if you want me to run any more programs or wish to see if my computer is fully clean.

Marc
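The ComboFix log above is what the helper reads by eye: the Run keys, services whose binaries are gone, the UAC policy value and the browser proxy and DNS settings. As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage pass over the "Reg Loading Points" and "Supplementary Scan" parts of such a log; it flags the things a reviewer checks first on a search-redirect complaint. The sample lines are constructed from the log posted above, with one made-up "Updater" autostart entry so the user-writable-path check has something to fire on; reading ComboFix's `[x]` marker as "binary not found" is an assumption.

```python
"""Triage pass over the 'Reg Loading Points' and 'Supplementary Scan' parts of a
ComboFix log.  Added example for this thread; not ComboFix code and not the
helper's own procedure, just a reviewer's first-look checklist written as code."""
import ipaddress
import re

# Autostart value under a ...\Run key:  "Name"="c:\path\file.exe" [2012-01-24 2416480]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# Service/driver line:  R2 name;Display Name;c:\path\file.exe [x]
SERVICE_ENTRY = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
REG_KEY = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
NAMESERVER = re.compile(r'^TCP:\s*(?:Dhcp)?NameServer\s*=\s*(?P<ips>.+)$')
FF_PROXY = re.compile(r'^FF - prefs\.js: network\.proxy\.type - (?P<value>\d+)$')

# Directories a vendor autostart rarely lives in but malware droppers favour.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')
# Firefox network.proxy.type values.
PROXY_TYPES = {0: 'no proxy', 1: 'manual proxy', 2: 'PAC script',
               4: 'auto-detect (WPAD)', 5: 'system proxy'}


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def triage(lines):
    """Return (category, subject, detail) tuples for things a reviewer looks at first."""
    findings = []
    key = None                      # registry key the current lines belong to
    for raw in lines:
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group('key').lower()
            continue
        m = RUN_ENTRY.match(line)
        if m and key and key.endswith('\\run'):
            if in_user_writable(m.group('path')):
                findings.append(('autostart-in-user-writable-dir', m.group('name'), m.group('path')))
            continue
        m = SERVICE_ENTRY.match(line)
        if m:
            name, path = m.group('name').strip(), m.group('path')
            # Assumption: ComboFix prints [x] when it could not find the service binary on disk.
            if m.group('meta') == 'x':
                findings.append(('service-binary-missing', name, path))
            elif in_user_writable(path):
                findings.append(('service-in-user-writable-dir', name, path))
            continue
        if key and key.endswith('\\policies\\system') and line.startswith('"EnableLUA"='):
            # "EnableLUA"= 0 (0x0) means User Account Control is switched off.
            parts = line.split('=', 1)[1].split()
            if parts and parts[0] == '0':
                findings.append(('uac-disabled', 'EnableLUA', line))
            continue
        m = NAMESERVER.match(line)
        if m:
            for ip in m.group('ips').split():
                try:
                    public = not ipaddress.ip_address(ip).is_private
                except ValueError:
                    findings.append(('nameserver-unparseable', ip, line))
                    continue
                if public:          # DNS outside the LAN deserves a look on a redirect complaint
                    findings.append(('nameserver-not-private', ip, line))
            continue
        m = FF_PROXY.match(line)
        if m and int(m.group('value')) != 0:
            value = int(m.group('value'))
            findings.append(('firefox-proxy-configured', PROXY_TYPES.get(value, f'type {value}'), line))
    return findings


# Constructed sample modelled on the log posted above.  The "Updater" line is
# made up for illustration; the other lines are copied from the posted log.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"Updater"="c:\users\Marc\AppData\Roaming\C6133\updater.exe" [2012-02-18 47104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 0179821329568329mcinstcleanup;McAfee Application Installer Cleanup (0179821329568329);c:\users\Marc\AppData\Local\Temp\017982~1.EXE [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
.
TCP: DhcpNameServer = 192.168.1.1
FF - prefs.js: network.proxy.type - 4
'''.strip().splitlines()

if __name__ == '__main__':
    for category, subject, detail in triage(SAMPLE_LOG):
        print(f'{category:32} {subject:32} {detail}')
```

The findings are leads, not verdicts: the McAfee cleanup service pointing at a deleted Temp file is the same harmless leftover the posted log shows, and a Firefox proxy type of 4 only means "auto-detect", which is worth confirming rather than alarming about. What the pass buys a reviewer is that the interesting lines surface first in a log that is otherwise several hundred lines of vendor entries.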

#11 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 22 February 2012 - 11:57 AM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#12 cramjo
  • Topic Starter
  • Members
  • 15 posts

Posted 22 February 2012 - 11:59 AM

Hi Gringo,

Here is the report:

ACA Screen Recorder 4.00
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.6
ATI Catalyst Control Center
µTorrent
Bing Bar
CamStudio
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help English
CCC Help French
CCC Help German
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Turkish
Compatibility Pack for the 2007 Office system
Cool Edit Pro 2.1
Dell DataSafe Online
Dell Getting Started Guide
Dell Remote Access
e-tax 2011
gBurner
Google Chrome
Google Update Helper
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java™ 6 Update 31
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft Choice Guard
Microsoft Default Manager
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Office Suite Activation Assistant
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox 10.0.2 (x86 en-US)
MSVC80_x86_v2
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia Software Updater
PC Connectivity Solution
PhotobookShop.com.au
PowerDVD DX
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Skins
Spybot - Search & Destroy
swMSM
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual Studio 2008 x64 Redistributables
VLC media player 1.0.1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer


I posted this before though. Am I posting the wrong report?

Cheers,
Marc

#13 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 22 February 2012 - 12:19 PM

Hello

sorry about that Marc

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE: Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Adobe Reader 9.1
  • µTorrent
  • Bing Bar


  • Please download and install Revo Uninstaller Free
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.



TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Information and logs

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#14 cramjo

  • Topic Starter
  • Members
  • 15 posts
  • Local time:04:34 PM

Posted 22 February 2012 - 11:27 PM

Hi Gringo,

Thanks for your help again.

I successfully uninstalled Adobe Reader 9.1 & Bing Bar using Revo Uninstaller. I did not uninstall uTorrent as I use this program quite frequently for work. I've set up the settings of the program so I can only seed at max 1kb/sec (the lowest possible), and seeding stops when I have completed a download. Also, when I download a torrent a dialog box shows me all the files I'm about to download, so I can check for any nasties. Is there a compromise we can make here? Is there something I can run in the background, or settings I can change, to make uTorrent safer?

I ran TFC(Temp File Cleaner) with no trouble.

I ran Malwarebytes with no trouble and nothing was found. Log is below:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.23.01

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 7.0.6001.18000
Marc :: MARC-PC [administrator]

Protection: Enabled

23/02/2012 2:09:18 PM
mbam-log-2012-02-23 (14-09-18).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 384074
Time elapsed: 48 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

-----------------------------------------------------------------------------------------------------------------------------------------------------

I ran HijackThis with no problems. Log is below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:14:33 PM, on 23/02/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/USCON/19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~2\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Remote Access.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} (WRC Class) - http://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O20 - Winlogon Notify: GoToAssist - Invalid registry found
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0179821329568329) (0179821329568329mcinstcleanup) - Unknown owner - C:\Users\Marc\AppData\Local\Temp\017982~1.EXE (file missing)
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Advanced Networking Service (hnmsvc) - Dell Inc. - c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10649 bytes


My computer appears to be running fine now. No redirects and it is running a lot faster than before when it was infected.

I have quite a few anti-virus/malware programs on my computer now (AVG, McAfee, Spybot, MalwareBytes, HitmanPro & Microsoft Security Essentials). After we are done, do you think I should uninstall all of them except for Microsoft Security Essentials?

Also, I have another user account on my computer called "Computer". Do I need to run any processes when logged into this account?

Finally, could you please tell me the name of the virus I actually had?

Let me know if you would like me to run/uninstall anything else.

Thanks again.

Cheers,
Marc
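
A quick way to read a HijackThis log like the one above is to parse each entry, pull out the file path and flag the leftovers (lines marked "(file missing)", "(no file)" or "Invalid registry found") and anything starting from a temp folder, which is where a reviewer looks first. The Python below is an added example written for this thread, not part of HijackThis or of the fix posted here; the sample lines are copied from the log above, and the flag names and thresholds are my own choices.

```python
"""Triage HijackThis log lines: parse entries, extract the file path and flag
leftovers and oddities a reviewer would look at first.

Added example for this thread; not part of HijackThis or the posted fix.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~2\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O20 - Winlogon Notify: GoToAssist - Invalid registry found
O23 - Service: McAfee Application Installer Cleanup (0179821329568329) (0179821329568329mcinstcleanup) - Unknown owner - C:\Users\Marc\AppData\Local\Temp\017982~1.EXE (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in a binary/script extension; stops before any quote or argument.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|cab|htm|sys)\b', re.IGNORECASE)
# Markers HijackThis uses for registry entries whose target no longer exists.
ORPHAN_MARKERS = ("(file missing)", "(no file)", "Invalid registry found")


@dataclass
class Entry:
    section: str                    # e.g. "O4" (Run keys) or "O23" (services)
    body: str                       # everything after "Oxx - "
    path: Optional[str]             # first file path found in the body, if any
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for non-entry lines (headers, blanks)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    pm = PATH_RE.search(body)
    return Entry(section=section, body=body, path=pm.group(0) if pm else None)


def flag_entry(e: Entry) -> List[str]:
    """Attach triage notes. These are prompts for a human reviewer, not verdicts:
    a flagged line deserves a look; an unflagged line is not automatically clean."""
    flags: List[str] = []
    if any(marker in e.body for marker in ORPHAN_MARKERS):
        flags.append("orphaned")          # registry points at something no longer present
    if e.path and re.search(r"\\temp\\", e.path, re.IGNORECASE):
        flags.append("temp-location")     # autostart or service running out of a temp directory
    if (e.section == "O23" and "Unknown owner" in e.body and e.path
            and not e.path.lower().startswith("c:\\windows\\")):
        flags.append("unknown-owner")     # service with no publisher, outside the Windows dir
    return flags


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log and flag every entry in it."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


def count_by_section(entries: List[Entry]) -> Dict[str, int]:
    """How many entries of each section type (O2, O4, O23, ...) the log contains."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = ",".join(e.flags) if e.flags else "-"
        print(f"{e.section:<4} {mark:<35} {e.path or '(no path)'}")
```

On the sample, the McAfee cleanup service is the only line that collects all three flags (orphaned, temp-location, unknown-owner), which matches how it stands out in the full log.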

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:34 PM

Posted 23 February 2012 - 09:00 AM

Hello Marc

> I did not uninstall uTorrent as I use this program quite frequently for work.

It has been my experience that any P2P activity WILL lead to reinfection sooner or later. I am not here to make you remove it, but I am here to give you my best advice possible, and that being said, my best advice is to remove it. Whether or not you take my advice is up to you.

> I have quite a few anti-virus/malware programs on my computer now (AVG, McAfee, Spybot, MalwareBytes, HitmanPro & Microsoft Security Essentials). After we are done, do you think I should uninstall all of them except for Microsoft Security Essentials?

The setup that I use, and which has worked well for me, is:

MSE
Malwarebytes
WinPatrol

> Finally, could you please tell me the name of the virus I actually had?

You had a TDL4 variant, which makes a hidden partition on the hard drive.




Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
      O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
      O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
      O4 - Global Startup: Dell Remote Access.lnk = ?
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see whether you want to keep them or not:
    just copy the name between the brackets and paste it into the search box, for example
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo



