
Possible Infection - maybe "variant of WIN32/InstallCore.D", "Trojan.Agent/Gen-Autorun[VB]", or something else


  • This topic is locked
16 replies to this topic

#1 jlips

jlips

  • Members
  • 28 posts

Posted 10 March 2012 - 06:37 PM

I am coming over from a thread on "Am I Infected". http://www.bleepingcomputer.com/forums/topic445540.html/

My bank account was compromised. Without going into too much detail on that, there are some indications that they would have needed access to information on my computer.

I am pretty security conscious and surprised. I run ESET NOD32, MBAM with the paid real-time protection, plus some older products like Spybot Search & Destroy. When I ran ESET 2 weeks ago I got an alert (a couple of times) for "a variant of WIN32/InstallCore.D". I am not sure if this was a false positive, so I had ESET quarantine the instances.

I've run MBAM and ESET in the last few days and they came back clean. I ran SUPERAntiSpyware free edition while asking for help on the other thread. It took a long time to run and returned "Trojan.Agent/Gen-Autorun[VB]". The file that it returned that on was installed over 2 years ago. I got a similar warning on another component at the time and removed it. I know the person I got the file from, and it seems surprising it would be the cause of a problem after two years.

If someone can help me determine if the source of my bank problems is my computer that would be great. If my computer is the problem I might have a big identity theft problem, if it is just check fraud it can easily be contained.

My computer kept freezing at the end of running GMER. It took 3 tries before I could complete that and get the log. I had to reboot every time.

I run Windows XP home with all updates in place.

Thanks!

------------------

DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Jonathan at 11:07:38 on 2012-03-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1664 [GMT -8:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Box Sync\UpdateService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\WebEx\Productivity Tools\PTIM.exe
C:\Program Files\Chapura\Chapura SyncManager\SyncMgr.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://camb-ssl2.forrester.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\spybot~1\SDHelper.dll
BHO: Do Not Track Plus: {6e45f3e8-2683-4824-a6be-08108022fb36} - c:\program files\donottrackplus\ScriptHost.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
uRun: [TClockEx] c:\program files\tclockex\TCLOCKEX.EXE
uRun: [Pidgin] c:\program files\pidgin\pidgin.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uRun: [PTIM.exe] c:\program files\webex\productivity tools\PTIM.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [Ad Muncher] "c:\program files\ad muncher\AdMunch.exe" /bt
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-100000000002}\SC_Acrobat.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Box Sync.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\chapur~1.lnk - c:\program files\chapura\chapura syncmanager\SyncMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
mPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_link
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_report
IE: Send To &Bluetooth - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\spybot~1\SDHelper.dll
Trusted Zone: forrester.com\camb-ssl
Trusted Zone: forrester.com\camb-ssl2
Trusted Zone: secunia.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - hxxps://camb-ssl.forrester.com/postauthI/epi.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158363856609
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://panduit.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc.cab
DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D} - hxxps://camb-ssl.forrester.com/postauthACC/SodaAgent.CAB
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{81519027-9ECC-4FC8-84CA-DE1C161BC051} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jonathan\application data\mozilla\firefox\profiles\fsyv3q6g.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\jonathan\application data\mozilla\firefox\profiles\fsyv3q6g.default\extensions\{7d2fb79e-e58c-4db5-a36f-ac1c73967f4d}\plugins\npqbc.dll
FF - plugin: c:\documents and settings\jonathan\application data\mozilla\plugins\npMeetingJoinPluginAOCUser.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npeb6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows media player\npatgpc.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-12-25 28552]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-11-26 14776]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-4-28 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-6-24 94872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 #UpdateService;Box Sync Auto-updater;c:\program files\box sync\UpdateService.exe [2011-4-11 8704]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-12-9 494424]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2006-11-21 169576]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-7-1 298824]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2012-1-2 820568]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-24 652872]
R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacomd\x86\novacomd.exe [2011-3-15 61440]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2007-12-10 100728]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-14 1251720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-5 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-24 20464]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2006-1-1 8576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-14 27632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IHA_MessageCenter;IHA_MessageCenter;"c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe" --> c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [?]
S3 26c10F;26c10F;c:\windows\system32\26c10F.sys [2008-1-26 185824]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-12-13 79208]
S3 e36566;e36566;c:\windows\system32\e36566.sys [2011-6-24 185824]
S3 Flash1;Flash1;c:\program files\sp35668\winphlash\FLASH1.sys [2006-3-1 3456]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-5-14 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-6-28 42512]
S3 NRKCTL32;NRKCTL32;c:\program files\wcpuid\nrkctl32.sys [2006-12-28 3968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-12-28 9040]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-12-28 19408]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2012-1-2 30368]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-10-18 332928]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-13 994360]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-10-18 13532]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2011-10-10 155344]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2011-3-23 26112]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2012-1-2 16208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2012-1-2 239472]
S4 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
.
=============== Created Last 30 ================
.
2012-03-01 20:08:52 449848 ----a-w- c:\program files\windows media player\webex\1124\atgpcext.dll
2012-03-01 20:08:51 113976 ----a-w- c:\program files\windows media player\webex\1124\atgpcdec.dll
2012-02-25 05:11:52 -------- d-----w- c:\program files\VS Revo Group
2012-02-15 18:48:45 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-15 18:48:45 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-11 06:50:44 -------- d-----w- c:\documents and settings\jonathan\local settings\application data\DoNotTrackPlus
2012-02-11 06:50:28 -------- d-----w- c:\program files\DoNotTrackPlus
.
==================== Find3M ====================
.
2012-02-25 05:32:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-25 05:32:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-19 05:48:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 23:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-21 23:45:15 3481968 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-02-22 00:02:53 8681984 ----a-w- c:\program files\tzmove.exe
2007-02-21 01:36:27 7101440 ----a-w- c:\program files\PocketDivXEncoder_0.3.60.exe
2006-10-14 06:12:58 959488 ----a-w- c:\program files\addremovecleaner.exe
2006-10-04 06:08:15 1161608 ----a-w- c:\program files\offkeyd.exe
2006-01-12 06:31:06 992399 ----a-w- c:\program files\JHymn.exe
2004-08-06 02:07:00 77824 ----a-w- c:\program files\Metronome.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ABD0AB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000a8[0x8ABD1A28]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-0[0x8ABA4030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
.
============= FINISH: 11:09:56.47 ===============


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 March 2012 - 09:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I need to know more about these two files.
c:\windows\system32\26c10F.sys
c:\windows\system32\e36566.sys

>>> Run Jotti's malware scan: Please copy each line from the following (in bold):
c:\windows\system32\26c10F.sys
c:\windows\system32\e36566.sys

  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link".
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
    If more than one file is submitted, return to the "Jotti's malware scan" window and click the "Next file" button to continue with the rest.
Please copy and paste these Permalinks in your next reply.
If Jotti is busy, please go to http://www.virustotal.com
===

Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
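Added example, not code from the thread or from the DDS tool: a Python script that mechanises the triage nasdaq did by eye on the SERVICES / DRIVERS section of the DDS log, parsing each service line and flagging the signals that make 26c10F.sys and e36566.sys stand out (a hex-looking name with no descriptive display name, a .sys loaded straight from system32 rather than system32\drivers, two drivers with byte-identical sizes, and entries DDS could not find on disk). The sample lines are constructed from the first post and the heuristic names are my own; treat the flags as prompts for a hash lookup, not as verdicts.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the DDS "SERVICES / DRIVERS" section quoted in the
# first post; it is a subset, not the full log.
SAMPLE_DDS_SERVICES = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-12-25 28552]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
S3 26c10F;26c10F;c:\windows\system32\26c10F.sys [2008-1-26 185824]
S3 e36566;e36566;c:\windows\system32\e36566.sys [2011-6-24 185824]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-6-28 42512]
S4 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
"""

# One DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]",
# or "... [?]" when DDS could not stat the image file.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
# Service names made only of hex digits, five or more characters long.
HEX_NAME_RE = re.compile(r"^[0-9a-fA-F]{5,}$")
# A .sys image placed directly in system32 instead of system32\drivers.
SYSTEM32_ROOT_SYS_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.sys$", re.IGNORECASE)


def parse_dds_services(text):
    """Return one dict per parsable service/driver line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        image = m.group("image")
        # DDS prints "registry path --> resolved path" when they differ; keep the resolved one.
        if "-->" in image:
            image = image.split("-->", 1)[1].strip()
        meta = m.group("meta").strip()
        size = None if meta == "?" else int(meta.split()[-1])
        entries.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "image": image,
            "size": size,
        })
    return entries


def analyze_dds_services(text):
    """Map service name -> list of heuristic flags; names with no flags are absent."""
    entries = parse_dds_services(text)
    findings = defaultdict(list)
    by_size = defaultdict(set)
    for e in entries:
        name = e["name"]
        # Heuristic 1 (hypothetical flag name): hex-looking service name reused verbatim as the
        # display name, i.e. no vendor description at all. This is what nasdaq picked out.
        if HEX_NAME_RE.match(name) and any(c.isdigit() for c in name) and e["display"] == name:
            findings[name].append("random_name")
        # Heuristic 2: kernel driver sitting directly in system32 rather than system32\drivers.
        if SYSTEM32_ROOT_SYS_RE.match(e["image"]):
            findings[name].append("sys_outside_drivers_dir")
        # Heuristic 3: DDS could not find the image on disk ("[?]"): stale or hidden entry.
        if e["size"] is None:
            findings[name].append("file_missing")
        else:
            by_size[e["size"]].add(name)
    # Heuristic 4: differently named drivers with byte-identical sizes, as 26c10F and e36566 are.
    for size, names in by_size.items():
        if len(names) > 1:
            for name in names:
                findings[name].append("shared_size:%d" % size)
    return dict(findings)


if __name__ == "__main__":
    for name, flags in sorted(analyze_dds_services(SAMPLE_DDS_SERVICES).items()):
        print("%-10s %s" % (name, ", ".join(flags)))
```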

#3 jlips

jlips
  • Topic Starter

  • Members
  • 28 posts

Posted 13 March 2012 - 01:25 PM

Thanks for your help. Here are the results.

JOTTI
c:\windows\system32\26c10F.sys
http://virusscan.jotti.org/en/scanresult/ea72289dca25a1bd8e08d7272fcd97e3b592eaea

c:\windows\system32\e36566.sys
http://virusscan.jotti.org/en/scanresult/ea72289dca25a1bd8e08d7272fcd97e3b592eaea/6c8ee56b8506f5058109594833fc1575ceef5f90

TDSSKILLER LOG
11:16:46.0310 5024 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
11:16:46.0919 5024 ============================================================
11:16:46.0919 5024 Current date / time: 2012/03/13 11:16:46.0919
11:16:46.0919 5024 SystemInfo:
11:16:46.0919 5024
11:16:46.0919 5024 OS Version: 5.1.2600 ServicePack: 3.0
11:16:46.0919 5024 Product type: Workstation
11:16:46.0919 5024 ComputerName: MAINCOMPUTER
11:16:46.0919 5024 UserName: Jonathan
11:16:46.0919 5024 Windows directory: C:\WINDOWS
11:16:46.0919 5024 System windows directory: C:\WINDOWS
11:16:46.0919 5024 Processor architecture: Intel x86
11:16:46.0919 5024 Number of processors: 2
11:16:46.0919 5024 Page size: 0x1000
11:16:46.0919 5024 Boot type: Normal boot
11:16:46.0919 5024 ============================================================
11:16:47.0404 5024 Drive \Device\Harddisk0\DR0 - Size: 0x2E93E36000 (186.31 Gb), SectorSize: 0x200, Cylinders: 0x5F01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:16:47.0404 5024 \Device\Harddisk0\DR0:
11:16:47.0404 5024 MBR used
11:16:47.0404 5024 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x15FC7C32
11:16:47.0404 5024 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0x15FC7C71, BlocksNum 0x12D05CC
11:16:47.0435 5024 Initialize success
11:16:47.0435 5024 ============================================================
11:16:49.0060 1284 ============================================================
11:16:49.0060 1284 Scan started
11:16:49.0060 1284 Mode: Manual;
11:16:49.0060 1284 ============================================================
11:17:03.0701 1284 vnbesirpvmmj - ok
11:17:03.0732 1284 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:17:03.0732 1284 VolSnap - ok
11:17:03.0826 1284 w39n51 (4e7b07653f4f9937cf62ad2869fba520) C:\WINDOWS\system32\DRIVERS\w39n51.sys
11:17:03.0841 1284 w39n51 - ok
11:17:03.0888 1284 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:17:03.0888 1284 Wanarp - ok
11:17:03.0998 1284 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
11:17:04.0044 1284 Wdf01000 - ok
11:17:04.0060 1284 WDICA - ok
11:17:04.0123 1284 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:17:04.0123 1284 wdmaud - ok
11:17:04.0248 1284 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:17:04.0248 1284 winachsf - ok
11:17:04.0326 1284 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
11:17:04.0341 1284 WinUSB - ok
11:17:04.0357 1284 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
11:17:04.0357 1284 WmiAcpi - ok
11:17:04.0419 1284 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
11:17:04.0419 1284 WpdUsb - ok
11:17:04.0482 1284 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:17:04.0482 1284 WS2IFSL - ok
11:17:04.0591 1284 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:17:04.0591 1284 WSTCODEC - ok
11:17:04.0669 1284 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:17:04.0669 1284 WudfPf - ok
11:17:04.0701 1284 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:17:04.0701 1284 WudfRd - ok
11:17:04.0794 1284 MBR (0x1B8) (81a54cdf8594870d5a1628bc9455fe84) \Device\Harddisk0\DR0
11:17:04.0810 1284 \Device\Harddisk0\DR0 - ok
11:17:04.0826 1284 Boot (0x1200) (06ac8f9436c672c51f1f69113adcb625) \Device\Harddisk0\DR0\Partition0
11:17:04.0826 1284 \Device\Harddisk0\DR0\Partition0 - ok
11:17:04.0841 1284 Boot (0x1200) (08b25ccf73814ef93869e343bdba17ed) \Device\Harddisk0\DR0\Partition1
11:17:04.0841 1284 \Device\Harddisk0\DR0\Partition1 - ok
11:17:04.0841 1284 ============================================================
11:17:04.0841 1284 Scan finished
11:17:04.0841 1284 ============================================================
11:17:04.0857 4504 Detected object count: 0
11:17:04.0857 4504 Actual detected object count: 0

ASWMBR LOG
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-13 11:11:48
-----------------------------
11:11:48.511 OS Version: Windows 5.1.2600 Service Pack 3
11:11:48.511 Number of processors: 2 586 0xE08
11:11:48.511 ComputerName: MAINCOMPUTER UserName: Jonathan
11:12:11.120 Initialize success
11:13:34.841 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
11:13:34.841 Disk 0 Vendor: Size: 0MB BusType: 0
11:13:34.873 Disk 0 MBR read successfully
11:13:34.873 Disk 0 MBR scan
11:13:34.888 Disk 0 unknown MBR code
11:13:34.888 Disk 0 MBR hidden
11:13:34.904 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 180111 MB offset 63
11:13:34.951 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 9632 MB offset 368868465
11:13:34.966 Disk 0 Partition 3 00 D7 NTFS 1035 MB offset 388596285
11:13:35.029 Disk 0 scanning C:\WINDOWS\system32\drivers
11:13:50.216 Service scanning
11:14:10.873 Modules scanning
11:14:21.138 Disk 0 trace - called modules:
11:14:21.154 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
11:14:21.154 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aba8ab8]
11:14:21.154 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\000000a8[0x8abf49e0]
11:14:21.154 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8ac0a030]
11:14:21.154 Scan finished successfully
11:15:15.060 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jonathan\Desktop\MBR.dat"
11:15:15.076 The log file has been saved successfully to "C:\Documents and Settings\Jonathan\Desktop\aswMBR.txt"

Edited by jlips, 13 March 2012 - 01:26 PM.


#4 jlips (Topic Starter, Members, 28 posts)

Posted 13 March 2012 - 01:30 PM

I forgot to attach this.

Thanks.

Attached Files: MBR.zip (593 bytes)


#5 nasdaq (Malware Response Team, 39,586 posts, Montreal, QC. Canada)

Posted 14 March 2012 - 07:53 AM

Please download MBRCheck.exe and save it to your desktop - not a folder on the desktop - save it directly to the desktop.


* Be sure to disable your security programs.
* Double-Click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
* A window will open on your desktop.
* If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
* If nothing unusual is found just press Enter
* A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
* In your next reply, please include the log from MBRCheck.
====

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Please post the logs for my review.
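
The MBRCheck step above reports a SHA1 of the boot code and whether it matches a known bootcode, and the aswMBR log earlier in the thread already flagged "unknown MBR code" and saved the sector to MBR.dat. The Python script below is an added example (not code from this thread, from aswMBR or from MBRCheck) of doing that triage offline on such a dump: it validates the 0x55AA signature, parses the four partition entries the way aswMBR prints them, sanity-checks the table (exactly one active partition, no overlapping entries) and compares a SHA1 of the 440-byte code area against a known-good list. Assumptions: the sample sector and its boot code are constructed (they mirror the partition layout in the aswMBR log, not the poster's actual sector); the known-good list is seeded from that constructed code and in real use must be filled from a clean machine of the same OS/OEM build; MBR.dat is assumed to be a raw 512-byte sector; and which bytes MBRCheck itself hashes is not stated on this page, so this script's digest will not necessarily equal the one MBRCheck prints.

```python
"""Offline triage of a raw MBR sector such as the MBR.dat that aswMBR saved.
Added example, not code from the thread, aswMBR or MBRCheck; the sample sector is
constructed (mirroring the aswMBR partition layout) and the known-good list is an assumption."""
import hashlib
import struct
import sys
from dataclasses import dataclass

SECTOR_LEN = 512
BOOTCODE_LEN = 440          # code area that precedes the 4-byte disk signature
PART_TABLE_OFF = 446        # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"
PART_TYPES = {0x07: "HPFS/NTFS", 0x0C: "FAT32 LBA", 0xD7: "NTFS"}   # labels as aswMBR printed them


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self) -> int:      # 512-byte sectors -> whole MiB, the way aswMBR reports size
        return self.sectors // 2048

    @property
    def lba_end(self) -> int:      # first sector after this partition
        return self.lba_start + self.sectors


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries; reject anything that is not a 512-byte MBR."""
    if len(sector) != SECTOR_LEN:
        raise ValueError(f"expected {SECTOR_LEN} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped), LBA start, count
        status, p_type, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if p_type == 0 and count == 0:
            continue                # unused slot
        parts.append(Partition(i + 1, status == 0x80, p_type, lba, count))
    return parts


def bootcode_sha1(sector: bytes) -> str:
    return hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper()


def check_partitions(parts: list) -> list:
    """Structural sanity checks; each finding is a human-readable string."""
    findings = []
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"partition {a.index} overlaps partition {b.index}")
    return findings


def triage(sector: bytes, known_good: dict) -> dict:
    """Parse, sanity-check and hash-match one MBR; the caller decides what to do with findings."""
    parts = parse_mbr(sector)
    digest = bootcode_sha1(sector)
    findings = check_partitions(parts)
    known = digest in known_good
    if not known:
        findings.append(f"boot code SHA1 {digest} is not in the known-good list; "
                        "compare it with a clean machine before trusting this disk")
    return {"bootcode_sha1": digest, "bootcode_known": known,
            "partitions": parts, "findings": findings}


def build_mbr(boot_code: bytes, layout: list, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector from a 440-byte code blob and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) != BOOTCODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, cnt)
                     for st, ty, lba, cnt in layout).ljust(64, b"\0")
    return boot_code + struct.pack("<I", disk_sig) + b"\0\0" + table + MBR_SIGNATURE


# Constructed sample data (not real boot code and not the poster's sector).
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB]) + b"\x90" * (BOOTCODE_LEN - 8)
PATCHED_BOOTCODE = b"\xEB\x3E\x90" + b"\x00" * 29 + CLEAN_BOOTCODE[32:]   # simulated bootkit stub
SAMPLE_LAYOUT = [(0x80, 0x07, 63, 368868352),          # active NTFS at offset 63, as in the aswMBR log
                 (0x00, 0x0C, 368868465, 19726336),    # FAT32 LBA recovery partition
                 (0x00, 0xD7, 388596285, 2119680)]     # small type-0xD7 partition
# Seeded with the constructed clean code; in real use, the digest from a trusted identical build.
KNOWN_GOOD_BOOTCODE = {bootcode_sha1(build_mbr(CLEAN_BOOTCODE, SAMPLE_LAYOUT)): "constructed baseline"}


if __name__ == "__main__":                              # e.g.  python mbr_triage.py MBR.dat
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_LEN)
    else:
        data = build_mbr(PATCHED_BOOTCODE, SAMPLE_LAYOUT)
    result = triage(data, KNOWN_GOOD_BOOTCODE)
    print(f"boot code SHA1 {result['bootcode_sha1']} known-good={result['bootcode_known']}")
    for p in result["partitions"]:
        print(f"Partition {p.index} {'(A)' if p.bootable else '   '} {p.type_id:02X} "
              f"{PART_TYPES.get(p.type_id, '?')} {p.size_mb} MB offset {p.lba_start}")
    for f in result["findings"]:
        print("!", f)
```

Run with no arguments to see the constructed "patched" case, or point it at a saved sector. A hash mismatch on its own only says the code is not in your baseline: boot managers, OEM recovery loaders and full-disk encryption products legitimately install non-standard MBR code, so treat "unknown" as a prompt to compare the sector byte for byte against a trusted copy, not as a verdict.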

#6 jlips (Topic Starter, Members, 28 posts)

Posted 17 March 2012 - 03:46 PM

I ran MBRCheck and Combofix. When I was running Combofix, it got an error and had the option to debug or end the program. I chose debug and it eventually finished. So, I ran Combofix a second time. I am attaching the logs from both runs.

Thanks.

MBRCHECK LOG
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 167):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF798D000 viaide.sys
0xF798F000 aliide.sys
0xF7329000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF730A000 ftdisk.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF7717000 pavboot.sys
0xF74C7000 VolSnap.sys
0xF72F2000 atapi.sys
0xF721C000 iaStor.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF71FC000 fltmgr.sys
0xF71EA000 sr.sys
0xF771F000 PxHelp20.sys
0xF71D4000 SymSnap.sys
0xF71BD000 KSecDD.sys
0xF71AA000 WudfPf.sys
0xF711D000 Ntfs.sys
0xF70F0000 NDIS.sys
0xF7991000 SmartDefragDriver.sys
0xF74F7000 sbp2port.sys
0xF70D6000 Mup.sys
0xF6FA6000 btkrnl.sys
0xF7527000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6555000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7957000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xF6545000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF776F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF795B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF59F0000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF59DC000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF59B4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5792000 \SystemRoot\system32\DRIVERS\NETw4x32.sys
0xF7777000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF576E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF777F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF5747000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF5733000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF7787000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF6535000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF56E7000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF796F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6525000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF778F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF56B2000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79F5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7797000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7677000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7687000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7697000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF568F000 \SystemRoot\system32\DRIVERS\ks.sys
0xF779F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7B19000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\HssDrv.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF797B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5678000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF5B9D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77A7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5667000 \SystemRoot\system32\DRIVERS\psched.sys
0xF5B8D000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77AF000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77B7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF77BF000 \SystemRoot\system32\DRIVERS\taphss.sys
0xF5B7D000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF7983000 \SystemRoot\system32\DRIVERS\pnetmdm.sys
0xF77C7000 \SystemRoot\System32\Drivers\Modem.SYS
0xF5B6D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF5B5D000 \SystemRoot\system32\DRIVERS\VClone.sys
0xF564F000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xF77CF000 \SystemRoot\system32\DRIVERS\seehcri.sys
0xF79F7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF55F1000 \SystemRoot\system32\DRIVERS\update.sys
0xF6F82000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF6F7E000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF5B4D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA67E000 \SystemRoot\system32\drivers\CHDAud.sys
0xAA65A000 \SystemRoot\system32\drivers\portcls.sys
0xF2BC4000 \SystemRoot\system32\drivers\drmk.sys
0xAA628000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xAA52B000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xAA47B000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xA4E22000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA5142000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79B3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF0A94000 \SystemRoot\System32\Drivers\Null.SYS
0xF79B5000 \SystemRoot\System32\Drivers\Beep.SYS
0xA3F98000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0xA4DC4000 \SystemRoot\System32\drivers\vga.sys
0xF79B7000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79B9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA4DBC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA4DB4000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA513A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA3F65000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA3F0C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA3EE4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA3EBE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA3EA6000 \SystemRoot\system32\DRIVERS\epfwtdir.sys
0xA49C1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA512E000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA3E84000 \SystemRoot\System32\drivers\afd.sys
0xA49B1000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA4991000 \SystemRoot\System32\Drivers\V2IMount.SYS
0xA3E4D000 \SystemRoot\System32\drivers\truecrypt.sys
0xA4981000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA3E2B000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xA4D9C000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA3E00000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA3D90000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA4971000 \SystemRoot\System32\Drivers\Fips.SYS
0xA4009000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xA9A3B000 \SystemRoot\System32\Drivers\BANTExt.sys
0xA3D6C000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA3FF9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA3D4E000 \SystemRoot\System32\Drivers\usbvideo.sys
0xF0938000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA3FE9000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF6F35000 \SystemRoot\system32\DRIVERS\BrScnUsb.sys
0xF6F2D000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7967000 \SystemRoot\System32\drivers\Dxapi.sys
0xA3FD9000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xA42BE000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBF16E000 \SystemRoot\System32\ATMFD.DLL
0xA3CA7000 \SystemRoot\system32\DRIVERS\eamon.sys
0xF794B000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xF438C000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA3C9F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA3B62000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA3BC3000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xF4FAA000 \??\C:\WINDOWS\system32\drivers\btserial.sys
0xA3AB8000 \??\C:\WINDOWS\system32\drivers\btslbcsp.sys
0xA3970000 \SystemRoot\system32\DRIVERS\srv.sys
0xA3B2E000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA3A20000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA3869000 \??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys
0xF1167000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xA328C000 \SystemRoot\system32\drivers\wdmaud.sys
0xA3809000 \SystemRoot\system32\drivers\sysaudio.sys
0xA2E51000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xA1ED0000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
1788 C:\WINDOWS\system32\smss.exe
800 csrss.exe
1152 C:\WINDOWS\system32\winlogon.exe
1340 C:\WINDOWS\system32\services.exe
1352 C:\WINDOWS\system32\lsass.exe
1688 C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
1820 C:\WINDOWS\system32\svchost.exe
2024 svchost.exe
348 C:\WINDOWS\system32\svchost.exe
384 C:\WINDOWS\system32\svchost.exe
380 svchost.exe
1056 svchost.exe
1928 C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
1984 C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
460 C:\WINDOWS\system32\spoolsv.exe
500 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
656 svchost.exe
876 C:\Program Files\Box Sync\UpdateService.exe
904 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
944 C:\Program Files\Bonjour\mDNSResponder.exe
964 svchost.exe
1188 C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
1844 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
624 C:\WINDOWS\system32\gearsec.exe
228 C:\Program Files\Hotspot Shield\bin\openvpnas.exe
388 C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
920 C:\Program Files\Hotspot Shield\bin\hsswd.exe
1044 C:\Program Files\Java\jre6\bin\jqs.exe
1584 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1892 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
824 C:\Program Files\Common Files\Motive\McciCMService.exe
1008 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
1116 C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe
1168 C:\WINDOWS\system32\HPZipm12.exe
1260 C:\WINDOWS\system32\cryptainersrv.exe
1300 C:\WINDOWS\system32\svchost.exe
1512 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2096 C:\Program Files\Viewpoint\Common\ViewpointService.exe
2148 C:\WINDOWS\system32\searchindexer.exe
2364 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
2692 alg.exe
3304 C:\WINDOWS\explorer.exe
1712 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
2252 C:\WINDOWS\system32\TaskSwitch.exe
2052 wmiprvse.exe
1748 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3956 C:\Program Files\D4\D4.exe
792 C:\Program Files\Ad Muncher\AdMunch.exe
2664 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
3220 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
2940 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
2304 C:\Program Files\SugarSync\SugarSyncManager.exe
4064 C:\Program Files\Pidgin\pidgin.exe
3456 C:\Program Files\WebEx\Productivity Tools\ptim.exe
1020 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
2984 C:\Program Files\Chapura\Chapura SyncManager\SyncMgr.exe
3896 C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
3460 C:\Program Files\WebEx\Productivity Tools\ptsrv.exe
3476 C:\Program Files\Hp\QuickPlay\QPService.exe
3252 C:\Program Files\Mozilla Firefox\firefox.exe
3996 C:\WINDOWS\system32\wscntfy.exe
508 C:\Documents and Settings\Jonathan\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002b`f8f8e200 (FAT32)

PhysicalDrive0 Model Number: HitachiHTS722020K9SA00, Rev: DC4OC76A

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F19F100B4DC860880BDC331CC9D56B1C13F605D5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

COMBOFIX LOG FIRST RUN
ComboFix 12-03-14.01 - Jonathan 03/17/2012 13:08:01.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1508 [GMT -7:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-02-17 to 2012-03-17 )))))))))))))))))))))))))))))))
.
.
2012-03-01 20:08 . 2012-03-01 20:08 449848 ----a-w- c:\program files\Windows Media Player\WebEx\1124\atgpcext.dll
2012-03-01 20:08 . 2012-03-01 20:08 113976 ----a-w- c:\program files\Windows Media Player\WebEx\1124\atgpcdec.dll
2012-02-25 05:11 . 2012-02-25 05:32 -------- d-----w- c:\program files\VS Revo Group
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-25 05:32 . 2010-04-18 22:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-25 05:32 . 2010-04-10 15:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-19 05:48 . 2011-05-20 15:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 21:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 18:48 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-04 21:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-07-21 23:45 . 2009-07-21 23:44 3481968 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-02-22 00:02 . 2007-02-22 00:02 8681984 ----a-w- c:\program files\tzmove.exe
2007-02-21 01:36 . 2007-02-21 01:34 7101440 ----a-w- c:\program files\PocketDivXEncoder_0.3.60.exe
2006-10-14 06:12 . 2006-10-14 06:12 959488 ----a-w- c:\program files\addremovecleaner.exe
2006-10-04 06:08 . 2006-10-04 06:08 1161608 ----a-w- c:\program files\offkeyd.exe
2006-01-12 06:31 . 2007-02-25 21:11 992399 ----a-w- c:\program files\JHymn.exe
2004-08-06 02:07 . 2004-08-06 02:07 77824 ----a-w- c:\program files\Metronome.exe
2012-02-17 18:13 . 2011-08-26 14:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}]
2012-02-09 07:39 582872 ----a-w- c:\program files\DoNotTrackPlus\ScriptHost.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopFileLocked]
@="{C253B817-3A00-475f-A5A3-6F2DD704B48D}"
[HKEY_CLASSES_ROOT\CLSID\{C253B817-3A00-475f-A5A3-6F2DD704B48D}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopNotSynced]
@="{19ACC806-F7AA-46AA-A80A-726A07CA6637}"
[HKEY_CLASSES_ROOT\CLSID\{19ACC806-F7AA-46AA-A80A-726A07CA6637}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopNotSyncedCollabs]
@="{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}"
[HKEY_CLASSES_ROOT\CLSID\{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopSynced]
@="{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}"
[HKEY_CLASSES_ROOT\CLSID\{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopSyncedCollab]
@="{9E48C232-F601-4E41-BB3E-16CBAF317AA4}"
[HKEY_CLASSES_ROOT\CLSID\{9E48C232-F601-4E41-BB3E-16CBAF317AA4}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-02-03 9401424]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2011-08-20 48618]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2012-02-19 405816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Dimension4"="c:\program files\D4\D4.exe" [2004-02-04 200704]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2011-06-11 540872]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-13 2219184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2011-5-27 25214]
Box Sync.lnk.disabled [2011-9-20 1637]
Chapura SyncManager.lnk - c:\program files\Chapura\Chapura SyncManager\SyncMgr.exe [2011-7-5 2182656]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk.disabled [2006-6-12 1703]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_1_0 -reboot 1
"Aim6"=
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"OfotoNow USB Detection"=c:\windows\system32\RunDLL32.exe c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" /systray /nologon
"PTIM.exe"=c:\program files\WebEx\Productivity Tools\PTIM.exe
"PTOneClick"=c:\program files\WebEx\Productivity Tools\ptoneclk.exe /AutoRunning="2"
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CitiVAN"=c:\program files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe"
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"High Definition Audio Property Page Shortcut"=CHDAudPropShortcut.exe
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"ControlCenter3"=c:\program files\Brother\ControlCenter3\brctrcen.exe /autorun
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"igfxtray"=c:\windows\system32\igfxtray.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe"
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"BrMfcWnd"=c:\program files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
"Cpqset"=c:\program files\HPQ\Default Settings\cpqset.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"WINZIPDUDriverUpdater"="c:\program files\WinZip Driver Updater\winzipdu.exe" /schedule
"Intellisync Handheld Launcher"="c:\program files\Intellisync Corporation\Intellisync Handheld Edition\ishhlauncher.exe" /logon
"BoxSyncHelper"="c:\program files\Box Sync\BoxSyncHelper.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" /R
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\D4\\D4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Intellisync Corporation\\Intellisync Handheld Edition\\ishhlauncher.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Jonathan\\Local Settings\\Application Data\\Microsoft Lync Attendee\\AttendeeCommunicator.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Chapura\\Chapura SyncManager\\SyncMgr.exe"=
"c:\\Program Files\\SugarSync\\SugarSyncManager.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Jonathan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/25/2011 11:40 AM 28552]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [11/26/2011 5:25 PM 14776]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/28/2010 8:17 AM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/24/2010 9:27 AM 94872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 #UpdateService;Box Sync Auto-updater;c:\program files\Box Sync\UpdateService.exe [4/11/2011 6:10 PM 8704]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [12/9/2011 7:19 PM 494424]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [1/12/2011 5:41 PM 810144]
R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [7/1/2011 11:38 AM 298824]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [1/2/2012 9:15 PM 820568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/24/2009 7:52 AM 652872]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [3/15/2011 4:35 PM 61440]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [12/10/2007 6:15 PM 100728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2008 9:04 AM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/24/2009 7:52 AM 20464]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/2/2008 9:02 PM 47360]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [1/1/2006 10:20 PM 8576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [5/14/2010 5:35 PM 27632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 IHA_MessageCenter;IHA_MessageCenter;"c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" --> c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [?]
S3 26c10F;26c10F;c:\windows\system32\26c10F.sys [1/26/2008 10:18 PM 185824]
S3 e36566;e36566;c:\windows\system32\e36566.sys [6/24/2011 12:42 PM 185824]
S3 Flash1;Flash1;c:\program files\SP35668\winphlash\FLASH1.sys [3/1/2006 5:54 PM 3456]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/14/2010 5:34 PM 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/28/2007 5:01 PM 42512]
S3 NRKCTL32;NRKCTL32;c:\program files\wcpuid\nrkctl32.sys [12/28/2006 6:31 PM 3968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [12/28/2009 1:56 PM 9040]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [12/28/2009 1:56 PM 19408]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [1/2/2012 9:16 PM 30368]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [10/18/2009 6:28 PM 332928]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 11:01 PM 994360]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/18/2009 6:27 PM 13532]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [10/10/2011 7:18 PM 155344]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [3/23/2011 5:20 PM 26112]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [1/2/2012 9:16 PM 16208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 2:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [1/2/2012 9:16 PM 239472]
S4 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-12-24 17:50]
.
2012-03-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3599796677-2997021008-2328189849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
2012-03-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3599796677-2997021008-2328189849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = https://camb-ssl2.forrester.com/
uInternet Settings,ProxyOverride = *.local
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_link
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_report
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: forrester.com\camb-ssl
Trusted Zone: forrester.com\camb-ssl2
Trusted Zone: secunia.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\fsyv3q6g.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-17 13:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3599796677-2997021008-2328189849-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3599796677-2997021008-2328189849-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-3599796677-2997021008-2328189849-1006)
@Allowed: (Read) (S-1-5-21-3599796677-2997021008-2328189849-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WININET.dll
c:\program files\Ad Muncher\AM32-32700.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Box Sync\BoxIconOverlayHandler.dll
c:\program files\Box Sync\BoxUtils.dll
c:\program files\Box Sync\BoxData.dll
c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\SugarSync\SugarSyncShellExt.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Box Sync\BoxCopyHookHandler.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-17 13:25:27
ComboFix-quarantined-files.txt 2012-03-17 20:25
ComboFix2.txt 2012-02-05 18:44
ComboFix3.txt 2011-05-25 21:10
ComboFix4.txt 2011-05-25 19:03
ComboFix5.txt 2012-03-17 20:04
.
Pre-Run: 12,428,496,896 bytes free
Post-Run: 12,496,830,464 bytes free
.
- - End Of File - - 4475FA57942DD749466594E4C5F5328C

COMBOFIX LOG SECOND RUN
ComboFix 12-03-14.01 - Jonathan 03/17/2012 13:28:35.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1598 [GMT -7:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-17 to 2012-03-17 )))))))))))))))))))))))))))))))
.
.
2012-03-01 20:08 . 2012-03-01 20:08 449848 ----a-w- c:\program files\Windows Media Player\WebEx\1124\atgpcext.dll
2012-03-01 20:08 . 2012-03-01 20:08 113976 ----a-w- c:\program files\Windows Media Player\WebEx\1124\atgpcdec.dll
2012-02-25 05:11 . 2012-02-25 05:32 -------- d-----w- c:\program files\VS Revo Group
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-25 05:32 . 2010-04-18 22:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-25 05:32 . 2010-04-10 15:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-19 05:48 . 2011-05-20 15:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 21:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 18:48 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-04 21:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-07-21 23:45 . 2009-07-21 23:44 3481968 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-02-22 00:02 . 2007-02-22 00:02 8681984 ----a-w- c:\program files\tzmove.exe
2007-02-21 01:36 . 2007-02-21 01:34 7101440 ----a-w- c:\program files\PocketDivXEncoder_0.3.60.exe
2006-10-14 06:12 . 2006-10-14 06:12 959488 ----a-w- c:\program files\addremovecleaner.exe
2006-10-04 06:08 . 2006-10-04 06:08 1161608 ----a-w- c:\program files\offkeyd.exe
2006-01-12 06:31 . 2007-02-25 21:11 992399 ----a-w- c:\program files\JHymn.exe
2004-08-06 02:07 . 2004-08-06 02:07 77824 ----a-w- c:\program files\Metronome.exe
2012-02-17 18:13 . 2011-08-26 14:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}]
2012-02-09 07:39 582872 ----a-w- c:\program files\DoNotTrackPlus\ScriptHost.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopFileLocked]
@="{C253B817-3A00-475f-A5A3-6F2DD704B48D}"
[HKEY_CLASSES_ROOT\CLSID\{C253B817-3A00-475f-A5A3-6F2DD704B48D}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopNotSynced]
@="{19ACC806-F7AA-46AA-A80A-726A07CA6637}"
[HKEY_CLASSES_ROOT\CLSID\{19ACC806-F7AA-46AA-A80A-726A07CA6637}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopNotSyncedCollabs]
@="{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}"
[HKEY_CLASSES_ROOT\CLSID\{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopSynced]
@="{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}"
[HKEY_CLASSES_ROOT\CLSID\{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopSyncedCollab]
@="{9E48C232-F601-4E41-BB3E-16CBAF317AA4}"
[HKEY_CLASSES_ROOT\CLSID\{9E48C232-F601-4E41-BB3E-16CBAF317AA4}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-02-03 9401424]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2011-08-20 48618]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2012-02-19 405816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Dimension4"="c:\program files\D4\D4.exe" [2004-02-04 200704]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2011-06-11 540872]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-13 2219184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2011-5-27 25214]
Box Sync.lnk.disabled [2011-9-20 1637]
Chapura SyncManager.lnk - c:\program files\Chapura\Chapura SyncManager\SyncMgr.exe [2011-7-5 2182656]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk.disabled [2006-6-12 1703]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_1_0 -reboot 1
"Aim6"=
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"OfotoNow USB Detection"=c:\windows\system32\RunDLL32.exe c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" /systray /nologon
"PTIM.exe"=c:\program files\WebEx\Productivity Tools\PTIM.exe
"PTOneClick"=c:\program files\WebEx\Productivity Tools\ptoneclk.exe /AutoRunning="2"
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CitiVAN"=c:\program files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe"
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"High Definition Audio Property Page Shortcut"=CHDAudPropShortcut.exe
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"ControlCenter3"=c:\program files\Brother\ControlCenter3\brctrcen.exe /autorun
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"igfxtray"=c:\windows\system32\igfxtray.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe"
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"BrMfcWnd"=c:\program files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
"Cpqset"=c:\program files\HPQ\Default Settings\cpqset.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"WINZIPDUDriverUpdater"="c:\program files\WinZip Driver Updater\winzipdu.exe" /schedule
"Intellisync Handheld Launcher"="c:\program files\Intellisync Corporation\Intellisync Handheld Edition\ishhlauncher.exe" /logon
"BoxSyncHelper"="c:\program files\Box Sync\BoxSyncHelper.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" /R
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\D4\\D4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Intellisync Corporation\\Intellisync Handheld Edition\\ishhlauncher.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Jonathan\\Local Settings\\Application Data\\Microsoft Lync Attendee\\AttendeeCommunicator.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Chapura\\Chapura SyncManager\\SyncMgr.exe"=
"c:\\Program Files\\SugarSync\\SugarSyncManager.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Jonathan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/25/2011 11:40 AM 28552]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [11/26/2011 5:25 PM 14776]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/28/2010 8:17 AM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/24/2010 9:27 AM 94872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 #UpdateService;Box Sync Auto-updater;c:\program files\Box Sync\UpdateService.exe [4/11/2011 6:10 PM 8704]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [12/9/2011 7:19 PM 494424]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [1/12/2011 5:41 PM 810144]
R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [7/1/2011 11:38 AM 298824]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [1/2/2012 9:15 PM 820568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/24/2009 7:52 AM 652872]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [3/15/2011 4:35 PM 61440]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [12/10/2007 6:15 PM 100728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2008 9:04 AM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/24/2009 7:52 AM 20464]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/2/2008 9:02 PM 47360]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [1/1/2006 10:20 PM 8576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [5/14/2010 5:35 PM 27632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 IHA_MessageCenter;IHA_MessageCenter;"c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" --> c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [?]
S3 26c10F;26c10F;c:\windows\system32\26c10F.sys [1/26/2008 10:18 PM 185824]
S3 e36566;e36566;c:\windows\system32\e36566.sys [6/24/2011 12:42 PM 185824]
S3 Flash1;Flash1;c:\program files\SP35668\winphlash\FLASH1.sys [3/1/2006 5:54 PM 3456]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/14/2010 5:34 PM 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/28/2007 5:01 PM 42512]
S3 NRKCTL32;NRKCTL32;c:\program files\wcpuid\nrkctl32.sys [12/28/2006 6:31 PM 3968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [12/28/2009 1:56 PM 9040]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [12/28/2009 1:56 PM 19408]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [1/2/2012 9:16 PM 30368]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [10/18/2009 6:28 PM 332928]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 11:01 PM 994360]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/18/2009 6:27 PM 13532]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [10/10/2011 7:18 PM 155344]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [3/23/2011 5:20 PM 26112]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [1/2/2012 9:16 PM 16208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 2:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [1/2/2012 9:16 PM 239472]
S4 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-12-24 17:50]
.
2012-03-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3599796677-2997021008-2328189849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
2012-03-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3599796677-2997021008-2328189849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = https://camb-ssl2.forrester.com/
uInternet Settings,ProxyOverride = *.local
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_link
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_report
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: forrester.com\camb-ssl
Trusted Zone: forrester.com\camb-ssl2
Trusted Zone: secunia.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\fsyv3q6g.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-17 13:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3599796677-2997021008-2328189849-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3599796677-2997021008-2328189849-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-3599796677-2997021008-2328189849-1006)
@Allowed: (Read) (S-1-5-21-3599796677-2997021008-2328189849-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2284)
c:\windows\system32\WININET.dll
c:\program files\Ad Muncher\AM32-32700.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Box Sync\BoxIconOverlayHandler.dll
c:\program files\Box Sync\BoxUtils.dll
c:\program files\Box Sync\BoxData.dll
c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\SugarSync\SugarSyncShellExt.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Box Sync\BoxCopyHookHandler.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-17 13:39:38
ComboFix-quarantined-files.txt 2012-03-17 20:39
ComboFix2.txt 2012-03-17 20:25
ComboFix3.txt 2012-02-05 18:44
ComboFix4.txt 2011-05-25 21:10
ComboFix5.txt 2012-03-17 20:27
.
Pre-Run: 12,515,315,712 bytes free
Post-Run: 12,492,779,520 bytes free
.
- - End Of File - - 7A8B98F58946EC79954BD248F35ECB47

#7 nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 March 2012 - 08:44 AM

I need more information on these 2 files in bold.

S3 26c10F;26c10F;c:\windows\system32\26c10F.sys
S3 e36566;e36566;c:\windows\system32\e36566.sys

>>> Run Jotti's malware scan: Please copy each line from the following (in bold):
S3 26c10F;26c10F;c:\windows\system32\26c10F.sys
S3 e36566;e36566;c:\windows\system32\e36566.sys
button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link". [image]
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
  • If more than one file is submitted, return to the "Jotti's malware scan" window and click the "Next file" button to continue with the rest.
Please copy and paste these Permalinks in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

If you know what they are it would also help.

Do you have any difficulties with this computer?

#8 jlips

  • Topic Starter
  • Members
  • 28 posts

Posted 18 March 2012 - 01:01 PM

In your instructions you said to copy in each bold line. I copied the entire line, but Jotti could not find a file because of the pieces before the semicolon. So, I copied only the file pathway pieces. Permalinks are below. I have no idea what the files are for. The one 26c10f.sys shows a create date of 1/26/2008 and the e36566.sys of June 24, 2011. I noticed that the first link which was for the 26c10f.sys file also shows as e36566.sys . I ran this several times to make sure it was not an error on my part.

http://virusscan.jotti.org/en/scanresult/6c8ee56b8506f5058109594833fc1575ceef5f90/0803a97c8387d8c9c1b967bf5e5d7058b3eb6665

http://virusscan.jotti.org/en/scanresult/6c8ee56b8506f5058109594833fc1575ceef5f90/1dc1613bb14ae80d4036fdf79136d081c4d1d543

My computer was behaving strangely a few weeks ago. A lot of system error codes and errors when booting, services not loading. That led to slow boot times and I would get an alert that the Windows Firewall was not on. That alert would go away after a couple of minutes when the boot process completed. I believed (maybe wrongly) that the cause was registry issues when I researched it on the web. I found some discussion on reputable sites (I don't remember which) and made some fixes to my registry. That fixed the problem. Otherwise, the computer seems normal now. As I mentioned at the start of the thread, I had my bank account details stolen and one of the peculiarities of the incident indicates either my email was compromised, my computer was compromised, or an inside job at the bank. So, in addition to cleaning my computer I really need to determine if the infection could include a keylogger or some other way for a person to see what is on/in my computer.

Thanks.

#9 nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 March 2012 - 08:01 AM

In your instructions you said to copy in each bold line. I copied the entire line, but Jotti could not find a file because of the pieces before the semicolon. So, I copied only the file pathway pieces.

Sorry my mistake.

The files checked at Jotti were possibly some leftovers from a previous infection. Will remove them with the script for ComboFix.

c:\windows\system32\26c10F.sys
c:\windows\system32\e36566.sys



Open notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\system32\26c10F.sys
c:\windows\system32\e36566.sys

Driver::
26c10F
e36566

ClearJavaCache::


Save this as CFScript on your desktop.

[image]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Nothing else is identified as suspicious on your log.
I suggest you run this ESET Scan
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Please post the logs for my review.

#10 jlips

  • Topic Starter
  • Members
  • 28 posts

Posted 20 March 2012 - 03:47 PM

The ESET online scanner did not find anything, so there was no log to attach.

Here is the CFScript log. When I tried running it, I got a message about ComboFix being expired and running in reduced functionality mode. If that is not sufficient, let me know and I'll run it again. Thanks, -jon

ComboFix 12-03-14.01 - Jonathan 03/19/2012 16:59:10.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1711 [GMT -7:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jonathan\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\windows\system32\26c10F.sys"
"c:\windows\system32\e36566.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\26c10F.sys
c:\windows\system32\e36566.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-18 04:49 . 2012-03-18 04:49 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-18 04:49 . 2012-03-18 04:49 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-01 20:08 . 2012-03-01 20:08 449848 ----a-w- c:\program files\Windows Media Player\WebEx\1124\atgpcext.dll
2012-03-01 20:08 . 2012-03-01 20:08 113976 ----a-w- c:\program files\Windows Media Player\WebEx\1124\atgpcdec.dll
2012-02-25 05:11 . 2012-02-25 05:32 -------- d-----w- c:\program files\VS Revo Group
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-25 05:32 . 2010-04-18 22:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-25 05:32 . 2010-04-10 15:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-19 05:48 . 2011-05-20 15:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 21:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 18:48 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-04 21:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-07-21 23:45 . 2009-07-21 23:44 3481968 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-02-22 00:02 . 2007-02-22 00:02 8681984 ----a-w- c:\program files\tzmove.exe
2007-02-21 01:36 . 2007-02-21 01:34 7101440 ----a-w- c:\program files\PocketDivXEncoder_0.3.60.exe
2006-10-14 06:12 . 2006-10-14 06:12 959488 ----a-w- c:\program files\addremovecleaner.exe
2006-10-04 06:08 . 2006-10-04 06:08 1161608 ----a-w- c:\program files\offkeyd.exe
2006-01-12 06:31 . 2007-02-25 21:11 992399 ----a-w- c:\program files\JHymn.exe
2004-08-06 02:07 . 2004-08-06 02:07 77824 ----a-w- c:\program files\Metronome.exe
2012-03-18 04:49 . 2011-08-26 14:57 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-17_20.21.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-19 15:46 . 2012-03-19 15:46 16384 c:\windows\temp\Perflib_Perfdata_798.dat
+ 2012-03-19 15:46 . 2012-03-19 15:46 16384 c:\windows\temp\Perflib_Perfdata_3d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}]
2012-02-09 07:39 582872 ----a-w- c:\program files\DoNotTrackPlus\ScriptHost.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopFileLocked]
@="{C253B817-3A00-475f-A5A3-6F2DD704B48D}"
[HKEY_CLASSES_ROOT\CLSID\{C253B817-3A00-475f-A5A3-6F2DD704B48D}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopNotSynced]
@="{19ACC806-F7AA-46AA-A80A-726A07CA6637}"
[HKEY_CLASSES_ROOT\CLSID\{19ACC806-F7AA-46AA-A80A-726A07CA6637}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopNotSyncedCollabs]
@="{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}"
[HKEY_CLASSES_ROOT\CLSID\{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopSynced]
@="{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}"
[HKEY_CLASSES_ROOT\CLSID\{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BoxDesktopSyncedCollab]
@="{9E48C232-F601-4E41-BB3E-16CBAF317AA4}"
[HKEY_CLASSES_ROOT\CLSID\{9E48C232-F601-4E41-BB3E-16CBAF317AA4}]
2010-03-18 17:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Jonathan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-02-03 18:47 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-02-03 9401424]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2011-08-20 48618]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2012-02-19 405816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Dimension4"="c:\program files\D4\D4.exe" [2004-02-04 200704]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2011-06-11 540872]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-13 2219184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2011-5-27 25214]
Box Sync.lnk.disabled [2011-9-20 1637]
Chapura SyncManager.lnk - c:\program files\Chapura\Chapura SyncManager\SyncMgr.exe [2011-7-5 2182656]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk.disabled [2006-6-12 1703]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_1_0 -reboot 1
"Aim6"=
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"OfotoNow USB Detection"=c:\windows\system32\RunDLL32.exe c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" /systray /nologon
"PTIM.exe"=c:\program files\WebEx\Productivity Tools\PTIM.exe
"PTOneClick"=c:\program files\WebEx\Productivity Tools\ptoneclk.exe /AutoRunning="2"
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CitiVAN"=c:\program files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe"
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"High Definition Audio Property Page Shortcut"=CHDAudPropShortcut.exe
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"ControlCenter3"=c:\program files\Brother\ControlCenter3\brctrcen.exe /autorun
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"igfxtray"=c:\windows\system32\igfxtray.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe"
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"BrMfcWnd"=c:\program files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
"Cpqset"=c:\program files\HPQ\Default Settings\cpqset.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"WINZIPDUDriverUpdater"="c:\program files\WinZip Driver Updater\winzipdu.exe" /schedule
"Intellisync Handheld Launcher"="c:\program files\Intellisync Corporation\Intellisync Handheld Edition\ishhlauncher.exe" /logon
"BoxSyncHelper"="c:\program files\Box Sync\BoxSyncHelper.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" /R
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\D4\\D4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Intellisync Corporation\\Intellisync Handheld Edition\\ishhlauncher.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Jonathan\\Local Settings\\Application Data\\Microsoft Lync Attendee\\AttendeeCommunicator.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Chapura\\Chapura SyncManager\\SyncMgr.exe"=
"c:\\Program Files\\SugarSync\\SugarSyncManager.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Jonathan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/25/2011 11:40 AM 28552]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [11/26/2011 5:25 PM 14776]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/28/2010 8:17 AM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/24/2010 9:27 AM 94872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 #UpdateService;Box Sync Auto-updater;c:\program files\Box Sync\UpdateService.exe [4/11/2011 6:10 PM 8704]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [12/9/2011 7:19 PM 494424]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [1/12/2011 5:41 PM 810144]
R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [7/1/2011 11:38 AM 298824]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [1/2/2012 9:15 PM 820568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/24/2009 7:52 AM 652872]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [3/15/2011 4:35 PM 61440]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [12/10/2007 6:15 PM 100728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2008 9:04 AM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/24/2009 7:52 AM 20464]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/2/2008 9:02 PM 47360]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [1/1/2006 10:20 PM 8576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [5/14/2010 5:35 PM 27632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 IHA_MessageCenter;IHA_MessageCenter;"c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" --> c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [?]
S3 26c10F;26c10F;\??\c:\windows\system32\26c10F.sys --> c:\windows\system32\26c10F.sys [?]
S3 e36566;e36566;\??\c:\windows\system32\e36566.sys --> c:\windows\system32\e36566.sys [?]
S3 Flash1;Flash1;c:\program files\SP35668\winphlash\FLASH1.sys [3/1/2006 5:54 PM 3456]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/14/2010 5:34 PM 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/28/2007 5:01 PM 42512]
S3 NRKCTL32;NRKCTL32;c:\program files\wcpuid\nrkctl32.sys [12/28/2006 6:31 PM 3968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [12/28/2009 1:56 PM 9040]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [12/28/2009 1:56 PM 19408]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [1/2/2012 9:16 PM 30368]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [10/18/2009 6:28 PM 332928]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 11:01 PM 994360]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/18/2009 6:27 PM 13532]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [10/10/2011 7:18 PM 155344]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [3/23/2011 5:20 PM 26112]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [1/2/2012 9:16 PM 16208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 2:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [1/2/2012 9:16 PM 239472]
S4 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-19 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-12-24 17:50]
.
2012-03-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3599796677-2997021008-2328189849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
2012-03-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3599796677-2997021008-2328189849-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = https://camb-ssl2.forrester.com/
uInternet Settings,ProxyOverride = *.local
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_link
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=Z965557U&id=menu_ie_report
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: forrester.com\camb-ssl
Trusted Zone: forrester.com\camb-ssl2
Trusted Zone: secunia.com
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://camb-ssl2.forrester.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\fsyv3q6g.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-19 17:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3599796677-2997021008-2328189849-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3599796677-2997021008-2328189849-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-3599796677-2997021008-2328189849-1006)
@Allowed: (Read) (S-1-5-21-3599796677-2997021008-2328189849-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-03-19 17:07:08
ComboFix-quarantined-files.txt 2012-03-20 00:07
ComboFix2.txt 2012-03-17 20:39
ComboFix3.txt 2012-03-17 20:25
ComboFix4.txt 2012-02-05 18:44
ComboFix5.txt 2012-03-19 23:55
.
Pre-Run: 12,163,645,440 bytes free
Post-Run: 12,272,680,960 bytes free
.
- - End Of File - - 58031EF665BC05040EF6D0499741C7C9


Here is the Security Checkup log


Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET NOD32 Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Out of date HijackThis installed!
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.6
Spybot - Search & Destroy
SUPERAntiSpyware
Windows Defender Signatures
Norton Ghost 10.0
Secunia PSI (2.0.0.4003)
Gmer
HijackThis 1.99.1
CCleaner (remove only)
TweakNow RegCleaner 2011
TweakNow RegCleaner Standard
TweakNow RegCleaner
Wise Disk Cleaner 5.81
Wise Registry Cleaner 5.9.4
Java™ 6 Update 31
Adobe Flash Player 11.1.102.62
Adobe Reader X (10.1.2)
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

WinPatrol winpatrol.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
IObit IObit Malware Fighter IMFsrv.exe
``````````End of Log````````````

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 AM

Posted 21 March 2012 - 07:19 AM

My script worked.

Any remaining issues?

#12 jlips

jlips
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:08 AM

Posted 21 March 2012 - 12:13 PM

Do you think I am fully clean now (at least my computer)? I would like your opinion on whether what I was infected with would be likely to allow someone to have seen my screen, steal files, keylog, or anything else like that which could have contributed to stealing my bank details. I'm trying to figure out how my bank account was compromised.

Thanks for all your help. jon

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 AM

Posted 22 March 2012 - 07:47 AM

We have no way of knowing how your computer was compromised.

I can only suggest you change all your passwords.

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#14 jlips

jlips
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:08 AM

Posted 22 March 2012 - 08:07 PM

Here is the log. So it is safe now to change my passwords? Thanks for all your help.

Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET NOD32 Antivirus
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Out of date HijackThis installed!
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.6
Spybot - Search & Destroy
SUPERAntiSpyware
Windows Defender Signatures
Norton Ghost 10.0
Secunia PSI (2.0.0.4003)
Gmer
HijackThis 1.99.1
CCleaner (remove only)
TweakNow RegCleaner 2011
TweakNow RegCleaner Standard
TweakNow RegCleaner
Wise Disk Cleaner 5.81
Wise Registry Cleaner 5.9.4
Java™ 6 Update 31
Adobe Flash Player 11.1.102.62
Adobe Reader X (10.1.2)
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

WinPatrol winpatrol.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
IObit IObit Malware Fighter IMFsrv.exe
``````````End of Log````````````

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 AM

Posted 23 March 2012 - 09:04 AM

Out of date Spybot installed!

If you are not going to update this tool remove it using the Add/Remove Programs list.
===

You have this old version of HijackThis 1.99.1. Most forums will now ask to see a DDS log.
I would remove it also using the Add/Remove option.
===

So it is safe now to change my passwords?

Yes.
===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===



