Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

FakeHDD Virus


  • This topic is locked This topic is locked
18 replies to this topic

#1 Veisalgia

Veisalgia

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 19 March 2012 - 06:27 AM

EDIT:MOVED to Virus,Trojan and Malware Removal Logs ~~boopme


I was hit by a virus while casually browsing the net when suddenly all my browsers closed and avira popped up with TR/Crypt.XPACK.Gen3 Trojan. After that came multiple error screens about System32 though I don't quite remember the specifics. I panicked and restarted, only to have the error screens come again, with something that wasn't my virus scanner prompting me to scan, which I didn't do. My desktop was black with no icons and my start bar was empty. It ate up my ram and loading anything was difficult because of my desktop and start bar, and it ate up my memory too. After talking it through with my friend, I have it under semi control currently though not fully (it's no longer going crazy). Malwarebytes caught 2 Rogue.FakeHDD viruses and prompted me to "urgently" reboot to completely rid of them. Since then I have left the reboot notification screen up in fear of compromising my PC again.
**I edited to add more information

I also ran a quick combofix and it deleted these:

ComboFix 12-03-18.02 - Gakki 03/19/2012 1:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2732 [GMT -6:00]
Running from: c:\documents and settings\Gakki\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\ldmtqETJLYi.exe
c:\documents and settings\Gakki\Application Data\Local
c:\documents and settings\Gakki\Local Settings\Application Data\.#
c:\documents and settings\Gakki\My Documents\DPE.DUS
.
.
((((((((((((((((((((((((( Files Created from 2012-02-19 to 2012-03-19 )))))))))))))))))))))))))))))))
.
.
2012-03-19 06:28 . 2012-03-19 06:28 592824 ---ha-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 06:28 . 2012-03-19 06:28 44472 ---ha-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-05 23:40 . 2012-03-06 07:05 -------- d--h--w- c:\program files\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d--h--w- c:\documents and settings\Gakki\Application Data\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d--h--w- c:\documents and settings\All Users\Application Data\HideIPEasy
2012-03-03 09:12 . 2012-03-03 09:12 -------- d--h--w- c:\program files\Conduit
2012-03-03 09:12 . 2012-03-03 09:14 -------- d--h--w- c:\documents and settings\Gakki\Local Settings\Application Data\Conduit
2012-02-19 20:39 . 2012-02-19 20:39 -------- d--h--w- c:\program files\Bethesda Softworks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-09 06:22 . 2011-06-22 22:47 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2008-04-14 00:00 1859968 ---ha-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 21:49 3072 ---h--w- c:\windows\system32\iacenc.dll
2012-01-05 05:20 . 2012-01-05 05:20 53248 ---ha-r- c:\documents and settings\Gakki\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-03-19 06:28 . 2011-11-04 06:10 97208 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"PlusService"="c:\program files\Yuna Software\Messenger Plus!\PlusService.exe" [2011-10-24 801792]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKAIO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1403:TCP"= 1403:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"57187:TCP"= 57187:TCP:Pando Media Booster
"57187:UDP"= 57187:UDP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/27/2011 4:36 PM 218688]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/29/2010 1:44 AM 136360]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 3:26 AM 450848]
R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 8:46 PM 22176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 11:07 AM 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-30 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=102876&gct=hp
uInternet Settings,ProxyServer = http=;ftp=;https=;
uSearchAssistant = hxxp://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Gakki\Application Data\Mozilla\Firefox\Profiles\4s79cg68.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://bleephomepage.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Browser companion helper - c:\program files\BrowserCompanion\BCHelper.exe
HKLM-Run-ldmtqETJLYi.exe - c:\documents and settings\All Users\Application Data\ldmtqETJLYi.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-19 01:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-19 01:33:30
ComboFix-quarantined-files.txt 2012-03-19 07:33
.
Pre-Run: 7,885,135,872 bytes free
Post-Run: 9,244,393,472 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E74F703CFC770AAC885A585DA118E70E


Here are the other logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_29
Run by Gakki at 3:09:11 on 2012-03-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2649 [GMT -6:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=102876&gct=hp
uInternet Settings,ProxyServer = http=;ftp=;https=;
uSearchAssistant = hxxp://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{ae07101b-46d4-4a98-af68-0333ea26e113}
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PlusService] c:\program files\yuna software\messenger plus!\PlusService.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{DFA1DA0F-CCEB-4A17-BF57-23F59E017271} : DhcpNameServer = 192.168.0.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gakki\application data\mozilla\firefox\profiles\4s79cg68.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://bleephomepage.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-29 11608]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-2-27 218688]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-29 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-29 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-29 66616]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-11-9 22176]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-19 40776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys --> c:\windows\system32\drivers\appliand.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\xdva383.sys --> c:\windows\system32\XDva383.sys [?]
.
=============== Created Last 30 ================
.
2012-03-19 08:28:44 54016 ----a-w- c:\windows\system32\drivers\vjepjm.sys
2012-03-19 07:41:13 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-19 07:26:20 -------- d-sha-r- C:\cmdcons
2012-03-19 07:25:12 98816 ----a-w- c:\windows\sed.exe
2012-03-19 07:25:12 518144 ----a-w- c:\windows\SWREG.exe
2012-03-19 07:25:12 256000 ----a-w- c:\windows\PEV.exe
2012-03-19 07:25:12 208896 ----a-w- c:\windows\MBR.exe
2012-03-19 06:28:29 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-19 06:28:29 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-05 23:40:01 -------- d-----w- c:\program files\HideIPEasy
2012-03-05 22:57:23 -------- d-----w- c:\documents and settings\gakki\application data\HideIPEasy
2012-03-05 22:57:23 -------- d-----w- c:\documents and settings\all users\application data\HideIPEasy
2012-03-03 09:12:49 -------- d-----w- c:\program files\Conduit
2012-03-03 09:12:48 -------- d-----w- c:\documents and settings\gakki\local settings\application data\Conduit
2012-02-19 20:39:30 -------- d-----w- c:\program files\Bethesda Softworks
.
==================== Find3M ====================
.
2012-03-19 08:17:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 3:09:28.40 ===============

