
rootkit.tdss.v3 removal help


This topic is locked
36 replies to this topic

#1 zakn

  • Members
  • 18 posts

Posted 17 March 2012 - 04:42 PM

I've been battling this for over a week now. Ran Spyware Doctor and TDSSKiller, and got most of the stuff gone. Couldn't get rid of rootkit.tdss.v3, so I deleted the partition on my internal hard drive and reinstalled from the Windows XP CD. Before I did the factory installation I ran several scans with Spyware Doctor on the files and documents I needed to get off of the computer, and none of the files showed infection, so I copied them over to an external hard drive. Just got done reinstalling and putting some documents back on the PC.

Ran Spyware Doctor again and found out that I still have the rootkit.tdss.v3 problem. Spyware Doctor says that the rootkit-infected file is mbr.dat or something like that. Before I set my hard drive back to factory installation I deleted the mbr.dat in the registry and couldn't find it anywhere, but rootkit.tdss.v3 still remained.

A little while after I ran Defogger, Spyware Doctor indicated that mbr.dat was trying to install a driver, so I had it quarantined instead of allowing it. Then I followed the rest of the steps for creating logs.

*edit* it didn't seem to attach the attach.txt, only the ark.txt. I'm gonna try to attach again.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Jonathon at 13:18:58 on 2012-03-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2459 [GMT -7:00]
.
AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\RocketFish\RF7.1\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/go/cs_systemreqs
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
mRun: [VolPanel] "c:\program files\rocketfish\rf7.1\volume panel\VolPanlu.exe" /r
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [ISTray] "c:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel\zyxel g-202 wireless adapter utility\ZyXEL G-202.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1331937555312
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{F3636A72-A304-4C03-9246-3B301ED42473} : DhcpNameServer = 192.168.2.1 192.168.2.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jonathon\application data\mozilla\firefox\profiles\fyru972d.default\
FF - prefs.js: browser.search.selectedEngine - WOT Safe Search
.
============= SERVICES / DRIVERS ===============
.
R0 pctBTFix;PC Tools Boot Fix Driver;c:\windows\system32\drivers\pctBTFix.sys [2012-3-16 17848]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-3-16 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-3-16 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-3-16 909728]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2012-3-16 54328]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2012-3-16 574424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2012-3-16 253352]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-3-16 185560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-3-16 550864]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-3-16 402336]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-3-16 1117624]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2012-3-15 19072]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-3-16 232512]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-3-16 56840]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2012-3-16 70536]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2012-3-16 35264]
R3 ThreatFire;ThreatFire;c:\program files\pc tools\pc tools security\tfengine\tfservice.exe service --> c:\program files\pc tools\pc tools security\tfengine\TFService.exe service [?]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2012-3-15 437760]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2012-3-15 79360]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2012-03-17 17:11:36 -------- d-----w- c:\program files\Runtime Software
2012-03-17 16:35:37 -------- d-----w- c:\windows\system32\Lang
2012-03-17 05:38:40 -------- d-----w- c:\windows\system32\xlive
2012-03-17 05:38:36 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2012-03-17 05:23:09 -------- d-----w- c:\windows\system32\RTCOM
2012-03-17 04:49:30 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-03-17 04:49:30 54328 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2012-03-17 04:49:30 35264 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2012-03-17 04:48:40 767952 ----a-w- c:\windows\BDTSupport.dll
2012-03-17 04:48:40 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-03-17 04:48:40 2250704 ----a-w- c:\windows\PCTBDCore.dll
2012-03-17 04:48:40 149456 ----a-w- c:\windows\SGDetectionTool.dll
2012-03-17 04:48:39 1681360 ----a-w- c:\windows\PCTBDRes.dll
2012-03-17 04:48:12 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-03-17 04:48:09 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-03-17 04:48:04 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-03-17 04:47:59 -------- d-----w- c:\program files\PC Tools
2012-03-17 04:22:44 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-03-17 04:22:44 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-03-17 04:22:42 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-03-17 04:22:42 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-03-17 04:22:41 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-03-17 04:22:41 -------- d-----w- c:\program files\common files\PC Tools
2012-03-17 04:21:01 -------- d-----w- c:\documents and settings\jonathon\application data\TestApp
2012-03-17 04:21:01 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-03-17 03:52:40 -------- d--h--w- c:\program files\common files\EAInstaller
2012-03-17 03:26:34 -------- d-----w- c:\documents and settings\jonathon\application data\Sony Creative Software Inc
2012-03-17 02:49:49 -------- d-----w- c:\program files\Sony
2012-03-17 02:49:49 -------- d-----w- c:\documents and settings\jonathon\local settings\application data\Sony
2012-03-17 02:45:33 -------- d-----w- c:\windows\system32\LogFiles
2012-03-17 02:43:35 -------- d-----w- c:\windows\system32\XPSViewer
2012-03-17 02:43:18 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-03-17 02:43:04 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-03-17 02:43:04 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-03-17 02:43:04 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-03-17 02:43:04 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-03-17 02:43:04 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-03-17 02:43:04 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-03-17 02:43:04 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-03-17 02:43:04 117760 ------w- c:\windows\system32\prntvpt.dll
2012-03-17 00:32:30 -------- d-----w- c:\program files\common files\Steam
2012-03-16 23:58:16 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-03-16 23:57:55 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-03-16 23:56:51 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-03-16 23:56:05 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-03-16 23:55:52 532480 -c----w- c:\windows\system32\dllcache\mstime.dll
2012-03-16 23:55:52 449536 -c----w- c:\windows\system32\dllcache\mshtmled.dll
2012-03-16 23:55:52 37888 -c----w- c:\windows\system32\dllcache\url.dll
2012-03-16 23:50:43 852480 -c----w- c:\windows\system32\dllcache\vgx.dll
2012-03-16 22:52:13 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-03-16 22:50:10 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-16 22:49:53 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-03-16 22:49:07 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-03-16 22:49:07 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-03-16 22:49:00 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-03-16 22:44:47 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-03-16 22:44:07 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-03-16 22:44:07 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-03-16 22:44:04 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-03-16 22:43:34 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2012-03-16 22:43:34 -------- d-----w- c:\windows\system32\PreInstall
2012-03-16 22:39:48 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-03-16 22:39:48 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-03-16 22:39:48 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-03-16 22:39:47 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-03-16 22:39:47 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-03-16 22:29:56 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-03-16 22:29:55 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-16 22:29:55 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-16 22:29:41 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2012-03-16 22:29:08 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-03-16 22:29:06 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-03-16 22:19:04 -------- d-----w- c:\windows\system32\scripting
2012-03-16 22:19:04 -------- d-----w- c:\windows\l2schemas
2012-03-16 22:19:03 -------- d-----w- c:\windows\system32\en
2012-03-16 22:19:03 -------- d-----w- c:\windows\system32\bits
2012-03-16 22:17:15 -------- d-----w- c:\windows\network diagnostic
2012-03-16 22:16:22 -------- d-----w- c:\windows\system32\ReinstallBackups
2012-03-16 22:15:05 -------- d-----w- c:\windows\EHome
2012-03-16 20:27:58 -------- d-----w- c:\documents and settings\jonathon\local settings\application data\Spotify
2012-03-16 20:27:02 -------- d-----w- c:\documents and settings\jonathon\application data\Spotify
2012-03-16 18:53:34 443448 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-03-16 18:47:31 -------- d-----w- c:\documents and settings\all users\application data\ALM
2012-03-16 18:24:17 8704 ----a-w- c:\windows\system32\BHARegister.dll
2012-03-16 18:24:17 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2012-03-16 18:24:17 49152 ----a-w- c:\windows\system32\setupsvc.dll
2012-03-16 18:24:17 33408 ----a-w- c:\windows\system32\drivers\cdrbsdrv.sys
2012-03-16 18:24:17 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2012-03-16 18:23:00 -------- d-----w- c:\program files\Games
2012-03-16 18:09:24 18944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2012-03-16 18:09:24 17920 ----a-w- c:\windows\system32\mdimon.dll
2012-03-16 18:09:12 -------- d-----w- c:\program files\Microsoft ActiveSync
2012-03-16 18:09:07 -------- d-----w- c:\windows\SHELLNEW
2012-03-16 18:02:38 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-03-16 18:02:34 -------- d-----w- c:\program files\DAEMON Tools Pro
2012-03-16 18:02:22 -------- d-----w- c:\documents and settings\jonathon\application data\DAEMON Tools Pro
2012-03-16 18:02:22 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Pro
2012-03-16 17:45:38 -------- d-----w- c:\documents and settings\jonathon\local settings\application data\Apple Computer
2012-03-16 17:45:34 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-16 17:45:34 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-16 17:45:11 -------- d-----w- c:\program files\iPod
2012-03-16 17:45:09 -------- d-----w- c:\program files\iTunes
2012-03-16 17:45:09 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-16 17:44:59 -------- d-----w- c:\documents and settings\jonathon\local settings\application data\Apple
2012-03-16 17:44:20 -------- d-----w- c:\program files\Bonjour
2012-03-16 17:43:53 -------- d-----w- c:\program files\VideoLAN
2012-03-16 17:30:52 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2012-03-16 17:29:20 -------- d-----w- c:\documents and settings\jonathon\application data\DAEMON Tools Lite
2012-03-16 17:29:18 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2012-03-16 17:23:01 -------- d-----w- c:\documents and settings\jonathon\application data\URSoft
2012-03-16 17:16:49 -------- d-s---w- c:\documents and settings\jonathon\UserData
2012-03-16 17:14:39 -------- d-----w- c:\documents and settings\jonathon\local settings\application data\Adobe
2012-03-16 05:05:52 -------- d-----w- c:\program files\Guitar Pro 5
2012-03-16 05:03:48 -------- d---a-w- c:\program files\FinalBurner
2012-03-16 05:02:10 -------- d-----w- c:\program files\PowerISO
.
==================== Find3M ====================
.
2012-03-16 05:00:32 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-03-16 05:00:32 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-03-16 05:00:29 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-03-16 04:54:45 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2012-03-16 04:54:45 102400 ----a-w- c:\windows\system32\OpenAL32.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-19 08:53:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:53:33 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-12-19 08:53:32 81920 ----a-w- c:\windows\system32\ieencode.dll
.
============= FINISH: 13:25:26.45 ===============

Edited by zakn, 17 March 2012 - 04:51 PM.


#2 gringo_pr (Bleepin Gringo)


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 March 2012 - 11:31 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so!
Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 zakn (Topic Starter)

  • Members
  • 18 posts

Posted 21 March 2012 - 12:16 PM

Hello Gringo. No problems occurred during the scan. My computer is running a little better I think. Is it ok for me to turn my firewall and antivirus back on?

Here's the log

ComboFix 12-03-21.02 - Jonathon 03/21/2012 9:40.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2800 [GMT -7:00]
Running from: c:\documents and settings\Jonathon\Desktop\combofix\ComboFix.exe
AV: PC Tools Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\_000126_.tmp.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\OLD67.tmp
c:\windows\system32\OLD96.tmp
c:\windows\system32\SET1A2.tmp
c:\windows\system32\SET1A5.tmp
c:\windows\system32\SET1AA.tmp
c:\windows\system32\SET1B2.tmp
c:\windows\system32\SET1B5.tmp
c:\windows\system32\tmpAC.tmp
c:\windows\system32\tmpAD.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-02-21 to 2012-03-21 )))))))))))))))))))))))))))))))
.
.
2012-03-16 18:07 . 2012-03-16 18:07 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 04:39 . 2012-03-16 17:19 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 73728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\RocketFish\RF7.1\Volume Panel\VolPanlu.exe" [2008-11-25 237693]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-202 Wireless Adapter Utility.lnk - c:\program files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2012-3-15 10878976]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ZyXEL\\ZyXEL G-202 Wireless Adapter Utility\\ZyXEL G-202.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Jonathon\\Application Data\\Spotify\\spotify.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Games\\Mass Effect 3\\Binaries\\Win32\\MassEffect3.exe"=
"c:\\Program Files\\Games\\Operation Flashpoint Red River\\RedRiver.exe"=
"c:\\Program Files\\Games\\Operation Flashpoint Red River\\RedRiverLauncher.exe"=
.
R0 pctBTFix;PC Tools Boot Fix Driver;c:\windows\system32\drivers\pctBTFix.sys [3/16/2012 9:48 PM 17848]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/16/2012 9:22 PM 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [3/16/2012 9:22 PM 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [3/16/2012 9:22 PM 909728]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [3/16/2012 9:49 PM 54328]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [3/16/2012 9:49 PM 574424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [3/16/2012 9:48 PM 253352]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [3/16/2012 9:22 PM 185560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [3/16/2012 9:48 PM 550864]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [3/16/2012 11:02 AM 232512]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [3/16/2012 9:48 PM 56840]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [3/16/2012 9:49 PM 35264]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/15/2012 9:53 PM 79360]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [3/16/2012 9:48 PM 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools\PC Tools Security\pctsAuxs.exe [3/16/2012 9:48 PM 402336]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools\PC Tools Security\TFEngine\TFService.exe service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\AdobeAAMUpdater-1.0-ODIN-Jonathon.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-03-16 11:44]
.
2012-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 01:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/go/cs_systemreqs
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Jonathon\Application Data\Mozilla\Firefox\Profiles\fyru972d.default\
FF - prefs.js: browser.search.selectedEngine - WOT Safe Search
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-21 09:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(624)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2012-03-21 10:02:30
ComboFix-quarantined-files.txt 2012-03-21 17:02
.
Pre-Run: 238,138,085,376 bytes free
Post-Run: 238,225,469,440 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 21C4AD5A19F0EA40037EAFC1B0CC801E

Attached Files

  • Attached File  log.txt   8.08KB   0 downloads

Edited by zakn, 21 March 2012 - 12:20 PM.
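The logs pasted in this thread are what the helper actually reads, so here is an added example (not from the thread, and not from the DDS or ComboFix authors) of a small Python triage script that pulls out the items I would re-check first in the ComboFix log above: the firewall policy value (the log shows "EnableFirewall"= 0), service and driver entries that end in [?] instead of a date and size (the tool printed no file metadata for the binary at that path), the *Deregistered* driver line, and the catchme hidden-file count. The sample lines are copied from post #3; SAMPLE_LOG, triage, summarize and Finding are my names, and the reading of the R/S letter and start-type digit in the comments is my interpretation of the listing format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the ComboFix log in post #3
# (firewall policy, services/drivers, deregistered driver, catchme summary).
# Embedded so the script runs offline; pass a whole log file to triage() instead.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 pctBTFix;PC Tools Boot Fix Driver;c:\windows\system32\drivers\pctBTFix.sys [3/16/2012 9:48 PM 17848]
R3 ThreatFire;ThreatFire;c:\program files\PC Tools\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools\PC Tools Security\TFEngine\TFService.exe service [?]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PCTSDInjDriver32
.
scan completed successfully
hidden files: 0
"""

# Service line: "<R|S><digit> name;display name;path [date size]".  As I read these
# listings, R/S is running/stopped and the digit is the driver start type.
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
DEREG_RE = re.compile(r'^\*Deregistered\*\s*-\s*(?P<name>\S+)')
HIDDEN_RE = re.compile(r'^hidden files:\s*(?P<count>\d+)')


@dataclass(frozen=True)
class Finding:
    kind: str    # category of the review item
    detail: str  # the evidence line or identifier


def triage(log_text):
    """Walk a ComboFix/DDS style log and return the items worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            # "[?]" in place of "[date size]" means the tool printed no file
            # metadata for the binary at that path, so it could not verify it.
            if m['rest'].endswith('[?]'):
                findings.append(Finding('unverified_service', f"{m['state']} {m['name']}: {m['rest']}"))
            continue
        m = FIREWALL_RE.match(line)
        if m and m['value'] == '0':
            # Windows Firewall standard profile switched off in the policy key
            findings.append(Finding('firewall_disabled', line))
            continue
        m = DEREG_RE.match(line)
        if m:
            # driver present in memory but no longer registered as a service
            findings.append(Finding('deregistered_driver', m['name']))
            continue
        m = HIDDEN_RE.match(line)
        if m and int(m['count']) > 0:
            # catchme reported hidden files; zero is the clean case
            findings.append(Finding('hidden_files', line))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'unverified_service': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:20} {f.detail}")
    print(summarize(found))
```

Run against the sample it lists the disabled firewall, the two unverifiable service entries (ThreatFire and sptd) and the deregistered PCTSDInjDriver32, and nothing for the hidden-file count, which is zero in this log. None of these is a verdict on its own; they are the lines to compare against what the user says is installed before deciding on the next tool.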


#4 gringo_pr (Bleepin Gringo)


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 March 2012 - 12:28 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here [donate button]. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 zakn (Topic Starter, Members, 18 posts)

Posted 21 March 2012 - 12:57 PM

No problems during scans.

Here's the tdsskiller log:

10:44:34.0890 3820 TDSS rootkit removing tool 2.7.21.0 Mar 21 2012 09:06:51
10:44:34.0906 3820 ============================================================
10:44:34.0906 3820 Current date / time: 2012/03/21 10:44:34.0906
10:44:34.0906 3820 SystemInfo:
10:44:34.0906 3820
10:44:34.0906 3820 OS Version: 5.1.2600 ServicePack: 3.0
10:44:34.0906 3820 Product type: Workstation
10:44:34.0906 3820 ComputerName: ODIN
10:44:34.0906 3820 UserName: Jonathon
10:44:34.0906 3820 Windows directory: C:\WINDOWS
10:44:34.0906 3820 System windows directory: C:\WINDOWS
10:44:34.0906 3820 Processor architecture: Intel x86
10:44:34.0906 3820 Number of processors: 2
10:44:34.0906 3820 Page size: 0x1000
10:44:34.0906 3820 Boot type: Normal boot
10:44:34.0906 3820 ============================================================
10:44:36.0046 3820 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:44:36.0046 3820 Drive \Device\Harddisk5\DR14 - Size: 0x3D800000 (0.96 Gb), SectorSize: 0x200, Cylinders: 0x7D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
10:44:36.0046 3820 \Device\Harddisk0\DR0:
10:44:36.0046 3820 MBR used
10:44:36.0046 3820 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
10:44:36.0046 3820 \Device\Harddisk5\DR14:
10:44:36.0046 3820 MBR used
10:44:36.0046 3820 \Device\Harddisk5\DR14\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x1EBFE0
10:44:36.0062 3820 Initialize success
10:44:36.0062 3820 ============================================================
10:44:41.0578 0264 ============================================================
10:44:41.0578 0264 Scan started
10:44:41.0578 0264 Mode: Manual;
10:44:41.0578 0264 ============================================================
10:44:43.0078 0264 Abiosdsk - ok
10:44:44.0015 0264 abp480n5 - ok
10:44:44.0968 0264 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:44:44.0968 0264 ACPI - ok
10:44:46.0140 0264 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:44:46.0140 0264 ACPIEC - ok
10:44:47.0078 0264 adpu160m - ok
10:44:48.0046 0264 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:44:48.0046 0264 aec - ok
10:44:49.0000 0264 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:44:49.0000 0264 AFD - ok
10:44:49.0953 0264 Aha154x - ok
10:44:50.0875 0264 aic78u2 - ok
10:44:51.0796 0264 aic78xx - ok
10:44:52.0937 0264 AliIde - ok
10:44:53.0921 0264 amsint - ok
10:44:54.0890 0264 asc - ok
10:44:55.0796 0264 asc3350p - ok
10:44:56.0718 0264 asc3550 - ok
10:44:57.0718 0264 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:44:57.0718 0264 AsyncMac - ok
10:44:58.0671 0264 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:44:58.0671 0264 atapi - ok
10:44:59.0593 0264 Atdisk - ok
10:45:00.0562 0264 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:45:00.0562 0264 Atmarpc - ok
10:45:01.0500 0264 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:45:01.0500 0264 audstub - ok
10:45:02.0656 0264 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:45:02.0656 0264 Beep - ok
10:45:02.0718 0264 catchme - ok
10:45:03.0671 0264 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:45:03.0671 0264 cbidf2k - ok
10:45:04.0625 0264 cd20xrnt - ok
10:45:05.0578 0264 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:45:05.0578 0264 Cdaudio - ok
10:45:06.0531 0264 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:45:06.0531 0264 Cdfs - ok
10:45:07.0500 0264 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
10:45:07.0500 0264 cdrbsdrv - ok
10:45:08.0453 0264 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:45:08.0453 0264 Cdrom - ok
10:45:09.0375 0264 Changer - ok
10:45:10.0312 0264 CmdIde - ok
10:45:11.0250 0264 Cpqarray - ok
10:45:12.0437 0264 ctsfm2k (fcbb8ea6fe935d2c531d3a4dee9f985b) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
10:45:12.0437 0264 ctsfm2k - ok
10:45:13.0406 0264 CTUSFSYN (12a7b253f9128b3b68a9979827047b76) C:\WINDOWS\system32\drivers\ctusfsyn.sys
10:45:13.0406 0264 CTUSFSYN - ok
10:45:14.0343 0264 dac2w2k - ok
10:45:15.0265 0264 dac960nt - ok
10:45:16.0218 0264 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:45:16.0234 0264 Disk - ok
10:45:17.0187 0264 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:45:17.0203 0264 dmboot - ok
10:45:18.0171 0264 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:45:18.0171 0264 dmio - ok
10:45:19.0109 0264 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:45:19.0109 0264 dmload - ok
10:45:20.0046 0264 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:45:20.0046 0264 DMusic - ok
10:45:21.0000 0264 dpti2o - ok
10:45:21.0953 0264 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:45:21.0953 0264 drmkaud - ok
10:45:22.0890 0264 dtsoftbus01 (c8eb60a182bee9afd6b394c0145a1732) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
10:45:22.0890 0264 dtsoftbus01 - ok
10:45:24.0187 0264 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:45:24.0187 0264 Fastfat - ok
10:45:25.0156 0264 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
10:45:25.0171 0264 Fdc - ok
10:45:26.0203 0264 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:45:26.0203 0264 Fips - ok
10:45:27.0156 0264 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
10:45:27.0156 0264 Flpydisk - ok
10:45:28.0125 0264 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:45:28.0125 0264 FltMgr - ok
10:45:29.0078 0264 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:45:29.0078 0264 Fs_Rec - ok
10:45:30.0031 0264 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:45:30.0031 0264 Ftdisk - ok
10:45:30.0968 0264 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
10:45:30.0968 0264 GEARAspiWDM - ok
10:45:31.0984 0264 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:45:31.0984 0264 Gpc - ok
10:45:33.0109 0264 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
10:45:33.0125 0264 HDAudBus - ok
10:45:34.0109 0264 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:45:34.0109 0264 hidusb - ok
10:45:35.0109 0264 hpn - ok
10:45:36.0062 0264 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:45:36.0078 0264 HTTP - ok
10:45:37.0046 0264 i2omgmt - ok
10:45:37.0968 0264 i2omp - ok
10:45:38.0953 0264 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
10:45:38.0953 0264 i8042prt - ok
10:45:39.0921 0264 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:45:39.0921 0264 Imapi - ok
10:45:40.0843 0264 ini910u - ok
10:45:41.0875 0264 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) C:\WINDOWS\system32\drivers\RtkHDAud.sys
10:45:41.0921 0264 IntcAzAudAddService - ok
10:45:43.0078 0264 IntelIde - ok
10:45:44.0046 0264 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:45:44.0062 0264 Ip6Fw - ok
10:45:45.0015 0264 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:45:45.0015 0264 IpFilterDriver - ok
10:45:45.0953 0264 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:45:45.0953 0264 IpInIp - ok
10:45:46.0937 0264 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:45:46.0937 0264 IpNat - ok
10:45:47.0906 0264 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:45:47.0906 0264 IPSec - ok
10:45:48.0875 0264 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:45:48.0875 0264 IRENUM - ok
10:45:49.0859 0264 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:45:49.0859 0264 isapnp - ok
10:45:50.0828 0264 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:45:50.0828 0264 Kbdclass - ok
10:45:51.0796 0264 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:45:51.0796 0264 kbdhid - ok
10:45:52.0781 0264 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:45:52.0781 0264 kmixer - ok
10:45:54.0000 0264 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:45:54.0000 0264 KSecDD - ok
10:45:54.0937 0264 lbrtfdc - ok
10:45:55.0953 0264 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:45:55.0953 0264 mnmdd - ok
10:45:56.0921 0264 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:45:56.0921 0264 Modem - ok
10:45:57.0859 0264 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:45:57.0875 0264 Mouclass - ok
10:45:58.0843 0264 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:45:58.0843 0264 mouhid - ok
10:45:59.0781 0264 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:45:59.0781 0264 MountMgr - ok
10:46:00.0718 0264 mraid35x - ok
10:46:01.0671 0264 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:46:01.0671 0264 MRxDAV - ok
10:46:02.0859 0264 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:46:02.0859 0264 MRxSmb - ok
10:46:03.0859 0264 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:46:03.0859 0264 Msfs - ok
10:46:04.0843 0264 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:46:04.0843 0264 MSKSSRV - ok
10:46:05.0796 0264 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:46:06.0031 0264 MSPCLOCK - ok
10:46:07.0531 0264 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:46:07.0562 0264 MSPQM - ok
10:46:08.0562 0264 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:46:08.0562 0264 mssmbios - ok
10:46:09.0562 0264 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:46:09.0562 0264 Mup - ok
10:46:10.0515 0264 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:46:10.0515 0264 NDIS - ok
10:46:11.0562 0264 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:46:11.0562 0264 NdisTapi - ok
10:46:12.0937 0264 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:46:12.0937 0264 Ndisuio - ok
10:46:13.0921 0264 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:46:13.0921 0264 NdisWan - ok
10:46:14.0921 0264 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:46:14.0921 0264 NDProxy - ok
10:46:15.0890 0264 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:46:15.0890 0264 NetBIOS - ok
10:46:16.0859 0264 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:46:16.0859 0264 NetBT - ok
10:46:17.0843 0264 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:46:17.0843 0264 Npfs - ok
10:46:18.0812 0264 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:46:18.0812 0264 Ntfs - ok
10:46:19.0781 0264 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:46:19.0781 0264 Null - ok
10:46:21.0015 0264 nv (18c9b152da7bea76b2f9e4b6412e0aaf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:46:21.0312 0264 nv - ok
10:46:22.0531 0264 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:46:22.0531 0264 NwlnkFlt - ok
10:46:23.0468 0264 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:46:23.0468 0264 NwlnkFwd - ok
10:46:24.0437 0264 ossrv (3649eefa90990249267dd6c7808cbc86) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
10:46:24.0437 0264 ossrv - ok
10:46:25.0421 0264 P17xfi (e63bf4fba8224289d5e8a4858d6587f6) C:\WINDOWS\system32\drivers\P17xfi.sys
10:46:25.0437 0264 P17xfi - ok
10:46:26.0468 0264 p17xfilt (ca1f9d50f508ef8ad37061791fd85e02) C:\WINDOWS\system32\drivers\p17xfilt.sys
10:46:26.0484 0264 p17xfilt - ok
10:46:27.0437 0264 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:46:27.0437 0264 Parport - ok
10:46:28.0390 0264 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:46:28.0390 0264 PartMgr - ok
10:46:29.0328 0264 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:46:29.0328 0264 ParVdm - ok
10:46:30.0281 0264 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:46:30.0281 0264 PCI - ok
10:46:31.0203 0264 PCIDump - ok
10:46:32.0328 0264 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:46:32.0343 0264 PCIIde - ok
10:46:33.0421 0264 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:46:33.0453 0264 Pcmcia - ok
10:46:34.0453 0264 PCTBD (3a0262b85b5bb4d4cfc096ea00ed610b) C:\WINDOWS\system32\Drivers\PCTBD.sys
10:46:34.0453 0264 PCTBD - ok
10:46:35.0421 0264 pctBTFix (7466e60eb713396e168a2e2c9b4594c2) C:\WINDOWS\system32\Drivers\pctBTFix.sys
10:46:35.0453 0264 pctBTFix - ok
10:46:36.0406 0264 PCTCore (0edb74bd0d52d6d94cf862322e48b94e) C:\WINDOWS\system32\drivers\PCTCore.sys
10:46:36.0421 0264 PCTCore - ok
10:46:37.0406 0264 pctDS (8734f7346b39a710491e0ddb136da2a3) C:\WINDOWS\system32\drivers\pctDS.sys
10:46:37.0421 0264 pctDS - ok
10:46:38.0375 0264 pctEFA (653d8079cc000ec454789740a07b84a8) C:\WINDOWS\system32\drivers\pctEFA.sys
10:46:38.0390 0264 pctEFA - ok
10:46:39.0406 0264 pctgntdi (cee55a1df92cb30f87280b6a04aadce8) C:\WINDOWS\system32\drivers\pctgntdi.sys
10:46:39.0406 0264 pctgntdi - ok
10:46:40.0421 0264 pctplsg (061b86fd64a61ad187efc788d6c408b0) C:\WINDOWS\system32\drivers\pctplsg.sys
10:46:40.0421 0264 pctplsg - ok
10:46:41.0421 0264 PCTSD (eb98f7514dcf1b922b318e6182d836b1) C:\WINDOWS\system32\Drivers\PCTSD.sys
10:46:41.0421 0264 PCTSD - ok
10:46:42.0656 0264 PDCOMP - ok
10:46:43.0609 0264 PDFRAME - ok
10:46:44.0562 0264 PDRELI - ok
10:46:45.0500 0264 PDRFRAME - ok
10:46:46.0437 0264 perc2 - ok
10:46:47.0375 0264 perc2hib - ok
10:46:48.0328 0264 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:46:48.0328 0264 PptpMiniport - ok
10:46:49.0265 0264 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
10:46:49.0265 0264 Processor - ok
10:46:50.0218 0264 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:46:50.0218 0264 PSched - ok
10:46:51.0203 0264 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:46:51.0203 0264 Ptilink - ok
10:46:52.0312 0264 ql1080 - ok
10:46:53.0328 0264 Ql10wnt - ok
10:46:54.0312 0264 ql12160 - ok
10:46:55.0265 0264 ql1240 - ok
10:46:56.0203 0264 ql1280 - ok
10:46:57.0156 0264 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:46:57.0156 0264 RasAcd - ok
10:46:58.0140 0264 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:46:58.0140 0264 Rasl2tp - ok
10:46:59.0109 0264 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:46:59.0109 0264 RasPppoe - ok
10:47:00.0078 0264 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:47:00.0078 0264 Raspti - ok
10:47:01.0015 0264 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:47:01.0015 0264 Rdbss - ok
10:47:01.0968 0264 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:47:01.0968 0264 RDPCDD - ok
10:47:03.0156 0264 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
10:47:03.0156 0264 RDPWD - ok
10:47:04.0125 0264 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:47:04.0125 0264 redbook - ok
10:47:05.0109 0264 SCDEmu (ee7a1b6e155258288d99be61190e1112) C:\WINDOWS\system32\drivers\SCDEmu.sys
10:47:05.0125 0264 SCDEmu - ok
10:47:06.0078 0264 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:47:06.0078 0264 Secdrv - ok
10:47:07.0046 0264 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:47:07.0046 0264 serenum - ok
10:47:08.0000 0264 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:47:08.0000 0264 Serial - ok
10:47:08.0937 0264 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:47:08.0937 0264 Sfloppy - ok
10:47:09.0921 0264 Simbad - ok
10:47:10.0843 0264 Sparrow - ok
10:47:11.0812 0264 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:47:11.0812 0264 splitter - ok
10:47:12.0062 0264 sptd - ok
10:47:13.0390 0264 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:47:13.0390 0264 sr - ok
10:47:14.0437 0264 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:47:14.0437 0264 Srv - ok
10:47:15.0406 0264 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:47:15.0406 0264 swenum - ok
10:47:16.0375 0264 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:47:16.0375 0264 swmidi - ok
10:47:17.0328 0264 symc810 - ok
10:47:18.0312 0264 symc8xx - ok
10:47:19.0265 0264 sym_hi - ok
10:47:20.0203 0264 sym_u3 - ok
10:47:21.0171 0264 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:47:21.0171 0264 sysaudio - ok
10:47:22.0187 0264 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:47:22.0187 0264 Tcpip - ok
10:47:23.0312 0264 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:47:23.0312 0264 TDPIPE - ok
10:47:24.0281 0264 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:47:24.0281 0264 TDTCP - ok
10:47:25.0250 0264 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:47:25.0250 0264 TermDD - ok
10:47:26.0203 0264 TfFsMon (754f8fd78ea7fa2b9a0cb8a69e0f0822) C:\WINDOWS\system32\drivers\TfFsMon.sys
10:47:26.0203 0264 TfFsMon - ok
10:47:27.0156 0264 TfNetMon (697f66899b4f0c2d8ae3e7473b4b6244) C:\WINDOWS\system32\drivers\TfNetMon.sys
10:47:27.0156 0264 TfNetMon - ok
10:47:28.0171 0264 TFSysMon (e02f47b841be86bfdf4d7269ed0b95e4) C:\WINDOWS\system32\drivers\TfSysMon.sys
10:47:28.0171 0264 TFSysMon - ok
10:47:29.0125 0264 TosIde - ok
10:47:30.0125 0264 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:47:30.0125 0264 Udfs - ok
10:47:31.0062 0264 ultra - ok
10:47:32.0031 0264 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:47:32.0031 0264 Update - ok
10:47:33.0296 0264 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:47:33.0296 0264 usbccgp - ok
10:47:34.0281 0264 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:47:34.0281 0264 usbehci - ok
10:47:35.0234 0264 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:47:35.0250 0264 usbhub - ok
10:47:36.0218 0264 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
10:47:36.0218 0264 usbohci - ok
10:47:37.0218 0264 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:47:37.0218 0264 usbstor - ok
10:47:38.0203 0264 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:47:38.0203 0264 VgaSave - ok
10:47:39.0125 0264 ViaIde - ok
10:47:40.0078 0264 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:47:40.0078 0264 VolSnap - ok
10:47:41.0062 0264 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:47:41.0062 0264 Wanarp - ok
10:47:42.0015 0264 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
10:47:42.0046 0264 WDC_SAM - ok
10:47:43.0250 0264 WDICA - ok
10:47:44.0234 0264 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:47:44.0234 0264 wdmaud - ok
10:47:45.0218 0264 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
10:47:45.0218 0264 WS2IFSL - ok
10:47:46.0187 0264 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:47:46.0187 0264 WudfPf - ok
10:47:47.0156 0264 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:47:47.0171 0264 WudfRd - ok
10:47:48.0062 0264 ZDCNDIS5 (1d63df81b4b11faa7ae2d84820f3ae9b) C:\WINDOWS\system32\ZDCNDIS5.SYS
10:47:48.0062 0264 ZDCNDIS5 - ok
10:47:49.0000 0264 ZDPSp50 (00ae175b903d45ed4a62384d3315dc2a) C:\WINDOWS\system32\Drivers\ZDPSp50.sys
10:47:49.0000 0264 ZDPSp50 - ok
10:47:49.0968 0264 ZY202_XP (6d0b121fe665626d266678ea97c75622) C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys
10:47:49.0968 0264 ZY202_XP - ok
10:47:50.0000 0264 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:47:50.0109 0264 \Device\Harddisk0\DR0 - ok
10:47:50.0109 0264 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk5\DR14
10:47:50.0546 0264 \Device\Harddisk5\DR14 - ok
10:47:50.0546 0264 Boot (0x1200) (a62e100bb3181b839f7cb4816a67b2c5) \Device\Harddisk0\DR0\Partition0
10:47:50.0546 0264 \Device\Harddisk0\DR0\Partition0 - ok
10:47:50.0546 0264 Boot (0x1200) (f57119e957ec60eab09c84508821feac) \Device\Harddisk5\DR14\Partition0
10:47:50.0546 0264 \Device\Harddisk5\DR14\Partition0 - ok
10:47:50.0546 0264 ============================================================
10:47:50.0546 0264 Scan finished
10:47:50.0546 0264 ============================================================
10:47:50.0562 1008 Detected object count: 0
10:47:50.0562 1008 Actual detected object count: 0


Here's the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-21 10:51:11
-----------------------------
10:51:11.406 OS Version: Windows 5.1.2600 Service Pack 3
10:51:11.406 Number of processors: 2 586 0x4303
10:51:11.406 ComputerName: ODIN UserName:
10:51:12.203 Initialize success
10:51:17.265 AVAST engine download error: 0
10:51:32.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:51:32.562 Disk 0 Vendor: Hitachi_HDT725032VLA360 V54OA7EA Size: 305245MB BusType: 3
10:51:32.562 Disk 0 MBR read successfully
10:51:32.562 Disk 0 MBR scan
10:51:32.562 Disk 0 Windows XP default MBR code
10:51:32.562 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
10:51:32.578 Disk 0 scanning sectors +625121280
10:51:32.625 Disk 0 scanning C:\WINDOWS\system32\drivers
10:51:37.359 Service scanning
10:51:48.078 Modules scanning
10:51:55.421 Disk 0 trace - called modules:
10:51:55.437 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:51:55.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aeaeab8]
10:51:55.937 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> [0x8ae53c10]
10:51:55.937 5 PCTCore.sys[b7e68407] -> nt!IofCallDriver -> \Device\00000069[0x8aed4ea0]
10:51:55.937 7 ACPI.sys[b7f5f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ae53940]
10:51:55.937 Scan finished successfully
10:55:48.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jonathon\Desktop\MBR.dat"
10:55:48.078 The log file has been saved successfully to "C:\Documents and Settings\Jonathon\Desktop\aswMBR.txt"
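
The two MBR-related lines in the logs above are worth being able to read by hand: TDSSKiller reports "MBR (0x1B8) (8f558eb6...)", i.e. an MD5 over the first 0x1B8 (440) bytes of the sector, which is the boot-code region before the NT disk signature and the partition table, and it decodes the single partition as Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1; aswMBR shows the same entry as "80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63" and then reports "scanning sectors +625121280", which is exactly the first sector after that partition, i.e. the unpartitioned tail of the disk. The script below is an added example written for this thread; it is not code from TDSSKiller, aswMBR or the posters. It parses a 512-byte MBR the same way, hashes the boot-code region, decodes the partition entries and flags the structural anomalies a bootkit check cares about (missing 0x55AA signature, boot-code hash not in a known-good set, more or fewer than one active partition, overlapping or out-of-range partitions) and reports how many sectors sit past the last partition. The sample MBR is constructed inside the script from the values in the logs; its boot-code bytes are filler, so its hash will not equal the 8f558eb6... value above, and the known-good hash set is an assumption you supply from a clean reference machine. `DISK0_SECTORS` is derived from the 0x4A85D56000-byte size TDSSKiller printed for Disk 0.

```python
"""Parse and sanity-check a 512-byte MBR the way TDSSKiller/aswMBR report it.

Added example for this thread, not code from either tool.  The sample MBR is
CONSTRUCTED from the values in the posted logs; its boot code is filler.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 0x1B8        # TDSSKiller's "MBR (0x1B8)" hashes exactly these leading bytes
PT_OFFSET = 0x1BE       # four 16-byte partition entries
SIG_OFFSET = 0x1FE      # 0x55AA boot signature
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

PART_TYPES = {0x05: "Extended", 0x06: "FAT16", 0x07: "HPFS/NTFS",
              0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0F: "Extended LBA"}

# Disk 0 size from the TDSSKiller log above: 0x4A85D56000 bytes.
DISK0_SECTORS = 0x4A85D56000 // SECTOR


def build_sample_mbr():
    """Constructed MBR mirroring Disk 0 in the thread: one active NTFS partition,
    Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1.  Boot code is jmp $ + NOP filler."""
    code = b"\xEB\xFE" + b"\x90" * (CODE_LEN - 2)
    disk_sig = struct.pack("<I", 0x12345678)      # constructed NT disk signature
    reserved = b"\x00\x00"
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                       0x3F, 0x254297C1)
    table = ntfs + b"\x00" * (16 * 3)             # three empty slots
    mbr = code + disk_sig + reserved + table + b"\x55\xAA"
    assert len(mbr) == SECTOR
    return mbr


def parse_partitions(mbr):
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start_lba": start,
            "count": count,
            "end_lba": start + count,             # first sector after the partition
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def analyze_mbr(mbr, known_good_md5=frozenset(), disk_sectors=None):
    """Hash the boot code, decode the table and collect structural findings.
    known_good_md5: MD5 hex digests of clean 0x1B8-byte boot-code regions (assumed
    to come from a trusted reference machine); empty set means 'no reference'."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    code_md5 = hashlib.md5(mbr[:CODE_LEN]).hexdigest()
    parts = parse_partitions(mbr)
    findings = []
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if known_good_md5 and code_md5 not in known_good_md5:
        findings.append("boot code MD5 %s not in known-good set" % code_md5)
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p["start_lba"] == 0:
            findings.append("partition %d starts at LBA 0 (overlaps the MBR)" % p["index"])
        if disk_sectors is not None and p["end_lba"] > disk_sectors:
            findings.append("partition %d extends past end of disk" % p["index"])
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end_lba"] > b["start_lba"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    tail = None
    if disk_sectors is not None and parts:
        # Sectors after the last partition: unallocated space a bootkit can use
        # and the region aswMBR reports as "scanning sectors +<first free sector>".
        tail = disk_sectors - max(p["end_lba"] for p in parts)
    return {
        "code_md5": code_md5,
        "code_known": code_md5 in known_good_md5,
        "partitions": parts,
        "unpartitioned_tail_sectors": tail,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_mbr(build_sample_mbr(), disk_sectors=DISK0_SECTORS)
    for p in report["partitions"]:
        print("Partition%d: Type 0x%X, StartLBA 0x%X, BlocksNum 0x%X, %d MB, active=%s"
              % (p["index"], p["type"], p["start_lba"], p["count"], p["size_mb"], p["bootable"]))
    print("MBR (0x1B8) md5:", report["code_md5"])
    print("unpartitioned tail sectors:", report["unpartitioned_tail_sectors"])
    print("findings:", report["findings"] or "none")
```

To run it against a real disk, read the first 512 bytes of the physical device (on Windows, `\\.\PhysicalDrive0` opened in binary mode from an elevated prompt) and pass them to `analyze_mbr` together with the device size in sectors; a clean-machine hash in `known_good_md5` is what turns "code_known" from an observation into a verdict. Note that a bootkit that hooks the disk miniport can serve a clean MBR to user-mode reads, which is why aswMBR also prints the "trace - called modules" chain and why the thread relies on offline tools rather than a single read.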

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 March 2012 - 02:44 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#7 zakn (Topic Starter, Members, 18 posts)

Posted 21 March 2012 - 04:34 PM

No problems running it again. My computer seems to be running well, I think.

Here's the log:

ComboFix 12-03-21.02 - Jonathon 03/21/2012 14:09:00.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2802 [GMT -7:00]
Running from: c:\documents and settings\Jonathon\Desktop\combofix\ComboFix.exe
Command switches used :: c:\documents and settings\Jonathon\Desktop\combofix\CFScript.txt
AV: PC Tools Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-02-21 to 2012-03-21 )))))))))))))))))))))))))))))))
.
.
2012-03-16 18:07 . 2012-03-16 18:07 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 04:39 . 2012-03-16 17:19 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-21_16.55.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-16 22:43 . 2009-01-08 01:21 26144 c:\windows\system32\spupdsvc.exe
+ 2012-03-17 04:06 . 2009-01-08 01:20 16928 c:\windows\system32\spmsg.dll
+ 2006-02-28 12:00 . 2009-03-08 11:31 46592 c:\windows\system32\pngfilt.dll
- 2006-02-28 12:00 . 2012-03-21 15:53 67484 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2012-03-21 21:06 67484 c:\windows\system32\perfc009.dat
+ 2009-01-08 01:20 . 2009-01-08 01:20 23552 c:\windows\system32\normaliz.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 24576 c:\windows\system32\nlsdl.dll
+ 2006-02-28 12:00 . 2009-03-08 11:31 48128 c:\windows\system32\mshtmler.dll
+ 2006-02-28 12:00 . 2009-03-08 11:31 66560 c:\windows\system32\mshtmled.dll
+ 2006-02-28 12:00 . 2009-03-08 11:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-08 11:31 . 2009-03-08 11:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 11:31 . 2009-03-08 11:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-02-28 12:00 . 2009-03-08 11:34 43008 c:\windows\system32\licmgr10.dll
+ 2006-02-28 12:00 . 2009-03-08 11:33 25600 c:\windows\system32\jsproxy.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 94720 c:\windows\system32\inseng.dll
+ 2006-02-28 12:00 . 2009-03-08 11:31 34816 c:\windows\system32\imgutil.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 36864 c:\windows\system32\ieudinit.exe
+ 2006-02-28 12:00 . 2009-03-08 11:32 71680 c:\windows\system32\iesetup.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 55808 c:\windows\system32\iernonce.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 59904 c:\windows\system32\icardie.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2012-03-16 23:55 . 2009-03-08 11:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-03-08 11:34 . 2009-03-08 11:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2009-03-08 11:24 . 2009-03-08 11:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2006-02-28 12:00 . 2009-03-08 11:33 18944 c:\windows\system32\corpol.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 72704 c:\windows\system32\admparse.dll
+ 2012-03-21 19:21 . 2012-03-21 19:28 16844 c:\windows\SoftwareDistribution\EventCache\{42127F4A-EE6D-448F-9CD2-B88588B57597}.bin
+ 2012-03-18 23:54 . 2012-03-21 19:20 25292 c:\windows\SoftwareDistribution\EventCache\{109260CE-0D4F-4C48-B315-7030A1DB3C39}.bin
- 2012-03-16 18:09 . 2012-03-17 22:57 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-23 02:05 . 2007-03-23 02:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2012-03-21 19:26 . 2011-12-19 08:53 37888 c:\windows\ie8\url.dll
+ 2012-03-21 19:26 . 2009-03-08 21:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2012-03-21 19:26 . 2008-04-14 00:12 39424 c:\windows\ie8\pngfilt.dll
+ 2012-03-21 19:26 . 2008-04-14 00:12 96256 c:\windows\ie8\occache.dll
+ 2012-03-21 19:26 . 2008-04-13 16:26 56832 c:\windows\ie8\mshtmler.dll
+ 2012-03-21 19:26 . 2008-04-14 00:12 29184 c:\windows\ie8\mshta.exe
+ 2012-03-21 19:26 . 2008-04-14 00:11 22016 c:\windows\ie8\licmgr10.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 15872 c:\windows\ie8\jsproxy.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 96256 c:\windows\ie8\inseng.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 35840 c:\windows\ie8\imgutil.dll
+ 2012-03-21 19:26 . 2008-04-14 00:12 93184 c:\windows\ie8\iexplore.exe
+ 2012-03-21 19:26 . 2008-04-14 00:11 62976 c:\windows\ie8\iesetup.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 48640 c:\windows\ie8\iernonce.dll
+ 2012-03-21 19:26 . 2011-12-19 08:53 81920 c:\windows\ie8\ieencode.dll
+ 2012-03-21 19:26 . 2008-04-14 00:12 34304 c:\windows\ie8\ie4uinit.exe
+ 2012-03-21 19:26 . 2008-04-14 00:11 38912 c:\windows\ie8\hmmapi.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 99840 c:\windows\ie8\advpack.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 61440 c:\windows\ie8\admparse.dll
+ 2012-03-16 18:09 . 2012-03-21 19:28 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-14 00:12 . 2009-01-08 01:21 121856 c:\windows\system32\xmllite.dll
- 2008-04-14 00:12 . 2008-04-14 00:12 121856 c:\windows\system32\xmllite.dll
+ 2006-02-28 12:00 . 2009-03-08 11:34 914944 c:\windows\system32\wininet.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2006-02-28 12:00 . 2009-03-08 11:34 236544 c:\windows\system32\webcheck.dll
+ 2006-02-28 12:00 . 2009-03-08 11:33 420352 c:\windows\system32\vbscript.dll
+ 2006-02-28 12:00 . 2009-03-08 11:34 105984 c:\windows\system32\url.dll
+ 2006-02-28 12:00 . 2012-03-21 21:06 432708 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2012-03-21 15:53 432708 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2009-03-08 11:34 109568 c:\windows\system32\occache.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 611840 c:\windows\system32\mstime.dll
+ 2006-02-28 12:00 . 2009-03-08 11:34 193536 c:\windows\system32\msrating.dll
+ 2006-02-28 12:00 . 2009-03-08 11:22 156160 c:\windows\system32\msls31.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 265720 c:\windows\system32\msdbg2.dll
+ 2006-02-28 12:00 . 2009-03-08 11:33 726528 c:\windows\system32\jscript.dll
+ 2009-03-08 11:22 . 2009-03-08 11:22 164352 c:\windows\system32\ieui.dll
+ 2006-02-28 12:00 . 2009-03-08 11:31 183808 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2009-03-08 21:09 391536 c:\windows\system32\iedkcs32.dll
+ 2009-03-08 11:11 . 2009-03-08 11:11 445952 c:\windows\system32\ieapfltr.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\ieakui.dll
+ 2006-02-28 12:00 . 2009-03-08 11:33 229376 c:\windows\system32\ieaksie.dll
+ 2006-02-28 12:00 . 2009-03-08 11:33 125952 c:\windows\system32\ieakeng.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 173056 c:\windows\system32\ie4uinit.exe
+ 2006-02-28 12:00 . 2009-03-08 11:31 216064 c:\windows\system32\dxtrans.dll
+ 2006-02-28 12:00 . 2009-03-08 11:31 348160 c:\windows\system32\dxtmsft.dll
+ 2010-04-16 16:09 . 2009-03-08 11:34 914944 c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2012-03-16 23:50 . 2009-03-08 11:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2011-03-04 06:45 . 2009-03-08 11:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2012-03-16 23:55 . 2009-03-08 11:34 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 109568 c:\windows\system32\dllcache\occache.dll
+ 2012-03-16 23:55 . 2009-03-08 11:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2006-02-28 12:00 . 2009-03-08 11:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2011-03-04 06:45 . 2009-03-08 11:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 21:09 . 2009-03-08 21:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2010-04-16 16:09 . 2009-03-08 11:31 183808 c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 21:09 . 2009-03-08 21:09 391536 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 11:31 . 2009-03-08 11:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2006-02-28 12:00 . 2009-03-08 11:32 128512 c:\windows\system32\advpack.dll
+ 2009-09-09 22:40 . 2009-09-09 22:40 632320 c:\windows\Installer\c13e9d.msp
+ 2008-07-28 21:59 . 2008-07-28 21:59 180736 c:\windows\Installer\c13d71.msp
+ 2010-11-12 18:08 . 2010-11-12 18:08 889344 c:\windows\Installer\c13d5d.msp
- 2012-03-16 18:09 . 2012-03-17 22:57 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2012-03-16 18:09 . 2012-03-21 19:28 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2012-03-16 18:09 . 2012-03-17 22:57 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-04-19 21:01 . 2007-04-19 21:01 238424 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSCDM.DLL
+ 2007-04-19 21:09 . 2007-04-19 21:09 167256 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IETAG.DLL
+ 2003-07-15 11:18 . 2003-07-15 11:18 141360 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\ATP.DLL
+ 2012-03-21 19:26 . 2011-12-19 08:53 667136 c:\windows\ie8\wininet.dll
+ 2012-03-21 19:26 . 2008-04-14 00:12 276480 c:\windows\ie8\webcheck.dll
+ 2012-03-21 19:26 . 2011-04-29 19:07 852480 c:\windows\ie8\vgx.dll
+ 2012-03-21 19:26 . 2011-03-04 06:45 434176 c:\windows\ie8\vbscript.dll
+ 2012-03-21 19:26 . 2011-12-19 08:53 633344 c:\windows\ie8\urlmon.dll
+ 2012-03-21 19:26 . 2009-01-08 01:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2012-03-21 19:26 . 2009-01-08 01:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2012-03-21 19:26 . 2011-12-19 08:53 532480 c:\windows\ie8\mstime.dll
+ 2012-03-21 19:26 . 2008-04-14 00:12 146432 c:\windows\ie8\msrating.dll
+ 2012-03-21 19:26 . 2006-02-28 12:00 146432 c:\windows\ie8\msls31.dll
+ 2012-03-21 19:26 . 2011-12-19 08:53 449536 c:\windows\ie8\mshtmled.dll
+ 2012-03-21 19:26 . 2011-03-04 06:45 512000 c:\windows\ie8\jscript.dll
+ 2012-03-21 19:26 . 2011-12-19 08:53 251904 c:\windows\ie8\iepeers.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 323584 c:\windows\ie8\iedkcs32.dll
+ 2012-03-21 19:26 . 2006-02-28 12:00 221184 c:\windows\ie8\ieakui.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 216576 c:\windows\ie8\ieaksie.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 143360 c:\windows\ie8\ieakeng.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 205312 c:\windows\ie8\dxtrans.dll
+ 2012-03-21 19:26 . 2008-04-14 00:11 357888 c:\windows\ie8\dxtmsft.dll
+ 2006-02-28 12:00 . 2009-03-08 11:34 1206784 c:\windows\system32\urlmon.dll
+ 2006-02-28 12:00 . 2009-03-08 11:41 5937152 c:\windows\system32\mshtml.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 1985024 c:\windows\system32\iertutil.dll
+ 2009-02-07 04:07 . 2009-02-07 04:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2009-08-05 02:52 . 2009-08-05 02:52 1193832 c:\windows\system32\FM20.DLL
+ 2010-04-16 16:09 . 2009-03-08 11:34 1206784 c:\windows\system32\dllcache\urlmon.dll
+ 2010-04-16 16:09 . 2009-03-08 11:41 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2010-08-05 17:57 . 2010-08-05 17:57 4066304 c:\windows\Installer\c13eef.msp
+ 2009-10-17 01:07 . 2009-10-17 01:07 6115328 c:\windows\Installer\c13edb.msp
+ 2010-10-22 22:45 . 2010-10-22 22:45 8444928 c:\windows\Installer\c13ec6.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\c13e89.msp
+ 2010-06-12 00:55 . 2010-06-12 00:55 1827328 c:\windows\Installer\c13e73.msp
+ 2009-07-01 20:21 . 2009-07-01 20:21 8891904 c:\windows\Installer\c13e5c.msp
+ 2010-08-24 00:09 . 2010-08-24 00:09 7673344 c:\windows\Installer\c13e45.msp
+ 2008-01-14 23:53 . 2008-01-14 23:53 5213696 c:\windows\Installer\c13e30.msp
+ 2011-05-18 01:28 . 2011-05-18 01:28 6862848 c:\windows\Installer\c13e1c.msp
+ 2011-04-29 20:04 . 2011-04-29 20:04 5053440 c:\windows\Installer\c13e07.msp
+ 2009-12-17 05:58 . 2009-12-17 05:58 5382144 c:\windows\Installer\c13df0.msp
+ 2011-10-30 06:10 . 2011-10-30 06:10 6824960 c:\windows\Installer\c13dd9.msp
+ 2008-10-25 16:15 . 2008-10-25 16:15 6227456 c:\windows\Installer\c13dc4.msp
+ 2011-10-31 19:37 . 2011-10-31 19:37 4146688 c:\windows\Installer\c13daf.msp
+ 2009-09-29 16:08 . 2009-09-29 16:08 6747648 c:\windows\Installer\c13d9b.msp
+ 2011-05-23 21:15 . 2011-05-23 21:15 3617792 c:\windows\Installer\c13d86.msp
+ 2010-08-26 00:06 . 2010-08-26 00:06 6479360 c:\windows\Installer\c13d44.msp
+ 2010-03-30 19:34 . 2010-03-30 19:34 3826688 c:\windows\Installer\c13d2f.msp
+ 2007-05-10 00:19 . 2007-05-10 00:19 2585936 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\VBE6.DLL
+ 2007-04-19 20:49 . 2007-04-19 20:49 1661280 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PPTVIEW.EXE
+ 2007-05-31 20:35 . 2007-05-31 20:35 6420320 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\POWERPNT.EXE
+ 2007-05-10 20:45 . 2007-05-10 20:45 8069464 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OWC11.DLL
+ 2007-04-19 21:09 . 2007-04-19 21:09 1061720 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OMFC.DLL
+ 2007-06-06 17:53 . 2007-06-06 17:53 1195888 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\FM20.DLL
+ 2012-03-21 19:26 . 2011-12-19 08:53 3087360 c:\windows\ie8\mshtml.dll
+ 2009-03-08 11:39 . 2009-03-08 11:39 11063808 c:\windows\system32\ieframe.dll
+ 2011-07-26 23:33 . 2011-07-26 23:33 10984448 c:\windows\Installer\c13eb2.msp
+ 2010-06-12 00:52 . 2010-06-12 00:52 45542912 c:\windows\Installer\c13e74.msp
+ 2009-07-01 20:19 . 2009-07-01 20:19 10607104 c:\windows\Installer\c13e5d.msp
+ 2007-05-31 20:37 . 2007-05-31 20:37 12310368 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\WINWORD.EXE
+ 2007-06-19 00:16 . 2007-06-19 00:16 12259160 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSO.DLL
+ 2007-05-31 20:41 . 2007-05-31 20:41 10352472 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\EXCEL.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 73728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\RocketFish\RF7.1\Volume Panel\VolPanlu.exe" [2008-11-25 237693]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-202 Wireless Adapter Utility.lnk - c:\program files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2012-3-15 10878976]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ZyXEL\\ZyXEL G-202 Wireless Adapter Utility\\ZyXEL G-202.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Jonathon\\Application Data\\Spotify\\spotify.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Games\\Mass Effect 3\\Binaries\\Win32\\MassEffect3.exe"=
"c:\\Program Files\\Games\\Operation Flashpoint Red River\\RedRiver.exe"=
"c:\\Program Files\\Games\\Operation Flashpoint Red River\\RedRiverLauncher.exe"=
.
R0 pctBTFix;PC Tools Boot Fix Driver;c:\windows\system32\drivers\pctBTFix.sys [3/16/2012 9:48 PM 17848]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/16/2012 9:22 PM 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [3/16/2012 9:22 PM 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [3/16/2012 9:22 PM 909728]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [3/16/2012 9:49 PM 54328]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [3/16/2012 9:49 PM 574424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [3/16/2012 9:48 PM 253352]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [3/16/2012 9:22 PM 185560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [3/16/2012 9:48 PM 550864]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [3/16/2012 11:02 AM 232512]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [3/16/2012 9:48 PM 56840]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [3/16/2012 9:49 PM 35264]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/15/2012 9:53 PM 79360]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [3/16/2012 9:48 PM 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools\PC Tools Security\pctsAuxs.exe [3/16/2012 9:48 PM 402336]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools\PC Tools Security\TFEngine\TFService.exe service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\AdobeAAMUpdater-1.0-ODIN-Jonathon.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-03-16 11:44]
.
2012-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 01:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/go/cs_systemreqs
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Jonathon\Application Data\Mozilla\Firefox\Profiles\fyru972d.default\
FF - prefs.js: browser.search.selectedEngine - WOT Safe Search
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-21 14:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(624)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(1968)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-21 14:23:10
ComboFix-quarantined-files.txt 2012-03-21 21:23
ComboFix2.txt 2012-03-21 17:02
.
Pre-Run: 237,770,641,408 bytes free
Post-Run: 237,749,702,656 bytes free
.
- - End Of File - - C63985EF5F33A291FE7C17D5A4C04AA9

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:13 PM

Posted 21 March 2012 - 09:17 PM

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 zakn

zakn
  • Topic Starter

  • Members
  • 18 posts
  • Local time:02:13 PM

Posted 21 March 2012 - 10:00 PM

No problems running the programs. I thought my computer was doing well, but after I posted the logs and quit firefox my computer froze I think. The mouse was able to move, but nothing seemed to respond. The task manager didn't even show up after I pressed ctrl+alt+del. I waited for a few minutes with nothing happening, so I had to do a hard shutdown (hold the on button until it shut off <- in case I got the term wrong).

MBAM log:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.21.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jonathon :: ODIN [administrator]

Protection: Enabled

3/21/2012 7:49:23 PM
mbam-log-2012-03-21 (19-49-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 175357
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:56:19 PM, on 3/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\RocketFish\RF7.1\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/go/cs_systemreqs
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: PC Tools Browser Defender - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PC Tools Browser Defender - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\RocketFish\RF7.1\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe

--
End of file - 8030 bytes

Edited by zakn, 21 March 2012 - 10:10 PM.


#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 March 2012 - 10:20 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start when you turn on your computer but don't need to; you can start any of them from its icon (or from the Control Panel) when you need it. By stopping these programs you will boot faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
      O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
      O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
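Added example, not part of the thread and not HijackThis's own code: a small Python audit of the O4 and O23 lines in a HijackThis log such as the one above. It pulls out the binary each autorun entry actually loads (honouring quoted paths and rundll32's DLL argument) and flags what a reviewer checks before deciding what to "Fix": entries that name a bare file such as SPIRun.dll or MIDIDef.exe and are therefore found through the search order rather than by full path, binaries outside Program Files and Windows, Startup-folder shortcuts whose target HijackThis could not resolve (the "= ?" entry), and services with no vendor recorded. The sample lines are copied from the log above; the flag wording and the STANDARD_ROOTS list are the example's own choices.

```python
import re

# Line shapes from the HijackThis log above: registry Run/RunOnce autoruns,
# Startup-folder shortcuts, and services.
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_DIR_RE = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")

# Example's own choice of expected install roots on a 32-bit XP box.
STANDARD_ROOTS = (r"c:\program files", r"c:\windows")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# An unquoted command: take everything up to the first .exe/.dll/... token,
# so "C:\Program Files\x\y.exe /arg" yields the path even though it has spaces.
EXT_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|sys|cpl|scr))(?=[\s,]|$)", re.IGNORECASE)


def executable_of(cmd):
    """Return the file a command line actually loads: the quoted path if there is
    one, the DLL argument for rundll32 entries, otherwise the leading path/token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        return executable_of(rest.split(",", 1)[0])
    m = EXT_RE.match(cmd)
    return m.group("exe") if m else first


def audit_line(line):
    """Parse one O4/O23 line into a record with review flags; None for other lines."""
    m = O4_RUN_RE.match(line) or O4_DIR_RE.match(line) or O23_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    exe = executable_of(d["cmd"])
    rec = {"kind": line[:3], "hive": d.get("hive"), "name": d["name"],
           "cmd": d["cmd"], "exe": exe, "flags": []}
    if exe == "?":
        rec["flags"].append("shortcut target not resolved: inspect the .lnk by hand")
    elif not DRIVE_PATH_RE.match(exe):
        rec["flags"].append("unqualified path: found via the search order, so a file planted earlier in it would win")
    elif not exe.lower().startswith(STANDARD_ROOTS):
        rec["flags"].append("binary outside Program Files / Windows")
    if d.get("vendor") == "Unknown owner":
        rec["flags"].append("no vendor recorded for the service binary (HijackThis: Unknown owner)")
    return rec


def audit_log(text):
    """Audit every recognised line of a HijackThis log."""
    return [r for r in (audit_line(l) for l in text.splitlines()) if r]


# Sample lines, copied from the log above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

if __name__ == "__main__":
    for r in audit_log(SAMPLE_LOG):
        print("%-3s %-40s %s" % (r["kind"], r["name"][:40], r["exe"]))
        for f in r["flags"]:
            print("     ! " + f)
```

To run it over a real log, pass the file's text to audit_log(). A flag is a reason to look, not a verdict: P17Helper and SetDefaultMIDI above are legitimate sound-card helpers that happen to be registered without a full path, which is exactly why a reviewer confirms where the named file actually lives before either keeping or fixing the entry.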

#11 zakn (Topic Starter)

Posted 22 March 2012 - 12:21 AM

Here's the log:

C:\Program Files\DAEMON Tools Pro\Daemon Tools Pro Advanced 4.41_Patch.exe a variant of Win32/HackTool.Patcher.U application
C:\Program Files\Games\Starpoint Gemini\SKIDROW.dll a variant of Win32/Packed.VMProtect.AAA trojan
C:\System Volume Information\_restore{CB02C247-33AF-46FA-BD58-7A8766740480}\RP11\A0002932.exe Win32/OpenCandy application
C:\System Volume Information\_restore{CB02C247-33AF-46FA-BD58-7A8766740480}\RP11\A0002983.exe a variant of MSIL/Injector.SY trojan
C:\System Volume Information\_restore{CB02C247-33AF-46FA-BD58-7A8766740480}\RP11\A0002985.exe a variant of MSIL/TrojanDropper.Agent.DK trojan

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 22 March 2012 - 01:51 AM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    REM Delete the two files the ESET scan flagged. /f also removes read-only files,
    REM /q suppresses the confirmation prompt, /s looks in subfolders as well.
    del /f /s /q "C:\Program Files\DAEMON Tools Pro\Daemon Tools Pro Advanced 4.41_Patch.exe"
    del /f /s /q "C:\Program Files\Games\Starpoint Gemini\SKIDROW.dll"
    REM Finally delete this batch file itself (%0 is its own path).
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop.

:DeFogger:

Note** This only needs to be run if it was run before - If not then skip it.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


:Make sure your applications have all of their updates:

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and updating them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

Gringo
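Added example, not part of the post above: the five Internet-zone settings it walks through in the dialog are stored as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (IDs 1001, 1004, 1201, 1800 and 1804, with 0 = Enable, 1 = Prompt, 3 = Disable), so they can be audited from a `reg export` of that key instead of by clicking through. The Python below reads such an export, lists every setting looser than the post recommends, notes which of the five the export did not contain, and writes a .reg fragment that tightens only the weak ones. The export text is constructed for the example to show a loosened zone; the value IDs are Internet Explorer's, the RECOMMENDED table is the post's settings, and the function names are the example's own.

```python
import re

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3            # the DWORD values IE stores for these actions
LEVEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The five Internet-zone settings the post changes, keyed by IE's value IDs.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
}

DWORD_RE = re.compile(r'^"(?P<id>\d+)"=dword:(?P<val>[0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Collect the DWORD values stored directly under the Internet zone key of a .reg export."""
    values, in_zone = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone = line[1:-1].lower() == ZONE_KEY.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone and m:
            values[m.group("id")] = int(m.group("val"), 16)
    return values


def weaker_than_recommended(values):
    """(id, name, current, wanted) for each setting looser than the post asks for.
    Enable (0) is looser than Prompt (1), which is looser than Disable (3)."""
    out = []
    for vid, (name, wanted) in sorted(RECOMMENDED.items()):
        if vid in values and values[vid] < wanted:
            out.append((vid, name, values[vid], wanted))
    return out


def unaudited(values):
    """IDs the export does not contain, so IE is using the zone template's default for them."""
    return sorted(vid for vid in RECOMMENDED if vid not in values)


def fix_reg(findings):
    """A .reg fragment (for `reg import`) that tightens only the settings found weaker."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % ZONE_KEY]
    lines += ['"%s"=dword:%08x' % (vid, wanted) for vid, _, _, wanted in findings]
    return "\n".join(lines) + "\n"


# Constructed export of a loosened Internet zone (1200 is present but not one of the five).
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1800"=dword:00000001
"""

if __name__ == "__main__":
    values = parse_zone_export(WEAK_EXPORT)
    found = weaker_than_recommended(values)
    for vid, name, cur, wanted in found:
        print("%s %-60s %s -> %s" % (vid, name, LEVEL[cur], LEVEL[wanted]))
    print("not in export:", unaudited(values))
    print(fix_reg(found))
```

On the machine itself the export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`; the Version 5.00 format is normally written as UTF-16, so open it with encoding="utf-16" before handing the text to parse_zone_export(). Importing the generated fragment changes only the current user's Internet zone, which is the same scope the dialog edits.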

#13 zakn (Topic Starter)

Posted 22 March 2012 - 01:00 PM

I deleted the files, ran Defogger, uninstalled combofix, and got to the OTCleanIt step and had to restart my computer because it asked to. My antivirus program runs a scan at every start up and it found the Rootkit.TDSS.v3 infection when it started up again. I am sooo confused on why it's still there. I tell Spyware Doctor with Antivirus to fix it, it says it does and asks for the computer to be restarted. I restart the computer and the same infection, Rootkit.TDSS.v3, shows up again. Could the infection be hiding in one of my external hard drives? During the process I didn't have them plugged in or attached to the computer. What should we do?

(I have 2 external hard drives, well 3 counting the portable one)

*edit* well I ran the ESET online scanner again and it didn't find anything. Could my antivirus be wrong? I don't know. it's puzzling.

Edited by zakn, 22 March 2012 - 04:35 PM.


#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 March 2012 - 01:03 AM

what is the location that it is finding it?

gringo

#15 zakn (Topic Starter)

Posted 23 March 2012 - 12:21 PM

On the intelliscan, which is basically a quick scan, the part it scans is the startup scanner part and when the scan is finished it says that there is one infection, the Rootkit.TDSS.v3 infection. During a full system scan, it did a brief mbr scan after a couple of other scans, like browser scanner or registry scanner, and it immediately finds the Rootkit.TDSS.v3 infection. After the scan finds it, it immediately starts scanning C:\documents and settings\ folders.

I don't know if that helps, but I couldn't seem to find what area it was scanning to find the infection. I even did the screenshot thing, but I guess I always press it late because it always shows C:\documents and settings\..."whatever folder it's scanning." I'll run the scan a couple more times to try to hopefully get lucky and manage to catch what directory or where it's scanning.

*edit*
Well I got the order in which it scans stuff: Browser scanner, Known Files scanner, Registry scanner, Process scanner, Startup scanner, brief (very brief, not even a second) MBR scanner, File scanner. The infection is always found after the brief MBR scanner. It doesn't seem to give a directory that is scanned though.

Then I select fix selected, and the computer has to restart in order to "remove" it. Once the computer is restarted, the infection is in quarantine. There are about 7 separate Rootkit.TDSS.v3 items in the quarantine, plus the behavior guard detection of the mbr thing with 7 items in that 1 entry (the mbr process that I blocked right after I ran the defogger).

Just trying to give you as much information as I can so hopefully I can help you out while you help me, I guess.

Edited by zakn, 23 March 2012 - 12:38 PM.
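A detection raised right after an MBR scan comes with no directory because the MBR is not a file: it is sector 0 of the disk, 446 bytes of boot code followed by the four 16-byte partition entries and the 0x55AA signature. Deleting a partition and reinstalling Windows recreates the partition and its own boot sector but does not necessarily rewrite those 446 bytes, which is what the MBR variants of TDSS (TDL4) replace, with their own components kept in sectors after the last partition; the running rootkit driver also filters disk reads so that anything reading sector 0 from inside the infected system sees the original code, which is why the Recovery Console's fixmbr and offline inspection exist. As an added example (not from the thread or from any of the tools used in it), here is a Python check to run on an MBR image captured from outside the suspect OS, such as from a boot CD or with the disk attached to a clean machine: it parses the partition table, compares the boot code with a known-good copy taken earlier from the same disk, and reports the sectors past the last partition so they can be imaged and inspected rather than assumed empty. The sample images, the stub boot code, the partition layout and the disk sizes are constructed for the example; the known-good hash is something you must supply from a clean image of your own disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code, the part a bootkit replaces
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def make_entry(bootable, ptype, lba_start, sectors):
    """One partition-table entry; CHS fields left zero (LBA is what matters here)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR image from boot code and up to four entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for slot in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * slot)
        if ptype != 0:
            parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                          "start": start, "sectors": count})
    return parts


def check_mbr(mbr, known_good_code_sha256, disk_sectors):
    """Compare an MBR image with a known-good boot-code hash and the disk's size.
    Returns a list of findings; an empty list means nothing stood out."""
    if len(mbr) != SECTOR_SIZE:
        return ["image is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("bad boot signature %s" % mbr[510:512].hex())
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != known_good_code_sha256:
        findings.append("boot code differs from the known-good copy (sha256 %s...)" % code_hash[:16])
    parts = parse_partitions(mbr)
    active = sum(p["bootable"] for p in parts)
    if active != 1:
        findings.append("%d active partitions, expected exactly 1" % active)
    spans = sorted((p["start"], p["start"] + p["sectors"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap at LBA %d" % start_b)
    used_end = max((end for _, end in spans), default=0)
    if used_end > disk_sectors:
        findings.append("partition table runs %d sectors past the end of the disk" % (used_end - disk_sectors))
    elif used_end < disk_sectors:
        findings.append("%d unallocated sectors after the last partition: image and inspect them"
                        % (disk_sectors - used_end))
    return findings


def load_mbr(path):
    """Read sector 0 from a raw disk image (or device) captured outside the suspect OS."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed samples. CLEAN_CODE is a 7-byte stub, not real Windows boot code;
# on a real disk the reference hash comes from an image taken while it was known clean.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c")
ONE_PARTITION = [make_entry(True, 0x07, 63, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, ONE_PARTITION)
CLEAN_CODE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
CLEAN_DISK_SECTORS = 63 + 1_000_000

# Same partition table, but the boot code has been replaced and the disk is larger
# than the table accounts for: the shape of a TDL4-style infection.
TAMPERED_MBR = build_mbr(bytes.fromhex("ebfe") + b"\x90" * 40, ONE_PARTITION)
TAMPERED_DISK_SECTORS = CLEAN_DISK_SECTORS + 4096

if __name__ == "__main__":
    for label, image, size in (("clean", CLEAN_MBR, CLEAN_DISK_SECTORS),
                               ("tampered", TAMPERED_MBR, TAMPERED_DISK_SECTORS)):
        print(label, check_mbr(image, CLEAN_CODE_SHA256, size) or "no findings")
```

disk_sectors is the capture's size in 512-byte sectors (image length divided by 512). Some trailing slack is normal on an XP-era disk because Setup ends partitions on a cylinder boundary, so the number alone proves nothing; the point is to read those sectors from the offline image and see whether they are zeros or hold code and data that the partition table does not account for.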




