google redirects


This topic is locked. 31 replies to this topic.

#1 mangel

  • Members
  • 15 posts

Posted 21 February 2012 - 04:50 PM

So basically I don't know how, but I am infected by a redirect. I had been getting redirects and tried many things to kill it, but nothing is working, & then I got the rude awakening when I checked my sent folder in my Yahoo email that someone got in & sent what looks like spam to my email contacts. I need this thing killed & I need your help. I have prepared a DDS log per the instructions (no GMER as I am on 64-bit Win 7); let me know what you need me to do.
By the way, when MBAM spotted the file constantly & would try to kill it & then reboot, it kept saying it was in my svchost.exe. Don't know if that helps. I also have PING.EXE*32 running in my processes, but when I ran TDSSKiller or whatever that name is, it found something, 'cured' it, but the problem still persists. The thing that is scary is that it has gotten into my email. I have since changed my email password on another computer, but still, I want this f***er dead. Pardon my **.

And thanks in advance!

P.S. I am watching this topic.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by truehuss at 16:43:23 on 2012-02-21
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.7935.6743 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\SysWOW64\astsrv.exe
C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\nlsInterface.exe
C:\Windows\system32\p2csvc.exe
C:\Windows\SysWOW64\p2csvc32.exe
C:\Program Files (x86)\Photodex\ProShowProducer\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Windows\SysWOW64\DeltaIITray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [AdobeBridge]
uRun: [SoftAuto.exe] "C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe"
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [M-Audio Taskbar Icon] C:\Windows\system32\DeltaIITray.exe
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
dRun: [dplaysvr] %LOCALAPPDATA%\dplaysvr.exe
StartupFolder: C:\Users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\P2CARD~1.LNK - C:\Program Files (x86)\Panasonic P2\Drivers\App\P2TaskTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{D3C15174-67E4-4B02-99D1-E534B618A76A} : DhcpNameServer = 75.75.75.75 75.75.76.76
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [(Default)]
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [M-Audio Taskbar Icon] C:\Windows\system32\DeltaIITray.exe
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-11 652360]
R2 nlscc;Nalpeiron X64 Service;C:\Windows\system32\nlsInterface.exe --> C:\Windows\system32\nlsInterface.exe [?]
R2 p2csvc;p2csvc;C:\Windows\system32\p2csvc.exe -service --> C:\Windows\system32\p2csvc.exe -service [?]
R2 p2csvc32;p2csvc32;C:\Windows\SysWOW64\p2csvc32.exe -service --> C:\Windows\SysWOW64\p2csvc32.exe -service [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\system32\DRIVERS\MAudioDelta.sys --> C:\Windows\system32\DRIVERS\MAudioDelta.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 PLTurbo;Prolific turbo filter driver for odd;C:\Windows\system32\drivers\plturbo.sys --> C:\Windows\system32\drivers\plturbo.sys [?]
S3 CTUPnPSv;Creative Centrale Media Server;C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\76D5.tmp --> C:\Windows\system32\76D5.tmp [?]
S3 p2usb;Panasonic P2 Series USB Device;C:\Windows\system32\DRIVERS\p2usb.sys --> C:\Windows\system32\DRIVERS\p2usb.sys [?]
S3 PLTurbh;Prolific turbo filter driver for hdd;C:\Windows\system32\drivers\plturbh.sys --> C:\Windows\system32\drivers\plturbh.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S4 SirefefRemover;SirefefRemover;\??\C:\Windows\system32\Drivers\SirefefRemover.sys --> C:\Windows\system32\Drivers\SirefefRemover.sys [?]
.
=============== Created Last 30 ================
.
2012-02-18 20:43:56 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-18 03:59:08 6144 ------w- C:\Windows\System32\76D5.tmp
2012-02-18 03:57:26 6144 ------w- C:\Windows\System32\E54F.tmp
2012-02-18 03:56:46 6144 ------w- C:\Windows\System32\4A68.tmp
2012-02-18 03:56:40 -------- d-----w- C:\Program Files (x86)\Sophos
2012-02-17 20:37:02 179712 ---ha-w- C:\Users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 20:37:02 178176 ---ha-w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 17:17:31 16144 ----a-w- C:\Windows\System32\drivers\SirefefRemover.sys
2012-02-17 14:45:40 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-02-17 14:32:32 730456 ----a-w- C:\Windows\System32\PerfStringBackup.TMP
2012-02-10 16:16:18 -------- d-----w- C:\Program Files (x86)\56590
2012-02-10 16:16:18 -------- d-----w- C:\C6E56
2012-02-10 16:15:47 -------- d-----w- C:\Program Files (x86)\LP
2012-01-24 13:01:24 -------- d-----w- C:\Sun
.
==================== Find3M ====================
.
2011-12-23 01:43:30 122368 ---ha-w- C:\Windows\SysWow64\srrstr.dll
2011-12-10 20:24:08 23152 ---ha-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 16:44:28.56 ===============

Edited by mangel, 21 February 2012 - 05:03 PM.


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 22 February 2012 - 09:02 AM

Hello and welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 mangel

  • Topic Starter
  • Members
  • 15 posts

Posted 23 February 2012 - 10:20 AM

I tried to run ComboFix, but it keeps telling me I have Ad-Watch Live running & it could damage my computer if I ran it. I don't have Ad-Watch Live in my uninstall programs & I am sure I removed that a while ago. I can't find an answer on how to get it removed. I tried CCleaner to remove programs, but it doesn't show up. I can't even find it in my processes?? Should I run ComboFix anyway or...? Or do you know a way I can disable it with another software program so I can run ComboFix?

Thanks for your help.

P.S. Does what I have sound like a ZeroAccess rootkit, & if so, would you just recommend wiping the drive?

Edited by mangel, 23 February 2012 - 10:20 AM.


#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 23 February 2012 - 11:35 AM

Hello

"P.S. Does what I have sound like a ZeroAccess rootkit, & if so, would you just recommend wiping the drive?" - It is too early to tell.


Go ahead and run ComboFix anyway.


gringo

#5 mangel

  • Topic Starter
  • Members
  • 15 posts

Posted 23 February 2012 - 01:25 PM

Here is the ComboFix log. I experienced no problems running it, but I still got redirected to bing.com. Thanks again, Gringo!



ComboFix 12-02-22.01 - truehuss 02/23/2012 12:42:58.1.4 - x64
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.7935.6516 [GMT -5:00]
Running from: c:\users\truehuss\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Internet Explorer\1AD0.tmp
c:\program files (x86)\Internet Explorer\63A.tmp
c:\program files (x86)\Internet Explorer\936A.tmp
c:\program files (x86)\LP
c:\users\truehuss\AppData\Local\Microsoft\MicrosoftData
c:\users\truehuss\AppData\Roaming\vso_ts_preview.xml
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\system32\consrv.dll
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\System64
I:\Autorun.inf
I:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 17:49 . 2012-02-23 17:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-18 20:43 . 2012-02-18 20:43 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-18 03:59 . 2011-05-12 19:03 6144 ------w- c:\windows\system32\76D5.tmp
2012-02-18 03:57 . 2011-05-12 19:03 6144 ------w- c:\windows\system32\E54F.tmp
2012-02-18 03:56 . 2011-05-12 19:03 6144 ------w- c:\windows\system32\4A68.tmp
2012-02-18 03:56 . 2012-02-22 17:10 -------- d-----w- c:\program files (x86)\Sophos
2012-02-17 20:37 . 2011-02-03 23:20 179712 ---ha-w- c:\users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 20:37 . 2010-10-21 03:22 178176 ---ha-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 17:17 . 2012-02-17 17:17 16144 ----a-w- c:\windows\system32\drivers\SirefefRemover.sys
2012-02-17 14:45 . 2012-02-23 17:50 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-17 14:32 . 2012-02-23 13:40 730456 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-02-10 16:16 . 2012-02-10 16:16 -------- d-----w- c:\program files (x86)\56590
2012-02-10 16:16 . 2012-02-10 16:16 -------- d-----w- C:\C6E56
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-23 01:43 . 2011-12-23 06:00 122368 ---ha-w- c:\windows\SysWow64\srrstr.dll
2011-12-10 20:24 . 2011-09-11 16:11 23152 ---ha-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftAuto.exe"="c:\program files (x86)\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-10-16 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-11-16 36760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-11-16 821144]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"M-Audio Taskbar Icon"="c:\windows\system32\DeltaIITray.exe" [2009-07-27 236040]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
.
c:\users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CineFormActiveMetadataStatusViewer.exe [2011-2-3 179712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CineFormActiveMetadataStatusViewer.exe [2010-10-20 178176]
P2 Card Manager.lnk - c:\program files\Panasonic P2\Drivers\App\P2TaskTray.exe [2007-3-8 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
@=""
.
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\76D5.tmp [x]
R3 p2usb;Panasonic P2 Series USB Device;c:\windows\system32\DRIVERS\p2usb.sys [x]
R3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 SirefefRemover;SirefefRemover;c:\windows\system32\Drivers\SirefefRemover.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nlscc;Nalpeiron X64 Service;c:\windows\system32\nlsInterface.exe [x]
S2 p2csvc;p2csvc;c:\windows\system32\p2csvc.exe [x]
S2 p2csvc32;p2csvc32;c:\windows\SysWOW64\p2csvc32.exe [2008-07-25 61440]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\MAudioDelta.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-10-16 17:49 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-09-16 497648]
"combofix"="c:\combofix\CF14598.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
n3900
savscan
se45unic
us30sys
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Wow6432Node-HKLM-Run-DivXUpdate - c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe
Wow6432Node-HKU-Default-Run-dplaysvr - %LOCALAPPDATA%\dplaysvr.exe
AddRemove-Pictage Upload Tool - c:\windows\system32\javaws.exe
AddRemove-Zookbinders ROES - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\76D5.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\S-1-5-21-3315961098-2874439530-1663773424-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A4BD4AA1-3E55-F28E-F069-4FFEE4327C00}*]
"makelapdnagpabhjbfmenimila"=hex:6a,61,68,6d,69,65,6c,6c,69,6f,61,68,6b,68,62,
70,6b,6f,68,64,00,00
"abagflfjikndeoofgahloeeefndflepdna"=hex:61,61,00,00
"mabgeljobfpfpagakpfpdpgphc"=hex:61,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\astsrv.exe
c:\program files (x86)\Creative\Shared Files\CTDevSrv.exe
c:\program files (x86)\FileZilla Server\FileZilla Server.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\Photodex\ProShowProducer\ScsiAccess.exe
c:\windows\SysWOW64\DeltaIITray.exe
c:\windows\SysWOW64\ping.exe
.
**************************************************************************
.
Completion time: 2012-02-23 13:18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-23 18:18
.
Pre-Run: 188,987,031,552 bytes free
Post-Run: 187,750,526,976 bytes free
.
- - End Of File - - 2976E7886690BA85BA00EA6F50895DF0

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto rico

Posted 23 February 2012 - 02:52 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
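The TDSSKiller report requested above is a long driver-by-driver listing (one line with the service name, MD5 and image path, then a verdict line), and the items worth a second look are easy to miss by eye. The following Python is an added example, not code from this thread or from the TDSSKiller tool: it parses lines in that format into one record per driver and flags entries whose verdict is not "ok" or whose image sits outside the usual driver locations (for instance a .tmp file rather than a .sys), so a helper reviewing the log can find them quickly. Flagging only means "look at this", not "this is malicious". The sample lines are constructed: three reproduce the format of entries posted later in this thread, and the "exampledrv" pair with "Placeholder.Detection.Name" is invented so that a non-"ok" verdict is exercised; the parenthesised-detection form of the verdict line is an assumption about the tool's output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The 1394ohci, catchme and MEMSWEEP2 lines reproduce the
# format of the TDSSKiller 2.7 log posted in this thread; the "exampledrv" pair is
# invented so that a non-"ok" verdict is exercised, and "Placeholder.Detection.Name"
# is a placeholder, not a real detection. The parenthesised-detection form of the
# verdict line is an assumption about the tool's output format.
SAMPLE_LOG = r"""
23:05:41.0982 2732 Scan started
23:05:41.0982 2732 Mode: Manual; TDLFS;
23:05:43.0152 2732 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
23:05:43.0152 2732 1394ohci - ok
23:05:44.0728 2732 catchme - ok
23:05:47.0130 2732 MEMSWEEP2 (f9ce67e9e0226079b59107b649851f96) C:\Windows\system32\76D5.tmp
23:05:47.0130 2732 MEMSWEEP2 - ok
23:05:50.0000 2732 exampledrv (00000000000000000000000000000000) C:\Windows\system32\DRIVERS\exampledrv.sys
23:05:50.0000 2732 exampledrv ( Placeholder.Detection.Name ) - warning
"""

# "<time> <pid> <name> (<md5>) <path>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# "<time> <pid> <name> [( <detection> )] - <verdict>"
VERDICT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?:\(\s*(?P<detection>[^)]*?)\s*\)\s+)?-\s+(?P<verdict>\S+)\s*$"
)


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None      # None if the scan never reached a verdict line
    detection: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, Entry]:
    """Collect one Entry per service/driver name, merging its path and verdict lines."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.md5, e.path = m["md5"].lower(), m["path"]
            continue
        m = VERDICT_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.verdict = m["verdict"].lower()
            e.detection = m["detection"]   # None when no detection name was given
        # header, drive and partition lines do not match either pattern and are skipped
    return entries


def unusual_path(path: str) -> bool:
    """True when the image is not a .sys file under the Windows system32 tree.
    A temp file or a driver loaded from a user-writable location is worth a look."""
    p = path.lower()
    return not (p.startswith("c:\\windows\\system32\\") and p.endswith(".sys"))


def triage(entries: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs a human should review, in log order.
    Any verdict other than "ok" (including a missing one) comes first for that entry;
    otherwise an entry is flagged only for an unusual image path."""
    flagged: List[Tuple[str, str]] = []
    for e in entries.values():
        if e.verdict != "ok":
            flagged.append((e.name, f"verdict={e.verdict}"))
        elif e.path and unusual_path(e.path):
            flagged.append((e.name, "unusual_path"))
    return flagged


if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for name, reason in triage(parsed):
        e = parsed[name]
        print(f"REVIEW {name}: {reason} path={e.path} detection={e.detection}")
```

Run it against a real log by reading the file into `parse_tdsskiller_log` instead of `SAMPLE_LOG`. On the constructed sample, MEMSWEEP2 is listed for review only because its image is a .tmp file, and exampledrv because of its placeholder "warning" verdict; the well-known entries with an "ok" verdict and a .sys under system32 are not reported.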

#7 mangel (Topic Starter)

  • Members
  • 15 posts

Posted 24 February 2012 - 12:30 AM

Ok, I ran TDSSKiller and nothing showed up. I ran aswMBR and it crashed 2x, and then the 3rd time it went through... now, of course without thinking, I saw that aswMBR showed 3 infections and decided, without you telling me to of course, to choose the 'fix' option. Comp rebooted and then had the error about not being able to start; I chose to repair, but at the same time it was being repaired a window for the recovery console came up. I checked ok, so I think I may have just gone back to the combofix recovery point!! wow. Anyway, I ran everything again, except aswMBR as it now keeps crashing. I am uploading the aswMBR that did go through though, and it shows the infections. And by the way, one of them is -Win64:ZAccess-A- so does that mean this is a zeroaccess rootkit?

Anyway, sorry for not listening and being rebellious. Here are the logs.

Tdsskiller Log

23:05:31.0452 2276 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
23:05:31.0717 2276 ============================================================
23:05:31.0717 2276 Current date / time: 2012/02/23 23:05:31.0717
23:05:31.0717 2276 SystemInfo:
23:05:31.0717 2276
23:05:31.0717 2276 OS Version: 6.1.7600 ServicePack: 0.0
23:05:31.0717 2276 Product type: Workstation
23:05:31.0717 2276 ComputerName: TRUEHUSS-PC
23:05:31.0717 2276 UserName: truehuss
23:05:31.0717 2276 Windows directory: C:\Windows
23:05:31.0717 2276 System windows directory: C:\Windows
23:05:31.0717 2276 Running under WOW64
23:05:31.0717 2276 Processor architecture: Intel x64
23:05:31.0717 2276 Number of processors: 4
23:05:31.0717 2276 Page size: 0x1000
23:05:31.0717 2276 Boot type: Normal boot
23:05:31.0717 2276 ============================================================
23:05:32.0778 2276 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:05:32.0794 2276 Drive \Device\Harddisk1\DR1 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:05:32.0809 2276 Drive \Device\Harddisk2\DR2 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:05:32.0825 2276 Drive \Device\Harddisk3\DR3 - Size: 0xE8E0DB5E00 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
23:05:32.0840 2276 \Device\Harddisk0\DR0:
23:05:32.0840 2276 MBR used
23:05:32.0840 2276 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
23:05:32.0840 2276 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x4A825000
23:05:32.0840 2276 \Device\Harddisk1\DR1:
23:05:32.0840 2276 MBR used
23:05:32.0840 2276 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852FC1
23:05:32.0840 2276 \Device\Harddisk2\DR2:
23:05:32.0840 2276 MBR used
23:05:32.0840 2276 \Device\Harddisk2\DR2\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A18A82
23:05:32.0840 2276 \Device\Harddisk3\DR3:
23:05:32.0840 2276 MBR used
23:05:32.0840 2276 \Device\Harddisk3\DR3\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x747059C1
23:05:32.0934 2276 Initialize success
23:05:32.0934 2276 ============================================================
23:05:41.0982 2732 ============================================================
23:05:41.0982 2732 Scan started
23:05:41.0982 2732 Mode: Manual; TDLFS;
23:05:41.0982 2732 ============================================================
23:05:43.0152 2732 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
23:05:43.0152 2732 1394ohci - ok
23:05:43.0199 2732 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
23:05:43.0214 2732 ACPI - ok
23:05:43.0246 2732 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
23:05:43.0246 2732 AcpiPmi - ok
23:05:43.0308 2732 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
23:05:43.0308 2732 adp94xx - ok
23:05:43.0339 2732 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
23:05:43.0339 2732 adpahci - ok
23:05:43.0370 2732 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
23:05:43.0370 2732 adpu320 - ok
23:05:43.0433 2732 AFD (6ef20ddf3172e97d69f596fb90602f29) C:\Windows\system32\drivers\afd.sys
23:05:43.0448 2732 AFD - ok
23:05:43.0448 2732 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
23:05:43.0464 2732 agp440 - ok
23:05:43.0464 2732 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
23:05:43.0464 2732 aliide - ok
23:05:43.0495 2732 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
23:05:43.0495 2732 amdide - ok
23:05:43.0511 2732 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
23:05:43.0511 2732 AmdK8 - ok
23:05:43.0714 2732 amdkmdag (bbab5b28253fe0fc7255d8775ba05c1d) C:\Windows\system32\DRIVERS\atikmdag.sys
23:05:43.0885 2732 amdkmdag - ok
23:05:43.0885 2732 amdkmdap (cba35ff4092b91e105d93ed11a0250b6) C:\Windows\system32\DRIVERS\atikmpag.sys
23:05:43.0885 2732 amdkmdap - ok
23:05:43.0932 2732 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
23:05:43.0932 2732 AmdPPM - ok
23:05:43.0963 2732 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
23:05:43.0963 2732 amdsata - ok
23:05:43.0994 2732 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
23:05:43.0994 2732 amdsbs - ok
23:05:44.0010 2732 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
23:05:44.0010 2732 amdxata - ok
23:05:44.0041 2732 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
23:05:44.0041 2732 AppID - ok
23:05:44.0088 2732 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
23:05:44.0088 2732 arc - ok
23:05:44.0104 2732 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
23:05:44.0104 2732 arcsas - ok
23:05:44.0150 2732 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
23:05:44.0150 2732 AsyncMac - ok
23:05:44.0166 2732 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
23:05:44.0166 2732 atapi - ok
23:05:44.0182 2732 AtiHDAudioService (fda1e117a7e880bff5540d180c06ea87) C:\Windows\system32\drivers\AtihdW76.sys
23:05:44.0182 2732 AtiHDAudioService - ok
23:05:44.0353 2732 atikmdag (bbab5b28253fe0fc7255d8775ba05c1d) C:\Windows\system32\DRIVERS\atikmdag.sys
23:05:44.0400 2732 atikmdag - ok
23:05:44.0447 2732 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
23:05:44.0462 2732 b06bdrv - ok
23:05:44.0494 2732 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
23:05:44.0509 2732 b57nd60a - ok
23:05:44.0540 2732 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
23:05:44.0540 2732 Beep - ok
23:05:44.0572 2732 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
23:05:44.0572 2732 blbdrive - ok
23:05:44.0587 2732 bowser (19d20159708e152267e53b66677a4995) C:\Windows\system32\DRIVERS\bowser.sys
23:05:44.0587 2732 bowser - ok
23:05:44.0603 2732 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
23:05:44.0603 2732 BrFiltLo - ok
23:05:44.0603 2732 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
23:05:44.0603 2732 BrFiltUp - ok
23:05:44.0618 2732 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
23:05:44.0634 2732 BridgeMP - ok
23:05:44.0650 2732 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
23:05:44.0650 2732 Brserid - ok
23:05:44.0665 2732 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
23:05:44.0665 2732 BrSerWdm - ok
23:05:44.0681 2732 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
23:05:44.0681 2732 BrUsbMdm - ok
23:05:44.0696 2732 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
23:05:44.0696 2732 BrUsbSer - ok
23:05:44.0712 2732 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
23:05:44.0712 2732 BTHMODEM - ok
23:05:44.0728 2732 catchme - ok
23:05:44.0743 2732 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
23:05:44.0743 2732 cdfs - ok
23:05:44.0774 2732 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
23:05:44.0774 2732 cdrom - ok
23:05:44.0806 2732 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
23:05:44.0806 2732 circlass - ok
23:05:44.0837 2732 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
23:05:44.0837 2732 CLFS - ok
23:05:44.0884 2732 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
23:05:44.0884 2732 CmBatt - ok
23:05:44.0899 2732 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
23:05:44.0899 2732 cmdide - ok
23:05:44.0930 2732 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
23:05:44.0946 2732 CNG - ok
23:05:44.0962 2732 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
23:05:44.0962 2732 Compbatt - ok
23:05:44.0993 2732 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
23:05:44.0993 2732 CompositeBus - ok
23:05:45.0008 2732 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
23:05:45.0008 2732 crcdisk - ok
23:05:45.0071 2732 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
23:05:45.0086 2732 CSC - ok
23:05:45.0164 2732 DELTAII (877c5f051024231f5774bf8184c78d4a) C:\Windows\system32\DRIVERS\MAudioDelta.sys
23:05:45.0164 2732 DELTAII - ok
23:05:45.0180 2732 DfsC (9c253ce7311ca60fc11c774692a13208) C:\Windows\system32\Drivers\dfsc.sys
23:05:45.0196 2732 DfsC - ok
23:05:45.0227 2732 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
23:05:45.0242 2732 discache - ok
23:05:45.0258 2732 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
23:05:45.0258 2732 Disk - ok
23:05:45.0320 2732 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
23:05:45.0336 2732 drmkaud - ok
23:05:45.0383 2732 DXGKrnl (1633b9abf52784a1331476397a48cbef) C:\Windows\System32\drivers\dxgkrnl.sys
23:05:45.0398 2732 DXGKrnl - ok
23:05:45.0414 2732 E1G60 (edc6e9c057c9d7f83eea22b4cef5dcad) C:\Windows\system32\DRIVERS\E1G6032E.sys
23:05:45.0430 2732 E1G60 - ok
23:05:45.0539 2732 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
23:05:45.0601 2732 ebdrv - ok
23:05:45.0632 2732 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
23:05:45.0632 2732 elxstor - ok
23:05:45.0648 2732 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
23:05:45.0648 2732 ErrDev - ok
23:05:45.0664 2732 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
23:05:45.0679 2732 exfat - ok
23:05:45.0695 2732 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
23:05:45.0695 2732 fastfat - ok
23:05:45.0742 2732 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
23:05:45.0757 2732 fdc - ok
23:05:45.0773 2732 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
23:05:45.0773 2732 FileInfo - ok
23:05:45.0788 2732 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
23:05:45.0788 2732 Filetrace - ok
23:05:45.0851 2732 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
23:05:45.0851 2732 flpydisk - ok
23:05:45.0866 2732 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
23:05:45.0882 2732 FltMgr - ok
23:05:45.0929 2732 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
23:05:45.0944 2732 FsDepends - ok
23:05:45.0960 2732 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
23:05:45.0960 2732 Fs_Rec - ok
23:05:46.0022 2732 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
23:05:46.0022 2732 fvevol - ok
23:05:46.0038 2732 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
23:05:46.0038 2732 gagp30kx - ok
23:05:46.0054 2732 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
23:05:46.0054 2732 hcw85cir - ok
23:05:46.0085 2732 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
23:05:46.0100 2732 HdAudAddService - ok
23:05:46.0116 2732 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
23:05:46.0116 2732 HDAudBus - ok
23:05:46.0132 2732 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
23:05:46.0132 2732 HidBatt - ok
23:05:46.0147 2732 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
23:05:46.0163 2732 HidBth - ok
23:05:46.0163 2732 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
23:05:46.0163 2732 HidIr - ok
23:05:46.0210 2732 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
23:05:46.0210 2732 HidUsb - ok
23:05:46.0225 2732 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
23:05:46.0225 2732 HpSAMD - ok
23:05:46.0288 2732 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
23:05:46.0288 2732 HTTP - ok
23:05:46.0303 2732 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
23:05:46.0303 2732 hwpolicy - ok
23:05:46.0350 2732 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
23:05:46.0350 2732 i8042prt - ok
23:05:46.0366 2732 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
23:05:46.0381 2732 iaStorV - ok
23:05:46.0412 2732 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
23:05:46.0428 2732 iirsp - ok
23:05:46.0459 2732 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
23:05:46.0459 2732 intelide - ok
23:05:46.0490 2732 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
23:05:46.0490 2732 intelppm - ok
23:05:46.0522 2732 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
23:05:46.0522 2732 IpFilterDriver - ok
23:05:46.0568 2732 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
23:05:46.0568 2732 IPMIDRV - ok
23:05:46.0600 2732 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
23:05:46.0600 2732 IPNAT - ok
23:05:46.0662 2732 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
23:05:46.0662 2732 IRENUM - ok
23:05:46.0678 2732 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
23:05:46.0678 2732 isapnp - ok
23:05:46.0709 2732 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
23:05:46.0709 2732 iScsiPrt - ok
23:05:46.0740 2732 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
23:05:46.0740 2732 kbdclass - ok
23:05:46.0771 2732 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
23:05:46.0771 2732 kbdhid - ok
23:05:46.0802 2732 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
23:05:46.0802 2732 KSecDD - ok
23:05:46.0818 2732 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
23:05:46.0818 2732 KSecPkg - ok
23:05:46.0834 2732 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
23:05:46.0834 2732 ksthunk - ok
23:05:46.0865 2732 L1E (b8e670d7ef61615fa03104552854fac9) C:\Windows\system32\DRIVERS\L1E62x64.sys
23:05:46.0865 2732 L1E - ok
23:05:46.0912 2732 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
23:05:46.0912 2732 lltdio - ok
23:05:46.0927 2732 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
23:05:46.0927 2732 LSI_FC - ok
23:05:46.0943 2732 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
23:05:46.0943 2732 LSI_SAS - ok
23:05:46.0958 2732 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
23:05:46.0958 2732 LSI_SAS2 - ok
23:05:46.0974 2732 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
23:05:46.0974 2732 LSI_SCSI - ok
23:05:46.0990 2732 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
23:05:46.0990 2732 luafv - ok
23:05:47.0021 2732 MBAMProtector (79da94b35371b9e7104460c7693dcb2c) C:\Windows\system32\drivers\mbam.sys
23:05:47.0021 2732 MBAMProtector - ok
23:05:47.0052 2732 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
23:05:47.0052 2732 megasas - ok
23:05:47.0068 2732 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
23:05:47.0068 2732 MegaSR - ok
23:05:47.0130 2732 MEMSWEEP2 (f9ce67e9e0226079b59107b649851f96) C:\Windows\system32\76D5.tmp
23:05:47.0130 2732 MEMSWEEP2 - ok
23:05:47.0161 2732 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
23:05:47.0161 2732 Modem - ok
23:05:47.0208 2732 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
23:05:47.0208 2732 monitor - ok
23:05:47.0224 2732 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
23:05:47.0224 2732 mouclass - ok
23:05:47.0239 2732 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
23:05:47.0239 2732 mouhid - ok
23:05:47.0255 2732 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
23:05:47.0255 2732 mountmgr - ok
23:05:47.0270 2732 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
23:05:47.0286 2732 mpio - ok
23:05:47.0302 2732 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
23:05:47.0302 2732 mpsdrv - ok
23:05:47.0348 2732 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
23:05:47.0348 2732 MRxDAV - ok
23:05:47.0380 2732 mrxsmb (040d62a9d8ad28922632137acdd984f2) C:\Windows\system32\DRIVERS\mrxsmb.sys
23:05:47.0380 2732 mrxsmb - ok
23:05:47.0395 2732 mrxsmb10 (f0067552f8f9b33d7c59403ab808a3cb) C:\Windows\system32\DRIVERS\mrxsmb10.sys
23:05:47.0395 2732 mrxsmb10 - ok
23:05:47.0426 2732 mrxsmb20 (3c142d31de9f2f193218a53fe2632051) C:\Windows\system32\DRIVERS\mrxsmb20.sys
23:05:47.0426 2732 mrxsmb20 - ok
23:05:47.0442 2732 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
23:05:47.0458 2732 msahci - ok
23:05:47.0473 2732 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
23:05:47.0473 2732 msdsm - ok
23:05:47.0504 2732 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
23:05:47.0504 2732 Msfs - ok
23:05:47.0551 2732 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
23:05:47.0551 2732 mshidkmdf - ok
23:05:47.0567 2732 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
23:05:47.0567 2732 msisadrv - ok
23:05:47.0614 2732 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
23:05:47.0614 2732 MSKSSRV - ok
23:05:47.0660 2732 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
23:05:47.0676 2732 MSPCLOCK - ok
23:05:47.0676 2732 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
23:05:47.0676 2732 MSPQM - ok
23:05:47.0707 2732 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
23:05:47.0723 2732 MsRPC - ok
23:05:47.0738 2732 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
23:05:47.0738 2732 mssmbios - ok
23:05:47.0754 2732 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
23:05:47.0754 2732 MSTEE - ok
23:05:47.0770 2732 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
23:05:47.0770 2732 MTConfig - ok
23:05:47.0801 2732 MTsensor (03b7145c889603537e9ffeabb1ad1089) C:\Windows\system32\DRIVERS\ASACPI.sys
23:05:47.0801 2732 MTsensor - ok
23:05:47.0832 2732 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
23:05:47.0832 2732 Mup - ok
23:05:47.0863 2732 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
23:05:47.0863 2732 NativeWifiP - ok
23:05:47.0941 2732 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
23:05:47.0957 2732 NDIS - ok
23:05:47.0972 2732 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
23:05:47.0988 2732 NdisCap - ok
23:05:48.0035 2732 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
23:05:48.0035 2732 NdisTapi - ok
23:05:48.0066 2732 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
23:05:48.0066 2732 Ndisuio - ok
23:05:48.0082 2732 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
23:05:48.0097 2732 NdisWan - ok
23:05:48.0113 2732 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
23:05:48.0113 2732 NDProxy - ok
23:05:48.0175 2732 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
23:05:48.0175 2732 NetBIOS - ok
23:05:48.0206 2732 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
23:05:48.0206 2732 NetBT - ok
23:05:48.0253 2732 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
23:05:48.0253 2732 nfrd960 - ok
23:05:48.0316 2732 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
23:05:48.0316 2732 Npfs - ok
23:05:48.0331 2732 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
23:05:48.0331 2732 nsiproxy - ok
23:05:48.0394 2732 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
23:05:48.0394 2732 Ntfs - ok
23:05:48.0440 2732 NTIDrvr (7d397449aaf52b0e7c79b64f6ad4473e) C:\Windows\system32\Drivers\NTIDrvr.sys
23:05:48.0440 2732 NTIDrvr - ok
23:05:48.0456 2732 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
23:05:48.0456 2732 Null - ok
23:05:48.0503 2732 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
23:05:48.0503 2732 nvraid - ok
23:05:48.0518 2732 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
23:05:48.0534 2732 nvstor - ok
23:05:48.0550 2732 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
23:05:48.0550 2732 nv_agp - ok
23:05:48.0565 2732 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
23:05:48.0565 2732 ohci1394 - ok
23:05:48.0596 2732 p2usb (6aff92b698340720fa9f40ba7f5249cd) C:\Windows\system32\DRIVERS\p2usb.sys
23:05:48.0596 2732 p2usb - ok
23:05:48.0612 2732 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
23:05:48.0612 2732 Parport - ok
23:05:48.0628 2732 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
23:05:48.0628 2732 partmgr - ok
23:05:48.0659 2732 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
23:05:48.0659 2732 pci - ok
23:05:48.0674 2732 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
23:05:48.0674 2732 pciide - ok
23:05:48.0690 2732 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
23:05:48.0690 2732 pcmcia - ok
23:05:48.0706 2732 pcouffin (af7ce12c4f3dc8cb2b07685c916bbcfe) C:\Windows\system32\Drivers\pcouffin.sys
23:05:48.0706 2732 pcouffin - ok
23:05:48.0737 2732 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
23:05:48.0737 2732 pcw - ok
23:05:48.0768 2732 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
23:05:48.0768 2732 PEAUTH - ok
23:05:48.0815 2732 PLTurbh (42b13d2f086de0e45a9bf660b9bdfe49) C:\Windows\system32\drivers\plturbh.sys
23:05:48.0815 2732 PLTurbh - ok
23:05:48.0830 2732 PLTurbo (0ad28d803e5562fb3d54fc736b332eba) C:\Windows\system32\drivers\plturbo.sys
23:05:48.0830 2732 PLTurbo - ok
23:05:48.0862 2732 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
23:05:48.0877 2732 PptpMiniport - ok
23:05:48.0893 2732 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
23:05:48.0893 2732 Processor - ok
23:05:48.0955 2732 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
23:05:48.0955 2732 Psched - ok
23:05:48.0986 2732 PxHlpa64 (4712cc14e720ecccc0aa16949d18aaf1) C:\Windows\system32\Drivers\PxHlpa64.sys
23:05:48.0986 2732 PxHlpa64 - ok
23:05:49.0049 2732 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
23:05:49.0096 2732 ql2300 - ok
23:05:49.0111 2732 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
23:05:49.0111 2732 ql40xx - ok
23:05:49.0142 2732 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
23:05:49.0142 2732 QWAVEdrv - ok
23:05:49.0158 2732 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
23:05:49.0158 2732 RasAcd - ok
23:05:49.0189 2732 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
23:05:49.0189 2732 RasAgileVpn - ok
23:05:49.0205 2732 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
23:05:49.0205 2732 Rasl2tp - ok
23:05:49.0220 2732 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
23:05:49.0220 2732 RasPppoe - ok
23:05:49.0236 2732 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
23:05:49.0236 2732 RasSstp - ok
23:05:49.0267 2732 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
23:05:49.0267 2732 rdbss - ok
23:05:49.0283 2732 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
23:05:49.0298 2732 rdpbus - ok
23:05:49.0314 2732 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
23:05:49.0314 2732 RDPCDD - ok
23:05:49.0345 2732 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
23:05:49.0345 2732 RDPDR - ok
23:05:49.0392 2732 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
23:05:49.0392 2732 RDPENCDD - ok
23:05:49.0392 2732 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
23:05:49.0392 2732 RDPREFMP - ok
23:05:49.0423 2732 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
23:05:49.0423 2732 RDPWD - ok
23:05:49.0454 2732 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
23:05:49.0454 2732 rdyboost - ok
23:05:49.0517 2732 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
23:05:49.0517 2732 rspndr - ok
23:05:49.0579 2732 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
23:05:49.0579 2732 s3cap - ok
23:05:49.0657 2732 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
23:05:49.0657 2732 sbp2port - ok
23:05:49.0688 2732 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
23:05:49.0688 2732 scfilter - ok
23:05:49.0735 2732 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
23:05:49.0735 2732 secdrv - ok
23:05:49.0798 2732 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
23:05:49.0813 2732 Serenum - ok
23:05:49.0829 2732 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
23:05:49.0829 2732 Serial - ok
23:05:49.0844 2732 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
23:05:49.0844 2732 sermouse - ok
23:05:49.0876 2732 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
23:05:49.0876 2732 sffdisk - ok
23:05:49.0891 2732 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
23:05:49.0891 2732 sffp_mmc - ok
23:05:49.0907 2732 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
23:05:49.0907 2732 sffp_sd - ok
23:05:49.0907 2732 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
23:05:49.0907 2732 sfloppy - ok
23:05:49.0922 2732 SirefefRemover (cb172725d1c49c79fe60634e29ab4b72) C:\Windows\system32\Drivers\SirefefRemover.sys
23:05:49.0922 2732 SirefefRemover - ok
23:05:49.0938 2732 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
23:05:49.0938 2732 SiSRaid2 - ok
23:05:49.0938 2732 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
23:05:49.0954 2732 SiSRaid4 - ok
23:05:50.0000 2732 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
23:05:50.0000 2732 Smb - ok
23:05:50.0047 2732 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
23:05:50.0047 2732 spldr - ok
23:05:50.0141 2732 sptd (602884696850c86434530790b110e8eb) C:\Windows\System32\Drivers\sptd.sys
23:05:50.0156 2732 sptd - ok
23:05:50.0188 2732 srv (2408c0366d96bcdf63e8f1c78e4a29c5) C:\Windows\system32\DRIVERS\srv.sys
23:05:50.0188 2732 srv - ok
23:05:50.0219 2732 srv2 (76548f7b818881b47d8d1ae1be9c11f8) C:\Windows\system32\DRIVERS\srv2.sys
23:05:50.0219 2732 srv2 - ok
23:05:50.0234 2732 srvnet (0af6e19d39c70844c5caa8fb0183c36e) C:\Windows\system32\DRIVERS\srvnet.sys
23:05:50.0234 2732 srvnet - ok
23:05:50.0281 2732 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
23:05:50.0281 2732 stexstor - ok
23:05:50.0359 2732 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
23:05:50.0359 2732 storflt - ok
23:05:50.0375 2732 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
23:05:50.0375 2732 storvsc - ok
23:05:50.0390 2732 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
23:05:50.0390 2732 swenum - ok
23:05:50.0531 2732 Tcpip (b9d87c7707f058ac652a398cd28de14b) C:\Windows\system32\drivers\tcpip.sys
23:05:50.0531 2732 Tcpip - ok
23:05:50.0578 2732 TCPIP6 (b9d87c7707f058ac652a398cd28de14b) C:\Windows\system32\DRIVERS\tcpip.sys
23:05:50.0593 2732 TCPIP6 - ok
23:05:50.0609 2732 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
23:05:50.0609 2732 tcpipreg - ok
23:05:50.0640 2732 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
23:05:50.0656 2732 TDPIPE - ok
23:05:50.0656 2732 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
23:05:50.0671 2732 TDTCP - ok
23:05:50.0687 2732 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
23:05:50.0702 2732 tdx - ok
23:05:50.0718 2732 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
23:05:50.0718 2732 TermDD - ok
23:05:50.0765 2732 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
23:05:50.0765 2732 tssecsrv - ok
23:05:50.0812 2732 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
23:05:50.0827 2732 tunnel - ok
23:05:50.0827 2732 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
23:05:50.0843 2732 uagp35 - ok
23:05:50.0874 2732 UBHelper (00c8ce31657624a125fdb90efd554371) C:\Windows\system32\drivers\UBHelper.sys
23:05:50.0874 2732 UBHelper - ok
23:05:50.0921 2732 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
23:05:50.0921 2732 udfs - ok
23:05:50.0968 2732 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
23:05:50.0968 2732 uliagpkx - ok
23:05:51.0014 2732 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
23:05:51.0014 2732 umbus - ok
23:05:51.0030 2732 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
23:05:51.0030 2732 UmPass - ok
23:05:51.0061 2732 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
23:05:51.0061 2732 usbccgp - ok
23:05:51.0092 2732 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
23:05:51.0092 2732 usbcir - ok
23:05:51.0124 2732 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
23:05:51.0124 2732 usbehci - ok
23:05:51.0155 2732 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
23:05:51.0155 2732 usbhub - ok
23:05:51.0170 2732 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
23:05:51.0170 2732 usbohci - ok
23:05:51.0186 2732 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
23:05:51.0186 2732 usbprint - ok
23:05:51.0217 2732 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
23:05:51.0217 2732 USBSTOR - ok
23:05:51.0233 2732 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
23:05:51.0233 2732 usbuhci - ok
23:05:51.0248 2732 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
23:05:51.0248 2732 vdrvroot - ok
23:05:51.0264 2732 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
23:05:51.0264 2732 vga - ok
23:05:51.0295 2732 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
23:05:51.0295 2732 VgaSave - ok
23:05:51.0326 2732 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
23:05:51.0342 2732 vhdmp - ok
23:05:51.0342 2732 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
23:05:51.0342 2732 viaide - ok
23:05:51.0373 2732 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
23:05:51.0373 2732 vmbus - ok
23:05:51.0389 2732 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
23:05:51.0389 2732 VMBusHID - ok
23:05:51.0404 2732 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
23:05:51.0404 2732 volmgr - ok
23:05:51.0436 2732 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
23:05:51.0436 2732 volmgrx - ok
23:05:51.0451 2732 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
23:05:51.0451 2732 volsnap - ok
23:05:51.0467 2732 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
23:05:51.0467 2732 vsmraid - ok
23:05:51.0498 2732 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
23:05:51.0498 2732 vwifibus - ok
23:05:51.0514 2732 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
23:05:51.0514 2732 WacomPen - ok
23:05:51.0560 2732 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
23:05:51.0560 2732 WANARP - ok
23:05:51.0560 2732 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
23:05:51.0560 2732 Wanarpv6 - ok
23:05:51.0576 2732 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
23:05:51.0576 2732 Wd - ok
23:05:51.0607 2732 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
23:05:51.0607 2732 Wdf01000 - ok
23:05:51.0670 2732 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
23:05:51.0670 2732 WfpLwf - ok
23:05:51.0685 2732 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
23:05:51.0685 2732 WIMMount - ok
23:05:51.0763 2732 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
23:05:51.0763 2732 WinUsb - ok
23:05:51.0810 2732 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
23:05:51.0810 2732 WmiAcpi - ok
23:05:51.0857 2732 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
23:05:51.0872 2732 ws2ifsl - ok
23:05:51.0904 2732 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
23:05:51.0904 2732 WudfPf - ok
23:05:51.0919 2732 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
23:05:51.0919 2732 WUDFRd - ok
23:05:51.0966 2732 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
23:05:52.0075 2732 \Device\Harddisk0\DR0 - ok
23:05:52.0091 2732 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1
23:05:52.0153 2732 \Device\Harddisk1\DR1 - ok
23:05:52.0169 2732 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
23:05:52.0231 2732 \Device\Harddisk2\DR2 - ok
23:05:52.0247 2732 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR3
23:05:52.0403 2732 \Device\Harddisk3\DR3 - ok
23:05:52.0403 2732 Boot (0x1200) (bafb0cda06ff9d31e2c89f007d25686f) \Device\Harddisk0\DR0\Partition0
23:05:52.0403 2732 \Device\Harddisk0\DR0\Partition0 - ok
23:05:52.0418 2732 Boot (0x1200) (d4c4381fde66e73a964059ec6ff7138d) \Device\Harddisk0\DR0\Partition1
23:05:52.0418 2732 \Device\Harddisk0\DR0\Partition1 - ok
23:05:52.0434 2732 Boot (0x1200) (2699725fed90d8a4a553412b2efda60d) \Device\Harddisk1\DR1\Partition0
23:05:52.0434 2732 \Device\Harddisk1\DR1\Partition0 - ok
23:05:52.0434 2732 Boot (0x1200) (58e53e8dbf156a7d2afd53c4c07ad2f6) \Device\Harddisk2\DR2\Partition0
23:05:52.0434 2732 \Device\Harddisk2\DR2\Partition0 - ok
23:05:52.0434 2732 Boot (0x1200) (d12c64838245874ad3d36200efa2f3c8) \Device\Harddisk3\DR3\Partition0
23:05:52.0434 2732 \Device\Harddisk3\DR3\Partition0 - ok
23:05:52.0434 2732 ============================================================
23:05:52.0434 2732 Scan finished
23:05:52.0434 2732 ============================================================
23:05:52.0512 2296 Detected object count: 0
23:05:52.0512 2296 Actual detected object count: 0
23:06:38.0080 2552 Deinitialize success

aswMBR log

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 19:18:47
-----------------------------
19:18:47.578 OS Version: Windows x64 6.1.7600
19:18:47.578 Number of processors: 4 586 0x402
19:18:47.578 ComputerName: TRUEHUSS-PC UserName: truehuss
19:18:49.887 Initialize success
19:18:53.756 AVAST engine defs: 12022301
19:18:58.841 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:18:58.841 Disk 0 Vendor: WDC_WD6401AALS-00E8B0 05.00K05 Size: 610480MB BusType: 3
19:18:58.841 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-1
19:18:58.841 Disk 1 Vendor: WDC_WD6401AALS-00L3B2 01.03B01 Size: 610480MB BusType: 3
19:18:58.857 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP2T0L0-3
19:18:58.857 Disk 2 Vendor: SAMSUNG_SP1614N TM100-24 Size: 152627MB BusType: 3
19:18:59.063 Disk 0 MBR read successfully
19:18:59.073 Disk 0 MBR scan
19:18:59.083 Disk 0 Windows 7 default MBR code
19:18:59.093 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
19:18:59.153 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 610378 MB offset 206848
19:18:59.303 Disk 0 scanning C:\Windows\system32\drivers
19:20:03.404 Service scanning
19:20:16.966 Modules scanning
19:20:16.966 Disk 0 trace - called modules:
19:20:16.997 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
19:20:16.997 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80077c6060]
19:20:16.997 3 CLASSPNP.SYS[fffff880018eb43f] -> nt!IofCallDriver -> [0xfffffa8007156580]
19:20:16.997 5 ACPI.sys[fffff88000f34781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80074fa060]
19:20:19.428 AVAST engine scan C:\Windows
19:22:33.083 AVAST engine scan C:\Windows\system32
19:23:28.821 File: C:\Windows\system32\consrv.dll.vir **INFECTED** Win32:Sirefef-HO [Rtk]
19:26:42.277 Disk 0 MBR has been saved successfully to "C:\Users\truehuss\Desktop\MBR.dat"
19:26:42.277 The log file has been saved successfully to "C:\Users\truehuss\Desktop\aswMBR1.txt"
19:27:21.539 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
19:27:21.632 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
19:27:22.740 AVAST engine scan C:\Windows\system32\drivers
19:27:26.499 Disk 0 MBR has been saved successfully to "C:\Users\truehuss\Desktop\MBR.dat"
19:27:30.897 AVAST engine scan C:\Users\truehuss
19:43:05.497 Disk 0 MBR has been saved successfully to "C:\Users\truehuss\Desktop\MBR.dat"
19:43:05.512 The log file has been saved successfully to "C:\Users\truehuss\Desktop\aswMBR3.txt"
19:48:42.980 AVAST engine scan C:\ProgramData
19:50:13.210 Scan finished successfully
20:48:47.663 Disk 0 MBR has been saved successfully to "C:\Users\truehuss\Desktop\MBR.dat"
20:48:47.663 The log file has been saved successfully to "C:\Users\truehuss\Desktop\aswMBR.txt"


Thanks again Gringo! Let me know what you would recommend

#8 gringo_pr

gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 February 2012 - 12:50 AM

Hello


Please don't do anything on your own anymore.


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
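The FRST log that gringo_pr asks for above runs to hundreds of lines, and the parts a responder actually reads are a handful of autorun and service entries. The script below is an editor's added example, not code from this thread or from the FRST project: it parses lines in FRST's Registry and Services format and flags, for a human reviewer, entries that warrant a closer look. The sample lines are copied from the FRST log posted later in this thread; the four heuristics (an autorun target under a Temp directory, a critical Winlogon value marked [x], FRST's marker for a path with no file behind it, an entry under Policies\Explorer\Run, and an image with an empty publisher field) are this example's own assumptions about what is worth reviewing, not a verdict on any entry.

```python
"""Triage helper for FRST-style log lines (editor's added example, not part of the thread)."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


# Sample input: lines copied from the FRST log posted in this thread, so the
# script runs offline. Section headers are included to show they are skipped.
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto [294400 2007-02-16] (Microsoft Corporation)
HKLM\...\Policies\Explorer\Run: [59t4] C:\DOCUME~1\mangel\LOCALS~1\Temp\1biq.exe
HKLM-x32\...\Winlogon: [Userinit] userinit [x]
Tcpip\Parameters: [DhcpNameServer] 68.87.64.150 68.87.75.198

==================== Services (Whitelisted) ======

4 Mhost; C:\Program Files (x86)\massive_mhost\mhost.exe [67584 2007-08-31] ()
2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [12288 2005-03-25] (Microsoft Corporation)
4 ASTCC; C:\WINDOWS\SYSTEM32\astsrv.exe [x]
"""

# Registry line: "HKLM\...\Run: [Name] <command> [size date] (Publisher)"
AUTORUN_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# Service line: "<start type> <name>; <image path> [size date] (Publisher)"
SERVICE_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")
# Trailing "[size date] (Publisher)" block that FRST appends when the file exists
META_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d\d-\d\d)\] \((?P<publisher>[^)]*)\)$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

# Winlogon values that control the logon chain (assumed list for this example)
CRITICAL_WINLOGON = {"Userinit", "Shell", "UIHost"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_autorun(key: str, name: str, rest: str, line: str) -> List[Finding]:
    out: List[Finding] = []
    if key.endswith("Winlogon") and name in CRITICAL_WINLOGON and rest.endswith("[x]"):
        out.append(Finding("high", f"Winlogon {name} value is marked [x]: no file found at that path", line))
    if TEMP_DIR_RE.search(rest):
        out.append(Finding("high", "autorun target lives in a Temp directory", line))
    if "Policies\\Explorer\\Run" in key:
        out.append(Finding("medium", "autorun under Policies\\Explorer\\Run, a key rarely used by legitimate software", line))
    meta = META_RE.search(rest)
    if meta and not meta.group("publisher"):
        out.append(Finding("low", "file carries no publisher name in its version info", line))
    return out


def check_service(start: str, name: str, rest: str, line: str) -> List[Finding]:
    out: List[Finding] = []
    if TEMP_DIR_RE.search(rest):
        out.append(Finding("high", f"service {name} runs from a Temp directory", line))
    if rest.endswith("[x]") and start != "4":
        # start type 4 is "disabled"; a missing binary there is usually an uninstall leftover
        out.append(Finding("medium", f"service {name} is enabled but its binary is missing", line))
    meta = META_RE.search(rest)
    if meta and not meta.group("publisher"):
        out.append(Finding("low", f"service {name} binary carries no publisher name", line))
    return out


def triage(log_text: str) -> List[Finding]:
    """Parse FRST Registry/Services lines and return findings, most severe first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue  # blank lines and section headers
        m = AUTORUN_RE.match(line)
        if m:
            findings.extend(check_autorun(m["key"], m["name"], m["rest"], line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(check_service(m["start"], m["name"], m["rest"], line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: keeps log order within a tier
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:>6}] {f.reason}")
        print(f"         {f.line}")
    print(summarize(results))
```

Against the sample, the Temp-directory autorun and the [x] Userinit value come out as high, the Policies\Explorer\Run location as medium and the publisher-less service as low, while the Microsoft-signed entries and the disabled service with a missing binary produce nothing. The output is a worklist, not a verdict; a name such as 59t4 is no evidence on its own, and each flagged path still has to be checked by hand, which is exactly what the thread goes on to do.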

#9 mangel

mangel
  • Topic Starter
  • Members
  • 15 posts

Posted 24 February 2012 - 04:28 PM

Sorry dude, won't happen again (being rebellious)

Here is the frst log

Scan result of Farbar Recovery Scan Tool Version: 23-02-2012 01
Ran by SYSTEM at 2012-02-24 16:00:07
Running from J:\
Microsoft Windows XP (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto [294400 2007-02-16] (Microsoft Corporation)
HKLM-x32\...\Run: [VIAJDS] "C:\Program Files (x86)\VIA\VIAudioi\HDADeck\VIAJDS.exe" [463872 2008-12-07] (TODO: <Company name>)
HKLM\...\Policies\Explorer\Run: [59t4] C:\DOCUME~1\mangel\LOCALS~1\Temp\1biq.exe
HKLM-x32\...\Winlogon: [Userinit] userinit [x]
HKLM\...\Winlogon: [UIHost] %SystemRoot%\system32\logonui.exe [x ] ()
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\avgrsstarter: avgrssta.dll (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\crypt32chain: crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet: cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll: cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy: dimsntfy.dll (Microsoft Corporation)
Winlogon\Notify\ScCertProp: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\Schedule: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\sclgntfy: sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn: WlNotify.dll (Microsoft Corporation)
Winlogon\Notify\termsrv: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\wlballoon: wlnotify.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 68.87.64.150 68.87.75.198

==================== Services (Whitelisted) ======

4 Adobe Version Cue CS4; "C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [284016 2008-08-15] (Adobe Systems Incorporated)
4 Alerter; C:\Windows\System32\alrsvc.dll [29696 2005-03-25] (Microsoft Corporation)
4 Ati HotKey Poller; C:\Windows\System32\Ati2evxx.exe [892928 2010-03-02] (ATI Technologies Inc.)
4 ATI Smart; C:\WINDOWS\system32\ati2saag.exe [665088 2009-09-25] ()
4 avg9emc; "C:\Program Files (x86)\AVG\AVG9\avgemc.exe" [921952 2010-09-08] (AVG Technologies CZ, s.r.o.)
4 avg9wd; "C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe" [308136 2010-09-08] (AVG Technologies CZ, s.r.o.)
4 BUNAgentSvc; "C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe" [16384 2008-03-03] (NewTech Infosystems, Inc.)
4 CiSvc; C:\Windows\System32\cisvc.exe [8704 2005-03-25] (Microsoft Corporation)
3 ClipSrv; C:\Windows\System32\clipsrv.exe [49664 2005-03-25] (Microsoft Corporation)
4 CTDevice_Srv; C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe [61440 2007-04-01] (Creative Technology Ltd)
4 CTUPnPSv; C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [64000 2008-05-21] (Creative Technology Ltd)
3 dmadmin; C:\Windows\System32\dmadmin.exe /com [399872 2007-02-16] (Microsoft Corporation)
2 dmserver; C:\Windows\System32\dmserver.dll [37376 2007-02-16] (Microsoft Corporation)
2 ERSvc; C:\Windows\System32\ersvc.dll [31744 2005-03-25] (Microsoft Corporation)
2 Eventlog; C:\Windows\System32\services.exe [227840 2009-03-19] (Microsoft Corporation)
3 FLEXnet Licensing Service 64; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe" [1315592 2010-02-08] (Acresso Software Inc.)
2 helpsvc; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [77312 2007-02-16] (Microsoft Corporation)
3 HTTPFilter; C:\Windows\System32\w3ssl.dll [21504 2005-03-25] (Microsoft Corporation)
3 IASJet; C:\Windows\SysWOW64\iasrecst.dll [162816 2005-03-25] (Microsoft Corporation)
3 ImapiService; C:\WINDOWS\system32\imapi.exe [265728 2007-02-16] (Microsoft Corporation)
4 IntuitUpdateService; "C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13088 2009-09-29] (Intuit Inc.)
2 iReboot; "C:\Program Files (x86)\NeoSmart Technologies\iReboot\iRebootd.exe" [9216 2008-04-27] ()
4 Messenger; C:\Windows\System32\msgsvc.dll [57344 2007-02-16] (Microsoft Corporation)
4 Mhost; C:\Program Files (x86)\massive_mhost\mhost.exe [67584 2007-08-31] ()
4 mi-raysat_3dsmax2010_64; "C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_64server.exe" [86016 2009-03-12] ()
3 NetDDE; C:\Windows\System32\netdde.exe [160768 2007-02-16] (Microsoft Corporation)
3 NetDDEdsdm; C:\Windows\System32\netdde.exe [160768 2007-02-16] (Microsoft Corporation)
3 Nla; C:\Windows\System32\mswsock.dll [492544 2008-06-21] (Microsoft Corporation)
4 NTISchedulerSvc; C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-03-07] ()
3 NtLmSsp; C:\Windows\System32\lsass.exe [14336 2005-03-25] (Microsoft Corporation)
3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [794112 2007-02-16] (Microsoft Corporation)
2 PlugPlay; C:\Windows\System32\services.exe [227840 2009-03-19] (Microsoft Corporation)
2 PolicyAgent; C:\Windows\System32\lsass.exe [14336 2005-03-25] (Microsoft Corporation)
3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [212480 2007-02-16] (Microsoft Corporation)
3 SCardSvr; C:\Windows\System32\SCardSvr.exe [166400 2007-02-16] (Microsoft Corporation)
2 srservice; C:\WINDOWS\system32\srsvc.dll [231424 2007-02-16] (Microsoft Corporation)
2 SysmonLog; C:\Windows\System32\smlogsvc.exe [133120 2007-02-16] (Microsoft Corporation)
4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [113152 2007-02-16] (Microsoft Corporation)
3 UPS; C:\Windows\System32\ups.exe [34816 2005-03-25] (Microsoft Corporation)
3 WmdmPmSN; C:\WINDOWS\SysWOW64\mspmsnsv.dll [25088 2007-02-18] (Microsoft Corporation)
3 Wmi; C:\Windows\System32\advapi32.dll [1052160 2009-03-19] (Microsoft Corporation)
3 WMPNetworkSvc; "C:\Program Files (x86)\Windows Media Player\WMPNetwk.exe" [913408 2006-10-18] (Microsoft Corporation)
2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [12288 2005-03-25] (Microsoft Corporation)
2 WZCSVC; C:\Windows\System32\wzcsvc.dll [659968 2007-02-18] (Microsoft Corporation)
3 xmlprov; C:\Windows\System32\xmlprov.dll [326144 2007-02-16] (Microsoft Corporation)
4 ASTCC; C:\WINDOWS\SYSTEM32\astsrv.exe [x]
4 ASTSRV; C:\WINDOWS\system32\ASTSRV.EXE [x]
3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe [x]
4 HidServ; C:\Windows\System32\hidserv.dll [x]
4 idsvc; "c:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe" [x]
4 JavaQuickStarterService; "C:\Program Files (x86)\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
4 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [x]
4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]
3 WinHttpAutoProxySvc; winhttp.dll [x]

========================== Drivers (Whitelisted) =============

3 61883; C:\Windows\System32\DRIVERS\61883.sys [78080 2007-02-16] (Microsoft Corporation)
4 ACPIEC; C:\Windows\System32\Drivers\ACPIEC.sys [18432 2005-03-25] (Microsoft Corporation)
2 adfs; C:\Windows\System32\Drivers\adfs.sys [88632 2008-06-27] (Adobe Systems, Inc.)
3 aec; C:\Windows\System32\drivers\aec.sys [188928 2005-03-24] (Microsoft Corporation)
0 amdide64; C:\Windows\System32\DRIVERS\amdide64.sys [10632 2007-10-12] (Advanced Micro Devices)
1 AmdPPM64; C:\Windows\System32\DRIVERS\AmdPPM64.sys [44544 2007-04-16] (Advanced Micro Devices)
3 Arp1394; C:\Windows\System32\DRIVERS\arp1394.sys [111104 2007-02-16] (Microsoft Corporation)
1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [14392 2007-12-17] ()
3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [6127104 2010-03-02] (ATI Technologies Inc.)
3 Atmarpc; C:\Windows\System32\DRIVERS\atmarpc.sys [106496 2007-02-16] (Microsoft Corporation)
3 audstub; C:\Windows\System32\DRIVERS\audstub.sys [5632 2005-03-24] (Microsoft Corporation)
1 AvgLdx64; C:\Windows\System32\Drivers\avgldx64.sys [269904 2010-09-08] (AVG Technologies CZ, s.r.o.)
1 AvgMfx64; C:\Windows\System32\Drivers\avgmfx64.sys [35536 2010-09-08] (AVG Technologies CZ, s.r.o.)
0 AvgRkx64; C:\Windows\System32\Drivers\avgrkx64.sys [56008 2010-09-08] (AVG Technologies CZ, s.r.o.)
1 AvgTdiA; C:\Windows\System32\Drivers\avgtdia.sys [317520 2010-09-08] (AVG Technologies CZ, s.r.o.)
3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [24576 2007-02-16] (Microsoft Corporation)
2 CdaC15BA; C:\Windows\System32\DRIVERS\CdaC15BA.sys [13312 2005-03-25] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
2 CdaD10BA; C:\Windows\System32\DRIVERS\CdaD10BA.sys [13312 2005-03-25] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
3 DELTAII; C:\Windows\System32\DRIVERS\deltaII.sys [393736 2008-11-04] (Avid Technology, Inc.)
4 dmboot; C:\Windows\System32\drivers\dmboot.sys [415232 2007-02-16] (Microsoft Corporation)
0 dmio; C:\Windows\System32\drivers\dmio.sys [244224 2007-02-16] (Microsoft Corporation)
0 dmload; C:\Windows\System32\drivers\dmload.sys [9216 2005-03-25] (Microsoft Corporation)
1 Fips; C:\Windows\System32\Drivers\Fips.sys [50176 2007-02-16] (Microsoft Corporation)
0 Ftdisk; C:\Windows\System32\DRIVERS\ftdisk.sys [240128 2007-02-16] (Microsoft Corporation)
3 Gpc; C:\Windows\System32\DRIVERS\msgpc.sys [71168 2007-02-16] (Microsoft Corporation)
3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [239616 2005-07-13] (Windows ® Server 2003 DDK provider)
1 imapi; C:\Windows\System32\DRIVERS\imapi.sys [72704 2005-03-25] (Microsoft Corporation)
3 Ip6Fw; C:\Windows\System32\DRIVERS\Ip6Fw.sys [57856 2007-02-16] (Microsoft Corporation)
1 IPSec; C:\Windows\System32\DRIVERS\ipsec.sys [156672 2007-02-16] (Microsoft Corporation)
3 kmixer; C:\Windows\System32\drivers\kmixer.sys [204288 2005-03-24] (Microsoft Corporation)
3 L1e; C:\Windows\System32\DRIVERS\l1e51x64.sys [44032 2008-09-23] (Atheros Communications, Inc.)
1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [8192 2005-03-25] (Microsoft Corporation)
3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1854976 2008-02-13] (Creative Technology Ltd.)
3 MSDV; C:\Windows\System32\DRIVERS\msdv.sys [71680 2007-02-16] (Microsoft Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2008-01-21] ()
3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [103680 2007-02-16] (Microsoft Corporation)
3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [17408 2005-03-24] (Microsoft Corporation)
3 NIC1394; C:\Windows\System32\DRIVERS\nic1394.sys [92160 2005-03-24] (Microsoft Corporation)
3 NTIDrvr; C:\Windows\System32\Drivers\NTIDrvr.sys [16384 2008-01-30] (NewTech Infosystems, Inc.)
3 PSched; C:\Windows\System32\DRIVERS\psched.sys [106496 2007-02-16] (Microsoft Corporation)
3 Ptilink; C:\Windows\System32\DRIVERS\ptilink.sys [31232 2005-03-25] (Parallel Technologies, Inc.)
3 Raspti; C:\Windows\System32\DRIVERS\raspti.sys [31232 2005-03-25] (Microsoft Corporation)
1 redbook; C:\Windows\System32\DRIVERS\redbook.sys [64000 2005-03-24] (Microsoft Corporation)
3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [19968 2005-03-24] (Microsoft Corporation)
3 splitter; C:\Windows\System32\drivers\splitter.sys [10240 2007-02-16] (Microsoft Corporation)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [868848 2009-07-03] (Duplex Secure Ltd.)
4 sr; C:\Windows\System32\DRIVERS\sr.sys [123904 2005-03-25] (Microsoft Corporation)
3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [24576 2005-03-24] (Microsoft Corporation)
3 swmidi; C:\Windows\System32\drivers\swmidi.sys [86528 2005-03-24] (Microsoft Corporation)
3 sysaudio; C:\Windows\System32\drivers\sysaudio.sys [147456 2007-02-16] (Microsoft Corporation)
0 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [22016 2008-01-30] (NewTech Infosystems Corporation)
3 Update; C:\Windows\System32\DRIVERS\update.sys [81920 2007-02-16] (Microsoft Corporation)
3 wdmaud; C:\Windows\System32\drivers\wdmaud.sys [187904 2007-02-16] (Microsoft Corporation)
3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [24192 2007-02-16] (Microsoft Corporation)
4 Abiosdsk; [x]
4 adpu160m; [x]
4 adpu320; [x]
4 aic78u2; [x]
4 aic78xx; [x]
4 AliIde; [x]
4 AmdIde; [x]
4 arc; [x]
2 Aspi32; C:\Windows\System32\drivers\aspi32.sys [x]
4 Atdisk; [x]
1 Changer; [x]
4 CmdIde; [x]
3 cpuz132; \??\C:\DOCUME~1\mangel\LOCALS~1\Temp\cpuz132\cpuz132_x64.sys [x]
4 dpti2o; [x]
3 GearAspiWDM; C:\Windows\System32\drivers\gearaspiwdm.sys [x]
1 i2omgmt; [x]
4 iirsp; [x]
4 IntelIde; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
4 mraid35x; [x]
3 PDCOMP; [x]
3 PDFRAME; [x]
3 PDRELI; [x]
3 PDRFRAME; [x]
4 Simbad; [x]
4 symc8xx; [x]
4 symmpi; [x]
4 sym_hi; [x]
4 sym_u3; [x]
4 TosIde; [x]
4 ultra; [x]
4 ViaIde; [x]
3 WDICA; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-02-24 16:00 - 2012-02-24 16:00 - 0000000 ____D C:\FRST


============ 3 Months Modified Files and Folders =============

2012-02-24 16:00 - 2012-02-24 16:00 - 0000000 ____D C:\FRST
2012-02-16 12:10 - 2010-05-05 09:35 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\F15D83928385A492DFF8281DF2F5A092
2012-01-17 19:12 - 2012-01-17 19:12 - 0000000 ____D C:\New folder

========================= Known DLLs (Whitelisted) ============

[2005-03-25 00:00] - [2005-03-25 00:00] - 0003072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\lz32.dll
[2007-02-16 20:42] - [2007-02-16 20:42] - 0131584 ____A (Microsoft Corporation) C:\Windows\System32\olecli32.dll
[2007-02-18 07:05] - [2007-02-18 07:05] - 0076288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\olecli32.dll
[2007-02-16 20:42] - [2007-02-16 20:42] - 0056832 ____A (Microsoft Corporation) C:\Windows\System32\olecnv32.dll
[2007-02-18 07:05] - [2007-02-18 07:05] - 0038912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\olecnv32.dll
[2005-03-25 00:00] - [2005-03-25 00:00] - 0038912 ____A (Microsoft Corporation) C:\Windows\System32\olesvr32.dll
[2005-03-25 00:00] - [2005-03-25 00:00] - 0024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\olesvr32.dll
[2009-03-08 00:34] - [2009-03-08 00:34] - 0105984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
[2007-02-16 21:04] - [2007-02-16 21:04] - 0250368 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
C:\Windows\SysWOW64\wow64.dll is missing
[2005-03-25 00:00] - [2005-03-25 00:00] - 0018944 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
C:\Windows\SysWOW64\wow64cpu.dll is missing
[2007-02-16 21:04] - [2007-02-16 21:04] - 0286720 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wow64win.dll is missing

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe
[2007-02-16 21:02] - [2007-02-16 21:02] - 0944128 ____A (Microsoft Corporation) 901C7E44D11C00CA9D48BA1A866FDC4B

C:\Windows\System32\wininit.exe is missing.
C:\Windows\SysWOW64\wininit.exe is missing.
C:\Windows\explorer.exe
[2007-02-16 20:20] - [2007-02-16 20:20] - 1364480 ____A (Microsoft Corporation) AE7A08C05F72A9242734C03230A5CD7F

C:\Windows\SysWOW64\explorer.exe
[2007-02-18 07:05] - [2007-02-18 07:05] - 1053184 ____A (Microsoft Corporation) A26C39540F8BE3729846E360E2C57344

C:\Windows\System32\svchost.exe
[2007-02-16 20:59] - [2007-02-16 20:59] - 0025600 ____A (Microsoft Corporation) 46300880A5062A41C16DF5E3E836A6C9

C:\Windows\SysWOW64\svchost.exe
[2007-02-18 07:05] - [2007-02-18 07:05] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

C:\Windows\System32\User32.dll
[2007-03-01 21:54] - [2007-03-01 21:54] - 1086464 ____A (Microsoft Corporation) C34683231AA9162B2106CA149B729D38

C:\Windows\SysWOW64\User32.dll
[2007-03-01 21:54] - [2007-03-01 21:54] - 0602624 ____A (Microsoft Corporation) 8BE4E29DA25073BF7894E2A61C9525DE

C:\Windows\System32\Drivers\volsnap.sys
[2007-02-16 21:01] - [2007-02-16 21:01] - 0288768 ____A (Microsoft Corporation) FD6D28D1BBF31C719D9C5EC2D20FB5C2


========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 7935.18 MB
Available physical RAM: 7178.27 MB
Total Pagefile: 7933.33 MB
Available Pagefile: 7172.61 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

2 Drive c: (6-) (Fixed) (Total:596.16 GB) (Free:112.43 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (New Volume) (Fixed) (Total:149.05 GB) (Free:28.85 GB) NTFS
4 Drive f: (FreeAgent GoFlex Drive) (Fixed) (Total:931.51 GB) (Free:655.98 GB) NTFS
5 Drive g: () (Fixed) (Total:596.07 GB) (Free:175.79 GB) NTFS
6 Drive h: (WORKFLOWFINAL) (CDROM) (Total:7.16 GB) (Free:0 GB) UDF
8 Drive j: (WindowsPE) (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 596 GB 9 MB
Disk 2 Online 149 GB 0 B
Disk 3 Online 931 GB 0 B
Disk 4 Online 3824 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 596 GB 101 MB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y System Rese NTFS Partition 100 MB Healthy

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G NTFS Partition 596 GB Healthy

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 596 GB 31 KB

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C 6- NTFS Partition 596 GB Healthy

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 31 KB

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 E New Volume NTFS Partition 149 GB Healthy

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 31 KB

Disk: 3
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 F FreeAgent G NTFS Partition 931 GB Healthy

Partitions of Disk 4:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 31 KB

Disk: 4
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J WindowsPE FAT32 Removable 3823 MB Healthy


======================= End Of Log ==========================

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:53 AM

Posted 24 February 2012 - 05:10 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
C:\Windows\system32\consrv.dll.vir
C:\Windows\assembly\temp\U\80000004.@
C:\Windows\assembly\temp\U\80000032.@

Folder::
C:\Windows\assembly\temp\U

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 mangel

mangel
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:53 AM

Posted 24 February 2012 - 07:02 PM

Can't tell if the redirects are gone, but so far I haven't gotten one. It did trick me earlier & then started up again, so I don't know. Will keep you updated, but here's the log.

And by the way, was this a ZeroAccess rootkit? I have changed most of my passwords, but should I be worried?

Thanks for all your help bro!

ComboFix 12-02-22.01 - truehuss 02/24/2012 17:44:48.1.4 - x64
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.7935.6668 [GMT -5:00]
Running from: c:\users\truehuss\Desktop\ComboFix.exe
Command switches used :: c:\users\truehuss\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\assembly\temp\U\80000004.@"
"c:\windows\assembly\temp\U\80000032.@"
"c:\windows\system32\consrv.dll.vir"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\truehuss\Desktop\Internet Explorer.lnk
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\assembly\temp\U
c:\windows\assembly\temp\U\00000001.@
c:\windows\assembly\temp\U\00000002.@
c:\windows\assembly\temp\U\00000004.@
c:\windows\assembly\temp\U\000000c0.@
c:\windows\assembly\temp\U\000000cb.@
c:\windows\assembly\temp\U\000000cf.@
c:\windows\assembly\temp\U\80000000.@
c:\windows\assembly\temp\U\80000004.@
c:\windows\assembly\temp\U\80000032.@
c:\windows\assembly\temp\U\80000064.@
c:\windows\assembly\temp\U\800000c0.@
c:\windows\assembly\temp\U\800000cb.@
c:\windows\assembly\temp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\system32\consrv.dll.vir
c:\windows\system32\drivers\etc\hosts.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-18 20:43 . 2012-02-18 20:43 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-18 03:59 . 2011-05-12 19:03 6144 ----a-w- c:\windows\system32\76D5.tmp
2012-02-18 03:57 . 2011-05-12 19:03 6144 ----a-w- c:\windows\system32\E54F.tmp
2012-02-18 03:56 . 2011-05-12 19:03 6144 ----a-w- c:\windows\system32\4A68.tmp
2012-02-18 03:56 . 2012-02-22 17:10 -------- d-----w- c:\program files (x86)\Sophos
2012-02-17 20:37 . 2011-02-03 23:20 179712 ---ha-w- c:\users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 20:37 . 2010-10-21 03:22 178176 ---ha-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 17:17 . 2012-02-17 17:17 16144 ----a-w- c:\windows\system32\drivers\SirefefRemover.sys
2012-02-17 14:45 . 2012-02-24 22:52 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-17 14:32 . 2012-02-24 22:56 730456 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-02-10 16:16 . 2012-02-10 16:16 -------- d-----w- c:\program files (x86)\56590
2012-02-10 16:16 . 2012-02-10 16:16 -------- d-----w- C:\C6E56
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-23 01:43 . 2011-12-23 06:00 122368 ---ha-w- c:\windows\SysWow64\srrstr.dll
2011-12-10 20:24 . 2011-09-11 16:11 23152 ---ha-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="" [BU]
"SoftAuto.exe"="c:\program files (x86)\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-10-16 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-11-16 36760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-11-16 821144]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"M-Audio Taskbar Icon"="c:\windows\system32\DeltaIITray.exe" [2009-07-27 236040]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [BU]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dplaysvr"="%LOCALAPPDATA%\dplaysvr.exe" [BU]
.
c:\users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CineFormActiveMetadataStatusViewer.exe [2011-2-3 179712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CineFormActiveMetadataStatusViewer.exe [2010-10-20 178176]
P2 Card Manager.lnk - c:\program files\Panasonic P2\Drivers\App\P2TaskTray.exe [2007-3-8 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
@=""
.
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\76D5.tmp [x]
R3 p2usb;Panasonic P2 Series USB Device;c:\windows\system32\DRIVERS\p2usb.sys [x]
R3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 SirefefRemover;SirefefRemover;c:\windows\system32\Drivers\SirefefRemover.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nlscc;Nalpeiron X64 Service;c:\windows\system32\nlsInterface.exe [x]
S2 p2csvc;p2csvc;c:\windows\system32\p2csvc.exe [x]
S2 p2csvc32;p2csvc32;c:\windows\SysWOW64\p2csvc32.exe [2008-07-25 61440]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\MAudioDelta.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-10-16 17:49 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-09-16 497648]
"combofix"="c:\combofix\CF28315.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
n3900
savscan
se45unic
us30sys
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\76D5.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\S-1-5-21-3315961098-2874439530-1663773424-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A4BD4AA1-3E55-F28E-F069-4FFEE4327C00}*]
"makelapdnagpabhjbfmenimila"=hex:6a,61,68,6d,69,65,6c,6c,69,6f,61,68,6b,68,62,
70,6b,6f,68,64,00,00
"abagflfjikndeoofgahloeeefndflepdna"=hex:61,61,00,00
"mabgeljobfpfpagakpfpdpgphc"=hex:61,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\astsrv.exe
c:\program files (x86)\Creative\Shared Files\CTDevSrv.exe
c:\program files (x86)\FileZilla Server\FileZilla Server.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\Photodex\ProShowProducer\ScsiAccess.exe
c:\windows\SysWOW64\DeltaIITray.exe
c:\windows\SysWOW64\ping.exe
.
**************************************************************************
.
Completion time: 2012-02-24 18:46:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 23:46
ComboFix2.txt 2012-02-24 03:52
ComboFix3.txt 2012-02-23 18:18
.
Pre-Run: 188,641,103,872 bytes free
Post-Run: 187,611,045,888 bytes free
.
- - End Of File - - 53742202D61BE80A8E2D5C126BA0618B

Edited by mangel, 24 February 2012 - 07:04 PM.
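A small triage script, added here as an example and not part of the thread, of ComboFix or of BleepingComputer: it parses the "Other Deletions" and "Files Created" sections of a ComboFix log in the layout shown above and flags the path patterns that the CFScripts in this thread targeted (the assembly\temp drop folder, consrv.dll in system32, hex-named .tmp files in system32, and numeric- or hex-named top-level folders). The sample log is a constructed excerpt built from paths in the posted log, and the indicator labels are my own.

```python
"""Triage helper for ComboFix logs (added example; not ComboFix's own code).

Pulls the 'Other Deletions' and 'Files Created' sections out of a log and
flags paths matching the patterns the helper's CFScripts targeted above.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in ComboFix's layout; paths are taken from the log posted
# in this thread, but this is not the full log. A raw string is required:
# "\U" in a normal string literal would be parsed as a unicode escape.
SAMPLE_LOG = r"""
ComboFix 12-02-22.01 - truehuss 02/24/2012 17:44:48.1.4 - x64
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\U\80000032.@
c:\windows\system32\consrv.dll
c:\windows\system32\drivers\etc\hosts.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-18 03:59 . 2011-05-12 19:03 6144 ----a-w- c:\windows\system32\76D5.tmp
2012-02-10 16:16 . 2012-02-10 16:16 -------- d-----w- c:\program files (x86)\56590
2012-02-10 16:16 . 2012-02-10 16:16 -------- d-----w- C:\C6E56
2012-02-18 20:43 . 2012-02-18 20:43 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
"""

# Section banners look like "((((( Name )))))"
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}\s*$")
# "Files Created" rows: "<created> . <modified> <size> <attrs> <path>";
# size is "--------" for folders, and the path may contain spaces.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$"
)

# Labels are my own; patterns mirror what the CFScripts in this thread removed.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("drop folder under assembly\\temp", re.compile(r"\\assembly\\temp\\", re.I)),
    ("consrv.dll in system32", re.compile(r"\\system32\\consrv\.dll", re.I)),
    ("hex-named .tmp in system32", re.compile(r"\\system32\\[0-9a-f]{4}\.tmp$", re.I)),
    ("numeric/hex-named top-level folder",
     re.compile(r"(\\program files( \(x86\))?\\\d+$|^[a-z]:\\[0-9a-f]{5}$)", re.I)),
]


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Return {section name: [path, ...]} for every banner-delimited section."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            # "Files Created from A to B" -> "Files Created"
            current = m.group(1).split(" from ")[0]
            sections[current] = []
            continue
        if current is None or line in ("", "."):
            continue  # ComboFix pads sections with lone "." lines
        if current == "Files Created":
            fm = CREATED_RE.match(line)
            if fm:
                sections[current].append(fm.group(1))
        else:
            sections[current].append(line)
    return sections


def triage(log: str) -> List[Tuple[str, str, str]]:
    """List (section, path, indicator label) for each path hitting an indicator."""
    sections = parse_sections(log)
    hits: List[Tuple[str, str, str]] = []
    for section in ("Other Deletions", "Files Created"):
        for path in sections.get(section, []):
            for label, pattern in INDICATORS:
                if pattern.search(path):
                    hits.append((section, path, label))
                    break  # report the first matching indicator only
    return hits


if __name__ == "__main__":
    for section, path, label in triage(SAMPLE_LOG):
        print(f"{section:16} {label:36} {path}")
```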


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:53 AM

Posted 24 February 2012 - 09:06 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
c:\windows\system32\76D5.tmp
c:\windows\system32\E54F.tmp
c:\windows\system32\4A68.tmp

Folder::
c:\program files (x86)\56590
C:\C6E56

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#13 mangel

mangel
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:53 AM

Posted 24 February 2012 - 10:12 PM

Here it is.

ComboFix 12-02-22.01 - truehuss 02/24/2012 21:28:03.2.4 - x64
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.7935.6259 [GMT -5:00]
Running from: c:\users\truehuss\Desktop\ComboFix.exe
Command switches used :: c:\users\truehuss\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\4A68.tmp"
"c:\windows\system32\76D5.tmp"
"c:\windows\system32\E54F.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\C6E56
c:\program files (x86)\56590
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\4A68.tmp
c:\windows\system32\76D5.tmp
c:\windows\system32\E54F.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2012-01-25 to 2012-02-25 )))))))))))))))))))))))))))))))
.
.
2012-02-18 20:43 . 2012-02-18 20:43 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-18 03:56 . 2012-02-22 17:10 -------- d-----w- c:\program files (x86)\Sophos
2012-02-17 20:37 . 2011-02-03 23:20 179712 ----a-w- c:\users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 20:37 . 2010-10-21 03:22 178176 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
2012-02-17 17:17 . 2012-02-17 17:17 16144 ----a-w- c:\windows\system32\drivers\SirefefRemover.sys
2012-02-17 14:45 . 2012-02-24 23:40 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-23 01:43 . 2011-12-23 06:00 122368 ----a-w- c:\windows\SysWow64\srrstr.dll
2011-12-10 20:24 . 2011-09-11 16:11 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-24_23.26.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 05:10 . 2012-02-24 23:28 46046 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-10-28 16:43 . 2012-02-24 23:28 13224 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3315961098-2874439530-1663773424-1000_UserData.bin
+ 2010-10-28 19:18 . 2012-02-24 23:44 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-10-28 19:18 . 2012-02-24 23:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-10-28 19:18 . 2012-02-24 23:44 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-10-28 19:18 . 2012-02-24 23:25 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-24 23:44 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-24 23:25 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-02-25 02:32 . 2012-02-25 02:32 1604 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2012-02-24 22:52 . 2012-02-24 22:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-25 02:33 . 2012-02-25 02:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-25 02:33 . 2012-02-25 02:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-24 22:52 . 2012-02-24 22:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-02-25 02:37 627336 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-25 02:37 107514 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-02-24 22:51 435272 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-02-25 02:32 435272 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-09-11 16:21 . 2012-02-24 22:51 7042148 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3315961098-2874439530-1663773424-1000-4096.dat
+ 2011-09-11 16:21 . 2012-02-25 02:32 7042148 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3315961098-2874439530-1663773424-1000-4096.dat
- 2009-07-14 02:34 . 2012-02-24 21:37 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-02-25 01:17 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="" [BU]
"SoftAuto.exe"="c:\program files (x86)\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-10-16 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-11-16 36760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-11-16 821144]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"M-Audio Taskbar Icon"="c:\windows\system32\DeltaIITray.exe" [2009-07-27 236040]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [BU]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dplaysvr"="%LOCALAPPDATA%\dplaysvr.exe" [BU]
.
c:\users\truehuss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CineFormActiveMetadataStatusViewer.exe [2011-2-3 179712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CineFormActiveMetadataStatusViewer.exe [2010-10-20 178176]
P2 Card Manager.lnk - c:\program files\Panasonic P2\Drivers\App\P2TaskTray.exe [2007-3-8 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
@=""
.
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 p2usb;Panasonic P2 Series USB Device;c:\windows\system32\DRIVERS\p2usb.sys [x]
R3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 SirefefRemover;SirefefRemover;c:\windows\system32\Drivers\SirefefRemover.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nlscc;Nalpeiron X64 Service;c:\windows\system32\nlsInterface.exe [x]
S2 p2csvc;p2csvc;c:\windows\system32\p2csvc.exe [x]
S2 p2csvc32;p2csvc32;c:\windows\SysWOW64\p2csvc32.exe [2008-07-25 61440]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\MAudioDelta.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-10-16 17:49 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-09-16 497648]
"combofix"="c:\combofix\CF6658.3XE" [2009-07-14 344576]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
n3900
savscan
se45unic
us30sys
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\S-1-5-21-3315961098-2874439530-1663773424-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A4BD4AA1-3E55-F28E-F069-4FFEE4327C00}*]
"makelapdnagpabhjbfmenimila"=hex:6a,61,68,6d,69,65,6c,6c,69,6f,61,68,6b,68,62,
70,6b,6f,68,64,00,00
"abagflfjikndeoofgahloeeefndflepdna"=hex:61,61,00,00
"mabgeljobfpfpagakpfpdpgphc"=hex:61,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\astsrv.exe
c:\program files (x86)\Creative\Shared Files\CTDevSrv.exe
c:\program files (x86)\FileZilla Server\FileZilla Server.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\Photodex\ProShowProducer\ScsiAccess.exe
c:\windows\SysWOW64\DeltaIITray.exe
.
**************************************************************************
.
Completion time: 2012-02-24 21:59:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-25 02:59
ComboFix2.txt 2012-02-24 23:46
ComboFix3.txt 2012-02-24 03:52
ComboFix4.txt 2012-02-23 18:18
.
Pre-Run: 187,345,448,960 bytes free
Post-Run: 187,211,005,952 bytes free
.
- - End Of File - - 872564E4A18F5F46D06DD1DC7A9AF30A

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:53 AM

Posted 24 February 2012 - 10:17 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 mangel
  • Topic Starter
  • Members
  • 15 posts
  • Local time:04:53 AM

Posted 25 February 2012 - 01:01 AM

Here it is

Adobe Acrobat X Pro - English, Russian
Adobe AIR
Adobe Community Help
Adobe Creative Suite 5 Master Collection
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9.5.0
Advanced Archive Password Recovery
Advertising Center
Apple Application Support
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
ATI Catalyst Registration
AVS Update Manager 1.0
AVS Video Converter 8
AVS4YOU Software Navigator 1.4
BitLord 1.1
Blurb Template Creator CS5 v1.1.0.1d5
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
ccc-core-static
CCC Help English
CineForm NeoPlayer 5.2
CineForm NeoScene 5.3
Composite Suite Pro for Adobe After Effects (64 Bit)
ConvertXtoDVD 4.0.3.312
Cool Edit Pro 2.1
Creative Centrale
Creative Removable Disk Manager
Creative Software Update
Creative ZEN Mozaic User's Guide
Dfx for Adobe After Effects (64 Bit)
DivX Setup
DolbyFiles
FileZilla Client 3.5.2
FileZilla Server
FotoFusion v4
FotoFusionV4
Free M4a to MP3 Converter 6.2
Genuine Fractals 6.0.4 Professional Edition
ImagXpress
Instant HD Advanced
Java Auto Updater
Java™ 6 Update 31
Key Correct
LightScribe System Software
Magic Bullet Colorista II 64 Bit
Magic Bullet Looks
Malwarebytes Anti-Malware version 1.60.1.1000
Menu Templates - Starter Kit
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Movie Templates - Starter Kit
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero StartSmart OEM
Nero Vision
Nero Vision Help
NeroExpress
neroxml
NTI Media Maker 8
Panasonic P2 Viewer
PDF Settings CS5
Photodex Presenter
Pictage Upload Tool
Power Matte for Adobe After Effects (64 Bit)
Power Stroke for Adobe After Effects (64 Bit)
ProShow Producer
PxMergeModule
QuickTime
RAR Password Cracker 4.12
RAR Password Recovery v1.1 RC16 (remove only)
Sorenson Squeeze 6.0
Spybot - Search & Destroy
Spyder3Elite
The Lord of the Rings FREE Trial
Topaz Adjust 4
Topaz Adjust 4 (64-bit)
Topaz Clean 3
Topaz Clean 3 (64-bit)
Topaz DeJpeg 4
Topaz DeJpeg 4 (64-bit)
Topaz DeNoise 5
Topaz DeNoise 5 (64-bit)
Topaz Detail 2
Topaz Fusion Express 2
Topaz Fusion Express 2 (64-bit)
Topaz ReMask 2
Topaz ReMask 2 (64-bit)
Topaz Simplify 3
Topaz Simplify 3 (64-bit)
Topaz Vivacity
Trapcode Form
Trapcode Lux
Trapcode Particular
Trapcode Shine
Trapcode SoundKeys
Trapcode Starglow
USBFast
VC80CRTRedist - 8.0.50727.4053
Wondershare DVD Slideshow Builder Deluxe(Build 6.0.0.22)
Wondershare Photo Story Platinum 3.1.0
Wondershare Photo Story Platinum 3.1.0 trial version
zMatte for Adobe After Effects (64 Bit)
Zookbinders ROES