Edited by boopme, 19 March 2012 - 03:35 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:22 PM

Posted 20 March 2012 - 11:36 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

1.Do not run any other tool untill instructed to do so!
doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools
and at worst can cause conficts with our tools and lead to unforseen things to happen2.Please Do not Attach logs or put in code boxes.
besides the time it takes me to open the reports it makes it harder to find something if I need to go back to do more research and putting them in code boxes just makes them so hard to read3. After each step give me a little feedback
It does not need to be long but just something so I know how things are going it can be something like
I am still getting redirected
The computer is running as it should
Don't put things like - it is the same as before or still the same this just makes me go back and look for you last feedback as to how things are4. read every post completely before doing anything
Pay special attention to the Notes** I have put in
These are things I have found that happen allot and can be taken care of easily just by reading the Notes**

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet spend a few minutes to backup any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me allot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

you may want to backup the whole harddrive there is some good info in the Preparation Guide on how to make full backups and how to restore it back if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Veisalgia

Veisalgia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 20 March 2012 - 11:58 PM

Thank you! I'll get back to you after following your directions.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:22 PM

Posted 21 March 2012 - 12:11 AM

:thumbup2:
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Veisalgia

Veisalgia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 21 March 2012 - 08:19 PM

About a day after I got my virus, I had another attack with the same exact thing: first, a pop up from avira warning me about TR/Crypt.XPACK.Gen3 Trojan then came multiple error screens about system 32 failing, another separate pop up asking me whether I'd like to scan my computer (which I didn't do), hidden desktop and a hidden start bar. Luckily msn was working and my friend got me links for rkill which I immediately used and followed with combofix. The log from that day is as follows (and the current log you asked me to complete is after this one, just giving more information):

ComboFix 12-03-18.04 - Gakki 03/19/2012 20:16:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2860 [GMT -6:00]
Running from: c:\documents and settings\Gakki\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\QkMNyhGuJTxqPg.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-19 07:41 . 2012-03-19 07:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-19 06:28 . 2012-03-13 04:39 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-19 06:28 . 2012-03-13 04:39 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-05 23:40 . 2012-03-06 07:05 -------- d-----w- c:\program files\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d-----w- c:\documents and settings\Gakki\Application Data\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HideIPEasy
2012-03-03 09:12 . 2012-03-03 09:12 -------- d-----w- c:\program files\Conduit
2012-03-03 09:12 . 2012-03-03 09:14 -------- d-----w- c:\documents and settings\Gakki\Local Settings\Application Data\Conduit
2012-02-19 20:39 . 2012-02-19 20:39 -------- d-----w- c:\program files\Bethesda Softworks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 08:17 . 2011-06-22 22:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2008-04-14 00:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 21:49 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-05 05:20 . 2012-01-05 05:20 53248 ----a-r- c:\documents and settings\Gakki\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-03-13 04:39 . 2011-11-04 06:10 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-19_07.30.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-20 02:09 . 2012-03-20 02:09 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
- 2001-08-23 11:00 . 2012-03-19 07:18 86952 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2012-03-20 02:13 86952 c:\windows\system32\perfc009.dat
- 2011-05-07 01:31 . 2011-12-10 22:24 20464 c:\windows\system32\drivers\mbam.sys
+ 2011-05-07 01:31 . 2011-12-10 21:24 20464 c:\windows\system32\drivers\mbam.sys
- 2001-08-23 11:00 . 2012-03-19 07:18 500942 c:\windows\system32\perfh009.dat
+ 2001-08-23 11:00 . 2012-03-20 02:13 500942 c:\windows\system32\perfh009.dat
+ 2012-03-19 08:17 . 2012-03-19 08:17 250528 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
+ 2012-03-19 08:17 . 2012-03-19 08:17 335520 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"PlusService"="c:\program files\Yuna Software\Messenger Plus!\PlusService.exe" [2011-10-24 801792]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKAIO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1403:TCP"= 1403:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"57187:TCP"= 57187:TCP:Pando Media Booster
"57187:UDP"= 57187:UDP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/27/2011 4:36 PM 218688]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/29/2010 1:44 AM 136360]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 3:26 AM 450848]
R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 8:46 PM 22176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/19/2012 1:41 AM 40776]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 11:07 AM 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-30 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=102876&gct=hp
uInternet Settings,ProxyServer = http=;ftp=;https=;
uSearchAssistant = hxxp://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Gakki\Application Data\Mozilla\Firefox\Profiles\4s79cg68.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://bleephomepage.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QkMNyhGuJTxqPg.exe - c:\documents and settings\All Users\Application Data\QkMNyhGuJTxqPg.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-19 20:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-19 20:22:09
ComboFix-quarantined-files.txt 2012-03-20 02:22
.
Pre-Run: 9,027,137,536 bytes free
Post-Run: 9,056,403,456 bytes free
.
- - End Of File - - A345DC9D3D3CAA8B839AD2E494DCB84D




