DHCP, TCP/IP and Security Alert errors after virus infection


This topic is locked
23 replies to this topic

#1 mutex7

  • Members
  • 41 posts

Posted 17 March 2012 - 04:46 PM

Following are the DDS and GMER logs as requested.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by David Gondek at 14:53:00 on 2012-03-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.617 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHJLDCS.EXE
C:\WINDOWS\system32\slpservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\slpmonx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\vsnp2rf.exe
C:\WINDOWS\tsnp2rf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Speckie: {8ce7f568-67fa-4432-ba39-f5afd68e7b8b} - c:\documents and settings\david gondek\application data\speckie\bin32\Speckie32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [atwtusb] atwtusb.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [snp2rf] c:\windows\vsnp2rf.exe
mRun: [tsnp2rf] c:\windows\tsnp2rf.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\documents and settings\david gondek\application data\speckie\bin32\Speckie32.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{11C9F84F-98AA-44FA-8925-FD94F886A831} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl0c464802;MpKsl0c464802;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15836dbb-18cb-4d93-9af3-8decd98d5322}\MpKsl0c464802.sys [2012-3-17 29904]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2012-1-7 12184]
R2 OKI OPHJ DCS Loader;OKI OPHJ DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHJLDCS.EXE [2010-6-10 24576]
S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2011-1-22 22528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [2009-6-7 227200]
S3 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2011-9-2 42648]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2011-9-2 12184]
S3 SNP2RF;USB2.0 PC Camera (SNP2RF);c:\windows\system32\drivers\snp2rf.sys [2012-2-18 3499392]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-17 18:54:57 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15836dbb-18cb-4d93-9af3-8decd98d5322}\MpKsl0c464802.sys
2012-03-16 17:06:47 2084 ----a-w- C:\itunes.reg
2012-03-16 16:22:47 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-16 16:22:47 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-16 16:21:46 -------- d-----w- c:\program files\iPod
2012-03-16 16:21:42 -------- d-----w- c:\program files\iTunes
2012-03-16 16:21:42 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-16 16:21:17 -------- d-----w- c:\documents and settings\david gondek\local settings\application data\Apple
2012-03-16 16:20:41 -------- d-----w- c:\program files\Bonjour
2012-03-16 14:55:18 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15836dbb-18cb-4d93-9af3-8decd98d5322}\mpengine.dll
2012-03-14 22:17:30 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2012-03-14 02:14:01 1936 ----a-w- C:\java.reg
2012-03-13 16:03:10 40056 ----a-w- c:\windows\system32\NicInst.dll
2012-03-13 16:03:10 28272 ----a-w- c:\windows\system32\NicCo2.dll
2012-03-01 17:48:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-21 22:07:55 -------- d-----w- c:\program files\CCleaner
2012-02-18 18:26:25 662016 ----a-w- c:\windows\vsnp2rf.exe
2012-02-18 18:26:25 303616 ----a-w- c:\windows\system32\vsnp2rf.dll
2012-02-18 18:26:25 27136 ----a-w- c:\windows\system32\drivers\sncdrf.sys
2012-02-18 18:26:25 176128 ----a-w- c:\windows\system32\csnp2rf.dll
2012-02-18 18:26:24 3499392 ----a-w- c:\windows\system32\drivers\snp2rf.sys
2012-02-18 18:26:20 225280 ----a-w- c:\windows\system32\rsnp2rf.dll
2012-02-18 18:26:19 -------- d-----w- c:\program files\RFIconFiles
2012-02-18 18:26:15 321536 ----a-w- c:\windows\tsnp2rf.exe
2012-02-18 18:26:15 -------- d-----w- c:\program files\common files\SNP2RF
2012-02-18 01:57:05 94208 ----a-w- c:\windows\amcap.exe
2012-02-18 01:57:05 1724416 ----a-w- c:\windows\GdiPlus.dll
2012-02-18 01:28:50 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-02-18 01:28:50 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2012-02-18 01:28:41 20992 ----a-w- c:\windows\system32\dshowext.ax
2012-02-16 23:13:58 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2012-03-01 17:48:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 17:16:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 02:26:32 1950 ----a-w- C:\msse.reg
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-08 01:29:31 1776 ----a-w- C:\logitech.reg
2012-01-08 01:12:50 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
.
============= FINISH: 14:53:36.12 ===============


GMER Log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-17 16:35:55
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD1600JS-56MHB1 rev.10.02E01
Running: 7t462g5w.exe; Driver: C:\DOCUME~1\DAVIDG~1\LOCALS~1\Temp\awroypow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7256340, 0xFFF3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012300, 0x234A20, 0xF8000020]
? C:\DOCUME~1\DAVIDG~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


Previous posts:

http://www.bleepingcomputer.com/forums/topic446229.html

http://www.bleepingcomputer.com/forums/topic446595.html


Thanks for your help!

#2 mutex7

  • Topic Starter
  • Members
  • 41 posts

Posted 17 March 2012 - 06:46 PM

After I ran DDS and GMER my computer got extremely slow and the sound got messed up (in media player the sound is jittery and distorted). I cleaned my temporary files with TFC, ran a chkdsk scan and then I stopped and restarted the 'explorer' process and now my computer is running better. I'm still having the trouble with the sound though.

Thinking about running system file checker but something is definitely goofy here.

I will try to wait until I hear back from you.

#3 gringo_pr

  • Malware Response Team
  • 136,772 posts

Posted 19 March 2012 - 10:22 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so!
Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Backup The Computer!!

If you have not done it yet, spend a few minutes to back up the computer. Removing malware can be unpredictable and this may save you and me a lot of grief later.

There is some good info in the Preparation Guide on how to make full backups and how to restore it back if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the computer backed up you may do the following.


I want you to reset the DMA. You can do this with this script here - Reset DMA

If you have problems when you click on the link try to right click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop right click on the file and select "Run"

If you still can't run it then you can go here "Reset DMA" to see what I want to do




Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 mutex7

  • Topic Starter
  • Members
  • 41 posts

Posted 20 March 2012 - 12:19 PM

Okay, we are making progress. The DMA reset and Combofix scan both ran without problems. My sound now seems to be fixed and the computer boots up better and seems more responsive. The yellow highlighted message in IE security settings (Some settings are managed by your system administrator) is gone. However, I'm still getting the DHCP error in Event Viewer and it still takes about 10 seconds for the context menu to open when I right-click my hard drives in My Computer. I don't know about the security alert pop ups (or the TCP/IP warnings) because I haven't surfed the web yet and they happen sporadically. I've posted the Combofix log below. I just wanted to say thanks for your help and let you know that you guys are providing a great service that is very much appreciated. It is beyond me why the anti-virus companies can't create a bootup disk that can deal with these problems but thank God for Combofix at least! I will check back frequently for your next instructions.


ComboFix 12-03-20.01 - David Gondek 03/20/2012 11:21:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.687 [GMT -5:00]
Running from: c:\documents and settings\David Gondek\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\David Gondek\Application Data\Microsoft\AddIns\WordRMRComAddin.dll
c:\documents and settings\David Gondek\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\PowerToyReadme.htm
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-20 16:13 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C553264-7B6E-42C4-B857-1E595CAB8EBA}\mpengine.dll
2012-03-16 17:06 . 2012-03-16 17:06 2084 ----a-w- C:\itunes.reg
2012-03-16 16:22 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-16 16:22 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\program files\iPod
2012-03-16 16:21 . 2012-03-16 16:22 -------- d-----w- c:\program files\iTunes
2012-03-16 16:21 . 2012-03-16 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\David Gondek\Local Settings\Application Data\Apple
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\program files\Apple Software Update
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-03-16 16:20 . 2012-03-16 16:20 -------- d-----w- c:\program files\Bonjour
2012-03-16 16:20 . 2012-03-16 16:21 -------- d-----w- c:\program files\Common Files\Apple
2012-03-16 16:20 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2012-03-14 22:17 . 2012-03-14 22:17 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2012-03-14 02:14 . 2012-03-14 02:14 1936 ----a-w- C:\java.reg
2012-03-13 16:05 . 2012-03-13 16:05 -------- d-----w- c:\program files\Intel
2012-03-13 16:03 . 2007-11-29 03:38 40056 ----a-w- c:\windows\system32\NicInst.dll
2012-03-13 16:03 . 2007-08-07 05:28 28272 ----a-w- c:\windows\system32\NicCo2.dll
2012-03-01 17:48 . 2012-03-01 17:48 -------- d-----w- c:\program files\Common Files\Java
2012-03-01 17:48 . 2012-03-01 17:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-21 22:07 . 2012-02-21 22:08 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-01 17:48 . 2011-01-31 21:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 17:16 . 2011-07-27 21:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 02:26 . 2012-02-15 02:26 1950 ----a-w- C:\msse.reg
2012-02-08 06:03 . 2012-02-16 23:13 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2004-08-04 10:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2012-02-14 07:27 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-15 00:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-03-19 23:44 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-08 01:29 . 2012-01-08 01:29 1776 ----a-w- C:\logitech.reg
2012-01-08 01:13 . 2012-01-08 01:13 53248 ----a-r- c:\documents and settings\David Gondek\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-01-08 01:12 . 2012-01-08 01:12 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"snp2rf"="c:\windows\vsnp2rf.exe" [2010-07-09 662016]
"tsnp2rf"="c:\windows\tsnp2rf.exe" [2010-08-17 321536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Barnes & Noble\\NOOKstudy\\NOOKstudy.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:*:Disabled:FlipShareServer
"24727:TCP"= 24727:TCP:*:Disabled:FlipShareServer
.
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/7/2012 8:12 PM 12184]
R2 OKI OPHJ DCS Loader;OKI OPHJ DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHJLDCS.EXE [6/10/2010 7:44 PM 24576]
S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [1/22/2011 12:55 PM 22528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [6/7/2009 6:38 PM 227200]
S3 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 1:58 PM 1085440]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [9/2/2011 1:31 AM 42648]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [9/2/2011 1:31 AM 12184]
S3 SNP2RF;USB2.0 PC Camera (SNP2RF);c:\windows\system32\drivers\snp2rf.sys [2/18/2012 1:26 PM 3499392]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-20 11:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1547161642-1450960922-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:08,2f,ca,19,32,8a,82,81,63,e5,13,88,bf,0e,1c,28,a3,c1,b2,b9,3f,5b,dc,
fe,9b,45,95,e7,04,a4,21,71,12,26,69,41,94,42,1a,10,c3,b0,9d,d2,93,80,65,92,\
"??"=hex:1b,70,29,45,ca,a0,1e,13,9c,b9,67,be,4b,dc,ae,16
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(520)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2012-03-20 11:29:38
ComboFix-quarantined-files.txt 2012-03-20 16:29
.
Pre-Run: 123,884,703,744 bytes free
Post-Run: 123,837,276,160 bytes free
.
- - End Of File - - CFF079E96A0239B9EADBD08D9FA29D9F

#5 gringo_pr

  • Malware Response Team
  • 136,772 posts

Posted 20 March 2012 - 12:55 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#6 mutex7

  • Topic Starter
  • Members
  • 41 posts

Posted 20 March 2012 - 02:05 PM

Hi Gringo. Thanks for the quick response. I had done both of those scans prior to coming to bleepingcomputer.com so if you want to see those old logs I still have them.

Here are the new logs from the scans I did today:

13:12:17.0625 1480 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
13:12:18.0031 1480 ============================================================
13:12:18.0031 1480 Current date / time: 2012/03/20 13:12:18.0031
13:12:18.0031 1480 SystemInfo:
13:12:18.0031 1480
13:12:18.0031 1480 OS Version: 5.1.2600 ServicePack: 3.0
13:12:18.0031 1480 Product type: Workstation
13:12:18.0031 1480 ComputerName: SOFTMART
13:12:18.0031 1480 UserName: David Gondek
13:12:18.0031 1480 Windows directory: C:\WINDOWS
13:12:18.0031 1480 System windows directory: C:\WINDOWS
13:12:18.0031 1480 Processor architecture: Intel x86
13:12:18.0031 1480 Number of processors: 1
13:12:18.0031 1480 Page size: 0x1000
13:12:18.0031 1480 Boot type: Normal boot
13:12:18.0031 1480 ============================================================
13:12:19.0140 1480 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:12:19.0140 1480 Drive \Device\Harddisk1\DR1 - Size: 0x25233D6000 (148.55 Gb), SectorSize: 0x200, Cylinders: 0x4BC0, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:12:19.0140 1480 \Device\Harddisk0\DR0:
13:12:19.0140 1480 MBR used
13:12:19.0140 1480 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x7FAB00E
13:12:19.0140 1480 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xB, StartLBA 0x7FAB08C, BlocksNum 0x80340C
13:12:19.0140 1480 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x87AE498, BlocksNum 0x57E5329
13:12:19.0140 1480 \Device\Harddisk1\DR1:
13:12:19.0140 1480 MBR used
13:12:19.0140 1480 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12915CC0
13:12:19.0203 1480 Initialize success
13:12:19.0203 1480 ============================================================
13:12:25.0312 0936 ============================================================
13:12:25.0312 0936 Scan started
13:12:25.0312 0936 Mode: Manual;
13:12:25.0312 0936 ============================================================
13:12:33.0812 0936 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:12:33.0921 0936 \Device\Harddisk0\DR0 - ok
13:12:33.0937 0936 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
13:12:34.0031 0936 \Device\Harddisk1\DR1 - ok
13:12:34.0046 0936 Boot (0x1200) (0ec5b450a3e2e325295d3157c5f0790d) \Device\Harddisk0\DR0\Partition0
13:12:34.0046 0936 \Device\Harddisk0\DR0\Partition0 - ok
13:12:34.0046 0936 Boot (0x1200) (237157eea6457c30619df121c4094423) \Device\Harddisk0\DR0\Partition1
13:12:34.0046 0936 \Device\Harddisk0\DR0\Partition1 - ok
13:12:34.0062 0936 Boot (0x1200) (6ecb4790d7fcc9a407c000afd3c30a45) \Device\Harddisk0\DR0\Partition2
13:12:34.0062 0936 \Device\Harddisk0\DR0\Partition2 - ok
13:12:34.0062 0936 Boot (0x1200) (d664fa21dda6aefd74eed9ab2caa9d26) \Device\Harddisk1\DR1\Partition0
13:12:34.0062 0936 \Device\Harddisk1\DR1\Partition0 - ok
13:12:34.0078 0936 ============================================================
13:12:34.0078 0936 Scan finished
13:12:34.0078 0936 ============================================================
13:12:34.0093 2380 Detected object count: 0
13:12:34.0093 2380 Actual detected object count: 0
13:13:14.0250 0860 Deinitialize success
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-20 13:14:11
-----------------------------
13:14:11.296 OS Version: Windows 5.1.2600 Service Pack 3
13:14:11.296 Number of processors: 1 586 0x209
13:14:11.296 ComputerName: SOFTMART UserName:
13:14:11.640 Initialize success
13:28:39.390 AVAST engine defs: 12032000
13:30:22.421 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:30:22.421 Disk 0 Vendor: WDC_WD1200JB-00CRA1 17.07W17 Size: 114473MB BusType: 3
13:30:22.421 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-e
13:30:22.421 Disk 1 Vendor: WDC_WD1600JS-56MHB1 10.02E01 Size: 152115MB BusType: 3
13:30:22.437 Disk 1 MBR read successfully
13:30:22.437 Disk 1 MBR scan
13:30:22.468 Disk 1 Windows XP default MBR code
13:30:22.468 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152107 MB offset 63
13:30:22.468 Disk 1 scanning sectors +311516415
13:30:22.531 Disk 1 scanning C:\WINDOWS\system32\drivers
13:30:33.171 Service scanning
13:30:47.140 Modules scanning
13:30:51.312 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
13:30:52.562 Disk 1 trace - called modules:
13:30:52.562 ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
13:30:52.562 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86fd5030]
13:30:52.562 3 CLASSPNP.SYS[f762ffd7] -> nt!IofCallDriver -> [0x86f40d78]
13:30:52.562 5 iomdisk.sys[f788fbc3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86f78b00]
13:30:53.031 AVAST engine scan C:\WINDOWS
13:31:05.390 AVAST engine scan C:\WINDOWS\system32
13:33:42.734 AVAST engine scan C:\WINDOWS\system32\drivers
13:34:00.234 AVAST engine scan C:\Documents and Settings\David Gondek
13:41:56.109 AVAST engine scan C:\Documents and Settings\All Users
13:58:13.484 Scan finished successfully
14:00:37.421 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\David Gondek\Desktop\MBR.dat"
14:00:37.421 The log file has been saved successfully to "C:\Documents and Settings\David Gondek\Desktop\aswMBR.txt"

#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 March 2012 - 03:13 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 mutex7

  • Topic Starter
  • Members
  • 41 posts

Posted 20 March 2012 - 03:53 PM

After running ComboFix with the CFScript file the DHCP error message in Event Viewer appears to be gone. The only issues left are the right-click context menu for my hard drives still takes about 10 seconds to open and the security alert pop-ups for non-https sites. It also seems to take a little longer for my Desktop icons to show up when I reboot the computer or the first time they need to be refreshed after opening a window. I just checked and it turns out I still get the MrxSMB (The redirector failed to determine the connection type.) warning in Event Viewer. It's too soon to tell whether the "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts." warning is gone, as that is sporadic.

Here is the latest ComboFix log:

ComboFix 12-03-20.01 - David Gondek 03/20/2012 15:24:05.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.597 [GMT -5:00]
Running from: c:\documents and settings\David Gondek\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David Gondek\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\jestertb.dll
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-20 20:21 . 2012-03-20 20:21 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A969A0F5-CF2B-44BF-8F4C-8F228A758891}\MpKsld9caa7c9.sys
2012-03-20 19:00 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A969A0F5-CF2B-44BF-8F4C-8F228A758891}\mpengine.dll
2012-03-16 17:06 . 2012-03-16 17:06 2084 ----a-w- C:\itunes.reg
2012-03-16 16:22 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-16 16:22 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\program files\iPod
2012-03-16 16:21 . 2012-03-16 16:22 -------- d-----w- c:\program files\iTunes
2012-03-16 16:21 . 2012-03-16 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\David Gondek\Local Settings\Application Data\Apple
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\program files\Apple Software Update
2012-03-16 16:21 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-03-16 16:20 . 2012-03-16 16:20 -------- d-----w- c:\program files\Bonjour
2012-03-16 16:20 . 2012-03-16 16:21 -------- d-----w- c:\program files\Common Files\Apple
2012-03-16 16:20 . 2012-03-16 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2012-03-14 22:17 . 2012-03-14 22:17 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2012-03-14 02:14 . 2012-03-14 02:14 1936 ----a-w- C:\java.reg
2012-03-13 16:05 . 2012-03-13 16:05 -------- d-----w- c:\program files\Intel
2012-03-13 16:03 . 2007-11-29 03:38 40056 ----a-w- c:\windows\system32\NicInst.dll
2012-03-13 16:03 . 2007-08-07 05:28 28272 ----a-w- c:\windows\system32\NicCo2.dll
2012-03-01 17:48 . 2012-03-01 17:48 -------- d-----w- c:\program files\Common Files\Java
2012-03-01 17:48 . 2012-03-01 17:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-21 22:07 . 2012-02-21 22:08 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-01 17:48 . 2011-01-31 21:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 17:16 . 2011-07-27 21:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 02:26 . 2012-02-15 02:26 1950 ----a-w- C:\msse.reg
2012-02-08 06:03 . 2012-02-16 23:13 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2004-08-04 10:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2012-02-14 07:27 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-15 00:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-03-19 23:44 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-08 01:29 . 2012-01-08 01:29 1776 ----a-w- C:\logitech.reg
2012-01-08 01:13 . 2012-01-08 01:13 53248 ----a-r- c:\documents and settings\David Gondek\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-01-08 01:12 . 2012-01-08 01:12 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-20_16.27.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 16:05 . 2012-03-20 16:57 222441 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"snp2rf"="c:\windows\vsnp2rf.exe" [2010-07-09 662016]
"tsnp2rf"="c:\windows\tsnp2rf.exe" [2010-08-17 321536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Barnes & Noble\\NOOKstudy\\NOOKstudy.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:*:Disabled:FlipShareServer
"24727:TCP"= 24727:TCP:*:Disabled:FlipShareServer
.
R1 MpKsld9caa7c9;MpKsld9caa7c9;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A969A0F5-CF2B-44BF-8F4C-8F228A758891}\MpKsld9caa7c9.sys [3/20/2012 3:21 PM 29904]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/7/2012 8:12 PM 12184]
R2 OKI OPHJ DCS Loader;OKI OPHJ DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHJLDCS.EXE [6/10/2010 7:44 PM 24576]
S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [1/22/2011 12:55 PM 22528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [6/7/2009 6:38 PM 227200]
S3 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 1:58 PM 1085440]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [9/2/2011 1:31 AM 42648]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [9/2/2011 1:31 AM 12184]
S3 SNP2RF;USB2.0 PC Camera (SNP2RF);c:\windows\system32\drivers\snp2rf.sys [2/18/2012 1:26 PM 3499392]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 20960191
*NewlyCreated* - 51088071
*NewlyCreated* - MPKSLD9CAA7C9
*NewlyCreated* - WS2IFSL
*Deregistered* - 20960191
*Deregistered* - 51088071
*Deregistered* - aswMBR
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-20 15:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1547161642-1450960922-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:08,2f,ca,19,32,8a,82,81,63,e5,13,88,bf,0e,1c,28,a3,c1,b2,b9,3f,5b,dc,
fe,9b,45,95,e7,04,a4,21,71,12,26,69,41,94,42,1a,10,c3,b0,9d,d2,93,80,65,92,\
"??"=hex:1b,70,29,45,ca,a0,1e,13,9c,b9,67,be,4b,dc,ae,16
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(520)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2012-03-20 15:32:45
ComboFix-quarantined-files.txt 2012-03-20 20:32
ComboFix2.txt 2012-03-20 16:29
.
Pre-Run: 123,703,320,576 bytes free
Post-Run: 123,740,254,208 bytes free
.
- - End Of File - - 47095FBE5F9EBC5E8C55537204B183B3

#9 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 20 March 2012 - 08:12 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Adobe Reader 9


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 mutex7 (Topic Starter, Members, 41 posts)

Posted 21 March 2012 - 10:57 AM

Okay, I uninstalled Adobe Acrobat and ran CCleaner, Malwarebytes and HJT and the logs are below. The DHCP error is back. It apparently only shows up in Event Viewer when I shut down the computer and reboot (not on a restart). I still have the right-click context menu problem with my hard drives (all other right-click context menus show up fine). My Desktop icons still seem slow to refresh. Actually any folder that has a lot of icons is slow to display them. It's like there is a slight delayed reaction. I never had anti-virus software before this incident so I guess that could be causing it. I have been on the Internet since 1994 (and I am on almost constantly) and never needed to install anti-virus software before. I await your next instructions.

I almost forgot...I got an error message the first time I ran HJT so I reran it and it ran fine the 2nd time. The error message said something about being unable to access something in the registry.


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.17.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
David Gondek :: SOFTMART [administrator]

3/21/2012 10:05:37 AM
mbam-log-2012-03-21 (10-05-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 215627
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:14:10 AM, on 3/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHJLDCS.EXE
C:\WINDOWS\system32\slpservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\slpmonx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\vsnp2rf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Speckie - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Documents and Settings\David Gondek\Application Data\Speckie\bin32\Speckie32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [snp2rf] C:\WINDOWS\vsnp2rf.exe
O4 - HKLM\..\Run: [tsnp2rf] C:\WINDOWS\tsnp2rf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E6846530-6088-4AA3-932F-C6245CE59A4C} - C:\Documents and Settings\David Gondek\Application Data\Speckie\bin32\Speckie32.dll
O9 - Extra 'Tools' menuitem: Specki&e Settings - {E6846530-6088-4AA3-932F-C6245CE59A4C} - C:\Documents and Settings\David Gondek\Application Data\Speckie\bin32\Speckie32.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: FlipShare Server (FlipShareServer) - Unknown owner - C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OKI OPHJ DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHJLDCS.EXE
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\system32\slpservice.exe

--
End of file - 6109 bytes
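The HijackThis log above is the kind of listing gringo asks not to "fix" blindly, since most lines are harmless or required. The script below is an added example for this thread (it is not a BleepingComputer, Trend Micro or HijackThis tool, and not part of either poster's instructions) that parses O2, O4 and O23 lines and flags the entries a responder would look at first: a module loaded from a user-writable profile or temp directory, a Run entry given as a bare file name (so it is found via the PATH search order), and a service whose binary carries no publisher information. The sample lines are copied from the log posted above; the directory list, the heuristics and the names `triage`, `assess` and `extract_exe` are this example's own assumptions, and a flag is a reason to look closer, not a verdict.

```python
"""Triage of HijackThis-style autostart entries.

Added example for this thread: not a BleepingComputer, Trend Micro or
HijackThis tool. The sample lines are copied from the log posted above;
the flagging heuristics are this example's own assumptions, and a flag is
a reason to look closer, not a verdict (Speckie, for instance, is a spell
checker that a user may well have installed on purpose).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Speckie - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Documents and Settings\David Gondek\Application Data\Speckie\bin32\Speckie32.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [snp2rf] C:\WINDOWS\vsnp2rf.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Line shapes as HijackThis prints them for BHOs (O2), Run keys (O4) and services (O23).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# First module on a command line: the shortest prefix ending in a binary
# extension, so "rundll32.exe bthprops.cpl,,Foo" yields rundll32.exe.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?=\s|,|$)", re.I)

# Directories an unprivileged user can write to on XP and later (assumed list).
USER_WRITABLE_RE = re.compile(
    r"\\(?:documents and settings|users|temp|local settings|application data|appdata)\\", re.I)


@dataclass
class Finding:
    kind: str            # O2, O4 or O23
    name: str            # entry name as HijackThis shows it
    path: str            # module the entry loads
    reasons: List[str] = field(default_factory=list)


def extract_exe(cmd: str) -> str:
    """Return the module an O4 command line loads, ignoring its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by switches
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def assess(kind: str, name: str, path: str, owner: Optional[str] = None) -> Optional[Finding]:
    """Apply the triage heuristics; None means nothing stood out."""
    reasons = []
    if "\\" not in path:
        reasons.append("bare file name: resolved through the PATH search order, so a "
                       "same-named file found earlier in that search would run instead")
    elif USER_WRITABLE_RE.search(path):
        reasons.append("module lives under a user-writable profile or temp directory")
    if owner is not None and owner.strip().lower() == "unknown owner":
        reasons.append("service binary carries no publisher information")
    return Finding(kind, name, path, reasons) if reasons else None


def parse_line(line: str):
    """Return (kind, name, path, owner) for an O2/O4/O23 line, else None."""
    m = O4_RE.match(line)
    if m:
        return "O4", m["name"], extract_exe(m["cmd"]), None
    m = O2_RE.match(line)
    if m:
        return "O2", m["name"], m["path"].strip(), None
    m = O23_RE.match(line)
    if m:
        return "O23", m["name"], m["path"].strip(), m["owner"]
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries that deserve a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        parsed = parse_line(line.rstrip())
        if parsed is None:                       # R0/R1, O8, O9 ... are not handled here
            continue
        finding = assess(*parsed)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for reason in f.reasons:
            print("    -", reason)
```

Run it as `python hjt_triage.py` and it lists three of the six sample entries: the Speckie BHO (loaded from the user's Application Data folder), the BCMSMMSG Run entry (no directory, so it depends on PATH lookup) and the BlueSoleil service (no publisher). Everything else on the page's log, such as the Microsoft Security Client and Bonjour entries, passes these checks, which is consistent with gringo's reading that the log shows nothing malicious; the flags only tell you where to verify file versions and signatures by hand before deciding.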

#11 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 21 March 2012 - 01:19 PM

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [snp2rf] C:\WINDOWS\vsnp2rf.exe
      O4 - HKLM\..\Run: [tsnp2rf] C:\WINDOWS\tsnp2rf.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

#12 mutex7 (Topic Starter, Members, 41 posts)

Posted 21 March 2012 - 07:15 PM

O4 - HKLM\..\Run: [snp2rf] C:\WINDOWS\vsnp2rf.exe
O4 - HKLM\..\Run: [tsnp2rf] C:\WINDOWS\tsnp2rf.exe

Those two files are drivers for a camera of mine. I temporarily disabled them in msconfig but it didn't change anything.

Here is the Eset log:

C:\Documents and Settings\All Users\Documents\backup\tools\kratz\SmitfraudFix.zip multiple threats
C:\Documents and Settings\All Users\Documents\fixes\SDFix.exe Win32/PrcView application
C:\Documents and Settings\All Users\Documents\fixes\kratz\SmitfraudFix.zip multiple threats
C:\Documents and Settings\All Users\Documents\toshiba\ssd benchmark software\CrystalDiskMark3_0_1b-en.exe Win32/OpenCandy application
C:\Documents and Settings\David Gondek\Desktop\new tools\battery care\SetupBatteryCare.zip Win32/OpenCandy application
C:\Documents and Settings\David Gondek\Desktop\reference\software\free software\downloaders\OrbitSetup4.1.02.exe Win32/OpenCandy application
C:\Documents and Settings\David Gondek\Desktop\reference\software\free software\downloaders\YouTubeDownloaderSetup34.exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\David Gondek\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskInfo4_1_3-en.exe Win32/OpenCandy application
C:\Documents and Settings\David Gondek\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskMark3_0_1b-en.exe Win32/OpenCandy application
C:\Documents and Settings\David Gondek\Desktop\reference\winxp\KeyFinderInstaller.exe Win32/OpenCandy application
C:\TDSSKiller_Quarantine\14.02.2012_01.11.34\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\14.02.2012_01.11.34\mbr0000\tdlfs0000\tsk0004.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\14.02.2012_01.11.34\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AE trojan
F:\Documents and Settings\David Gondek\Desktop\malware\SDFix.exe Win32/PrcView application
F:\Documents and Settings\David Gondek\Desktop\tools\kratz\SmitfraudFix.zip multiple threats
F:\Program Files\911 CD Builder\modules\911cd\mnuutils.cab Rebootpc.B trojan
H:\Desktop\new tools\battery care\SetupBatteryCare.zip Win32/OpenCandy application
H:\Desktop\reference\software\free software\downloaders\OrbitSetup4.1.02.exe Win32/OpenCandy application
H:\Desktop\reference\software\free software\downloaders\YouTubeDownloaderSetup34.exe a variant of Win32/Toolbar.Widgi application
H:\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskInfo4_1_3-en.exe Win32/OpenCandy application
H:\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskMark3_0_1b-en.exe Win32/OpenCandy application
H:\Desktop\reference\winxp\KeyFinderInstaller.exe Win32/OpenCandy application


What next?

#13 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 21 March 2012 - 08:51 PM

Hello

The ESET scan only showed some minor things, and I am sure they would not be causing the problems you are having.

The other scans we have run also have not shown anything, so at this point I don't think the problems you are having are from malware, and would advise you to check in the Windows forum and see if they would have an idea.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    rem Each line removes one file the ESET scan reported; paths are quoted because they contain spaces.
    rem /f deletes read-only files, /q skips the confirmation prompt, and /s also removes any
    rem same-named copy in subdirectories of the given folder.
    del /f /s /q "C:\Documents and Settings\All Users\Documents\backup\tools\kratz\SmitfraudFix.zip"
    del /f /s /q "C:\Documents and Settings\All Users\Documents\fixes\SDFix.exe"
    del /f /s /q "C:\Documents and Settings\All Users\Documents\fixes\kratz\SmitfraudFix.zip"
    del /f /s /q "C:\Documents and Settings\All Users\Documents\toshiba\ssd benchmark software\CrystalDiskMark3_0_1b-en.exe"
    del /f /s /q "C:\Documents and Settings\David Gondek\Desktop\new tools\battery care\SetupBatteryCare.zip"
    del /f /s /q "C:\Documents and Settings\David Gondek\Desktop\reference\software\free software\downloaders\OrbitSetup4.1.02.exe"
    del /f /s /q "C:\Documents and Settings\David Gondek\Desktop\reference\software\free software\downloaders\YouTubeDownloaderSetup34.exe"
    del /f /s /q "C:\Documents and Settings\David Gondek\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskInfo4_1_3-en.exe"
    del /f /s /q "C:\Documents and Settings\David Gondek\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskMark3_0_1b-en.exe"
    del /f /s /q "C:\Documents and Settings\David Gondek\Desktop\reference\winxp\KeyFinderInstaller.exe"
    del /f /s /q "F:\Documents and Settings\David Gondek\Desktop\malware\SDFix.exe"
    del /f /s /q "F:\Documents and Settings\David Gondek\Desktop\tools\kratz\SmitfraudFix.zip"
    del /f /s /q "F:\Program Files\911 CD Builder\modules\911cd\mnuutils.cab"
    del /f /s /q "H:\Desktop\new tools\battery care\SetupBatteryCare.zip"
    del /f /s /q "H:\Desktop\reference\software\free software\downloaders\OrbitSetup4.1.02.exe"
    del /f /s /q "H:\Desktop\reference\software\free software\downloaders\YouTubeDownloaderSetup34.exe"
    del /f /s /q "H:\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskInfo4_1_3-en.exe"
    del /f /s /q "H:\Desktop\reference\ssd and flash\sd card speed tests\CrystalDiskMark3_0_1b-en.exe"
    del /f /s /q "H:\Desktop\reference\winxp\KeyFinderInstaller.exe"
    rem Finally delete this batch file itself (%0 is the script's own path).
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop.

:DeFogger:

Note** This only needs to be run if it was run before - If not then skip it.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure: How to Secure Firefox


:Make sure your applications have all of their updates:

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) option: "Automatically download recommended updates for my computer and install them".

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days; If Anything Comes Up, Just Come Back And Let Me Know. After that time you will have to send me a PM.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Proud Graduate Of Malware Removal University

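As an added check (not part of Gringo's post), the following PowerShell script reads the per-user Internet zone registry values that sit behind the Custom Level settings listed above, plus the Automatic Updates mode set through sysdm.cpl, and reports which ones differ from the recommended values. It assumes Microsoft's documented zone value names (1001, 1004, 1201, 1800, 1804 with 0 = Enable, 1 = Prompt, 3 = Disable) and the XP-era Auto Update key; a Group Policy key under HKLM\SOFTWARE\Policies would override both.

```powershell
# Added example, not code from the original post. Audits the Internet zone
# (zone 3) Custom Level settings recommended above and the Automatic Updates
# mode. Value names follow Microsoft's documented zone layout; the encoding
# is 0 = Enable, 1 = Prompt, 3 = Disable. Run it in the user's own session.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$AuKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Setting label, registry value name, and the code the post recommends.
$Recommended = @(
    @{ Label = 'Download signed ActiveX controls';                       Id = '1001'; Want = 1 },
    @{ Label = 'Download unsigned ActiveX controls';                     Id = '1004'; Want = 3 },
    @{ Label = 'Initialize and script ActiveX controls not marked safe'; Id = '1201'; Want = 3 },
    @{ Label = 'Installation of desktop items';                          Id = '1800'; Want = 1 },
    @{ Label = 'Launching programs and files in an IFRAME';              Id = '1804'; Want = 1 }
)
$Code = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe($v) {
    # A missing value means the zone's built-in default applies, which is
    # not necessarily the recommended one, so it is reported as a mismatch.
    if ($null -eq $v) { return 'not set (zone default applies)' }
    if ($Code.ContainsKey([int]$v)) { return $Code[[int]$v] }
    return "unknown ($v)"
}

$zone   = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
$issues = 0
foreach ($s in $Recommended) {
    $actual = $null
    if ($zone) { $actual = $zone.($s.Id) }
    if ($actual -eq $s.Want) { $state = 'OK ' } else { $state = 'FIX'; $issues++ }
    '{0} {1}: is {2}, want {3}' -f $state, $s.Label, (Describe $actual), $Code[$s.Want]
}

# Automatic Updates: AUOptions 4 = download and install on a schedule, which is
# the "Automatic (recommended)" choice in sysdm.cpl; 1 = turned off.
$au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
if ($au -and $au.AUOptions -eq 4) {
    'OK  Automatic Updates: automatic (AUOptions = 4)'
} else {
    $issues++
    'FIX Automatic Updates: AUOptions = {0} (want 4)' -f $au.AUOptions
}
"$issues setting(s) differ from the recommendation."
```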
#14 mutex7 (Topic Starter, Members, 41 posts)

Posted 22 March 2012 - 10:54 AM

Gringo, I have to admit that I am extremely frustrated with this process. I realize you are a volunteer and that this is a free service but after spending untold hours running redundant and/or duplicate scans I still have all of the problems I stated in my initial post. I grudgingly followed all of your instructions hoping we would eventually get to the point where my issues were addressed. Now after a long list of generic, 'one size fits all', suggestions you advise me to start over in the windows forum.

I would like to hear your evaluation of the help you've provided me.

#15 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 22 March 2012 - 04:15 PM

Gringo, I have to admit that I am extremely frustrated with this process. I realize you are a volunteer and that this is a free service but after spending untold hours running redundant and/or duplicate scans I still have all of the problems I stated in my initial post. I grudgingly followed all of your instructions hoping we would eventually get to the point where my issues were addressed. Now after a long list of generic, 'one size fits all', suggestions you advise me to start over in the windows forum.

I would like to hear your evaluation of the help you've provided me.


I am a malware removal specialist working in a malware removal part of the forum. I have run a wide variety of scans and spent a few hours analyzing these reports looking for even a hint that it might be malware related, and ran redundant scans in hopes of finding something.

When I started this thread you had:

slow computer - fixed

slow bootup - fixed

sound problems - fixed

DHCP error in Event Viewer - Not fixed

takes about 10 seconds for the context menu to open when I right-click my hard drives - Not fixed


Now the last two items are not coming from malware, as your scans are coming back clean.

I am telling you now that it would be faster and safer to ask in the Windows forum, as they will go about things in a different way.



