
PC was infected with rootkit, removed with Combofix


This topic is locked
26 replies to this topic

#1 Rod_UK


Posted 08 March 2012 - 07:21 AM

Hi Guys,

I confess I should have asked for help before messing around with different tools to clean up my system. I have been there and I've learnt the lesson. :lmao:

At this stage I'm not sure if I am infected or not, after running so many removal tools.

The machine works fine except for the LAN/WLAN connections. I can also boot in safe mode and normal mode.

Any help will be really appreciated.

Cheers,
Rod

Attached Files




#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 12 March 2012 - 11:41 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Rod_UK


Posted 13 March 2012 - 07:07 AM

Thanks Gringo for your message.

I have downloaded Combofix from link1 provided using another PC and copied to infected PC's desktop.

It will run (I can see the black screen with green letters) for a few seconds and then it disappears, with no warnings or errors. I can see a little bit of disk activity. I waited for about 5 minutes and nothing happened.

I rebooted the machine in safe mode and ran Combofix again. I am afraid the results were the same.

Looking forward to hearing from you.

Thanks,
Rod

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:55 AM

Posted 13 March 2012 - 07:10 AM

Greetings Rod

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 Rod_UK


Posted 15 March 2012 - 11:27 AM

Hi Gringo,

Please see below the logs for TDSSKiller and aswMBR.
The only problem I had was downloading the extra definitions for aswMBR, as the machine cannot get to the internet at all.

Thanks again,
Rodrigo



16:15:13.0215 5816 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
16:15:13.0231 5816 ============================================================
16:15:13.0246 5816 Current date / time: 2012/03/15 16:15:13.0231
16:15:13.0246 5816 SystemInfo:
16:15:13.0246 5816
16:15:13.0246 5816 OS Version: 6.1.7601 ServicePack: 1.0
16:15:13.0246 5816 Product type: Workstation
16:15:13.0246 5816 ComputerName: LPC113
16:15:13.0246 5816 UserName: Administrator
16:15:13.0246 5816 Windows directory: C:\Windows
16:15:13.0246 5816 System windows directory: C:\Windows
16:15:13.0246 5816 Processor architecture: Intel x86
16:15:13.0246 5816 Number of processors: 2
16:15:13.0246 5816 Page size: 0x1000
16:15:13.0246 5816 Boot type: Normal boot
16:15:13.0246 5816 ============================================================
16:15:14.0260 5816 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
16:15:14.0260 5816 Drive \Device\Harddisk1\DR2 - Size: 0xF2E00000 (3.79 Gb), SectorSize: 0x200, Cylinders: 0x1EF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
16:15:14.0260 5816 \Device\Harddisk0\DR0:
16:15:14.0260 5816 MBR used
16:15:14.0260 5816 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x258000
16:15:14.0260 5816 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x258800, BlocksNum 0x1BBE4800
16:15:14.0260 5816 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1BE3D000, BlocksNum 0x1388000
16:15:14.0260 5816 \Device\Harddisk1\DR2:
16:15:14.0260 5816 MBR used
16:15:14.0260 5816 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x2, BlocksNum 0x796FFE
16:15:14.0338 5816 Initialize success
16:15:14.0338 5816 ============================================================
16:15:20.0110 5900 ============================================================
16:15:20.0110 5900 Scan started
16:15:20.0110 5900 Mode: Manual;
16:15:20.0110 5900 ============================================================
16:15:27.0068 5900 MBR (0x1B8) (0623866b01e1f295775c893cecdeb342) \Device\Harddisk0\DR0
16:15:27.0115 5900 \Device\Harddisk0\DR0 - ok
16:15:27.0130 5900 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
16:15:27.0146 5900 \Device\Harddisk1\DR2 - ok
16:15:27.0177 5900 Boot (0x1200) (59d386b0db2506ebd73db5c88851a125) \Device\Harddisk0\DR0\Partition0
16:15:27.0177 5900 \Device\Harddisk0\DR0\Partition0 - ok
16:15:27.0208 5900 Boot (0x1200) (ee3b136aef94acfa594f23e93d392639) \Device\Harddisk0\DR0\Partition1
16:15:27.0208 5900 \Device\Harddisk0\DR0\Partition1 - ok
16:15:27.0255 5900 Boot (0x1200) (78c3463ed3d0cbe590db21af0832b7f7) \Device\Harddisk0\DR0\Partition2
16:15:27.0255 5900 \Device\Harddisk0\DR0\Partition2 - ok
16:15:27.0271 5900 Boot (0x1200) (5d11e71ff030866709c0a05122c8ee67) \Device\Harddisk1\DR2\Partition0
16:15:27.0271 5900 \Device\Harddisk1\DR2\Partition0 - ok
16:15:27.0271 5900 ============================================================
16:15:27.0271 5900 Scan finished
16:15:27.0271 5900 ============================================================
16:15:27.0302 5892 Detected object count: 0
16:15:27.0302 5892 Actual detected object count: 0


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-15 16:17:10
-----------------------------
16:17:10.605 OS Version: Windows 6.1.7601 Service Pack 1
16:17:10.605 Number of processors: 2 586 0x170A
16:17:10.605 ComputerName: LPC113 UserName:
16:17:32.321 Initialize success
16:17:40.526 AVAST engine download error: 0
16:18:13.130 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:18:13.130 Disk 0 Vendor: WDC_WD25 14.0 Size: 238475MB BusType: 3
16:18:13.146 Disk 0 MBR read successfully
16:18:13.146 Disk 0 MBR scan
16:18:13.161 Disk 0 unknown MBR code
16:18:13.177 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
16:18:13.208 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 227273 MB offset 2459648
16:18:13.239 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 467914752
16:18:13.255 Disk 0 scanning sectors +488394752
16:18:13.380 Disk 0 scanning C:\Windows\system32\drivers
16:18:13.411 Service scanning
16:20:03.142 Service GbpKm C:\Windows\system32\drivers\gbpkm.sys **LOCKED** 32
16:20:37.571 Modules scanning
16:21:06.587 Disk 0 trace - called modules:
16:21:06.665 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll intelppm.sys dxgkrnl.sys igdkmd32.sys dxgmms1.sys
16:21:06.681 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x874d77c8]
16:21:06.696 3 CLASSPNP.SYS[83f6659e] -> nt!IofCallDriver -> [0x86a8d958]
16:21:06.712 Scan finished successfully
16:21:28.474 Disk 0 MBR has been saved successfully to "E:\blepping_help\MBR.dat"
16:21:28.723 The log file has been saved successfully to "E:\blepping_help\aswMBR_log.txt"

#6 gringo_pr


Posted 15 March 2012 - 01:03 PM

Hello

Let's check your internet connection.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo

#7 Rod_UK


Posted 15 March 2012 - 01:16 PM

Hi Gringo,

Here is the FSS log.

Cheers,
Rodrigo

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 15-03-2012 at 18:13:44
Running from "C:\Users\Administrator\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Defender:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-03-18 11:57] - [2010-11-20 08:40] - 0338944 ____A () 2639EDA7B2D1B54AC99BDF35A4DDD151

C:\Windows\system32\Drivers\tdx.sys
[2011-03-18 11:57] - [2010-11-20 08:39] - 0074752 ____A () 8E38DC51666F97100024BF2B5B8DA437

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll
[2011-03-18 11:58] - [2010-11-20 12:18] - 0132608 ____N (Microsoft Corporation) 2FE30D71919C51131405797620E0A714

C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#8 gringo_pr


Posted 15 March 2012 - 05:19 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
afd.*
tdx.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 Rod_UK


Posted 15 March 2012 - 06:16 PM

Hi Gringo,

See SystemLook's log below.

Thanks,
Rod


SystemLook 30.07.11 by jpshortstuff
Log created at 23:12 on 15/03/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.*"
C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys ------- 338944 bytes [11:57 18/03/2011] [08:40 20/11/2010] 3A61619BB78E13D965792DCD38380833
C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [11:57 18/03/2011] [08:40 20/11/2010] 2639EDA7B2D1B54AC99BDF35A4DDD151
C:\Windows\System32\drivers\en-US\afd.sys.mui ------- 14848 bytes [04:55 14/07/2009] [02:08 14/07/2009] 2F1E1E5CE5927E156F0B30163119960D
C:\Windows\winsxs\x86_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4bbf167edfba3058\afd.sys.mui ------- 14848 bytes [04:55 14/07/2009] [02:08 14/07/2009] 2F1E1E5CE5927E156F0B30163119960D
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys ------- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [11:57 18/03/2011] [08:40 20/11/2010] 2639EDA7B2D1B54AC99BDF35A4DDD151

Searching for "tdx.*"
C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys ------- 74752 bytes [11:57 18/03/2011] [08:39 20/11/2010] B459575348C20E8121D6039DA063C704
C:\Windows\System32\drivers\tdx.sys --a---- 74752 bytes [11:57 18/03/2011] [08:39 20/11/2010] 8E38DC51666F97100024BF2B5B8DA437
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys ------- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] CB39E896A2A83702D1737BFD402B3542
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --a---- 74752 bytes [11:57 18/03/2011] [08:39 20/11/2010] 8E38DC51666F97100024BF2B5B8DA437

-= EOF =-
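The SystemLook report above lists every copy of afd.sys and tdx.sys on the disk with its MD5, which is what lets a helper see that the live driver no longer matches all of the component-store copies of the same version. As an added example, not code from the thread or from SystemLook, the following Python parses such a filefind report, treats the System32\drivers copy as the one Windows loads, and reports which winsxs component versions share its hash and which versions hold copies that disagree with one another. The sample report is constructed in the shape of the one posted; the component directory names are the ones from the thread and the hashes are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# One SystemLook ":filefind" result line looks like
#   C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [11:57 18/03/2011] [08:40 20/11/2010] <32 hex MD5>
# The path may contain spaces, so it is matched lazily up to the 7-character attribute field.
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Component version embedded in a winsxs directory name, e.g.
#   x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


class Copy(NamedTuple):
    path: str
    name: str                # lower-cased file name, used to group copies
    size: int
    md5: str                 # upper-cased hex
    version: Optional[str]   # component version when the copy sits in a winsxs tree


def parse_filefind(text: str) -> List[Copy]:
    """Extract every result line from a SystemLook filefind report."""
    copies: List[Copy] = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # report header, 'Searching for' lines, blanks, EOF marker
        path = m.group("path")
        vm = VERSION_RE.search(path)
        copies.append(Copy(
            path=path,
            name=path.rsplit("\\", 1)[-1].lower(),
            size=int(m.group("size")),
            md5=m.group("md5").upper(),
            version=vm.group(1) if vm else None,
        ))
    return copies


def is_live_copy(c: Copy) -> bool:
    """The copy Windows actually loads: under System32\\drivers and outside any winsxs tree."""
    return "\\system32\\drivers\\" in c.path.lower() and c.version is None


def analyze(text: str) -> Dict[str, dict]:
    """Per file name: the live copy's MD5, the component versions whose stored
    copies share it, and versions whose own copies do not agree with each other.
    Two different hashes for one version mean a copy was altered after install."""
    by_name: Dict[str, List[Copy]] = defaultdict(list)
    for c in parse_filefind(text):
        by_name[c.name].append(c)

    report: Dict[str, dict] = {}
    for name, copies in sorted(by_name.items()):
        live = [c for c in copies if is_live_copy(c)]
        live_md5 = live[0].md5 if live else None
        hashes_by_version: Dict[str, set] = defaultdict(set)
        for c in copies:
            if c.version:
                hashes_by_version[c.version].add(c.md5)
        report[name] = {
            "live_md5": live_md5,
            "matching_versions": sorted(v for v, hs in hashes_by_version.items() if live_md5 in hs),
            "conflicting_versions": {v: sorted(hs) for v, hs in sorted(hashes_by_version.items()) if len(hs) > 1},
        }
    return report


# Constructed sample in the shape of the report posted above; hashes are placeholders.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 23:12 on 15/03/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.*"
C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys ------- 338944 bytes [11:57 18/03/2011] [08:40 20/11/2010] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [11:57 18/03/2011] [08:40 20/11/2010] BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
C:\Windows\System32\drivers\en-US\afd.sys.mui ------- 14848 bytes [04:55 14/07/2009] [02:08 14/07/2009] DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
C:\Windows\winsxs\x86_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4bbf167edfba3058\afd.sys.mui ------- 14848 bytes [04:55 14/07/2009] [02:08 14/07/2009] DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys ------- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [11:57 18/03/2011] [08:40 20/11/2010] BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

-= EOF =-
"""

if __name__ == "__main__":
    for name, info in analyze(SAMPLE_LOG).items():
        print(name, info)
```

In the sample, afd.sys's live copy agrees only with the 6.1.7601.17514 store copy, while the System Restore staging copy of that same version carries a different hash; that disagreement is the signal to investigate, and the untouched 6.1.7600.16385 copy is the one left as a restore candidate.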

#10 gringo_pr


Posted 15 March 2012 - 10:38 PM

Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys | C:\Windows\System32\drivers\afd.sys
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys | C:\Windows\System32\drivers\tdx.sys

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#11 Rod_UK


Posted 17 March 2012 - 05:44 AM

Hi Gringo,

Not much luck here I am afraid.

Combofix will run after I drag and drop CFScript.txt onto it (I can see the black screen with green letters) for a few seconds and then it disappears, with no warnings or errors. I can see a little bit of disk activity. I waited for about 5-10 minutes and nothing happened.

I rebooted the machine in safe mode and dragged and dropped CFScript.txt onto Combofix again. I am afraid the results were the same.

Rodrigo

#12 gringo_pr


Posted 17 March 2012 - 01:17 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys C:\Windows\System32\drivers\afd.sys
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys C:\Windows\System32\drivers\tdx.sys

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\

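An added check, not from this thread and not part of BlitzBlank: a PowerShell script that compares the live afd.sys and tdx.sys (the two drivers the script above replaces) against the copies in the WinSxS component store and reports their Authenticode status, so the state of both drivers can be confirmed before and after the replacement. It assumes PowerShell 4.0 or later and an elevated prompt on the affected machine; the driver names are the two from the post above.

```powershell
# Added example (not the thread's or BlitzBlank's code): verify afd.sys and
# tdx.sys against the WinSxS component store. A patched driver shows up as a
# file with no matching store copy; a zero-length file means an earlier
# replacement never completed. Assumes PowerShell 4.0+ (Get-FileHash), elevated.

$driverNames = @('afd.sys', 'tdx.sys')            # the two drivers from the post
$liveDir     = Join-Path $env:SystemRoot 'System32\drivers'
$storeDir    = Join-Path $env:SystemRoot 'winsxs'

function Get-DriverStatus {
    param([string]$Name)

    $live   = Join-Path $liveDir $Name
    $result = [ordered]@{
        Driver       = $Name
        LivePath     = $live
        LiveSize     = $null
        Signature    = 'NotFound'
        StoreCopies  = 0
        MatchesStore = $false
        Verdict      = 'NOT FOUND'
    }
    if (-not (Test-Path -LiteralPath $live)) { return [pscustomobject]$result }

    $liveItem = Get-Item -LiteralPath $live
    $result.LiveSize = $liveItem.Length
    if ($liveItem.Length -eq 0) {
        # A 0-byte driver is what a failed CopyFileOnReboot leaves behind
        # (compare the ZwOpenFile status c0000022 in the BlitzBlank report).
        $result.Verdict = 'ZERO-LENGTH (failed replacement)'
        return [pscustomobject]$result
    }

    # Embedded signature only: many Microsoft drivers are catalog-signed, so
    # 'NotSigned' here is informational; the store-hash match decides.
    $sig = Get-AuthenticodeSignature -FilePath $live
    $result.Signature = $sig.Status.ToString()
    $liveHash = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash

    # WinSxS usually holds one copy per servicing version (RTM, SP1, hotfix);
    # the live file is good if it matches any of them. The recursive walk of
    # winsxs is slow but reads only files, it changes nothing.
    $storeCopies = Get-ChildItem -Path $storeDir -Recurse -Filter $Name -File `
                                 -ErrorAction SilentlyContinue
    $result.StoreCopies = @($storeCopies).Count
    foreach ($copy in $storeCopies) {
        $storeHash = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
        if ($storeHash -eq $liveHash) { $result.MatchesStore = $true; break }
    }

    if ($result.MatchesStore) {
        $result.Verdict = 'OK (identical to a component-store copy)'
    } elseif ($result.StoreCopies -eq 0) {
        $result.Verdict = 'UNKNOWN (no store copy to compare against)'
    } else {
        $result.Verdict = 'SUSPECT (differs from every component-store copy)'
    }
    return [pscustomobject]$result
}

$driverNames | ForEach-Object { Get-DriverStatus -Name $_ } | Format-List
```

Like any user-mode tool, this reads the files through the running kernel, so a rootkit that filters file reads can present a clean copy; that is why the helper replaces the drivers at reboot with BlitzBlank rather than from a running session.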

#13 Rod_UK (Topic Starter)
  • Members
  • 13 posts

Posted 18 March 2012 - 05:24 AM

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"
GetDataFromFile: ZwOpenFile failed: status = c0000022
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys", destinationFile = "\??\c:\windows\system32\drivers\tdx.sys"
GetDataFromFile: ZwOpenFile failed: status = c0000022

#14 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 March 2012 - 07:42 AM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#15 Rod_UK (Topic Starter)
  • Members
  • 13 posts

Posted 18 March 2012 - 08:05 AM

Hi Gringo,

Please see log below.

Cheers,
Rod

OTL logfile created on: 3/18/2012 12:52:47 PM - Run 1
OTL by OldTimer - Version 3.2.39.1 Folder = C:\Users\Administrator\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.96 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 72.52% Memory free
5.92 Gb Paging File | 5.07 Gb Available in Paging File | 85.58% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.95 Gb Total Space | 139.03 Gb Free Space | 62.64% Space Free | Partition Type: NTFS
Drive E: | 3.79 Gb Total Space | 1.91 Gb Free Space | 50.52% Space Free | Partition Type: FAT32
Drive L: | 9.77 Gb Total Space | 4.22 Gb Free Space | 43.23% Space Free | Partition Type: NTFS

Computer Name: LPC113 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks)
PRC - C:\Program Files\GbPlugin\gbpsv.exe ( )
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Windows\System32\atashost.exe (WebEx Communications, Inc.)
PRC - C:\Program Files\Lenovo\ZOOM\TpScrex.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)
PRC - C:\Prey\platform\windows\cronsvc.exe (Fork Ltd.)
PRC - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\Communications Utility\CamMute.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\tphkload.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\DTS.exe ()
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe (Lenovo)
PRC - C:\Program Files\Lenovo\Access Connections\AcSvc.exe (Lenovo)
PRC - C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe (Lenovo)
PRC - C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Hitachi Software Engr. Co.,Ltd.)
PRC - C:\Windows\System32\pstartSr.exe (Hitachi Software Engr. Co.,Ltd.)
PRC - C:\Windows\System32\Prot_srv.exe (Hitachi Software Engr. Co.,Ltd.)
PRC - C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe (Lenovo Group Limited)
PRC - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)
PRC - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files\Intel\AMT\LMS.exe (Intel Corporation)
PRC - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
PRC - C:\Program Files\Lenovo\TrackPoint\tp4serv.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe ()
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Windows\System32\Crypserv.exe (CrypKey (Canada) Ltd.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\ThinkPad\Utilities\US\PWMRT32V.DLL ()
MOD - C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe ()


========== Win32 Services (SafeList) ==========

SRV - (adobeactivefilemonitor4.0) -- %systemroot%\system32\vrservice.dll File not found
SRV - (dsNcService) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks)
SRV - (GbpSv) -- C:\Program Files\GbPlugin\gbpsv.exe ( )
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (atashost) -- C:\Windows\System32\atashost.exe (WebEx Communications, Inc.)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (SUService) -- C:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)
SRV - (CronService) -- C:\Prey\platform\windows\cronsvc.exe (Fork Ltd.)
SRV - (LENOVO.TPKNRSVC) -- C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe (Lenovo Group Limited)
SRV - (LENOVO.CAMMUTE) -- C:\Program Files\Lenovo\Communications Utility\CamMute.exe (Lenovo Group Limited)
SRV - (TPHKLOAD) -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe (Lenovo Group Limited)
SRV - (TPHKSVC) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
SRV - (LENOVO.MICMUTE) -- C:\Program Files\Lenovo\HOTKEY\micmute.exe (Lenovo Group Limited)
SRV - (dtsvc) -- C:\Windows\System32\DTS.exe ()
SRV - (ADMonitor) -- C:\Windows\System32\ADMonitor.exe ()
SRV - (ATService) -- C:\Windows\System32\AtService.exe (AuthenTec, Inc.)
SRV - (EvtEng) Intel® -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (RegSrvc) Intel® -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (AcSvc) -- C:\Program Files\Lenovo\Access Connections\AcSvc.exe (Lenovo)
SRV - (AcPrfMgrSvc) -- C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe (Lenovo)
SRV - (Pointsec_start) -- C:\Windows\System32\pstartSr.exe (Hitachi Software Engr. Co.,Ltd.)
SRV - (Pointsec) -- C:\Windows\System32\Prot_srv.exe (Hitachi Software Engr. Co.,Ltd.)
SRV - (vmware-converter-server) -- C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe (VMware, Inc.)
SRV - (vmware-converter-agent) -- C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe (VMware, Inc.)
SRV - (Lenovo.VIRTSCRLSVC) -- C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe (Lenovo Group Limited)
SRV - (ThinkVantage Registry Monitor Service) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)
SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe (Lenovo)
SRV - (UNS) Intel® -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) Intel® -- C:\Program Files\Intel\AMT\LMS.exe (Intel Corporation)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (btwdins) -- C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV - (HsfXAudioService) -- C:\Windows\System32\XAudio32.dll (Conexant Systems, Inc.)
SRV - (Crypkey License) -- C:\Windows\System32\Crypserv.exe (CrypKey (Canada) Ltd.)


========== Driver Services (SafeList) ==========

DRV - (vpnva) -- system32\DRIVERS\vpnva.sys File not found
DRV - (nm3) -- system32\DRIVERS\nm3.sys File not found
DRV - (catchme) -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys File not found
DRV - (tdx) -- C:\Windows\System32\drivers\tdx.sys ()
DRV - (AFD) -- C:\Windows\System32\drivers\afd.sys ()
DRV - (dsNcAdpt) -- C:\Windows\System32\drivers\dsNcAdpt.sys (Juniper Networks)
DRV - (GbpKm) -- C:\Windows\System32\drivers\GbpKm.sys (GAS Tecnologia)
DRV - (Netaapl) -- C:\Windows\System32\drivers\netaapl.sys (Apple Inc.)
DRV - (GTUHSNDISIPXP) -- C:\Windows\System32\drivers\gtuhs51.sys (Option N.V.)
DRV - (GTUHSBUS) -- C:\Windows\System32\drivers\gtuhsbus.sys (Option N.V.)
DRV - (GTUHSSER) -- C:\Windows\System32\drivers\gtuhsser.sys (Option N.V.)
DRV - (huawei_enumerator) -- C:\Windows\System32\drivers\ew_jubusenum.sys (Huawei Technologies Co., Ltd.)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (CSC) -- C:\Windows\System32\drivers\csc.sys ()
DRV - (DfsC) -- C:\Windows\System32\drivers\dfsc.sys ()
DRV - (NetBT) -- C:\Windows\System32\drivers\netbt.sys ()
DRV - (ATSwpWDF) -- C:\Windows\System32\drivers\ATSwpWDF.sys (AuthenTec, Inc.)
DRV - (NETwNs32) ___ Intel® -- C:\Windows\System32\drivers\NETwNs32.sys (Intel Corporation)
DRV - (lenovo.smi) -- C:\Windows\System32\drivers\smiif32.sys (Lenovo Group Limited)
DRV - (prot_2k) -- C:\Windows\System32\drivers\prot_2k.sys (Hitachi Software Engr. Co.,Ltd.)
DRV - (vstor2-mntapi10) -- C:\Program Files\VMware\VMware vCenter Converter Standalone\vstor2-mntapi10.sys (VMware, Inc.)
DRV - (bmdrvr) -- C:\Windows\System32\drivers\bmdrvr.sys (VMware, Inc.)
DRV - (psadd) -- C:\Windows\System32\drivers\psadd.sys (Lenovo (United States) Inc.)
DRV - (TPPWRIF) -- C:\Windows\System32\drivers\TPPWR32V.SYS (Lenovo Group Limited)
DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys ()
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (e1yexpress) Intel® -- C:\Windows\System32\drivers\e1y6032.sys (Intel Corporation)
DRV - (5U875UVC) -- C:\Windows\System32\drivers\5U875.sys (Ricoh co.,Ltd.)
DRV - (TVTI2C) -- C:\Windows\System32\drivers\tvti2c.sys (Lenovo (United States) Inc.)
DRV - (Shockprf) -- C:\Windows\System32\drivers\ApsX86.sys (Lenovo.)
DRV - (TPDIGIMN) -- C:\Windows\System32\drivers\ApsHM86.sys (Lenovo.)
DRV - (HECI) Intel® -- C:\Windows\System32\drivers\HECI.sys (Intel Corporation)
DRV - (netw5v32) Intel® -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio32.sys (Conexant Systems, Inc.)
DRV - (DgiVecp) -- C:\Windows\System32\drivers\DGIVECP.SYS (Samsung Electronics Co., Ltd.)
DRV - (SSPORT) -- C:\Windows\System32\drivers\SSPORT.SYS (Samsung Electronics)
DRV - (NetworkX) -- C:\Windows\System32\Ckldrv.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {B73C75D1-9223-46F2-8351-C40B104AAE64}
IE - HKLM\..\SearchScopes\{B73C75D1-9223-46F2-8351-C40B104AAE64}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox;


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.0.0.*;192.168.23.*;192.168.19.*;<local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.9.7:80

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.0.0.*;192.168.23.*;192.168.19.*;<local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.9.7:80



IE - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
IE - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..\SearchScopes,DefaultScope = {B73C75D1-9223-46F2-8351-C40B104AAE64}
IE - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/17 11:24:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/03/07 16:50:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2012/01/17 11:32:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/17 11:24:06 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/01/17 11:23:59 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/01/17 11:23:59 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/17 11:23:59 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/01/17 11:23:59 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/01/17 11:23:59 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/03/07 21:41:15 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehAbn.dll (Banco Real)
O2 - BHO: (kikin Plugin) - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll (kikin)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AcWin7Hlpr] C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe (Lenovo)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (AuthenTec)
O4 - HKLM..\Run: [FingerPrintSoftwareSplashScreen] C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe (AuthenTec, Inc.)
O4 - HKLM..\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe ()
O4 - HKLM..\Run: [p2vbcast] C:\Program Files\VMware\VMware vCenter Converter Standalone\p2vbcast.exe (VMware, Inc.)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Hitachi Software Engr. Co.,Ltd.)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe (Lenovo Group Limited)
O4 - Startup: C:\Users\rcarrilho.UKNE-ETC1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll (kikin)
O9 - Extra Button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: bancoreal.com.br ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: bancosantander.com.br ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: bancosantander.com.br ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: realsecureweb.com.br ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: realsecureweb.com.br ([www2] https in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: realsecureweb.com.br ([wwws] https in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: santander.com.br ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: santanderempresarial.com.br ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: santandernet.com.br ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: santandernet.com.br ([wwws] https in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: santandernetibe.com.br ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2001722190-2078802506-3168509936-500\..Trusted Domains: secureweb.com.br ([www] https in Trusted sites)
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} https://secure.logmeinrescue.com/UK/TechConsole/x86/RescueControl.cab (LogMeIn Rescue Technician Console)
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://remoteaccess.prostrakan.com/CACHE/stc/1/binaries/vpnweb.cab (Cisco AnyConnect VPN Client Web Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} http://server2.ctg.local:8059/SMB/console/html/root/AtxEnc.cab (Encrypt Class)
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} http://server2.ctg.local:8059/SMB/console/html/root/AtxConsole.cab (Security Server Management Console)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://supportcenter-uk.webex.com/client/T27L/support/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} https://wwws.santandernet.com.br/mps/plugin/Cab/GbPluginABN.cab (GbPluginObj Class)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=724 (Performance Viewer Activex Control)
O16 - DPF: iLO 2 Remote Console Applet https://10.0.0.14/dvc.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukne-etc1.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{73E0D827-795D-499A-B969-69B08417C2EE}: DhcpNameServer = 10.206.65.70 10.206.65.68
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C8DBB3BA-A9D4-49D4-81B7-B0AFCE50E488}: DhcpNameServer = 10.206.65.70 10.206.65.68
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (pssogina.dll) - File not found
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\ GbPluginAbn: DllName - (C:\PROGRA~1\GbPlugin\gbiehAbn.dll) - C:\Program Files\GbPlugin\gbiehAbn.dll (Banco Real)
O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399007} - C:\Program Files\GbPlugin\gbiehAbn.dll (Banco Real)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/18 12:51:28 | 000,594,432 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2012/03/18 10:14:01 | 001,153,912 | ---- | C] (Emsi Software GmbH) -- C:\Users\Administrator\Desktop\BlitzBlank.exe
[2012/03/15 16:14:53 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
[2012/03/15 16:12:44 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2012/03/13 11:50:55 | 004,435,063 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2012/03/08 09:36:57 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/03/08 09:34:03 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/03/07 21:41:19 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/03/07 21:32:04 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\temp
[2012/03/07 20:56:52 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/03/07 20:56:52 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/03/07 20:56:52 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/03/07 20:56:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/03/07 20:56:47 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/03/07 20:56:18 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/07 16:50:59 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes
[2012/03/07 16:50:15 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Mozilla
[2012/03/07 16:50:15 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Mozilla
[2012/03/07 16:39:23 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\kikin
[2012/03/07 16:30:02 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
[2012/03/07 13:25:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/03/07 12:44:43 | 000,000,000 | ---D | C] -- C:\Program Files\Cisco
[2012/03/07 12:44:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Intel
[2012/03/07 12:41:59 | 000,000,000 | ---D | C] -- C:\DRIVERS
[2012/03/07 12:33:58 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%

========== Files - Modified Within 30 Days ==========

[2012/03/18 12:56:43 | 000,016,976 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/18 12:56:43 | 000,016,976 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/18 12:56:11 | 000,633,540 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/18 12:56:11 | 000,112,118 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/18 12:49:14 | 000,000,029 | ---- | M] () -- C:\Windows\System32\TempWmicBatchFile.bat
[2012/03/18 12:49:12 | 000,131,072 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2012/03/18 12:49:00 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2012/03/18 12:48:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/18 12:48:49 | 2384,437,248 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/18 10:15:46 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\tdx.sys
[2012/03/18 10:15:46 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\afd.sys
[2012/03/18 10:11:32 | 001,153,912 | ---- | M] (Emsi Software GmbH) -- C:\Users\Administrator\Desktop\BlitzBlank.exe
[2012/03/16 11:08:39 | 000,007,605 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
[2012/03/15 22:51:28 | 000,139,264 | ---- | M] () -- C:\Users\Administrator\Desktop\SystemLook.exe
[2012/03/15 18:09:24 | 000,337,137 | ---- | M] () -- C:\Users\Administrator\Desktop\FSS.exe
[2012/03/15 16:11:06 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
[2012/03/15 16:10:36 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2012/03/13 11:48:10 | 004,435,063 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2012/03/08 11:38:08 | 000,000,000 | ---- | M] () -- C:\Users\Administrator\defogger_reenable
[2012/03/07 21:41:15 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/03/07 16:59:53 | 000,002,503 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2012/03/07 16:59:53 | 000,002,479 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2012/03/07 16:38:56 | 000,001,418 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

========== Files Created - No Company Name ==========

[2012/03/16 11:08:39 | 000,007,605 | ---- | C] () -- C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
[2012/03/15 23:11:37 | 000,139,264 | ---- | C] () -- C:\Users\Administrator\Desktop\SystemLook.exe
[2012/03/15 18:10:26 | 000,337,137 | ---- | C] () -- C:\Users\Administrator\Desktop\FSS.exe
[2012/03/08 11:38:08 | 000,000,000 | ---- | C] () -- C:\Users\Administrator\defogger_reenable
[2012/03/08 10:09:04 | 000,001,918 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
[2012/03/08 10:09:04 | 000,000,890 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
[2012/03/07 20:56:52 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/03/07 20:56:52 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/03/07 20:56:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/03/07 20:56:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/03/07 20:56:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/03/07 16:59:53 | 000,002,503 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2012/03/07 16:38:56 | 000,001,418 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/02/13 15:23:36 | 000,034,308 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll
[2012/01/20 11:24:08 | 000,004,133 | ---- | C] () -- C:\Windows\entrust.ini
[2011/12/21 21:06:58 | 000,000,028 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/12/14 20:06:03 | 000,000,020 | ---- | C] () -- C:\Windows\groupwar.ini
[2011/12/14 19:43:54 | 000,000,070 | ---- | C] () -- C:\Windows\fine.ini
[2011/11/14 16:25:40 | 000,000,004 | ---- | C] () -- C:\Windows\vx86036.dat
[2011/11/14 16:25:02 | 000,000,127 | ---- | C] () -- C:\Windows\Crypkey.ini
[2011/11/14 16:24:35 | 000,019,584 | ---- | C] () -- C:\Windows\System32\Ckldrv.sys
[2011/11/14 16:24:34 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2011/11/14 16:24:34 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2011/11/14 16:24:34 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2011/07/20 12:26:57 | 000,000,400 | ---- | C] () -- C:\Windows\g_oirotq614.ini
[2011/07/20 12:26:57 | 000,000,400 | ---- | C] () -- C:\Windows\System32\drivers\biusvhm144.dat
[2011/06/01 17:12:32 | 000,189,736 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/04/20 10:02:57 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/04/06 11:31:35 | 000,002,516 | ---- | C] () -- C:\Windows\System32\drivers\default.bin
[2011/04/06 11:31:35 | 000,002,516 | ---- | C] () -- C:\Windows\System32\default.bin
[2011/03/18 12:43:46 | 000,005,784 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/03/18 11:58:18 | 000,388,096 | ---- | C] () -- C:\Windows\System32\drivers\csc.sys
[2011/03/18 11:58:00 | 000,187,904 | ---- | C] () -- C:\Windows\System32\drivers\netbt.sys
[2011/03/18 11:57:54 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\afd.sys
[2011/03/18 11:57:50 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\tdx.sys
[2011/03/18 11:57:44 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/03/18 11:57:42 | 000,078,336 | ---- | C] () -- C:\Windows\System32\drivers\dfsc.sys
[2010/10/21 03:07:36 | 000,098,304 | ---- | C] () -- C:\Windows\System32\DTS.exe
[2010/10/21 03:07:32 | 000,106,496 | ---- | C] () -- C:\Windows\System32\ADMonitor.exe
[2010/07/24 10:59:20 | 000,720,896 | ---- | C] () -- C:\Windows\System32\ImageDll.dll
[2010/07/24 10:59:20 | 000,258,048 | ---- | C] () -- C:\Windows\System32\vec.dll
[2010/07/24 10:59:20 | 000,159,744 | ---- | C] () -- C:\Windows\System32\fio.dll
[2010/07/24 10:59:20 | 000,081,920 | ---- | C] () -- C:\Windows\System32\imgs.dll
[2010/07/24 10:59:20 | 000,045,056 | ---- | C] () -- C:\Windows\System32\vecom.dll
[2010/07/09 14:28:06 | 000,135,168 | ---- | C] () -- C:\Windows\System32\LogonAgentAPI.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 208 bytes -> C:\Windows\System32\drivers:GbpKmAp.lst

< End of report >