After I did that, I used malwarebytes and it found the same two Rogue.FakeHDD that I never got rid of. This time I did. Since then I've had no problems, but I'm unsure that I'm in the clear. I've followed your directions today, backing up my data and doing another combofix. Log is as follows:

ComboFix 12-03-21.02 - Gakki 03/21/2012 18:56:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2948 [GMT -6:00]
Running from: c:\documents and settings\Gakki\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-22 to 2012-03-22 )))))))))))))))))))))))))))))))
.
.
2012-03-19 06:28 . 2012-03-13 04:39 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-19 06:28 . 2012-03-13 04:39 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-05 23:40 . 2012-03-06 07:05 -------- d-----w- c:\program files\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d-----w- c:\documents and settings\Gakki\Application Data\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HideIPEasy
2012-03-03 09:12 . 2012-03-03 09:12 -------- d-----w- c:\program files\Conduit
2012-03-03 09:12 . 2012-03-03 09:14 -------- d-----w- c:\documents and settings\Gakki\Local Settings\Application Data\Conduit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 08:17 . 2011-06-22 22:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-04-14 00:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 21:49 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-12-29 04:41 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-05 05:20 . 2012-01-05 05:20 53248 ----a-r- c:\documents and settings\Gakki\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-03-13 04:39 . 2011-11-04 06:10 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-19_07.30.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-21 23:55 . 2012-03-21 23:55 16384 c:\windows\Temp\Perflib_Perfdata_564.dat
+ 2001-08-23 11:00 . 2012-03-21 23:59 86952 c:\windows\system32\perfc009.dat
- 2001-08-23 11:00 . 2012-03-19 07:18 86952 c:\windows\system32\perfc009.dat
+ 2011-05-07 01:31 . 2011-12-10 21:24 20464 c:\windows\system32\drivers\mbam.sys
- 2011-05-07 01:31 . 2011-12-10 22:24 20464 c:\windows\system32\drivers\mbam.sys
+ 2011-01-04 00:29 . 2012-03-21 16:20 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2001-08-23 11:00 . 2012-03-19 07:18 500942 c:\windows\system32\perfh009.dat
+ 2001-08-23 11:00 . 2012-03-21 23:59 500942 c:\windows\system32\perfh009.dat
+ 2012-03-19 08:17 . 2012-03-19 08:17 250528 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
+ 2012-03-19 08:17 . 2012-03-19 08:17 335520 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.dll
- 2010-12-28 21:34 . 2012-02-16 21:21 270984 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-28 21:34 . 2012-03-21 23:54 270984 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-29 04:41 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
- 2011-01-04 00:29 . 2012-03-02 16:00 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-04-14 00:00 . 2012-02-03 09:22 1860096 c:\windows\system32\dllcache\win32k.sys
+ 2012-03-01 05:45 . 2012-03-01 05:45 4989440 c:\windows\Installer\7d5652.msp
+ 2011-01-04 00:29 . 2012-03-21 16:20 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"PlusService"="c:\program files\Yuna Software\Messenger Plus!\PlusService.exe" [2011-10-24 801792]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKAIO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1403:TCP"= 1403:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"57187:TCP"= 57187:TCP:Pando Media Booster
"57187:UDP"= 57187:UDP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/27/2011 4:36 PM 218688]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/29/2010 1:44 AM 136360]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 3:26 AM 450848]
R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 8:46 PM 22176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 11:07 AM 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-30 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=102876&gct=hp
uInternet Settings,ProxyServer = http=;ftp=;https=;
uSearchAssistant = hxxp://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Gakki\Application Data\Mozilla\Firefox\Profiles\4s79cg68.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://bleephomepage.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-21 19:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-21 19:03:47
ComboFix-quarantined-files.txt 2012-03-22 01:03
.
Pre-Run: 8,435,888,128 bytes free
Post-Run: 8,422,998,016 bytes free
.
- - End Of File - - A33906E30AC652E81CCBF02BAF71C186

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:22 PM

Posted 21 March 2012 - 08:29 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Veisalgia

Veisalgia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 21 March 2012 - 11:23 PM

I've followed your directions for both TDSSKiller and aswMBR and ran into no issues. Reports are as follows:

