Malware redirecting Google search results and disables Windows Security


  • This topic is locked
18 replies to this topic

#1 mikemikemikemikemike

  • Members
  • 9 posts

Posted 06 March 2012 - 10:57 AM

I'm using Windows 7 Ultimate 64bit. I have tried HitmanPro, Avira, Ad-Aware, and Housecall. Some of these have detected some stuff, but none were able to fix my problem. I don't know if these are relevant or not but I figure I'll post them in case they are.

HitmanPro found:
C:\Windows\SysWOW64\pbsvc.eve
C:\Windows\SysWOW64\GameMon.dex
C:\Users\MT\AppData\Local\Temp\ICReinstall

Ad-Aware found:
Description: c:\users\mt\appdata\local\temp\gnstvn.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 799954ca0a8359b741774ba3a5e3417c
Description: c:\users\mt\appdata\local\temp\ikstun.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: cd60e5417d0c0d55b382f4f156866508
Description: c:\$recycle.bin\s-1-5-21-1088705886-981287941-3149203639-1001\$reaay32.dll Family Name: Trojan.Win32.Buzus Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: 5855a1853c83728294ffb3285a6731b0
Description: c:\$recycle.bin\s-1-5-21-1088705886-981287941-3149203639-1001\$rm2pxe3.rar::arcane.dll Family Name: Trojan.Win32.Buzus Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5:

Avira found a few too but when I checked the logs all the scan results said No virus or unwanted programs found.

I also had problem downloading DDS Tool. I had to right click and save as to get it. Just clicking the link didn't work. Didn't have the same problem with Defogger.





DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by MT at 8:37:54 on 2012-03-06
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.2.1033.18.4063.2157 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\sppsvc.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\MT\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Akamai NetSession Interface] "C:\Users\MT\AppData\Local\Akamai\netsession_win.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\Users\MT\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WHITES~1.LNK - C:\Users\MT\AppData\Local\Temp\WSBandoo.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 75.153.176.1
TCP: Interfaces\{9292E807-A438-4822-9660-453A492EE99F} : DhcpNameServer = 192.168.1.254 75.153.176.1
TCP: Interfaces\{9292E807-A438-4822-9660-453A492EE99F}\3557E6E6976716C656 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9292E807-A438-4822-9660-453A492EE99F}\37725707C202C6F637562737027786F60237475616C6 : DhcpNameServer = 64.59.184.13 64.59.184.15 64.59.190.242
TCP: Interfaces\{9292E807-A438-4822-9660-453A492EE99F}\46C696E6B6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9292E807-A438-4822-9660-453A492EE99F}\C497E6 : DhcpNameServer = 64.59.184.13 64.59.184.15 64.59.190.242
TCP: Interfaces\{9292E807-A438-4822-9660-453A492EE99F}\C696E6B6379737 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AE1BBDBA-1272-4D9E-A71E-56FE5112E4E3} : DhcpNameServer = 64.59.184.13 64.59.184.15 64.59.190.242
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
IFEO: taskmgr.exe - "C:\PROGRAM FILES (X86)\PROCESS EXPLORER\PROCEXP.EXE"
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO-X64: uTorrentBar - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
IFEO-X64: taskmgr.exe - "C:\PROGRAM FILES (X86)\PROCESS EXPLORER\PROCEXP.EXE"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\MT\AppData\Roaming\Mozilla\Firefox\Profiles\nhg58lx6.default\
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\MT\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Windows\system32\npmproxy.dll
FF - plugin: C:\Windows\system32\npOGPPlugin.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 shpf;Sony HDD Protection Filter Driver;C:\Windows\system32\DRIVERS\shpf.sys --> C:\Windows\system32\DRIVERS\shpf.sys [?]
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;C:\Windows\system32\Drivers\CSN5PDTS82x64.sys --> C:\Windows\system32\Drivers\CSN5PDTS82x64.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-3-6 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-3-6 110032]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 BDVEDISK;BDVEDISK;C:\Program Files\BitDefender\BitDefender 2010\bdvedisk.sys [2009-4-1 103944]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 HitmanProScheduler;HitmanPro Scheduler;C:\Program Files\HitmanPro\hmpsched.exe [2012-3-6 96072]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys --> C:\Windows\system32\DRIVERS\SFEP.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S1 CsNdisLWF;CsNdisLWF NDIS Protocol Driver;C:\Windows\System32\drivers\CsNdisLWF.sys [2012-3-1 25688]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2012-03-06 15:04:34 -------- d-----w- C:\Program Files\HitmanPro
2012-03-06 15:04:16 -------- d-----w- C:\ProgramData\HitmanPro
2012-03-06 14:23:39 -------- d-----w- C:\Users\MT\AppData\Roaming\Avira
2012-03-06 14:19:08 97312 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-03-06 14:19:08 27760 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2012-03-06 14:19:07 -------- d-----w- C:\ProgramData\Avira
2012-03-06 14:19:07 -------- d-----w- C:\Program Files (x86)\Avira
2012-03-06 11:43:49 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2012-03-06 11:40:31 -------- d-----w- C:\Program Files (x86)\Lavasoft
2012-03-06 11:38:08 -------- d-----w- C:\Users\MT\AppData\Roaming\QuickScan
2012-03-06 10:38:23 -------- d-----w- C:\Users\MT\AppData\Roaming\Malwarebytes
2012-03-06 10:38:16 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-06 10:26:54 102400 ----a-w- C:\Windows\RegBootClean.exe
2012-03-06 10:20:50 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2012-03-06 10:00:15 147456 --sha-r- C:\Windows\SysWow64\taskkill8.dll
2012-03-02 23:35:33 -------- d-----w- C:\AeriaGames
2012-03-02 18:30:48 -------- d-----w- C:\Users\MT\AppData\Local\SCE
2012-03-01 18:30:26 -------- d-----w- C:\Users\MT\AppData\Roaming\Colasoft MAC Scanner
2012-03-01 18:30:26 -------- d-----w- C:\Program Files (x86)\Common Files\Colasoft Shared
2012-03-01 18:30:24 -------- d-----w- C:\ProgramData\Colasoft Capsa 7 - Enterprise Edition Demo
2012-03-01 18:28:17 34840 ----a-w- C:\Windows\System32\drivers\CSN5PDTS82x64.sys
2012-03-01 18:28:17 25688 ----a-w- C:\Windows\SysWow64\drivers\CsNdisLWF.sys
2012-03-01 18:28:17 25688 ----a-w- C:\Windows\System32\drivers\CsNdisLWF.sys
2012-03-01 18:28:07 -------- d-----w- C:\Program Files (x86)\Colasoft Capsa 7 Enterprise Demo Edition
2012-02-27 14:49:44 -------- d-----w- C:\Nexon
2012-02-16 17:12:49 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-02-16 17:12:48 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-02-16 17:12:11 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-02-16 17:12:10 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-02-16 17:12:09 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-02-16 17:12:06 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-02-16 17:12:02 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2012-02-16 17:12:02 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2012-02-11 09:15:51 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2012-02-10 20:56:30 -------- d-----w- C:\Program Files (x86)\THQ
2012-02-10 09:58:47 -------- d-----w- C:\Users\MT\AppData\Roaming\Activision
2012-02-09 05:56:14 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
.
==================== Find3M ====================
.
2012-03-02 18:30:50 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2011-12-28 20:55:20 431104 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-12-28 20:55:20 136192 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-12-28 20:55:19 409600 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-12-28 20:55:19 114688 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
.
============= FINISH: 8:38:44.86 ===============
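An added example (not part of this thread, and not DDS or ComboFix code) of how a responder can triage the "Created Last 30" / "Files Created" and "Scheduled Tasks" entries in logs like the one above. It parses the DDS single-timestamp lines and the ComboFix "created . modified" lines (so it also applies to the ComboFix log later in the thread), then flags three things worth a closer look: a hidden+system file created in a Windows system directory, an executable created in a Temp directory, and a scheduled task whose action is a host process such as rundll32.exe, where the payload it loads is not visible in the log. The sample input reuses lines from the logs in this thread plus one constructed Temp-directory line with a placeholder file name; the flags are triage hints, not verdicts.

```python
"""Triage helper for DDS / ComboFix log entries (added example, not DDS or ComboFix
code). Parses 'Created Last 30' / 'Files Created' file lines and 'Scheduled Tasks'
entries, then flags items a responder would want to inspect. Flags are triage
hints, not verdicts: every hit still needs a look at the file or .job itself."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the DDS log (single timestamp) and the
# ComboFix log (created . modified timestamps) in this thread, plus ONE constructed
# line with a placeholder file name to exercise the Temp-directory rule.
SAMPLE_FILE_LINES = r"""
2012-03-06 14:19:08 97312 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-03-06 10:00:15 147456 --sha-r- C:\Windows\SysWow64\taskkill8.dll
2012-03-02 23:35:33 -------- d-----w- C:\AeriaGames
2012-03-06 10:05:00 61440 ----a-w- C:\Users\MT\AppData\Local\Temp\PLACEHOLDER_dropper.exe
2012-03-06 10:20 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-03-06 10:00 . 2012-03-06 10:00 147456 --sha-r- c:\windows\SysWow64\taskkill8.dll
"""

# Constructed sample: two task entries copied from the ComboFix log in this thread.
SAMPLE_TASK_LINES = r"""
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1088705886-981287941-3149203639-1001UA.job
- c:\users\MT\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-01 08:01]
.
2012-03-07 c:\windows\Tasks\Tgyoc.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
"""

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"  # creation timestamp
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"     # ComboFix only: modified timestamp
    r" (?P<size>-{8}|\d+)"                                      # byte size, or -------- for a directory
    r" (?P<attrs>[-a-z]{8})"                                    # attribute flags, e.g. --sha-r-
    r" (?P<path>.+)$"
)
TASK_LINE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<job>.+\.job)$", re.IGNORECASE)
TASK_ACTION = re.compile(r"^- (?P<action>.+?) \[[^\]]*\]$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".tmp")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Host processes whose real payload (a DLL or script) is an argument the log does not show.
HOST_PROCESSES = ("rundll32.exe", "regsvr32.exe", "cscript.exe", "wscript.exe")


@dataclass
class FileEntry:
    created: str
    modified: Optional[str]   # only present in ComboFix lines
    size: Optional[int]       # None for directories
    attrs: str                # letters as DDS prints them: d directory, s system, h hidden, a archive
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_file_lines(text: str) -> List[FileEntry]:
    """Return one FileEntry per recognised line; headers, '.' separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def parse_tasks(text: str) -> List[Tuple[str, Optional[str]]]:
    """Pair each '<date> <job>' line with the '- <action> [stamp]' line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    tasks = []
    for i, line in enumerate(lines):
        m = TASK_LINE.match(line)
        if m:
            a = TASK_ACTION.match(lines[i + 1]) if i + 1 < len(lines) else None
            tasks.append((m["job"], a["action"] if a else None))
    return tasks


def flag_file(e: FileEntry) -> List[str]:
    """Heuristic reasons to inspect a file entry; an empty list means nothing stood out."""
    reasons = []
    p = e.path.lower()
    if e.is_dir:
        return reasons
    if "\\temp\\" in p and p.endswith(EXEC_EXT):
        reasons.append("executable created in a Temp directory")
    if e.hidden_system and any(d in p for d in SYSTEM_DIRS):
        reasons.append("hidden+system file created in a Windows system directory")
    return reasons


def flag_task(job: str, action: Optional[str]) -> List[str]:
    if action and action.lower().endswith(HOST_PROCESSES):
        return ["task runs a host process; its payload is not in the log, open the .job file"]
    return []


def triage(file_text: str, task_text: str) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for every flagged file entry and scheduled task."""
    findings = [(e.path, r) for e in parse_file_lines(file_text) for r in flag_file(e)]
    findings += [(job, r) for job, action in parse_tasks(task_text) for r in flag_task(job, action)]
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_FILE_LINES, SAMPLE_TASK_LINES):
        print(f"{reason}: {item}")
```

Run on the sample, it flags the hidden+system DLL in SysWow64 from both logs, the constructed Temp executable, and the Tgyoc.job task; the Avira driver, the installer-copied tmcomm.sys and the Google Update task produce nothing, which is the point of pairing rules with plain parsing: the log is read once, and the rules can be tightened or loosened without touching the parser.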


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 06 March 2012 - 12:04 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 mikemikemikemikemike (Topic Starter)

  • Members
  • 9 posts

Posted 06 March 2012 - 08:21 PM

There were no problems with ComboFix but the malware is still here. Still getting redirects and Windows Security can't start. I should mention not every link is redirected, only about half do.

I started ComboFix before I thought Avira was finished uninstalling. It was only a couple of seconds' difference. That shouldn't be a problem.


ComboFix 12-03-06.01 - MT 06/03/2012 17:35:18.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.2.1033.18.4063.2894 [GMT -7:00]
Running from: c:\users\MT\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
.
.
2012-03-06 15:04 . 2012-03-06 15:04 -------- d-----w- c:\program files\HitmanPro
2012-03-06 15:04 . 2012-03-06 15:13 -------- d-----w- c:\programdata\HitmanPro
2012-03-06 11:43 . 2012-03-06 11:43 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-06 11:40 . 2012-03-06 14:40 -------- d-----w- c:\program files (x86)\Lavasoft
2012-03-06 11:40 . 2012-03-06 14:26 -------- d-----w- c:\programdata\Lavasoft
2012-03-06 11:38 . 2012-03-06 11:38 -------- d-----w- c:\users\MT\AppData\Roaming\QuickScan
2012-03-06 10:38 . 2012-03-06 10:38 -------- d-----w- c:\users\MT\AppData\Roaming\Malwarebytes
2012-03-06 10:38 . 2012-03-06 10:38 -------- d-----w- c:\programdata\Malwarebytes
2012-03-06 10:26 . 2012-03-06 10:26 102400 ----a-w- c:\windows\RegBootClean.exe
2012-03-06 10:20 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-03-06 10:00 . 2012-03-06 10:00 147456 --sha-r- c:\windows\SysWow64\taskkill8.dll
2012-03-02 23:35 . 2012-03-03 17:51 -------- d-----w- C:\AeriaGames
2012-03-02 18:30 . 2012-03-02 18:30 -------- d-----w- c:\users\MT\AppData\Local\SCE
2012-03-02 18:30 . 2012-03-02 18:30 -------- d-----w- c:\users\Public\Sony Online Entertainment
2012-03-01 18:30 . 2012-03-01 18:30 -------- d-----w- c:\users\MT\AppData\Roaming\Colasoft MAC Scanner
2012-03-01 18:30 . 2012-03-01 18:30 -------- d-----w- c:\program files (x86)\Common Files\Colasoft Shared
2012-03-01 18:30 . 2012-03-01 18:30 -------- d-----w- c:\programdata\Colasoft Capsa 7 - Enterprise Edition Demo
2012-03-01 18:28 . 2010-10-11 21:57 25688 ----a-w- c:\windows\SysWow64\drivers\CsNdisLWF.sys
2012-03-01 18:28 . 2010-10-11 21:57 25688 ----a-w- c:\windows\system32\drivers\CsNdisLWF.sys
2012-03-01 18:28 . 2010-05-20 22:13 34840 ----a-w- c:\windows\system32\drivers\CSN5PDTS82x64.sys
2012-03-01 18:28 . 2012-03-01 18:44 -------- d-----w- c:\program files (x86)\Colasoft Capsa 7 Enterprise Demo Edition
2012-02-27 14:49 . 2012-03-02 18:32 -------- d-----w- C:\Nexon
2012-02-19 21:45 . 2012-02-19 21:45 -------- d-----w- c:\windows\system32\Macromed
2012-02-16 17:12 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 17:12 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 17:12 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 17:12 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-16 17:12 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-16 17:12 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 17:12 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 17:12 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-11 09:15 . 2012-02-11 09:15 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-02-10 20:56 . 2012-02-21 08:20 -------- d-----w- c:\program files (x86)\THQ
2012-02-10 09:58 . 2012-02-10 09:58 -------- d-----w- c:\users\MT\AppData\Roaming\Activision
2012-02-09 05:56 . 2012-02-09 05:59 -------- d-----w- c:\program files (x86)\Common Files\Steam
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-02 18:30 . 2011-11-15 16:35 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-31 12:44 . 2010-01-12 22:04 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-28 20:55 . 2011-12-28 20:55 431104 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-28 20:55 . 2011-12-28 20:55 136192 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-28 20:55 . 2011-12-28 20:55 409600 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-12-28 20:55 . 2011-12-28 20:55 114688 ----a-w- c:\windows\SysWow64\OpenAL32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\MT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WhiteSmoke Writer 2010+.lnk - c:\users\MT\AppData\Local\Temp\WSBandoo.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 CSN5PDTS82;CSN5PDTS82 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82.sys [x]
R1 CsNdisLWF;CsNdisLWF NDIS Protocol Driver;c:\windows\system32\Drivers\CsNdisLWF.sys [2010-10-11 25688]
R3 BDFM;BDFM;c:\windows\system32\DRIVERS\bdfm.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\GamesCampus\Asdastory\system\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Gun;Gun;c:\game\SoftnyxGame\GunBoundIS\Gun64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 X6va001;X6va001;c:\users\MT\AppData\Local\Temp\001C042.tmp [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\DRIVERS\shpf.sys [x]
S1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82x64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [2010-05-04 103944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-03-06 96072]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1088705886-981287941-3149203639-1001Core.job
- c:\users\MT\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-01 08:01]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1088705886-981287941-3149203639-1001UA.job
- c:\users\MT\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-01 08:01]
.
2012-03-07 c:\windows\Tasks\Tgyoc.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.254 75.153.176.1
FF - ProfilePath - c:\users\MT\AppData\Roaming\Mozilla\Firefox\Profiles\nhg58lx6.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\MT\AppData\Local\Akamai\netsession_win.exe
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va001]
"ImagePath"="\??\c:\users\MT\AppData\Local\Temp\001C042.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1088705886-981287941-3149203639-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:69,6b,45,5b,6f,44,3d,dd,37,09,fb,94,d4,6c,c0,09,41,7e,e2,ee,fd,39,39,
c6,f3,3d,6c,c7,70,a0,a2,92,19,2f,17,23,37,75,18,c0,88,dc,e4,08,50,a4,bc,70,\
"??"=hex:fc,9f,b4,ad,8c,41,1b,d0,55,8b,8b,d8,79,a9,cf,6f
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
.
**************************************************************************
.
Completion time: 2012-03-06 17:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-07 00:52
.
Pre-Run: 92,169,060,352 bytes free
Post-Run: 93,047,783,424 bytes free
.
- - End Of File - - 6F6BF8537D9165A2FDF02C36C71A8B23

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 March 2012 - 09:04 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 mikemikemikemikemike

mikemikemikemikemike
  • Topic Starter

  • Members
  • 9 posts

Posted 07 March 2012 - 02:06 AM

23:45:34.0665 4320 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
23:45:35.0086 4320 ============================================================
23:45:35.0086 4320 Current date / time: 2012/03/06 23:45:35.0086
23:45:35.0086 4320 SystemInfo:
23:45:35.0086 4320
23:45:35.0086 4320 OS Version: 6.1.7601 ServicePack: 1.0
23:45:35.0086 4320 Product type: Workstation
23:45:35.0086 4320 ComputerName: MTM
23:45:35.0086 4320 UserName: MT
23:45:35.0086 4320 Windows directory: C:\Windows
23:45:35.0086 4320 System windows directory: C:\Windows
23:45:35.0086 4320 Running under WOW64
23:45:35.0086 4320 Processor architecture: Intel x64
23:45:35.0086 4320 Number of processors: 2
23:45:35.0086 4320 Page size: 0x1000
23:45:35.0086 4320 Boot type: Normal boot
23:45:35.0086 4320 ============================================================
23:45:36.0350 4320 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:45:36.0365 4320 \Device\Harddisk0\DR0:
23:45:36.0365 4320 MBR used
23:45:36.0365 4320 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x13F4000, BlocksNum 0x2403A2B0
23:45:36.0396 4320 Initialize success
23:45:36.0396 4320 ============================================================
23:45:39.0126 4180 ============================================================
23:45:39.0126 4180 Scan started
23:45:39.0126 4180 Mode: Manual;
23:45:39.0126 4180 ============================================================
23:45:44.0446 4180 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
23:45:44.0462 4180 1394ohci - ok
23:45:44.0540 4180 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
23:45:44.0555 4180 ACPI - ok
23:45:44.0587 4180 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
23:45:44.0587 4180 AcpiPmi - ok
23:45:44.0649 4180 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
23:45:44.0649 4180 adp94xx - ok
23:45:44.0696 4180 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
23:45:44.0711 4180 adpahci - ok
23:45:44.0743 4180 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
23:45:44.0743 4180 adpu320 - ok
23:45:44.0821 4180 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
23:45:44.0821 4180 AFD - ok
23:45:44.0883 4180 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
23:45:44.0899 4180 agp440 - ok
23:45:44.0961 4180 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
23:45:44.0961 4180 aliide - ok
23:45:45.0008 4180 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
23:45:45.0008 4180 amdide - ok
23:45:45.0086 4180 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
23:45:45.0086 4180 AmdK8 - ok
23:45:45.0133 4180 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
23:45:45.0133 4180 AmdPPM - ok
23:45:45.0195 4180 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
23:45:45.0195 4180 amdsata - ok
23:45:45.0257 4180 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
23:45:45.0257 4180 amdsbs - ok
23:45:45.0320 4180 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
23:45:45.0335 4180 amdxata - ok
23:45:45.0398 4180 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
23:45:45.0398 4180 AppID - ok
23:45:45.0476 4180 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
23:45:45.0476 4180 arc - ok
23:45:45.0507 4180 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
23:45:45.0507 4180 arcsas - ok
23:45:45.0569 4180 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
23:45:45.0569 4180 AsyncMac - ok
23:45:45.0632 4180 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
23:45:45.0632 4180 atapi - ok
23:45:45.0835 4180 atikmdag (a29087680a1c3b049e3c05438e8ff2b8) C:\Windows\system32\DRIVERS\atikmdag.sys
23:45:45.0866 4180 atikmdag - ok
23:45:45.0944 4180 atksgt (09149d03629a44f4773e621c432d1d89) C:\Windows\system32\DRIVERS\atksgt.sys
23:45:45.0959 4180 atksgt - ok
23:45:46.0037 4180 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
23:45:46.0037 4180 b06bdrv - ok
23:45:46.0115 4180 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
23:45:46.0115 4180 b57nd60a - ok
23:45:46.0147 4180 BDFM - ok
23:45:46.0209 4180 bdfsfltr (abd97bfb299713a51fe36aaab71f73a2) C:\Windows\system32\DRIVERS\bdfsfltr.sys
23:45:46.0209 4180 bdfsfltr - ok
23:45:46.0303 4180 BDVEDISK (b89deff4817b4cc6fc2bcd8f83b4e75d) C:\Program Files\BitDefender\BitDefender 2010\bdvedisk.sys
23:45:46.0303 4180 BDVEDISK - ok
23:45:46.0334 4180 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
23:45:46.0334 4180 Beep - ok
23:45:46.0396 4180 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
23:45:46.0396 4180 blbdrive - ok
23:45:46.0459 4180 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
23:45:46.0459 4180 bowser - ok
23:45:46.0521 4180 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
23:45:46.0521 4180 BrFiltLo - ok
23:45:46.0552 4180 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
23:45:46.0552 4180 BrFiltUp - ok
23:45:46.0615 4180 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
23:45:46.0615 4180 BridgeMP - ok
23:45:46.0661 4180 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
23:45:46.0661 4180 Brserid - ok
23:45:46.0693 4180 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
23:45:46.0693 4180 BrSerWdm - ok
23:45:46.0739 4180 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
23:45:46.0739 4180 BrUsbMdm - ok
23:45:46.0786 4180 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
23:45:46.0786 4180 BrUsbSer - ok
23:45:46.0849 4180 BthEnum (cf98190a94f62e405c8cb255018b2315) C:\Windows\system32\drivers\BthEnum.sys
23:45:46.0849 4180 BthEnum - ok
23:45:46.0895 4180 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
23:45:46.0895 4180 BTHMODEM - ok
23:45:46.0958 4180 BthPan (02dd601b708dd0667e1331fa8518e9ff) C:\Windows\system32\DRIVERS\bthpan.sys
23:45:46.0958 4180 BthPan - ok
23:45:47.0036 4180 BTHPORT (64c198198501f7560ee41d8d1efa7952) C:\Windows\System32\Drivers\BTHport.sys
23:45:47.0036 4180 BTHPORT - ok
23:45:47.0083 4180 BTHUSB (f188b7394d81010767b6df3178519a37) C:\Windows\System32\Drivers\BTHUSB.sys
23:45:47.0083 4180 BTHUSB - ok
23:45:47.0114 4180 catchme - ok
23:45:47.0176 4180 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
23:45:47.0176 4180 cdfs - ok
23:45:47.0254 4180 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\drivers\cdrom.sys
23:45:47.0254 4180 cdrom - ok
23:45:47.0301 4180 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
23:45:47.0301 4180 circlass - ok
23:45:47.0348 4180 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
23:45:47.0363 4180 CLFS - ok
23:45:47.0426 4180 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
23:45:47.0426 4180 CmBatt - ok
23:45:47.0488 4180 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
23:45:47.0488 4180 cmdide - ok
23:45:47.0566 4180 CNG (c4943b6c962e4b82197542447ad599f4) C:\Windows\system32\Drivers\cng.sys
23:45:47.0566 4180 CNG - ok
23:45:47.0644 4180 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
23:45:47.0644 4180 Compbatt - ok
23:45:47.0722 4180 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
23:45:47.0722 4180 CompositeBus - ok
23:45:47.0785 4180 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
23:45:47.0785 4180 crcdisk - ok
23:45:47.0878 4180 CSC (54da3dfd29ed9f1619b6f53f3ce55e49) C:\Windows\system32\drivers\csc.sys
23:45:47.0878 4180 CSC - ok
23:45:47.0956 4180 CSN5PDTS82 - ok
23:45:48.0019 4180 CSN5PDTS82x64 (e7956db62954eca3ffd2ac88f6b83bb4) C:\Windows\system32\Drivers\CSN5PDTS82x64.sys
23:45:48.0019 4180 CSN5PDTS82x64 - ok
23:45:48.0081 4180 CsNdisLWF (7728f26b6660c96e87a4fcd89d8fb56c) C:\Windows\system32\Drivers\CsNdisLWF.sys
23:45:48.0081 4180 CsNdisLWF - ok
23:45:48.0175 4180 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
23:45:48.0175 4180 DfsC - ok
23:45:48.0221 4180 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
23:45:48.0221 4180 discache - ok
23:45:48.0284 4180 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
23:45:48.0284 4180 Disk - ok
23:45:48.0362 4180 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
23:45:48.0362 4180 drmkaud - ok
23:45:48.0424 4180 dump_wmimmc - ok
23:45:48.0502 4180 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
23:45:48.0518 4180 DXGKrnl - ok
23:45:48.0565 4180 EagleX64 - ok
23:45:48.0721 4180 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
23:45:48.0752 4180 ebdrv - ok
23:45:48.0830 4180 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
23:45:48.0830 4180 elxstor - ok
23:45:48.0877 4180 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
23:45:48.0877 4180 ErrDev - ok
23:45:48.0923 4180 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
23:45:48.0923 4180 exfat - ok
23:45:48.0970 4180 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
23:45:48.0970 4180 fastfat - ok
23:45:49.0017 4180 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
23:45:49.0017 4180 fdc - ok
23:45:49.0079 4180 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
23:45:49.0079 4180 FileInfo - ok
23:45:49.0111 4180 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
23:45:49.0111 4180 Filetrace - ok
23:45:49.0157 4180 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
23:45:49.0157 4180 flpydisk - ok
23:45:49.0204 4180 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
23:45:49.0204 4180 FltMgr - ok
23:45:49.0251 4180 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
23:45:49.0251 4180 FsDepends - ok
23:45:49.0282 4180 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
23:45:49.0282 4180 Fs_Rec - ok
23:45:49.0329 4180 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
23:45:49.0329 4180 fvevol - ok
23:45:49.0438 4180 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
23:45:49.0454 4180 gagp30kx - ok
23:45:49.0485 4180 Gun - ok
23:45:49.0547 4180 hamachi (1e6438d4ea6e1174a3b3b1edc4de660b) C:\Windows\system32\DRIVERS\hamachi.sys
23:45:49.0563 4180 hamachi - ok
23:45:49.0579 4180 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
23:45:49.0579 4180 hcw85cir - ok
23:45:49.0641 4180 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
23:45:49.0657 4180 HdAudAddService - ok
23:45:49.0735 4180 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
23:45:49.0735 4180 HDAudBus - ok
23:45:49.0797 4180 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
23:45:49.0797 4180 HidBatt - ok
23:45:49.0844 4180 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
23:45:49.0844 4180 HidBth - ok
23:45:49.0875 4180 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
23:45:49.0875 4180 HidIr - ok
23:45:49.0922 4180 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\drivers\hidusb.sys
23:45:49.0922 4180 HidUsb - ok
23:45:50.0047 4180 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
23:45:50.0047 4180 HpSAMD - ok
23:45:50.0125 4180 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
23:45:50.0125 4180 HTTP - ok
23:45:50.0171 4180 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
23:45:50.0187 4180 hwpolicy - ok
23:45:50.0218 4180 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
23:45:50.0234 4180 i8042prt - ok
23:45:50.0281 4180 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
23:45:50.0281 4180 iaStorV - ok
23:45:50.0359 4180 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
23:45:50.0359 4180 iirsp - ok
23:45:50.0421 4180 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
23:45:50.0421 4180 intelide - ok
23:45:50.0483 4180 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
23:45:50.0483 4180 intelppm - ok
23:45:50.0530 4180 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
23:45:50.0530 4180 IpFilterDriver - ok
23:45:50.0608 4180 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
23:45:50.0608 4180 IPMIDRV - ok
23:45:50.0671 4180 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
23:45:50.0686 4180 IPNAT - ok
23:45:50.0749 4180 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
23:45:50.0749 4180 IRENUM - ok
23:45:50.0811 4180 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
23:45:50.0811 4180 isapnp - ok
23:45:50.0889 4180 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
23:45:50.0889 4180 iScsiPrt - ok
23:45:50.0936 4180 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\drivers\kbdclass.sys
23:45:50.0936 4180 kbdclass - ok
23:45:50.0998 4180 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\drivers\kbdhid.sys
23:45:50.0998 4180 kbdhid - ok
23:45:51.0061 4180 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\Windows\system32\Drivers\ksecdd.sys
23:45:51.0061 4180 KSecDD - ok
23:45:51.0139 4180 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\Windows\system32\Drivers\ksecpkg.sys
23:45:51.0139 4180 KSecPkg - ok
23:45:51.0201 4180 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
23:45:51.0201 4180 ksthunk - ok
23:45:51.0295 4180 lirsgt (5ea407821bb3104c31a705175ab4f309) C:\Windows\system32\DRIVERS\lirsgt.sys
23:45:51.0295 4180 lirsgt - ok
23:45:51.0357 4180 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
23:45:51.0357 4180 lltdio - ok
23:45:51.0419 4180 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
23:45:51.0419 4180 LSI_FC - ok
23:45:51.0466 4180 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
23:45:51.0466 4180 LSI_SAS - ok
23:45:51.0529 4180 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
23:45:51.0529 4180 LSI_SAS2 - ok
23:45:51.0560 4180 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
23:45:51.0575 4180 LSI_SCSI - ok
23:45:51.0622 4180 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
23:45:51.0622 4180 luafv - ok
23:45:51.0669 4180 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
23:45:51.0669 4180 megasas - ok
23:45:51.0716 4180 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
23:45:51.0716 4180 MegaSR - ok
23:45:51.0763 4180 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
23:45:51.0763 4180 Modem - ok
23:45:51.0809 4180 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
23:45:51.0809 4180 monitor - ok
23:45:51.0887 4180 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\drivers\mouclass.sys
23:45:51.0887 4180 mouclass - ok
23:45:51.0965 4180 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
23:45:51.0965 4180 mouhid - ok
23:45:52.0012 4180 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
23:45:52.0012 4180 mountmgr - ok
23:45:52.0075 4180 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
23:45:52.0090 4180 MpFilter - ok
23:45:52.0137 4180 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
23:45:52.0137 4180 mpio - ok
23:45:52.0199 4180 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
23:45:52.0199 4180 MpNWMon - ok
23:45:52.0231 4180 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
23:45:52.0246 4180 mpsdrv - ok
23:45:52.0309 4180 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
23:45:52.0309 4180 MRxDAV - ok
23:45:52.0355 4180 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
23:45:52.0355 4180 mrxsmb - ok
23:45:52.0418 4180 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
23:45:52.0418 4180 mrxsmb10 - ok
23:45:52.0465 4180 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
23:45:52.0465 4180 mrxsmb20 - ok
23:45:52.0511 4180 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
23:45:52.0511 4180 msahci - ok
23:45:52.0589 4180 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
23:45:52.0605 4180 msdsm - ok
23:45:52.0636 4180 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
23:45:52.0652 4180 Msfs - ok
23:45:52.0683 4180 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
23:45:52.0683 4180 mshidkmdf - ok
23:45:52.0714 4180 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
23:45:52.0714 4180 msisadrv - ok
23:45:52.0777 4180 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
23:45:52.0777 4180 MSKSSRV - ok
23:45:52.0823 4180 msloop (103b3bbe23ab774b009d182276ec6786) C:\Windows\system32\DRIVERS\loop.sys
23:45:52.0823 4180 msloop - ok
23:45:52.0886 4180 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
23:45:52.0886 4180 MSPCLOCK - ok
23:45:52.0917 4180 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
23:45:52.0917 4180 MSPQM - ok
23:45:52.0979 4180 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
23:45:52.0995 4180 MsRPC - ok
23:45:53.0042 4180 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
23:45:53.0042 4180 mssmbios - ok
23:45:53.0089 4180 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
23:45:53.0089 4180 MSTEE - ok
23:45:53.0104 4180 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
23:45:53.0120 4180 MTConfig - ok
23:45:53.0135 4180 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
23:45:53.0135 4180 Mup - ok
23:45:53.0213 4180 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
23:45:53.0213 4180 NativeWifiP - ok
23:45:53.0307 4180 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
23:45:53.0307 4180 NDIS - ok
23:45:53.0354 4180 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
23:45:53.0354 4180 NdisCap - ok
23:45:53.0401 4180 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
23:45:53.0401 4180 NdisTapi - ok
23:45:53.0447 4180 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
23:45:53.0447 4180 Ndisuio - ok
23:45:53.0494 4180 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
23:45:53.0494 4180 NdisWan - ok
23:45:53.0525 4180 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
23:45:53.0525 4180 NDProxy - ok
23:45:53.0588 4180 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
23:45:53.0588 4180 NetBIOS - ok
23:45:53.0635 4180 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
23:45:53.0635 4180 NetBT - ok
23:45:53.0853 4180 netw5v64 (64428dfdaf6e88366cb51f45a79c5f69) C:\Windows\system32\DRIVERS\netw5v64.sys
23:45:53.0900 4180 netw5v64 - ok
23:45:53.0947 4180 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
23:45:53.0947 4180 nfrd960 - ok
23:45:53.0993 4180 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
23:45:53.0993 4180 NisDrv - ok
23:45:54.0040 4180 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
23:45:54.0040 4180 Npfs - ok
23:45:54.0071 4180 NPPTNT2 - ok
23:45:54.0118 4180 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
23:45:54.0118 4180 nsiproxy - ok
23:46:01.0965 4180 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
23:46:02.0027 4180 \Device\Harddisk0\DR0 - ok
23:46:02.0027 4180 Boot (0x1200) (26ab7678908667117049695a48812722) \Device\Harddisk0\DR0\Partition0
23:46:02.0043 4180 \Device\Harddisk0\DR0\Partition0 - ok
23:46:02.0043 4180 ============================================================
23:46:02.0043 4180 Scan finished
23:46:02.0043 4180 ============================================================
23:46:02.0059 1992 Detected object count: 0
23:46:02.0059 1992 Actual detected object count: 0

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-06 23:47:24
-----------------------------
23:47:24.369 OS Version: Windows x64 6.1.7601 Service Pack 1
23:47:24.369 Number of processors: 2 586 0x170A
23:47:24.369 ComputerName: MTM UserName: MT
23:47:26.022 Initialize success
23:47:28.893 AVAST engine defs: 12030600
23:47:31.342 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:47:31.342 Disk 0 Vendor: FUJITSU_MHZ2320BJ_G1 0000001E Size: 305245MB BusType: 11
23:47:31.358 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000007f
23:47:31.358 Disk 1 Vendor: RICOH 02 Size: 305245MB BusType: 0
23:47:31.404 Disk 0 MBR read successfully
23:47:31.404 Disk 0 MBR scan
23:47:31.404 Disk 0 Windows 7 default MBR code
23:47:31.436 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10215 MB offset 2048
23:47:31.436 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 295028 MB offset 20922368
23:47:31.482 Disk 0 scanning C:\Windows\system32\drivers
23:47:42.761 Service scanning
23:48:06.193 Modules scanning
23:48:06.208 Disk 0 trace - called modules:
23:48:06.255 ntoskrnl.exe CLASSPNP.SYS disk.sys shpf.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
23:48:06.255 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049b4790]
23:48:06.271 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa80049b36e0]
23:48:06.286 5 shpf.sys[fffff88001baf944] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046bf060]
23:48:07.675 AVAST engine scan C:\Windows
23:48:11.387 AVAST engine scan C:\Windows\system32
23:50:07.186 AVAST engine scan C:\Windows\system32\drivers
23:50:20.010 AVAST engine scan C:\Users\MT
23:57:11.788 AVAST engine scan C:\ProgramData
00:05:03.252 Scan finished successfully
00:05:20.771 Disk 0 MBR has been saved successfully to "C:\Users\MT\Desktop\MBR.dat"
00:05:20.771 The log file has been saved successfully to "C:\Users\MT\Desktop\aswMBR.txt"

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 PM

Posted 07 March 2012 - 11:52 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
c:\windows\SysWow64\taskkill8.dll
c:\users\MT\AppData\Local\Temp\WSBandoo.exe
c:\windows\Tasks\Tgyoc.job

Folder::
c:\program files (x86)\uTorrentBar

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 mikemikemikemikemike

  • Topic Starter
  • Members
  • 9 posts
  • Local time:08:13 PM

Posted 07 March 2012 - 09:22 PM

ComboFix still says I have Avira running even though I don't have it installed. I can now open up the window for Microsoft Security, but if I try to start it, it returns error 0x80070422. Should I try out Google? Getting redirected to these shady sites won't put me at further risk?

ComboFix 12-03-06.01 - MT 07/03/2012 18:49:43.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.2.1033.18.4063.2901 [GMT -7:00]
Running from: c:\users\MT\Desktop\ComboFix.exe
Command switches used :: c:\users\MT\Desktop\CFScript.txt
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\MT\AppData\Local\Temp\WSBandoo.exe"
"c:\windows\SysWow64\taskkill8.dll"
"c:\windows\Tasks\Tgyoc.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\uTorrentBar
c:\program files (x86)\uTorrentBar\GottenAppsContextMenu.xml
c:\program files (x86)\uTorrentBar\ldrtbuTor.dll
c:\program files (x86)\uTorrentBar\OtherAppsContextMenu.xml
c:\program files (x86)\uTorrentBar\prxtbuTor.dll
c:\program files (x86)\uTorrentBar\SharedAppsContextMenu.xml
c:\program files (x86)\uTorrentBar\tbuTor.dll
c:\program files (x86)\uTorrentBar\toolbar.cfg
c:\program files (x86)\uTorrentBar\ToolbarContextMenu.xml
c:\program files (x86)\uTorrentBar\uninstall.exe
c:\program files (x86)\uTorrentBar\uTorrentBarToolbarHelper.exe
c:\windows\SysWow64\taskkill8.dll
c:\windows\Tasks\Tgyoc.job
.
.
((((((((((((((((((((((((( Files Created from 2012-02-08 to 2012-03-08 )))))))))))))))))))))))))))))))
.
.
2012-03-08 01:59 . 2012-03-08 01:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-08 01:59 . 2012-03-08 01:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-03-07 01:23 . 2012-03-07 01:23 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-03-07 01:23 . 2012-03-07 01:23 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-06 15:04 . 2012-03-06 15:04 -------- d-----w- c:\program files\HitmanPro
2012-03-06 15:04 . 2012-03-06 15:13 -------- d-----w- c:\programdata\HitmanPro
2012-03-06 11:43 . 2012-03-06 11:43 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-06 11:40 . 2012-03-06 14:40 -------- d-----w- c:\program files (x86)\Lavasoft
2012-03-06 11:40 . 2012-03-06 14:26 -------- d-----w- c:\programdata\Lavasoft
2012-03-06 11:38 . 2012-03-06 11:38 -------- d-----w- c:\users\MT\AppData\Roaming\QuickScan
2012-03-06 10:38 . 2012-03-06 10:38 -------- d-----w- c:\users\MT\AppData\Roaming\Malwarebytes
2012-03-06 10:38 . 2012-03-06 10:38 -------- d-----w- c:\programdata\Malwarebytes
2012-03-06 10:26 . 2012-03-06 10:26 102400 ----a-w- c:\windows\RegBootClean.exe
2012-03-06 10:20 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-03-02 23:35 . 2012-03-03 17:51 -------- d-----w- C:\AeriaGames
2012-03-02 18:30 . 2012-03-02 18:30 -------- d-----w- c:\users\MT\AppData\Local\SCE
2012-03-02 18:30 . 2012-03-02 18:30 -------- d-----w- c:\users\Public\Sony Online Entertainment
2012-03-01 18:30 . 2012-03-01 18:30 -------- d-----w- c:\users\MT\AppData\Roaming\Colasoft MAC Scanner
2012-03-01 18:30 . 2012-03-01 18:30 -------- d-----w- c:\program files (x86)\Common Files\Colasoft Shared
2012-03-01 18:30 . 2012-03-01 18:30 -------- d-----w- c:\programdata\Colasoft Capsa 7 - Enterprise Edition Demo
2012-03-01 18:28 . 2010-10-11 21:57 25688 ----a-w- c:\windows\SysWow64\drivers\CsNdisLWF.sys
2012-03-01 18:28 . 2010-10-11 21:57 25688 ----a-w- c:\windows\system32\drivers\CsNdisLWF.sys
2012-03-01 18:28 . 2010-05-20 22:13 34840 ----a-w- c:\windows\system32\drivers\CSN5PDTS82x64.sys
2012-03-01 18:28 . 2012-03-01 18:44 -------- d-----w- c:\program files (x86)\Colasoft Capsa 7 Enterprise Demo Edition
2012-02-27 14:49 . 2012-03-02 18:32 -------- d-----w- C:\Nexon
2012-02-19 21:45 . 2012-02-19 21:45 -------- d-----w- c:\windows\system32\Macromed
2012-02-16 17:12 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 17:12 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 17:12 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 17:12 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-16 17:12 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-16 17:12 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 17:12 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 17:12 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-11 09:15 . 2012-02-11 09:15 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-02-10 20:56 . 2012-02-21 08:20 -------- d-----w- c:\program files (x86)\THQ
2012-02-10 09:58 . 2012-02-10 09:58 -------- d-----w- c:\users\MT\AppData\Roaming\Activision
2012-02-09 05:56 . 2012-02-09 05:59 -------- d-----w- c:\program files (x86)\Common Files\Steam
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-02 18:30 . 2011-11-15 16:35 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-31 12:44 . 2010-01-12 22:04 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-28 20:55 . 2011-12-28 20:55 431104 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-28 20:55 . 2011-12-28 20:55 136192 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-28 20:55 . 2011-12-28 20:55 409600 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-12-28 20:55 . 2011-12-28 20:55 114688 ----a-w- c:\windows\SysWow64\OpenAL32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-07_00.44.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-03-07 00:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-08 01:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-07 00:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-08 01:42 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-08 01:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-07 00:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-12 22:51 . 2012-03-08 01:45 50998 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-08 01:45 42250 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-01-12 22:51 . 2012-03-08 01:45 20914 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1088705886-981287941-3149203639-1001_UserData.bin
+ 2011-04-27 22:25 . 2011-04-27 22:25 84864 c:\windows\system32\drivers\NisDrvWFP.sys
+ 2011-04-18 20:18 . 2011-04-18 20:18 40832 c:\windows\system32\drivers\MpNWMon.sys
+ 2010-01-12 19:59 . 2012-03-08 02:00 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-12 19:59 . 2012-03-07 00:44 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-12 19:59 . 2012-03-08 02:00 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-12 19:59 . 2012-03-07 00:44 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-07 00:44 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-08 02:00 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-03-07 02:40 84808 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2010-01-12 22:41 . 2012-03-07 00:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-12 22:41 . 2012-03-08 01:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-12 22:41 . 2012-03-08 01:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-12 22:41 . 2012-03-07 00:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-13 04:03 . 2012-03-07 01:15 3038 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2010-10-29 22:54 . 2012-03-07 00:46 1532 c:\windows\system32\wdi\{b171ab1c-60e9-4301-a338-beab1c70b3e9}.bin
+ 2012-03-08 02:00 . 2012-03-08 02:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-07 00:44 . 2012-03-07 00:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-07 00:44 . 2012-03-07 00:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-08 02:00 . 2012-03-08 02:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-03-08 01:48 675888 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-08 01:48 130750 c:\windows\system32\perfc009.dat
+ 2011-04-18 20:18 . 2011-04-18 20:18 189440 c:\windows\system32\drivers\MpFilter.sys
- 2009-07-14 05:01 . 2012-03-07 00:43 398900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-08 01:59 398900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-05-20 00:23 . 2011-05-20 00:23 2708992 c:\windows\Installer\73118.msi
+ 2011-06-15 21:51 . 2011-06-15 21:51 1911808 c:\windows\Installer\73112.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\MT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WhiteSmoke Writer 2010+.lnk - c:\users\MT\AppData\Local\Temp\WSBandoo.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 CSN5PDTS82;CSN5PDTS82 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82.sys [x]
R1 CsNdisLWF;CsNdisLWF NDIS Protocol Driver;c:\windows\system32\Drivers\CsNdisLWF.sys [2010-10-11 25688]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BDFM;BDFM;c:\windows\system32\DRIVERS\bdfm.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\GamesCampus\Asdastory\system\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Gun;Gun;c:\game\SoftnyxGame\GunBoundIS\Gun64.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 X6va001;X6va001;c:\users\MT\AppData\Local\Temp\001C042.tmp [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\DRIVERS\shpf.sys [x]
S1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82x64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [2010-05-04 103944]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-03-06 96072]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1088705886-981287941-3149203639-1001Core.job
- c:\users\MT\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-01 08:01]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1088705886-981287941-3149203639-1001UA.job
- c:\users\MT\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-01 08:01]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.254 75.153.176.1
FF - ProfilePath - c:\users\MT\AppData\Roaming\Mozilla\Firefox\Profiles\nhg58lx6.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files (x86)\uTorrentBar\prxtbuTor.dll
BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files (x86)\uTorrentBar\prxtbuTor.dll
Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files (x86)\uTorrentBar\prxtbuTor.dll
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
AddRemove-uTorrentBar Toolbar - c:\program files (x86)\uTorrentBar\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va001]
"ImagePath"="\??\c:\users\MT\AppData\Local\Temp\001C042.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1088705886-981287941-3149203639-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:69,6b,45,5b,6f,44,3d,dd,37,09,fb,94,d4,6c,c0,09,41,7e,e2,ee,fd,39,39,
c6,f3,3d,6c,c7,70,a0,a2,92,19,2f,17,23,37,75,18,c0,88,dc,e4,08,50,a4,bc,70,\
"??"=hex:fc,9f,b4,ad,8c,41,1b,d0,55,8b,8b,d8,79,a9,cf,6f
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
.
**************************************************************************
.
Completion time: 2012-03-07 19:09:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-08 02:09
ComboFix2.txt 2012-03-07 00:52
.
Pre-Run: 92,987,228,160 bytes free
Post-Run: 92,803,330,048 bytes free
.
- - End Of File - - 804C88DA4C193E388604D8BA468F7964

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 March 2012 - 09:54 PM

Try out Google and let me know.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 mikemikemikemikemike

  • Topic Starter
  • Members
  • 9 posts

Posted 08 March 2012 - 12:01 AM

No redirects. Looks pretty good to me. I think I'm just gonna use Kaspersky. Do you think there's still something on my computer blocking Windows Security, or is that Windows being Windows?

#10 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 March 2012 - 12:18 AM

Hello

I would like to see a report that ComboFix makes.

extra ComboFix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo

#11 mikemikemikemikemike

  • Topic Starter
  • Members
  • 9 posts

Posted 08 March 2012 - 12:31 AM

Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 10 ActiveX
µTorrent
D3DX10
DAEMON Tools Toolbar
Diablo II
Fallout New Vegas
foobar2000 v1.1.10
Foxit Reader
GOM Player
GOMTV Streamer
Google Chrome
Hero Editor V0.96
Java Auto Updater
Java™ 6 Update 29
K-Lite Codec Pack 5.9.0 (Standard)
League of Legends
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server System CLR Types
Microsoft Visual C# 2010 Express - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Microsoft XNA Game Studio 4.0
Microsoft XNA Game Studio 4.0 (ARP entry)
Microsoft XNA Game Studio 4.0 (Redists)
Microsoft XNA Game Studio 4.0 (Shared Components)
Microsoft XNA Game Studio 4.0 (Visual Studio)
Microsoft XNA Game Studio 4.0 (XnaLiveProxy)
Microsoft XNA Game Studio 4.0 Documentation
Microsoft XNA Game Studio Platform Tools
Mozilla Firefox 10.0.2 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
NVIDIA PhysX
OpenAL
PCSX2 - Playstation 2 Emulator
PunkBuster Services
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Visual C# 2010 Express - ENU (KB2251489)
Skype™ 5.5
Starcraft
StarCraft II
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597998) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
uTorrentBar Toolbar
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Player Firefox Plugin

#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 March 2012 - 12:55 AM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

µTorrent
DAEMON Tools Toolbar
Java™ 6 Update 29
uTorrentBar Toolbar


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 mikemikemikemikemike

  • Topic Starter
  • Members
  • 9 posts

Posted 08 March 2012 - 01:41 AM

No problems and computer is the same.


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.08.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
MT :: MTM [administrator]

Protection: Disabled

07/03/2012 11:33:22 PM
mbam-log-2012-03-07 (23-33-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213480
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:40:08 PM, on 07/03/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\MT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WhiteSmoke Writer 2010+.lnk = MT\AppData\Local\Temp\WSBandoo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 7657 bytes
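The O2/O3/O4 lines in the HijackThis log above are the entries a responder reads first. As an added example (my own code, not part of this thread and not something HijackThis itself provides), the Python below parses those line formats and flags the ones that deserve a closer look: entries HijackThis marks (file missing), targets that sit in a Temp directory, and targets written as relative paths, such as the WhiteSmoke Writer shortcut. The sample log is constructed from lines quoted above; the heuristics and flag wording are assumptions of mine, not HijackThis output.

```python
"""Triage autostart lines from a HijackThis log.

Added example, not part of the thread and not code from HijackThis itself.
The heuristics (Temp-directory targets, relative paths, '(file missing)'
orphans) are my own choice of what a responder looks at first.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: O2/O3/O4 lines quoted from this thread's HijackThis log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (file missing)
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WhiteSmoke Writer 2010+.lnk = MT\AppData\Local\Temp\WSBandoo.exe
"""

MISSING = "(file missing)"

# O2/O3: "<sec> - BHO|Toolbar: <name> - {CLSID} - <path>"
RE_BHO = re.compile(r"^(?P<sec>O[23]) - (?P<loc>BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<rest>.+)$")
# O4 startup-folder form: "O4 - [Global ]Startup: <shortcut>.lnk = <target>"
RE_FOLDER = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<rest>.+)$")
# O4 registry form: "O4 - HKLM\..\Run: [<name>] <command line>"
RE_REGRUN = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<rest>.+)$")

RE_TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Absolute forms: drive letter, UNC share, or an expanded %variable% prefix.
RE_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)")


@dataclass
class Entry:
    section: str      # O2, O3 or O4
    location: str     # Run key, Startup folder, BHO or Toolbar
    name: str
    target: str       # program/DLL path as written in the log
    missing: bool     # HijackThis could not find the target on disk
    flags: List[str] = field(default_factory=list)


def _command_to_path(cmd: str) -> str:
    """Strip arguments from a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: arguments start at the first " /" switch, if any.
    return cmd.split(" /", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O3/O4 line; return None for anything else."""
    line = line.strip()
    missing = line.endswith(MISSING)
    if missing:
        line = line[: -len(MISSING)].rstrip()
    m = RE_BHO.match(line)
    if m:
        return Entry(m["sec"], m["loc"], m["name"], m["rest"].strip(), missing)
    m = RE_FOLDER.match(line)
    if m:
        return Entry("O4", m["loc"], m["name"], m["rest"].strip(), missing)
    m = RE_REGRUN.match(line)
    if m:
        return Entry("O4", m["loc"], m["name"], _command_to_path(m["rest"]), missing)
    return None


def triage(log_text: str) -> List[Entry]:
    """Parse every autostart line and attach the heuristic flags."""
    entries = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry.missing:
            entry.flags.append("orphaned: target file missing")
        if RE_TEMP_DIR.search(entry.target):
            entry.flags.append("target lives in a Temp directory")
        if not RE_ABSOLUTE.match(entry.target):
            entry.flags.append("relative path: no drive letter, UNC or %variable%")
        entries.append(entry)
    return entries


def suspicious(log_text: str) -> Dict[str, List[str]]:
    """Entry name -> flags, for entries that tripped at least one heuristic."""
    return {e.name: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for name, flags in suspicious(SAMPLE_HJT_LOG).items():
        print(f"{name}: {'; '.join(flags)}")
```

On the sample it flags the two orphaned uTorrentBar entries and the WhiteSmoke Writer shortcut (Temp directory and relative path); the Office, Java, Sidebar and Malwarebytes entries pass clean, which matches what the helper treats as harmless in the next post.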

#14 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 March 2012 - 02:20 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the control panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: WhiteSmoke Writer 2010+.lnk = MT\AppData\Local\Temp\WSBandoo.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard, or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
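Added example, not code from this thread, from HijackThis or from ESET: a PowerShell script that enumerates the same autostart locations HijackThis reports as O4 lines (HKLM and HKCU Run keys, the per-user and all-users Startup folders) and flags any entry whose target launches from a temp or profile directory, as the WhiteSmoke/WSBandoo.exe entry above does. The registry key list, the suspect-path pattern and the function names are my own assumptions.

```powershell
# Added example (not from the thread, HijackThis or ESET): list the autostart
# locations HijackThis reports as O4 lines and flag targets living in a temp or
# profile directory, as the WSBandoo.exe entry in the fix list above does.
# The key list and the suspect-path pattern below are my own assumptions.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',              # O4 - HKLM\..\Run
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit view on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # O4 - HKCU\..\Run
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # O4 - Startup
    [Environment]::GetFolderPath('CommonStartup')   # O4 - Global Startup
)
# Locations a legitimate autostart entry should almost never launch from.
$suspectPattern = '(?i)\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\Downloads\\|\\Users\\Public\\'

# Pull the executable path out of a Run-key command line (quoted or bare).
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PS* metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Target = Get-ExePath ([string]$p.Value) }
        }
    }
    $shell = New-Object -ComObject WScript.Shell   # resolves .lnk shortcut targets
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            [pscustomobject]@{ Source = $dir; Name = $lnk.Name; Target = $target }
        }
    }
}

# Suspicious = launches from a temp/profile path; Exists = $false also catches
# "(file missing)" leftovers of the kind shown in the O23 lines of the log.
Get-AutostartEntries |
    Select-Object Source, Name, Target,
        @{ n = 'Suspicious'; e = { $_.Target -match $suspectPattern } },
        @{ n = 'Exists';     e = { [bool]$_.Target -and (Test-Path -LiteralPath $_.Target) } } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and the all-users Startup folder are readable; a relative target such as MT\AppData\Local\Temp\WSBandoo.exe shows up as both Suspicious and not Exists.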

#15 mikemikemikemikemike

  • Topic Starter
  • Members
  • 9 posts

Posted 09 March 2012 - 12:47 AM

Got redirected again, only once today. I'm not sure if there is supposed to be a detailed log of the ESET scan; I don't see one. But here is the result.


C:\Qoobox\Quarantine\C\Windows\SysWOW64\taskkill8.dll.vir a variant of Win32/Ponmocup.BD trojan
