
Infected - Google redirects and MSE won't start


  • This topic is locked
19 replies to this topic

#1 boon_nz

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:35 PM

Posted 03 March 2012 - 09:31 PM

Hi,

My browsers (Chrome and IE) redirect off of Google. The Windows Security Centre service will also not start, and if I open Microsoft Security Essentials it opens then instantly closes.

I have tried to fix it myself - I've run Kaspersky TDSSKiller, Malwarebytes Anti-Malware, Spybot, Hitman and SUPERAntiSpyware with no luck. I also ran MSE in Safe Mode.

Any help would be hugely appreciated. I have followed the preparation guide (I think), and logs are attached as requested.

Thanks so much.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20
Run by Boon at 21:12:21 on 2012-03-01
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.2048.825 [GMT 13:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\MacroData Inc\NetDrive\ndsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MacroData Inc\NetDrive\netdrive.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Boon\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Boon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.nz/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Netdrive] c:\program files\macrodata inc\netdrive\netdrive.exe -tray
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\boon\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\boon\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\boon\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 58.28.4.2 58.28.6.2 58.28.5.2
TCP: Interfaces\{F807FE0A-B0A1-4D77-B6E7-866BF0B28C0B} : DhcpNameServer = 58.28.4.2 58.28.6.2 58.28.5.2
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\boon\appdata\roaming\mozilla\firefox\profiles\a00io6kb.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.funmoods.com/?f=1&a=ddrnw
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=ddrnw
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=ddrnw
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=ddrnw&q=
FF - user.js: extensions.funmoods_i.id - 60b3ef0b0000000000000014852c0dfa
FF - user.js: extensions.funmoods_i.instlDay - 15373
FF - user.js: extensions.funmoods_i.vrsn - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsni - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.11.1619:41:44
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - ddrnw
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 inpout32;inpout32;c:\windows\system32\drivers\inpout32.sys [2011-10-22 11936]
R2 ndsvc;NetDrive Service;c:\program files\macrodata inc\netdrive\ndsvc.exe [2010-10-11 2106368]
R3 hhdusbh32;HHD Software USB Monitoring Filter Driver;c:\windows\system32\drivers\hhdusbh32.sys [2010-4-3 35968]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-11-7 20080]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-10-3 27632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-18 136176]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2010-4-29 25728]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-18 136176]
S3 libusb0;Atmel - LibUsb Kernel Driver 07/07/2009, 1.12.0.1;c:\windows\system32\drivers\libusb0.sys [2010-1-28 21504]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2011-2-4 9216]
S3 MCHPUSB;MCHPUSB;c:\windows\system32\drivers\mchpusb.sys [2010-2-13 53760]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 ndfs;ndfs;c:\program files\macrodata inc\netdrive\NDFS.sys [2010-10-7 47680]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-10-3 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-10-3 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-10-3 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-10-3 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-10-3 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-10-3 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-10-3 115752]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-8 52224]
S3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\USBSnoop.sys [2010-4-3 23972]
S3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\USBSnpys.sys [2010-4-3 92544]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-8 1343400]
S3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\drivers\zghsdiag.sys [2011-2-4 106752]
S3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\drivers\zghsmdm.sys [2011-2-4 106752]
S3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\drivers\zghsnmea.sys [2011-2-4 106752]
.
=============== Created Last 30 ================
.
2012-03-01 07:36:08 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-01 07:22:35 98816 ----a-w- c:\windows\sed.exe
2012-03-01 07:22:35 518144 ----a-w- c:\windows\SWREG.exe
2012-03-01 07:22:35 256000 ----a-w- c:\windows\PEV.exe
2012-03-01 07:22:35 208896 ----a-w- c:\windows\MBR.exe
2012-03-01 06:16:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-03-01 06:16:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-29 09:21:45 -------- d-----w- c:\users\boon\appdata\roaming\SUPERAntiSpyware.com
2012-02-29 09:19:50 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-29 09:19:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-29 09:16:29 -------- d-----w- c:\program files\common files\PC Tools
2012-02-29 09:15:56 -------- d-----w- c:\programdata\PC Tools
2012-02-29 09:15:55 -------- d-----w- c:\users\boon\appdata\roaming\TestApp
2012-02-29 08:23:40 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-29 08:23:26 -------- d-----w- c:\programdata\HitmanPro
2012-02-29 07:57:55 -------- d-----w- c:\programdata\Kaspersky Lab
2012-02-28 04:49:46 -------- d-----w- c:\users\boon\appdata\roaming\Malwarebytes
2012-02-28 04:49:37 -------- d-----w- c:\programdata\Malwarebytes
2012-02-28 04:49:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-28 04:49:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-26 06:01:06 147968 --sha-r- c:\windows\system32\xpssvcsw.dll
2012-02-25 21:19:09 6552120 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b97cd877-c169-4624-8eb0-9aab202f89d0}\mpengine.dll
2012-02-24 09:49:52 -------- d-----w- c:\programdata\my-books
2012-02-24 09:49:52 -------- d-----w- c:\program files\my-books
2012-02-22 09:39:00 748336 ----a-w- c:\program files\internet explorer\iexplore.exe
2012-02-22 09:39:00 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-22 09:39:00 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-22 09:39:00 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-22 06:33:59 -------- d-----w- c:\users\boon\appdata\roaming\Visan
2012-02-22 06:33:59 -------- d-----w- c:\programdata\Visan
2012-02-16 15:09:46 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 15:05:53 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 15:05:48 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 15:04:55 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-11 04:25:24 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2012-02-11 04:25:09 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6ee4c1d8-47ce-4eac-a1bf-5e26cabcda2c}\gapaengine.dll
2012-02-03 22:02:28 -------- d-----w- c:\program files\Team360h
2012-02-03 06:41:42 -------- d-----w- c:\program files\Funmoods
2012-02-03 06:39:37 -------- d-----w- c:\program files\JDownloader
2012-02-01 05:33:30 -------- d-----w- c:\program files\WinDirStat
.
==================== Find3M ====================
.
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 21:12:55.96 ===============


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:35 PM

Posted 04 March 2012 - 02:49 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:35 PM

Posted 07 March 2012 - 11:36 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 boon_nz

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:35 PM

Posted 08 March 2012 - 11:32 PM

Hi,

Sorry, I was sure I had set this up to email me if anyone replied! I will get onto this straight away and I will ensure I monitor the thread so I can pick up any further replies straight away.

I really appreciate your help.

#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:35 PM

Posted 09 March 2012 - 12:19 AM

No problem, and I will be waiting for the report.


gringo

#6 boon_nz

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:35 PM

Posted 09 March 2012 - 01:04 AM

Hi Gringo,

I have run ComboFix and the Google redirects seem to have stopped for now. I suspect if I restart my PC, they will come back.

The Windows Security Centre still will not start, and opening MSE makes it pop up then instantly close.

Thanks again for your help.

Please see attached log:


ComboFix 12-03-08.04 - Boon 09/03/2012 17:37:28.2.1 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.2048.1506 [GMT 13:00]
Running from: d:\boon\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-09 04:45 . 2012-03-09 04:45 -------- d-----w- c:\users\Temp\AppData\Local\temp
2012-03-09 04:45 . 2012-03-09 04:45 -------- d-----w- c:\users\Mcx1-BOON\AppData\Local\temp
2012-03-09 04:45 . 2012-03-09 04:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-09 04:45 . 2012-03-09 04:45 -------- d-----w- c:\users\Craig\AppData\Local\temp
2012-03-01 06:16 . 2012-03-01 07:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-03-01 06:16 . 2012-03-01 06:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-29 09:21 . 2012-02-29 09:21 -------- d-----w- c:\users\Boon\AppData\Roaming\SUPERAntiSpyware.com
2012-02-29 09:19 . 2012-02-29 09:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-29 09:19 . 2012-02-29 09:19 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-29 09:16 . 2012-02-29 18:32 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-29 09:15 . 2012-02-29 09:15 -------- d-----w- c:\programdata\PC Tools
2012-02-29 09:15 . 2012-02-29 09:15 -------- d-----w- c:\users\Boon\AppData\Roaming\TestApp
2012-02-29 08:23 . 2012-02-29 08:31 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-29 08:23 . 2012-02-29 08:29 -------- d-----w- c:\programdata\HitmanPro
2012-02-29 07:57 . 2012-02-29 07:57 -------- d-----w- c:\programdata\Kaspersky Lab
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\users\Boon\AppData\Roaming\Malwarebytes
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\programdata\Malwarebytes
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-28 04:49 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-26 06:01 . 2012-02-26 06:01 147968 --sha-r- c:\windows\system32\xpssvcsw.dll
2012-02-25 21:19 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B97CD877-C169-4624-8EB0-9AAB202F89D0}\mpengine.dll
2012-02-24 09:49 . 2012-02-27 05:46 -------- d-----w- c:\programdata\my-books
2012-02-24 09:49 . 2012-02-24 09:50 -------- d-----w- c:\program files\my-books
2012-02-22 09:39 . 2012-02-22 09:39 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2012-02-22 09:39 . 2012-02-22 09:39 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-22 09:39 . 2012-02-22 09:39 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-22 09:39 . 2012-02-22 09:39 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-22 06:33 . 2012-02-22 06:33 -------- d-----w- c:\users\Boon\AppData\Roaming\Visan
2012-02-22 06:33 . 2012-02-22 06:33 -------- d-----w- c:\programdata\Visan
2012-02-16 15:09 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 15:05 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 15:05 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 15:04 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-11 04:25 . 2011-10-28 14:36 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-02-11 04:25 . 2012-02-11 04:24 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6EE4C1D8-47CE-4EAC-A1BF-5E26CABCDA2C}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2011-10-28 14:37 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-31 12:44 . 2009-10-01 08:49 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-06-18 399736]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-06 1866864]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-13 604704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-17 248040]
"Netdrive"="c:\program files\MacroData Inc\NetDrive\netdrive.exe" [2010-10-08 3284992]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-01 843712]
.
c:\users\Boon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Boon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DLPortIO;DriverLINX Port I/O Driver; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 136176]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-08-07 25728]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 136176]
R3 libusb0;Atmel - LibUsb Kernel Driver 07/07/2009, 1.12.0.1;c:\windows\system32\DRIVERS\libusb0.sys [2010-01-27 21504]
R3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-06-27 9216]
R3 MCHPUSB;MCHPUSB;c:\windows\system32\DRIVERS\mchpusb.sys [2007-12-19 53760]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 ndfs;ndfs;c:\program files\MacroData Inc\NetDrive\ndfs.sys [2010-10-07 47680]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 PsSdk30;PsSdk30;c:\windows\system32\Drivers\PsSdk30.drv [x]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-15 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-15 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-15 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-15 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-15 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-15 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-15 115752]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\usbsnoop.sys [2010-04-03 23972]
R3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\usbsnpys.sys [2010-04-03 92544]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]
R3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys [2010-09-07 106752]
R3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\DRIVERS\zghsmdm.sys [2010-09-07 106752]
R3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\DRIVERS\zghsnmea.sys [2010-09-07 106752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 inpout32;inpout32;c:\windows\system32\Drivers\inpout32.sys [2011-10-22 11936]
S2 ndsvc;NetDrive Service;c:\program files\MacroData Inc\NetDrive\ndsvc.exe [2010-10-11 2106368]
S3 hhdusbh32;HHD Software USB Monitoring Filter Driver;c:\windows\system32\DRIVERS\hhdusbh32.sys [2010-04-02 35968]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-08 27632]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\BXWUHA.job
- c:\windows\system32\xpssvcsw.dll [2012-02-26 06:01]
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 05:04]
.
2012-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 05:04]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1429542791-999459522-532515822-1004Core.job
- c:\users\Boon\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-31 05:47]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1429542791-999459522-532515822-1004UA.job
- c:\users\Boon\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-31 05:47]
.
2012-02-22 c:\windows\Tasks\my-books Communicator.job
- c:\programdata\my-books\MessageCheck.exe [2012-02-24 09:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
TCP: DhcpNameServer = 58.28.4.2 58.28.6.2 58.28.5.2
FF - ProfilePath - c:\users\Boon\AppData\Roaming\Mozilla\Firefox\Profiles\a00io6kb.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.funmoods.com/?f=1&a=ddrnw
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=ddrnw
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=ddrnw
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=ddrnw&q=
FF - user.js: extensions.funmoods_i.id - 60b3ef0b0000000000000014852c0dfa
FF - user.js: extensions.funmoods_i.instlDay - 15373
FF - user.js: extensions.funmoods_i.vrsn - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsni - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.11.1619:41
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - ddrnw
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PsSdk30]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3276)
c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
Completion time: 2012-03-09 17:48:06
ComboFix-quarantined-files.txt 2012-03-09 04:48
ComboFix2.txt 2012-03-01 07:37
.
Pre-Run: 7,790,100,480 bytes free
Post-Run: 7,754,874,880 bytes free
.
- - End Of File - - 3373277F4BB3C90D6B5FDA73687D9B87

#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:35 PM

Posted 09 March 2012 - 01:41 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 boon_nz

  • Topic Starter
  • Members
  • 9 posts
  • Local time:01:35 PM

Posted 09 March 2012 - 02:13 AM

Hi Gringo,

Nothing found by TDSSKiller (I had independently run that before), but aswMBR looked promising. No problems running either.


TDSSKiller:

19:55:19.0823 2776 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
19:55:20.0799 2776 ============================================================
19:55:20.0799 2776 Current date / time: 2012/03/09 19:55:20.0799
19:55:20.0799 2776 SystemInfo:
19:55:20.0799 2776
19:55:20.0799 2776 OS Version: 6.1.7601 ServicePack: 1.0
19:55:20.0799 2776 Product type: Workstation
19:55:20.0799 2776 ComputerName: BOON
19:55:20.0809 2776 UserName: Boon
19:55:20.0809 2776 Windows directory: C:\Windows
19:55:20.0809 2776 System windows directory: C:\Windows
19:55:20.0809 2776 Processor architecture: Intel x86
19:55:20.0809 2776 Number of processors: 1
19:55:20.0809 2776 Page size: 0x1000
19:55:20.0810 2776 Boot type: Normal boot
19:55:20.0810 2776 ============================================================
19:55:25.0189 2776 Drive \Device\Harddisk1\DR1 - Size: 0x7470AFDE00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
19:55:25.0226 2776 Drive \Device\Harddisk0\DR0 - Size: 0x3A38A25E00 (232.88 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
19:55:25.0228 2776 \Device\Harddisk1\DR1:
19:55:25.0228 2776 MBR used
19:55:25.0228 2776 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
19:55:25.0228 2776 \Device\Harddisk0\DR0:
19:55:25.0228 2776 MBR used
19:55:25.0228 2776 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A962B1
19:55:25.0242 2776 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3A9632F, BlocksNum 0x1972E252
19:55:25.0329 2776 Initialize success
19:55:25.0329 2776 ============================================================
19:55:26.0786 4008 ============================================================
19:55:26.0786 4008 Scan started
19:55:26.0786 4008 Mode: Manual;
19:55:26.0786 4008 ============================================================
19:55:27.0443 4008 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
19:55:27.0446 4008 1394ohci - ok
19:55:27.0517 4008 a016bus (b021d0ae4605ce5df67f06e741278cdf) C:\Windows\system32\DRIVERS\a016bus.sys
19:55:27.0519 4008 a016bus - ok
19:55:27.0577 4008 a016mdfl (5b6bc2de851012906d4aae84c802e3f2) C:\Windows\system32\DRIVERS\a016mdfl.sys
19:55:27.0578 4008 a016mdfl - ok
19:55:27.0620 4008 a016mdm (c80cffb5819ccfc97f2b09e2259dfde6) C:\Windows\system32\DRIVERS\a016mdm.sys
19:55:27.0622 4008 a016mdm - ok
19:55:27.0661 4008 a016mgmt (415243177ff67d3cfba44d931b809bf3) C:\Windows\system32\DRIVERS\a016mgmt.sys
19:55:27.0663 4008 a016mgmt - ok
19:55:27.0702 4008 a016obex (3a853f9b8b69541cde714a83a0a6434e) C:\Windows\system32\DRIVERS\a016obex.sys
19:55:27.0704 4008 a016obex - ok
19:55:27.0763 4008 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
19:55:27.0768 4008 ACPI - ok
19:55:27.0804 4008 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
19:55:27.0804 4008 AcpiPmi - ok
19:55:27.0861 4008 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
19:55:27.0869 4008 adp94xx - ok
19:55:27.0912 4008 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
19:55:27.0919 4008 adpahci - ok
19:55:27.0958 4008 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
19:55:27.0958 4008 adpu320 - ok
19:55:28.0044 4008 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
19:55:28.0044 4008 AFD - ok
19:55:28.0091 4008 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
19:55:28.0091 4008 agp440 - ok
19:55:28.0169 4008 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
19:55:28.0169 4008 aic78xx - ok
19:55:28.0318 4008 ALCXWDM (7997b6f02cbda0e31fa18cc85871b938) C:\Windows\system32\drivers\RTKVAC.SYS
19:55:28.0412 4008 ALCXWDM - ok
19:55:28.0490 4008 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
19:55:28.0490 4008 aliide - ok
19:55:28.0537 4008 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
19:55:28.0537 4008 amdagp - ok
19:55:28.0568 4008 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
19:55:28.0576 4008 amdide - ok
19:55:28.0638 4008 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
19:55:28.0638 4008 AmdK8 - ok
19:55:28.0669 4008 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
19:55:28.0669 4008 AmdPPM - ok
19:55:28.0724 4008 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
19:55:28.0732 4008 amdsata - ok
19:55:28.0771 4008 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
19:55:28.0779 4008 amdsbs - ok
19:55:28.0810 4008 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
19:55:28.0810 4008 amdxata - ok
19:55:28.0865 4008 androidusb (e94e2ea7faaa05c776a711edb198b9fd) C:\Windows\system32\Drivers\androidusb.sys
19:55:28.0865 4008 androidusb - ok
19:55:28.0917 4008 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
19:55:28.0919 4008 AppID - ok
19:55:29.0002 4008 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
19:55:29.0005 4008 arc - ok
19:55:29.0028 4008 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
19:55:29.0030 4008 arcsas - ok
19:55:29.0090 4008 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
19:55:29.0091 4008 AsyncMac - ok
19:55:29.0126 4008 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
19:55:29.0127 4008 atapi - ok
19:55:29.0241 4008 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
19:55:29.0250 4008 b06bdrv - ok
19:55:29.0291 4008 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
19:55:29.0295 4008 b57nd60x - ok
19:55:29.0362 4008 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
19:55:29.0364 4008 Beep - ok
19:55:29.0405 4008 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
19:55:29.0407 4008 blbdrive - ok
19:55:29.0451 4008 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
19:55:29.0453 4008 bowser - ok
19:55:29.0480 4008 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
19:55:29.0481 4008 BrFiltLo - ok
19:55:29.0510 4008 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
19:55:29.0511 4008 BrFiltUp - ok
19:55:29.0568 4008 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
19:55:29.0572 4008 BridgeMP - ok
19:55:29.0607 4008 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
19:55:29.0612 4008 Brserid - ok
19:55:29.0636 4008 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
19:55:29.0640 4008 BrSerWdm - ok
19:55:29.0661 4008 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
19:55:29.0662 4008 BrUsbMdm - ok
19:55:29.0682 4008 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
19:55:29.0683 4008 BrUsbSer - ok
19:55:29.0707 4008 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
19:55:29.0708 4008 BTHMODEM - ok
19:55:29.0955 4008 catchme - ok
19:55:30.0017 4008 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
19:55:30.0020 4008 cdfs - ok
19:55:30.0096 4008 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\DRIVERS\cdrom.sys
19:55:30.0099 4008 cdrom - ok
19:55:30.0150 4008 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
19:55:30.0151 4008 circlass - ok
19:55:30.0206 4008 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
19:55:30.0211 4008 CLFS - ok
19:55:30.0289 4008 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
19:55:30.0290 4008 CmBatt - ok
19:55:30.0349 4008 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
19:55:30.0350 4008 cmdide - ok
19:55:30.0415 4008 CNG (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
19:55:30.0420 4008 CNG - ok
19:55:30.0467 4008 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
19:55:30.0468 4008 Compbatt - ok
19:55:30.0519 4008 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
19:55:30.0520 4008 CompositeBus - ok
19:55:30.0560 4008 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
19:55:30.0561 4008 crcdisk - ok
19:55:30.0634 4008 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
19:55:30.0642 4008 CSC - ok
19:55:30.0700 4008 dc3d (734bbe7c66e6fd6047a1bd29b9343b30) C:\Windows\system32\DRIVERS\dc3d.sys
19:55:30.0701 4008 dc3d - ok
19:55:30.0764 4008 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
19:55:30.0766 4008 DfsC - ok
19:55:30.0803 4008 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
19:55:30.0804 4008 discache - ok
19:55:30.0838 4008 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
19:55:30.0839 4008 Disk - ok
19:55:30.0864 4008 DLPortIO - ok
19:55:30.0927 4008 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
19:55:30.0928 4008 drmkaud - ok
19:55:30.0984 4008 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
19:55:31.0007 4008 DXGKrnl - ok
19:55:31.0117 4008 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
19:55:31.0203 4008 ebdrv - ok
19:55:31.0265 4008 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
19:55:31.0273 4008 elxstor - ok
19:55:31.0312 4008 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
19:55:31.0312 4008 ErrDev - ok
19:55:31.0376 4008 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
19:55:31.0382 4008 exfat - ok
19:55:31.0422 4008 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
19:55:31.0426 4008 fastfat - ok
19:55:31.0459 4008 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
19:55:31.0461 4008 fdc - ok
19:55:31.0504 4008 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
19:55:31.0505 4008 FileInfo - ok
19:55:31.0536 4008 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
19:55:31.0538 4008 Filetrace - ok
19:55:31.0562 4008 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
19:55:31.0565 4008 flpydisk - ok
19:55:31.0601 4008 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
19:55:31.0605 4008 FltMgr - ok
19:55:31.0655 4008 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
19:55:31.0657 4008 FsDepends - ok
19:55:31.0707 4008 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
19:55:31.0708 4008 Fs_Rec - ok
19:55:31.0807 4008 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
19:55:31.0810 4008 fvevol - ok
19:55:31.0861 4008 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
19:55:31.0865 4008 gagp30kx - ok
19:55:31.0956 4008 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
19:55:31.0957 4008 hcw85cir - ok
19:55:32.0014 4008 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
19:55:32.0017 4008 HDAudBus - ok
19:55:32.0085 4008 hhdusbh32 (b9af5746c6848a88cdd509a45436d118) C:\Windows\system32\DRIVERS\hhdusbh32.sys
19:55:32.0086 4008 hhdusbh32 - ok
19:55:32.0145 4008 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
19:55:32.0148 4008 HidBatt - ok
19:55:32.0199 4008 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
19:55:32.0201 4008 HidBth - ok
19:55:32.0247 4008 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
19:55:32.0249 4008 HidIr - ok
19:55:32.0331 4008 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\drivers\hidusb.sys
19:55:32.0333 4008 HidUsb - ok
19:55:32.0407 4008 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
19:55:32.0409 4008 HpSAMD - ok
19:55:32.0481 4008 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
19:55:32.0490 4008 HTTP - ok
19:55:32.0544 4008 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
19:55:32.0547 4008 hwpolicy - ok
19:55:32.0631 4008 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
19:55:32.0633 4008 i8042prt - ok
19:55:32.0698 4008 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
19:55:32.0705 4008 iaStorV - ok
19:55:32.0764 4008 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
19:55:32.0766 4008 iirsp - ok
19:55:32.0876 4008 inpout32 (f08ebaf4493e99f4f095a4f7696287d4) C:\Windows\system32\Drivers\inpout32.sys
19:55:32.0876 4008 inpout32 - ok
19:55:32.0947 4008 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
19:55:32.0948 4008 intelide - ok
19:55:33.0009 4008 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
19:55:33.0011 4008 intelppm - ok
19:55:33.0061 4008 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
19:55:33.0063 4008 IpFilterDriver - ok
19:55:33.0130 4008 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
19:55:33.0159 4008 IPMIDRV - ok
19:55:33.0427 4008 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
19:55:33.0430 4008 IPNAT - ok
19:55:33.0491 4008 irda (9f7e491fb0ba0f9e370163834fc1fe31) C:\Windows\system32\DRIVERS\irda.sys
19:55:33.0494 4008 irda - ok
19:55:33.0536 4008 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
19:55:33.0537 4008 IRENUM - ok
19:55:33.0585 4008 irsir (5896b5ff6332ab2be1582523e9656a67) C:\Windows\system32\DRIVERS\irsir.sys
19:55:33.0587 4008 irsir - ok
19:55:33.0638 4008 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
19:55:33.0640 4008 isapnp - ok
19:55:33.0677 4008 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
19:55:33.0681 4008 iScsiPrt - ok
19:55:33.0736 4008 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
19:55:33.0738 4008 kbdclass - ok
19:55:33.0769 4008 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
19:55:33.0771 4008 kbdhid - ok
19:55:33.0811 4008 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
19:55:33.0813 4008 KSecDD - ok
19:55:33.0843 4008 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
19:55:33.0845 4008 KSecPkg - ok
19:55:33.0934 4008 libusb0 (c9914934118add9afe928a16a3379016) C:\Windows\system32\DRIVERS\libusb0.sys
19:55:33.0942 4008 libusb0 - ok
19:55:33.0989 4008 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
19:55:33.0997 4008 lltdio - ok
19:55:34.0059 4008 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
19:55:34.0067 4008 LSI_FC - ok
19:55:34.0090 4008 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
19:55:34.0098 4008 LSI_SAS - ok
19:55:34.0129 4008 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
19:55:34.0137 4008 LSI_SAS2 - ok
19:55:34.0168 4008 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
19:55:34.0168 4008 LSI_SCSI - ok
19:55:34.0223 4008 ltmodem5 (838df9675a08116f057b6bc530fbbe15) C:\Windows\system32\DRIVERS\ltmdmnt.sys
19:55:34.0231 4008 ltmodem5 - ok
19:55:34.0286 4008 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
19:55:34.0286 4008 luafv - ok
19:55:34.0340 4008 massfilter_hs (6d0667d493702b4ac7cf0399c7f9b656) C:\Windows\system32\drivers\massfilter_hs.sys
19:55:34.0340 4008 massfilter_hs - ok
19:55:34.0403 4008 MCHPUSB (5a4268fa5157c7c9352bf3d2625a3b32) C:\Windows\system32\DRIVERS\mchpusb.sys
19:55:34.0403 4008 MCHPUSB - ok
19:55:34.0450 4008 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
19:55:34.0450 4008 megasas - ok
19:55:34.0504 4008 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
19:55:34.0504 4008 MegaSR - ok
19:55:34.0543 4008 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
19:55:34.0543 4008 Modem - ok
19:55:34.0575 4008 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
19:55:34.0575 4008 monitor - ok
19:55:34.0637 4008 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
19:55:34.0637 4008 mouclass - ok
19:55:34.0684 4008 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
19:55:34.0684 4008 mouhid - ok
19:55:34.0731 4008 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
19:55:34.0731 4008 mountmgr - ok
19:55:34.0793 4008 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\Windows\system32\DRIVERS\MpFilter.sys
19:55:34.0793 4008 MpFilter - ok
19:55:34.0840 4008 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
19:55:34.0840 4008 mpio - ok
19:55:34.0887 4008 MpNWMon (2c3489660d4a8d514c123c3f0d67df46) C:\Windows\system32\DRIVERS\MpNWMon.sys
19:55:34.0887 4008 MpNWMon - ok
19:55:34.0936 4008 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
19:55:34.0939 4008 mpsdrv - ok
19:55:34.0992 4008 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
19:55:34.0995 4008 MRxDAV - ok
19:55:35.0039 4008 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
19:55:35.0041 4008 mrxsmb - ok
19:55:35.0084 4008 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
19:55:35.0089 4008 mrxsmb10 - ok
19:55:35.0118 4008 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
19:55:35.0120 4008 mrxsmb20 - ok
19:55:35.0159 4008 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
19:55:35.0160 4008 msahci - ok
19:55:35.0207 4008 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
19:55:35.0209 4008 msdsm - ok
19:55:35.0287 4008 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
19:55:35.0289 4008 Msfs - ok
19:55:35.0319 4008 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
19:55:35.0319 4008 mshidkmdf - ok
19:55:35.0376 4008 MSIRCOMM (98223d892d0d59a78e7a3a8d4e113616) C:\Windows\system32\DRIVERS\MSIRCOMM.sys
19:55:35.0377 4008 MSIRCOMM - ok
19:55:35.0424 4008 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
19:55:35.0424 4008 msisadrv - ok
19:55:35.0506 4008 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
19:55:35.0507 4008 MSKSSRV - ok
19:55:35.0585 4008 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
19:55:35.0585 4008 MSPCLOCK - ok
19:55:35.0622 4008 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
19:55:35.0624 4008 MSPQM - ok
19:55:35.0678 4008 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
19:55:35.0681 4008 MsRPC - ok
19:55:35.0727 4008 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
19:55:35.0727 4008 mssmbios - ok
19:55:35.0770 4008 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
19:55:35.0771 4008 MSTEE - ok
19:55:35.0804 4008 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
19:55:35.0805 4008 MTConfig - ok
19:55:35.0829 4008 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
19:55:35.0830 4008 Mup - ok
19:55:35.0885 4008 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
19:55:35.0892 4008 NativeWifiP - ok
19:55:35.0987 4008 ndfs (b5b69ecec13a00588009e0c1040a86b0) C:\Program Files\MacroData Inc\NetDrive\ndfs.sys
19:55:35.0988 4008 ndfs - ok
19:55:36.0093 4008 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
19:55:36.0099 4008 NDIS - ok
19:55:36.0164 4008 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
19:55:36.0166 4008 NdisCap - ok
19:55:36.0197 4008 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
19:55:36.0198 4008 NdisTapi - ok
19:55:36.0240 4008 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
19:55:36.0242 4008 Ndisuio - ok
19:55:36.0289 4008 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
19:55:36.0291 4008 NdisWan - ok
19:55:36.0331 4008 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
19:55:36.0333 4008 NDProxy - ok
19:55:36.0404 4008 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
19:55:36.0405 4008 NetBIOS - ok
19:55:36.0457 4008 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
19:55:36.0460 4008 NetBT - ok
19:55:36.0591 4008 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
19:55:36.0592 4008 nfrd960 - ok
19:55:43.0754 4008 ============================================================
19:55:43.0754 4008 Scan finished
19:55:43.0754 4008 ============================================================
19:55:43.0778 1704 Detected object count: 0
19:55:43.0778 1704 Actual detected object count: 0


ASWMBR

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-09 19:56:17
-----------------------------
19:56:17.624 OS Version: Windows 6.1.7601 Service Pack 1
19:56:17.624 Number of processors: 1 586 0x2F02
19:56:17.629 ComputerName: BOON UserName: Boon
19:56:18.141 Initialize success
19:59:07.956 AVAST engine defs: 12030801
19:59:54.801 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3
19:59:54.807 Disk 0 Vendor: ST3250823AS 3.03 Size: 238474MB BusType: 3
19:59:54.824 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
19:59:54.830 Disk 1 Vendor: ST3500410AS CC33 Size: 476938MB BusType: 3
19:59:54.843 Disk 0 MBR read successfully
19:59:54.850 Disk 0 MBR scan
19:59:54.857 Disk 0 Windows 7 default MBR code
19:59:54.864 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 29996 MB offset 63
19:59:54.871 Disk 0 Partition - 00 0F Extended LBA 208476 MB offset 61432560
19:59:54.892 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 208476 MB offset 61432623
19:59:54.904 Disk 0 scanning sectors +488392065
19:59:54.969 Disk 0 scanning C:\Windows\system32\drivers
20:00:06.801 Service scanning
20:00:32.003 Modules scanning
20:00:41.257 Disk 0 trace - called modules:
20:00:41.274 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
20:00:41.284 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a41620]
20:00:41.291 3 CLASSPNP.SYS[88f8559e] -> nt!IofCallDriver -> [0x85983918]
20:00:41.302 5 ACPI.sys[8339c3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0x85981030]
20:00:41.664 AVAST engine scan C:\Windows
20:00:44.163 AVAST engine scan C:\Windows\system32
20:03:30.847 File: C:\Windows\system32\xpssvcsw.dll **INFECTED** Win32:Diller-CD [Trj]
20:04:20.500 AVAST engine scan C:\Windows\system32\drivers
20:04:38.216 AVAST engine scan C:\Users\Boon
20:07:31.195 Disk 0 MBR has been saved successfully to "C:\Users\Boon\Desktop\MBR.dat"
20:07:31.212 The log file has been saved successfully to "C:\Users\Boon\Desktop\aswMBR.txt"
20:10:41.708 AVAST engine scan C:\ProgramData
20:11:39.571 Scan finished successfully
20:11:51.602 Disk 0 MBR has been saved successfully to "C:\Users\Boon\Desktop\MBR.dat"
20:11:51.613 The log file has been saved successfully to "C:\Users\Boon\Desktop\aswMBR.txt"

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:35 PM

Posted 09 March 2012 - 02:38 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
C:\Windows\system32\xpssvcsw.dll 

FireFox::
FF - ProfilePath - c:\users\Boon\AppData\Roaming\Mozilla\Firefox\Profiles\a00io6kb.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.funmoods.com/?f=1&a=ddrnw
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=ddrnw
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=ddrnw
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=ddrnw&q=
FF - user.js: extensions.funmoods_i.id - 60b3ef0b0000000000000014852c0dfa
FF - user.js: extensions.funmoods_i.instlDay - 15373
FF - user.js: extensions.funmoods_i.vrsn - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsni - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.11.1619:41
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - ddrnw
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#10 boon_nz

boon_nz
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:35 PM

Posted 09 March 2012 - 04:36 AM

Hi Gringo,

The Google redirect still seems to be gone, but MSE still won't start and the Windows Security Centre service can't be started.

Thanks again for all the help.

Combofix ran no problems, log is as follows:


ComboFix 12-03-08.04 - Boon 09/03/2012 22:02:16.3.1 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.2048.1516 [GMT 13:00]
Running from: c:\users\Boon\Desktop\ComboFix.exe
Command switches used :: c:\users\Boon\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\xpssvcsw.dll"
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-09 09:09 . 2012-03-09 09:09 -------- d-----w- c:\users\Temp\AppData\Local\temp
2012-03-09 09:09 . 2012-03-09 09:09 -------- d-----w- c:\users\Mcx1-BOON\AppData\Local\temp
2012-03-09 09:09 . 2012-03-09 09:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-01 06:16 . 2012-03-01 07:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-03-01 06:16 . 2012-03-01 06:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-29 09:21 . 2012-02-29 09:21 -------- d-----w- c:\users\Boon\AppData\Roaming\SUPERAntiSpyware.com
2012-02-29 09:19 . 2012-02-29 09:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-29 09:19 . 2012-02-29 09:19 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-29 09:16 . 2012-02-29 18:32 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-29 09:15 . 2012-02-29 09:15 -------- d-----w- c:\programdata\PC Tools
2012-02-29 09:15 . 2012-02-29 09:15 -------- d-----w- c:\users\Boon\AppData\Roaming\TestApp
2012-02-29 08:23 . 2012-02-29 08:31 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-29 08:23 . 2012-02-29 08:29 -------- d-----w- c:\programdata\HitmanPro
2012-02-29 07:57 . 2012-02-29 07:57 -------- d-----w- c:\programdata\Kaspersky Lab
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\users\Boon\AppData\Roaming\Malwarebytes
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\programdata\Malwarebytes
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-28 04:49 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-26 06:01 . 2012-02-26 06:01 147968 --sha-r- c:\windows\system32\xpssvcsw.dll
2012-02-25 21:19 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B97CD877-C169-4624-8EB0-9AAB202F89D0}\mpengine.dll
2012-02-24 09:49 . 2012-02-27 05:46 -------- d-----w- c:\programdata\my-books
2012-02-24 09:49 . 2012-02-24 09:50 -------- d-----w- c:\program files\my-books
2012-02-22 09:39 . 2012-02-22 09:39 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2012-02-22 09:39 . 2012-02-22 09:39 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-22 09:39 . 2012-02-22 09:39 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-22 09:39 . 2012-02-22 09:39 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-22 06:33 . 2012-02-22 06:33 -------- d-----w- c:\users\Boon\AppData\Roaming\Visan
2012-02-22 06:33 . 2012-02-22 06:33 -------- d-----w- c:\programdata\Visan
2012-02-16 15:09 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 15:05 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 15:05 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 15:04 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-11 04:25 . 2011-10-28 14:36 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-02-11 04:25 . 2012-02-11 04:24 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6EE4C1D8-47CE-4EAC-A1BF-5E26CABCDA2C}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2011-10-28 14:37 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-31 12:44 . 2009-10-01 08:49 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-06-18 399736]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-06 1866864]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-13 604704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-17 248040]
"Netdrive"="c:\program files\MacroData Inc\NetDrive\netdrive.exe" [2010-10-08 3284992]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-01 843712]
.
c:\users\Boon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Boon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DLPortIO;DriverLINX Port I/O Driver; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 136176]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-08-07 25728]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 136176]
R3 libusb0;Atmel - LibUsb Kernel Driver 07/07/2009, 1.12.0.1;c:\windows\system32\DRIVERS\libusb0.sys [2010-01-27 21504]
R3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-06-27 9216]
R3 MCHPUSB;MCHPUSB;c:\windows\system32\DRIVERS\mchpusb.sys [2007-12-19 53760]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 ndfs;ndfs;c:\program files\MacroData Inc\NetDrive\ndfs.sys [2010-10-07 47680]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 PsSdk30;PsSdk30;c:\windows\system32\Drivers\PsSdk30.drv [x]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-15 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-15 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-15 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-15 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-15 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-15 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-15 115752]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\usbsnoop.sys [2010-04-03 23972]
R3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\usbsnpys.sys [2010-04-03 92544]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]
R3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys [2010-09-07 106752]
R3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\DRIVERS\zghsmdm.sys [2010-09-07 106752]
R3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\DRIVERS\zghsnmea.sys [2010-09-07 106752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 inpout32;inpout32;c:\windows\system32\Drivers\inpout32.sys [2011-10-22 11936]
S2 ndsvc;NetDrive Service;c:\program files\MacroData Inc\NetDrive\ndsvc.exe [2010-10-11 2106368]
S3 hhdusbh32;HHD Software USB Monitoring Filter Driver;c:\windows\system32\DRIVERS\hhdusbh32.sys [2010-04-02 35968]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-06 20080]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-08 27632]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\BXWUHA.job
- c:\windows\system32\xpssvcsw.dll [2012-02-26 06:01]
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 05:04]
.
2012-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 05:04]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1429542791-999459522-532515822-1004Core.job
- c:\users\Boon\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-31 05:47]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1429542791-999459522-532515822-1004UA.job
- c:\users\Boon\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-31 05:47]
.
2012-02-22 c:\windows\Tasks\my-books Communicator.job
- c:\programdata\my-books\MessageCheck.exe [2012-02-24 09:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
TCP: DhcpNameServer = 58.28.4.2 58.28.6.2 58.28.5.2
FF - ProfilePath - c:\users\Boon\AppData\Roaming\Mozilla\Firefox\Profiles\a00io6kb.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PsSdk30]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2696)
c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\conhost.exe
c:\windows\SOUNDMAN.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-03-09 22:16:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-09 09:16
ComboFix2.txt 2012-03-09 04:48
ComboFix3.txt 2012-03-01 07:37
.
Pre-Run: 7,658,921,984 bytes free
Post-Run: 7,739,289,600 bytes free
.
- - End Of File - - 066ACD99CC943204453CBD68AB2664FC

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:35 PM

Posted 09 March 2012 - 11:58 AM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
c:\windows\Tasks\BXWUHA.job
c:\windows\system32\xpssvcsw.dll

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 boon_nz

boon_nz
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:35 PM

Posted 09 March 2012 - 02:20 PM

Hi Gringo,

I ran the script and there doesn't appear to be any change. If I start the windows security centre via services, it stops itself after ~10 seconds. If I try and turn it on via the action centre, it just says the windows security service cannot be started.

Combofix log is attached below. Thanks again.


ComboFix 12-03-08.04 - Boon 10/03/2012 8:02.4.1 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.2048.1445 [GMT 13:00]
Running from: c:\users\Boon\Desktop\ComboFix.exe
Command switches used :: c:\users\Boon\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-09 19:10 . 2012-03-09 19:10 -------- d-----w- c:\users\Temp\AppData\Local\temp
2012-03-09 19:10 . 2012-03-09 19:10 -------- d-----w- c:\users\Mcx1-BOON\AppData\Local\temp
2012-03-09 19:10 . 2012-03-09 19:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-09 19:10 . 2012-03-09 19:10 -------- d-----w- c:\users\Craig\AppData\Local\temp
2012-03-01 06:16 . 2012-03-01 07:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-03-01 06:16 . 2012-03-01 06:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-29 09:21 . 2012-02-29 09:21 -------- d-----w- c:\users\Boon\AppData\Roaming\SUPERAntiSpyware.com
2012-02-29 09:19 . 2012-02-29 09:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-29 09:19 . 2012-02-29 09:19 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-29 09:16 . 2012-02-29 18:32 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-29 09:15 . 2012-02-29 09:15 -------- d-----w- c:\programdata\PC Tools
2012-02-29 09:15 . 2012-02-29 09:15 -------- d-----w- c:\users\Boon\AppData\Roaming\TestApp
2012-02-29 08:23 . 2012-02-29 08:31 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-29 08:23 . 2012-02-29 08:29 -------- d-----w- c:\programdata\HitmanPro
2012-02-29 07:57 . 2012-02-29 07:57 -------- d-----w- c:\programdata\Kaspersky Lab
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\users\Boon\AppData\Roaming\Malwarebytes
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\programdata\Malwarebytes
2012-02-28 04:49 . 2012-02-28 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-28 04:49 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-26 06:01 . 2012-02-26 06:01 147968 --sha-r- c:\windows\system32\xpssvcsw.dll
2012-02-25 21:19 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B97CD877-C169-4624-8EB0-9AAB202F89D0}\mpengine.dll
2012-02-24 09:49 . 2012-02-27 05:46 -------- d-----w- c:\programdata\my-books
2012-02-24 09:49 . 2012-02-24 09:50 -------- d-----w- c:\program files\my-books
2012-02-22 09:39 . 2012-02-22 09:39 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2012-02-22 09:39 . 2012-02-22 09:39 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-22 09:39 . 2012-02-22 09:39 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-22 09:39 . 2012-02-22 09:39 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-22 06:33 . 2012-02-22 06:33 -------- d-----w- c:\users\Boon\AppData\Roaming\Visan
2012-02-22 06:33 . 2012-02-22 06:33 -------- d-----w- c:\programdata\Visan
2012-02-16 15:09 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 15:05 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 15:05 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 15:04 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-11 04:25 . 2011-10-28 14:36 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-02-11 04:25 . 2012-02-11 04:24 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6EE4C1D8-47CE-4EAC-A1BF-5E26CABCDA2C}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2011-10-28 14:37 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-31 12:44 . 2009-10-01 08:49 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-06-18 399736]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-06 1866864]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-13 604704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-17 248040]
"Netdrive"="c:\program files\MacroData Inc\NetDrive\netdrive.exe" [2010-10-08 3284992]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-01 843712]
.
c:\users\Boon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Boon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DLPortIO;DriverLINX Port I/O Driver; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 136176]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-08-07 25728]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 136176]
R3 libusb0;Atmel - LibUsb Kernel Driver 07/07/2009, 1.12.0.1;c:\windows\system32\DRIVERS\libusb0.sys [2010-01-27 21504]
R3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-06-27 9216]
R3 MCHPUSB;MCHPUSB;c:\windows\system32\DRIVERS\mchpusb.sys [2007-12-19 53760]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 ndfs;ndfs;c:\program files\MacroData Inc\NetDrive\ndfs.sys [2010-10-07 47680]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 PsSdk30;PsSdk30;c:\windows\system32\Drivers\PsSdk30.drv [x]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-15 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-15 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-15 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-15 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-15 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-15 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-15 115752]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\usbsnoop.sys [2010-04-03 23972]
R3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\usbsnpys.sys [2010-04-03 92544]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]
R3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys [2010-09-07 106752]
R3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\DRIVERS\zghsmdm.sys [2010-09-07 106752]
R3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\DRIVERS\zghsnmea.sys [2010-09-07 106752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 inpout32;inpout32;c:\windows\system32\Drivers\inpout32.sys [2011-10-22 11936]
S2 ndsvc;NetDrive Service;c:\program files\MacroData Inc\NetDrive\ndsvc.exe [2010-10-11 2106368]
S3 hhdusbh32;HHD Software USB Monitoring Filter Driver;c:\windows\system32\DRIVERS\hhdusbh32.sys [2010-04-02 35968]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-06 20080]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-08 27632]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\BXWUHA.job
- c:\windows\system32\xpssvcsw.dll [2012-02-26 06:01]
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 05:04]
.
2012-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 05:04]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1429542791-999459522-532515822-1004Core.job
- c:\users\Boon\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-31 05:47]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1429542791-999459522-532515822-1004UA.job
- c:\users\Boon\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-31 05:47]
.
2012-02-22 c:\windows\Tasks\my-books Communicator.job
- c:\programdata\my-books\MessageCheck.exe [2012-02-24 09:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
TCP: DhcpNameServer = 58.28.4.2 58.28.6.2 58.28.5.2
FF - ProfilePath - c:\users\Boon\AppData\Roaming\Mozilla\Firefox\Profiles\a00io6kb.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PsSdk30]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3868)
c:\users\Boon\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
Completion time: 2012-03-10 08:13:31
ComboFix-quarantined-files.txt 2012-03-09 19:13
ComboFix2.txt 2012-03-09 09:16
ComboFix3.txt 2012-03-09 04:48
ComboFix4.txt 2012-03-01 07:37
.
Pre-Run: 7,817,510,912 bytes free
Post-Run: 7,762,919,424 bytes free
.
- - End Of File - - E10D9A65B1A603C01CBAFDFC4555A4E0
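A triage helper for ComboFix output of the kind posted above, added here as an example that is not part of this thread and not ComboFix's own code: it parses the "Files Created" rows and the "Scheduled Tasks" section from a constructed fragment shaped like the log, and flags a task whose target is a DLL recently dropped in system32 with system+hidden attributes, which is exactly the BXWUHA.job / xpssvcsw.dll pairing the helper asked to remove. All function names and the sample fragment are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample fragment shaped like the ComboFix log in this thread
# (not the real log; only the rows needed for the demonstration).
SAMPLE_LOG = r"""
2012-02-26 06:01 . 2012-02-26 06:01 147968 --sha-r- c:\windows\system32\xpssvcsw.dll
2012-02-22 09:39 . 2012-02-22 09:39 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2012-02-28 04:49 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-24 09:49 . 2012-02-24 09:50 -------- d-----w- c:\program files\my-books
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\BXWUHA.job
- c:\windows\system32\xpssvcsw.dll [2012-02-26 06:01]
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-18 05:04]
.
2012-02-22 c:\windows\Tasks\my-books Communicator.job
- c:\programdata\my-books\MessageCheck.exe [2012-02-24 09:54]
.
------- Supplementary Scan -------
"""

# "Files Created" row layout: created . modified size attrs path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$")
# Scheduled task entry: a dated .job line followed by "- <target> [timestamp]"
TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")


@dataclass
class Finding:
    task: str
    target: str
    reasons: list


def parse_created_files(text):
    """Return {lowercase path: attribute string} for every 'Files Created' row.

    ComboFix attribute strings are 8 characters: 'd' marks a directory,
    's' system, 'h' hidden, 'a' archive, 'r' read-only (e.g. '--sha-r-').
    """
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            files[m.group(5).strip().lower()] = m.group(4)
    return files


def parse_tasks(text):
    """Return [(job path, target path)] pairs from the 'Scheduled Tasks' section."""
    tasks, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            tasks.append((pending, m.group(1).strip()))
            pending = None
    return tasks


def hidden_system_files(files):
    """Recently created non-directory files carrying both system and hidden bits."""
    return sorted(p for p, a in files.items()
                  if not a.startswith("d") and "s" in a and "h" in a)


def triage(text):
    """Flag scheduled tasks matching the persistence pattern seen in this thread."""
    files = parse_created_files(text)
    findings = []
    for task, target in parse_tasks(text):
        low = target.lower()
        reasons = []
        ext = low.rsplit(".", 1)[-1] if "." in low else ""
        if ext != "exe":
            # A .job that points at a DLL rather than an executable is unusual.
            reasons.append("task target is a .%s, not an .exe" % ext)
        attrs = files.get(low)
        if attrs is not None and "\\system32\\" in low:
            reasons.append("target was created in system32 during the scan window")
        if attrs is not None and "s" in attrs and "h" in attrs:
            reasons.append("target has system+hidden attributes (%s)" % attrs)
        if reasons:
            findings.append(Finding(task, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.task, "->", f.target)
        for r in f.reasons:
            print("   ", r)
```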

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:35 PM

Posted 09 March 2012 - 03:06 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
c:\windows\Tasks\BXWUHA.job
c:\windows\system32\xpssvcsw.dll
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\


#14 boon_nz

boon_nz
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:35 PM

Posted 09 March 2012 - 03:33 PM

Hi Gringo,

That seemed to do it! MSE started fine. I started the windows security service and updated MSE and all seems OK!

Is there anything more I should do? I cannot see any remaining problems.

Your help has been incredible and I will be making a donation as a thank you.

Log is attached:



BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\tasks\bxwuha.job", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\xpssvcsw.dll", destinationFile = "(null)", replaceWithDummy = 0

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:35 PM

Posted 09 March 2012 - 03:37 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Adobe Reader 9.5.0
µTorrent
Java™ 6 Update 20


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