20:11:42.0953 3552 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
20:11:43.0593 3552 ============================================================
20:11:43.0593 3552 Current date / time: 2012/03/21 20:11:43.0593
20:11:43.0593 3552 SystemInfo:
20:11:43.0593 3552
20:11:43.0593 3552 OS Version: 5.1.2600 ServicePack: 3.0
20:11:43.0593 3552 Product type: Workstation
20:11:43.0593 3552 ComputerName: BEE
20:11:43.0593 3552 UserName: Gakki
20:11:43.0593 3552 Windows directory: C:\WINDOWS
20:11:43.0593 3552 System windows directory: C:\WINDOWS
20:11:43.0593 3552 Processor architecture: Intel x86
20:11:43.0593 3552 Number of processors: 2
20:11:43.0593 3552 Page size: 0x1000
20:11:43.0593 3552 Boot type: Normal boot
20:11:43.0593 3552 ============================================================
20:11:44.0593 3552 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
20:11:44.0593 3552 \Device\Harddisk0\DR0:
20:11:44.0593 3552 MBR used
20:11:44.0593 3552 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
20:11:44.0609 3552 Initialize success
20:11:44.0609 3552 ============================================================
20:11:45.0968 1480 ============================================================
20:11:45.0968 1480 Scan started
20:11:45.0968 1480 Mode: Manual;
20:11:45.0968 1480 ============================================================
20:11:46.0390 1480 Abiosdsk - ok
20:11:46.0406 1480 abp480n5 - ok
20:11:46.0421 1480 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:11:46.0437 1480 ACPI - ok
20:11:46.0453 1480 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:11:46.0468 1480 ACPIEC - ok
20:11:46.0468 1480 ADIDTSFiltService - ok
20:11:46.0500 1480 ADIHdAudAddService (0158f4027c0808ff65ed3b3d683339c9) C:\WINDOWS\system32\drivers\ADIHdAud.sys
20:11:46.0500 1480 ADIHdAudAddService - ok
20:11:46.0515 1480 adpu160m - ok
20:11:46.0531 1480 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
20:11:46.0531 1480 AEAudio - ok
20:11:46.0578 1480 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:11:46.0593 1480 aec - ok
20:11:46.0640 1480 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:11:46.0640 1480 AFD - ok
20:11:46.0656 1480 Aha154x - ok
20:11:46.0656 1480 aic78u2 - ok
20:11:46.0671 1480 aic78xx - ok
20:11:46.0687 1480 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
20:11:46.0687 1480 Alerter - ok
20:11:46.0734 1480 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
20:11:46.0750 1480 ALG - ok
20:11:46.0750 1480 AliIde - ok
20:11:46.0765 1480 amsint - ok
20:11:46.0843 1480 AntiVirSchedulerService (b4837fe56d76b2e9ea90e5365cf6a2be) C:\Program Files\Avira\AntiVir Desktop\sched.exe
20:11:46.0843 1480 AntiVirSchedulerService - ok
20:11:46.0875 1480 AntiVirService (df5a3016052755c910a206058b4a1729) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
20:11:46.0875 1480 AntiVirService - ok
20:11:46.0890 1480 appliandMP - ok
20:11:46.0906 1480 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
20:11:46.0921 1480 AppMgmt - ok
20:11:46.0937 1480 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:11:46.0937 1480 Arp1394 - ok
20:11:46.0953 1480 asc - ok
20:11:46.0953 1480 asc3350p - ok
20:11:46.0968 1480 asc3550 - ok
20:11:47.0046 1480 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
20:11:47.0046 1480 aspnet_state - ok
20:11:47.0062 1480 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:11:47.0062 1480 AsyncMac - ok
20:11:47.0093 1480 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:11:47.0093 1480 atapi - ok
20:11:47.0093 1480 Atdisk - ok
20:11:47.0125 1480 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:11:47.0140 1480 Atmarpc - ok
20:11:47.0156 1480 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
20:11:47.0156 1480 AudioSrv - ok
20:11:47.0171 1480 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:11:47.0171 1480 audstub - ok
20:11:47.0234 1480 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
20:11:47.0250 1480 avgio - ok
20:11:47.0250 1480 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
20:11:47.0265 1480 avgntflt - ok
20:11:47.0281 1480 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
20:11:47.0281 1480 avipbb - ok
20:11:47.0312 1480 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:11:47.0312 1480 Beep - ok
20:11:47.0343 1480 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
20:11:47.0359 1480 BITS - ok
20:11:47.0453 1480 Bonjour Service (f2060a34c8a75bc24a9222eb4f8c07bd) C:\Program Files\Bonjour\mDNSResponder.exe
20:11:47.0453 1480 Bonjour Service - ok
20:11:47.0484 1480 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
20:11:47.0500 1480 Browser - ok
20:11:47.0593 1480 catchme - ok
20:11:47.0625 1480 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:11:47.0625 1480 cbidf2k - ok
20:11:47.0656 1480 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:11:47.0656 1480 CCDECODE - ok
20:11:47.0656 1480 cd20xrnt - ok
20:11:47.0703 1480 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:11:47.0703 1480 Cdaudio - ok
20:11:47.0750 1480 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:11:47.0765 1480 Cdfs - ok
20:11:47.0781 1480 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:11:47.0781 1480 Cdrom - ok
20:11:47.0796 1480 Changer - ok
20:11:47.0812 1480 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
20:11:47.0812 1480 CiSvc - ok
20:11:47.0812 1480 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
20:11:47.0828 1480 ClipSrv - ok
20:11:47.0890 1480 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
20:11:47.0906 1480 clr_optimization_v2.0.50727_32 - ok
20:11:47.0953 1480 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
20:11:47.0953 1480 clr_optimization_v4.0.30319_32 - ok
20:11:47.0968 1480 CmdIde - ok
20:11:48.0000 1480 CompFilter (bc6b87086ff0d99f87fe8af9a919a1e7) C:\WINDOWS\system32\DRIVERS\lvbusflt.sys
20:11:48.0015 1480 CompFilter - ok
20:11:48.0015 1480 COMSysApp - ok
20:11:48.0031 1480 Cpqarray - ok
20:11:48.0046 1480 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
20:11:48.0062 1480 CryptSvc - ok
20:11:48.0062 1480 dac2w2k - ok
20:11:48.0078 1480 dac960nt - ok
20:11:48.0109 1480 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
20:11:48.0125 1480 DcomLaunch - ok
20:11:48.0125 1480 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
20:11:48.0140 1480 Dhcp - ok
20:11:48.0156 1480 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:11:48.0156 1480 Disk - ok
20:11:48.0171 1480 dmadmin - ok
20:11:48.0203 1480 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:11:48.0203 1480 dmboot - ok
20:11:48.0218 1480 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:11:48.0234 1480 dmio - ok
20:11:48.0250 1480 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:11:48.0250 1480 dmload - ok
20:11:48.0265 1480 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
20:11:48.0265 1480 dmserver - ok
20:11:48.0296 1480 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:11:48.0312 1480 DMusic - ok
20:11:48.0343 1480 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
20:11:48.0343 1480 Dnscache - ok
20:11:48.0359 1480 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
20:11:48.0375 1480 Dot3svc - ok
20:11:48.0375 1480 dpti2o - ok
20:11:48.0406 1480 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:11:48.0406 1480 drmkaud - ok
20:11:48.0453 1480 dtsoftbus01 (555e54ac2f601a8821cef58961653991) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
20:11:48.0468 1480 dtsoftbus01 - ok
20:11:48.0484 1480 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
20:11:48.0484 1480 EapHost - ok
20:11:48.0500 1480 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
20:11:48.0500 1480 ERSvc - ok
20:11:48.0546 1480 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
20:11:48.0562 1480 Eventlog - ok
20:11:48.0593 1480 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
20:11:48.0593 1480 EventSystem - ok
20:11:48.0609 1480 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:11:48.0609 1480 Fastfat - ok
20:11:48.0687 1480 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
20:11:48.0687 1480 FastUserSwitchingCompatibility - ok
20:11:48.0734 1480 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:11:48.0734 1480 Fdc - ok
20:11:48.0765 1480 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:11:48.0781 1480 Fips - ok
20:11:48.0781 1480 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:11:48.0796 1480 Flpydisk - ok
20:11:48.0828 1480 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:11:48.0828 1480 FltMgr - ok
20:11:48.0890 1480 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
20:11:48.0906 1480 FontCache3.0.0.0 - ok
20:11:48.0921 1480 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:11:48.0921 1480 Fs_Rec - ok
20:11:48.0937 1480 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:11:48.0937 1480 Ftdisk - ok
20:11:48.0968 1480 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:11:48.0968 1480 Gpc - ok
20:11:49.0015 1480 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
20:11:49.0015 1480 hamachi - ok
20:11:49.0046 1480 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:11:49.0046 1480 HDAudBus - ok
20:11:49.0093 1480 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
20:11:49.0109 1480 helpsvc - ok
20:11:49.0156 1480 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
20:11:49.0156 1480 HidServ - ok
20:11:49.0187 1480 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:11:49.0187 1480 hidusb - ok
20:11:49.0203 1480 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
20:11:49.0218 1480 hkmsvc - ok
20:11:49.0281 1480 hpn - ok
20:11:49.0312 1480 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
20:11:49.0312 1480 HPZid412 - ok
20:11:49.0328 1480 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
20:11:49.0343 1480 HPZipr12 - ok
20:11:49.0359 1480 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
20:11:49.0359 1480 HPZius12 - ok
20:11:49.0390 1480 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:11:49.0390 1480 HTTP - ok
20:11:49.0421 1480 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
20:11:49.0437 1480 HTTPFilter - ok
20:11:49.0437 1480 i2omgmt - ok
20:11:49.0453 1480 i2omp - ok
20:11:49.0468 1480 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:11:49.0484 1480 i8042prt - ok
20:11:49.0578 1480 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
20:11:49.0578 1480 IDriverT - ok
20:11:49.0671 1480 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
20:11:49.0703 1480 idsvc - ok
20:11:49.0718 1480 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:11:49.0718 1480 Imapi - ok
20:11:49.0750 1480 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
20:11:49.0750 1480 ImapiService - ok
20:11:49.0765 1480 ini910u - ok
20:11:49.0781 1480 IntelIde - ok
20:11:49.0796 1480 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:11:49.0796 1480 Ip6Fw - ok
20:11:49.0828 1480 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:11:49.0843 1480 IpFilterDriver - ok
20:11:49.0859 1480 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:11:49.0859 1480 IpInIp - ok
20:11:49.0890 1480 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:11:49.0890 1480 IpNat - ok
20:11:49.0906 1480 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:11:49.0921 1480 IPSec - ok
20:11:49.0937 1480 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:11:49.0953 1480 IRENUM - ok
20:11:50.0000 1480 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:11:50.0000 1480 isapnp - ok
20:11:50.0156 1480 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
20:11:50.0156 1480 JavaQuickStarterService - ok
20:11:50.0171 1480 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:11:50.0171 1480 Kbdclass - ok
20:11:50.0218 1480 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:11:50.0218 1480 kbdhid - ok
20:11:50.0250 1480 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:11:50.0265 1480 kmixer - ok
20:11:50.0343 1480 Kodak AiO Network Discovery Service (27277a11db52fefae5b01dc8fb570b28) C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
20:11:50.0359 1480 Kodak AiO Network Discovery Service - ok
20:11:50.0390 1480 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:11:50.0390 1480 KSecDD - ok
20:11:50.0421 1480 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
20:11:50.0437 1480 LanmanServer - ok
20:11:50.0468 1480 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
20:11:50.0468 1480 lanmanworkstation - ok
20:11:50.0484 1480 lbrtfdc - ok
20:11:50.0515 1480 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
20:11:50.0531 1480 LmHosts - ok
20:11:50.0546 1480 lusbaudio (7029afd96c4a0c9be264bcb51f03eab7) C:\WINDOWS\system32\drivers\lvsound2.sys
20:11:50.0562 1480 lusbaudio - ok
20:11:50.0578 1480 LVBulk (085a2eeacb0dacb77b9b1ed65a4ab910) C:\WINDOWS\system32\DRIVERS\LVBulk.sys
20:11:50.0578 1480 LVBulk - ok
20:11:50.0625 1480 LVRS (7521c0c58ee91be90b6cc33e792d10c7) C:\WINDOWS\system32\DRIVERS\lvrs.sys
20:11:50.0640 1480 LVRS - ok
20:11:50.0750 1480 LVUVC (37e57c48af530df01cdd4e8a2ad77b51) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
20:11:50.0781 1480 LVUVC - ok
20:11:50.0828 1480 LVVI500A (6abba82ac2d32cd793e78406b5ba239e) C:\WINDOWS\system32\DRIVERS\lvvi500a.sys
20:11:50.0843 1480 LVVI500A - ok
20:11:50.0875 1480 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
20:11:50.0875 1480 Messenger - ok
20:11:50.0906 1480 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:11:50.0906 1480 mnmdd - ok
20:11:50.0937 1480 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
20:11:50.0937 1480 mnmsrvc - ok
20:11:50.0953 1480 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:11:50.0968 1480 Modem - ok
20:11:50.0984 1480 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:11:51.0000 1480 Mouclass - ok
20:11:51.0031 1480 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:11:51.0031 1480 mouhid - ok
20:11:51.0031 1480 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:11:51.0046 1480 MountMgr - ok
20:11:51.0046 1480 mraid35x - ok
20:11:51.0062 1480 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:11:51.0078 1480 MRxDAV - ok
20:11:51.0125 1480 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:11:51.0140 1480 MRxSmb - ok
20:11:51.0187 1480 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
20:11:51.0187 1480 MSDTC - ok
20:11:51.0203 1480 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:11:51.0203 1480 Msfs - ok
20:11:51.0203 1480 MSIServer - ok
20:11:51.0234 1480 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:11:51.0234 1480 MSKSSRV - ok
20:11:51.0265 1480 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:11:51.0265 1480 MSPCLOCK - ok
20:11:51.0265 1480 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:11:51.0265 1480 MSPQM - ok
20:11:51.0296 1480 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:11:51.0312 1480 mssmbios - ok
20:11:51.0343 1480 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
20:11:51.0343 1480 MSTEE - ok
20:11:51.0359 1480 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
20:11:51.0359 1480 MTsensor - ok
20:11:51.0375 1480 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:11:51.0390 1480 Mup - ok
20:11:51.0406 1480 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:11:51.0406 1480 NABTSFEC - ok
20:11:51.0453 1480 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
20:11:51.0453 1480 napagent - ok
20:11:51.0500 1480 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:11:51.0500 1480 NDIS - ok
20:11:51.0546 1480 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:11:51.0546 1480 NdisIP - ok
20:11:51.0578 1480 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:11:51.0578 1480 NdisTapi - ok
20:11:51.0593 1480 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:11:51.0609 1480 Ndisuio - ok
20:11:51.0656 1480 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:11:51.0656 1480 NdisWan - ok
20:11:51.0687 1480 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:11:51.0687 1480 NDProxy - ok
20:11:51.0718 1480 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:11:51.0718 1480 NetBIOS - ok
20:11:51.0765 1480 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:11:51.0765 1480 NetBT - ok
20:11:51.0796 1480 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
20:11:51.0796 1480 NetDDE - ok
20:11:51.0812 1480 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
20:11:51.0812 1480 NetDDEdsdm - ok
20:11:51.0828 1480 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:11:51.0843 1480 Netlogon - ok
20:11:51.0859 1480 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
20:11:51.0875 1480 Netman - ok
20:11:51.0937 1480 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
20:11:51.0937 1480 NetTcpPortSharing - ok
20:11:51.0968 1480 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:11:51.0968 1480 NIC1394 - ok
20:11:52.0015 1480 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
20:11:52.0015 1480 Nla - ok
20:11:52.0046 1480 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
20:11:52.0062 1480 NPF - ok
20:11:52.0078 1480 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:11:52.0078 1480 Npfs - ok
20:11:52.0093 1480 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:11:52.0109 1480 Ntfs - ok
20:11:52.0140 1480 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:11:52.0140 1480 NtLmSsp - ok
20:11:52.0171 1480 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
20:11:52.0187 1480 NtmsSvc - ok
20:11:52.0218 1480 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:11:52.0218 1480 Null - ok
20:11:52.0437 1480 nv (b9b1bb146eb9a83dcf0f5635b09d3d43) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:11:52.0500 1480 nv - ok
20:11:52.0531 1480 NVENETFD (45ba510db13a0496db1cd16826519e03) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
20:11:52.0531 1480 NVENETFD - ok
20:11:52.0546 1480 nvgts (a117466b0acb13288deee4f2e936e67f) C:\WINDOWS\system32\DRIVERS\nvgts.sys
20:11:52.0546 1480 nvgts - ok
20:11:52.0562 1480 nvnetbus (57cbdb934fb1afb7e03b413d151a6152) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
20:11:52.0562 1480 nvnetbus - ok
20:11:52.0578 1480 nvsvc (cc4f8220ead1f6a38d51679708f435b9) C:\WINDOWS\system32\nvsvc32.exe
20:11:52.0593 1480 nvsvc - ok
20:11:52.0609 1480 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:11:52.0625 1480 NwlnkFlt - ok
20:11:52.0625 1480 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:11:52.0640 1480 NwlnkFwd - ok
20:11:52.0734 1480 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
20:11:52.0750 1480 odserv - ok
20:11:52.0812 1480 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:11:52.0828 1480 ohci1394 - ok
20:11:52.0843 1480 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
20:11:52.0859 1480 ose - ok
20:11:52.0875 1480 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:11:52.0890 1480 Parport - ok
20:11:52.0890 1480 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:11:52.0906 1480 PartMgr - ok
20:11:52.0921 1480 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:11:52.0921 1480 ParVdm - ok
20:11:52.0921 1480 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:11:52.0937 1480 PCI - ok
20:11:52.0937 1480 PCIDump - ok
20:11:52.0953 1480 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:11:52.0968 1480 PCIIde - ok
20:11:52.0984 1480 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:11:52.0984 1480 Pcmcia - ok
20:11:53.0000 1480 PDCOMP - ok
20:11:53.0000 1480 PDFRAME - ok
20:11:53.0015 1480 PDRELI - ok
20:11:53.0031 1480 PDRFRAME - ok
20:11:53.0031 1480 perc2 - ok
20:11:53.0046 1480 perc2hib - ok
20:11:53.0093 1480 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
20:11:53.0093 1480 PlugPlay - ok
20:11:53.0125 1480 Pml Driver HPZ12 (5c1cadd1cb67c0b9d8a84ec6e4d6b5cc) C:\WINDOWS\system32\HPZipm12.exe
20:11:53.0140 1480 Pml Driver HPZ12 - ok
20:11:53.0156 1480 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:11:53.0156 1480 PolicyAgent - ok
20:11:53.0171 1480 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:11:53.0171 1480 PptpMiniport - ok
20:11:53.0187 1480 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
20:11:53.0203 1480 Processor - ok
20:11:53.0203 1480 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:11:53.0203 1480 ProtectedStorage - ok
20:11:53.0218 1480 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:11:53.0234 1480 PSched - ok
20:11:53.0250 1480 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:11:53.0250 1480 Ptilink - ok
20:11:53.0265 1480 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:11:53.0281 1480 PxHelp20 - ok
20:11:53.0281 1480 ql1080 - ok
20:11:53.0296 1480 Ql10wnt - ok
20:11:53.0296 1480 ql12160 - ok
20:11:53.0312 1480 ql1240 - ok
20:11:53.0328 1480 ql1280 - ok
20:11:53.0328 1480 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:11:53.0343 1480 RasAcd - ok
20:11:53.0359 1480 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
20:11:53.0359 1480 RasAuto - ok
20:11:53.0375 1480 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:11:53.0390 1480 Rasl2tp - ok
20:11:53.0406 1480 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
20:11:53.0421 1480 RasMan - ok
20:11:53.0421 1480 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:11:53.0437 1480 RasPppoe - ok
20:11:53.0437 1480 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:11:53.0453 1480 Raspti - ok
20:11:53.0453 1480 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:11:53.0468 1480 Rdbss - ok
20:11:53.0484 1480 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:11:53.0484 1480 RDPCDD - ok
20:11:53.0531 1480 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:11:53.0531 1480 rdpdr - ok
20:11:53.0593 1480 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
20:11:53.0593 1480 RDPWD - ok
20:11:53.0609 1480 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
20:11:53.0625 1480 RDSessMgr - ok
20:11:53.0640 1480 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:11:53.0656 1480 redbook - ok
20:11:53.0687 1480 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
20:11:53.0703 1480 RemoteAccess - ok
20:11:53.0750 1480 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
20:11:53.0750 1480 RemoteRegistry - ok
20:11:53.0796 1480 rpcapd (b60f58f175de20a6739194e85b035178) C:\Program Files\WinPcap\rpcapd.exe
20:11:53.0812 1480 rpcapd - ok
20:11:53.0828 1480 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
20:11:53.0843 1480 RpcLocator - ok
20:11:53.0890 1480 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
20:11:53.0890 1480 RpcSs - ok
20:11:53.0921 1480 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
20:11:53.0921 1480 RSVP - ok
20:11:53.0968 1480 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:11:53.0968 1480 SamSs - ok
20:11:54.0000 1480 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
20:11:54.0000 1480 SCardSvr - ok
20:11:54.0062 1480 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
20:11:54.0078 1480 Schedule - ok
20:11:54.0093 1480 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:11:54.0093 1480 Secdrv - ok
20:11:54.0109 1480 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
20:11:54.0109 1480 seclogon - ok
20:11:54.0156 1480 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
20:11:54.0156 1480 SenFiltService - ok
20:11:54.0171 1480 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
20:11:54.0187 1480 SENS - ok
20:11:54.0203 1480 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:11:54.0203 1480 serenum - ok
20:11:54.0218 1480 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:11:54.0218 1480 Serial - ok
20:11:54.0250 1480 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:11:54.0250 1480 Sfloppy - ok
20:11:54.0281 1480 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
20:11:54.0296 1480 SharedAccess - ok
20:11:54.0343 1480 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
20:11:54.0343 1480 ShellHWDetection - ok
20:11:54.0343 1480 Simbad - ok
20:11:54.0390 1480 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:11:54.0390 1480 SLIP - ok
20:11:54.0406 1480 Sparrow - ok
20:11:54.0437 1480 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:11:54.0437 1480 splitter - ok
20:11:54.0484 1480 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
20:11:54.0484 1480 Spooler - ok
20:11:54.0515 1480 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:11:54.0515 1480 sr - ok
20:11:54.0531 1480 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
20:11:54.0546 1480 srservice - ok
20:11:54.0578 1480 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:11:54.0578 1480 Srv - ok
20:11:54.0625 1480 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
20:11:54.0625 1480 SSDPSRV - ok
20:11:54.0656 1480 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
20:11:54.0671 1480 ssmdrv - ok
20:11:54.0703 1480 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
20:11:54.0718 1480 stisvc - ok
20:11:54.0750 1480 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:11:54.0750 1480 streamip - ok
20:11:54.0765 1480 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:11:54.0765 1480 swenum - ok
20:11:54.0796 1480 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:11:54.0796 1480 swmidi - ok
20:11:54.0812 1480 SwPrv - ok
20:11:54.0812 1480 symc810 - ok
20:11:54.0828 1480 symc8xx - ok
20:11:54.0828 1480 sym_hi - ok
20:11:54.0843 1480 sym_u3 - ok
20:11:54.0875 1480 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:11:54.0875 1480 sysaudio - ok
20:11:54.0921 1480 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
20:11:54.0937 1480 SysmonLog - ok
20:11:54.0953 1480 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
20:11:54.0968 1480 TapiSrv - ok
20:11:55.0000 1480 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:11:55.0015 1480 Tcpip - ok
20:11:55.0031 1480 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:11:55.0046 1480 TDPIPE - ok
20:11:55.0062 1480 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:11:55.0062 1480 TDTCP - ok
20:11:55.0093 1480 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:11:55.0093 1480 TermDD - ok
20:11:55.0125 1480 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
20:11:55.0140 1480 TermService - ok
20:11:55.0187 1480 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
20:11:55.0187 1480 Themes - ok
20:11:55.0218 1480 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
20:11:55.0234 1480 TlntSvr - ok
20:11:55.0234 1480 TosIde - ok
20:11:55.0265 1480 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
20:11:55.0265 1480 TrkWks - ok
20:11:55.0296 1480 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:11:55.0296 1480 Udfs - ok
20:11:55.0296 1480 ultra - ok
20:11:55.0406 1480 UMVPFSrv (927754abf077aeb5504be4e0f2c60c1b) C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
20:11:55.0421 1480 UMVPFSrv - ok
20:11:55.0453 1480 UMWdf (ab0a7ca90d9e3d6a193905dc1715ded0) C:\WINDOWS\system32\wdfmgr.exe
20:11:55.0468 1480 UMWdf - ok
20:11:55.0500 1480 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:11:55.0515 1480 Update - ok
20:11:55.0531 1480 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
20:11:55.0546 1480 upnphost - ok
20:11:55.0546 1480 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
20:11:55.0546 1480 UPS - ok
20:11:55.0562 1480 USBAAPL - ok
20:11:55.0593 1480 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
20:11:55.0593 1480 usbaudio - ok
20:11:55.0625 1480 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:11:55.0625 1480 usbccgp - ok
20:11:55.0640 1480 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:11:55.0656 1480 usbehci - ok
20:11:55.0656 1480 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:11:55.0671 1480 usbhub - ok
20:11:55.0687 1480 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
20:11:55.0687 1480 usbohci - ok
20:11:55.0718 1480 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:11:55.0718 1480 usbprint - ok
20:11:55.0734 1480 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:11:55.0750 1480 usbscan - ok
20:11:55.0765 1480 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:11:55.0765 1480 USBSTOR - ok
20:11:55.0812 1480 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
20:11:55.0828 1480 usbvideo - ok
20:11:55.0859 1480 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:11:55.0859 1480 VgaSave - ok
20:11:55.0875 1480 ViaIde - ok
20:11:55.0890 1480 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:11:55.0890 1480 VolSnap - ok
20:11:55.0921 1480 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
20:11:55.0921 1480 VSS - ok
20:11:55.0953 1480 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
20:11:55.0953 1480 W32Time - ok
20:11:56.0000 1480 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:11:56.0000 1480 Wanarp - ok
20:11:56.0015 1480 WDICA - ok
20:11:56.0062 1480 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:11:56.0062 1480 wdmaud - ok
20:11:56.0093 1480 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
20:11:56.0109 1480 WebClient - ok
20:11:56.0171 1480 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
20:11:56.0171 1480 winmgmt - ok
20:11:56.0218 1480 WmdmPmSN (140ef97b64f560fd78643cae2cdad838) C:\WINDOWS\system32\MsPMSNSv.dll
20:11:56.0218 1480 WmdmPmSN - ok
20:11:56.0250 1480 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
20:11:56.0265 1480 Wmi - ok
20:11:56.0296 1480 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
20:11:56.0296 1480 WmiApSrv - ok
20:11:56.0390 1480 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
20:11:56.0406 1480 WPFFontCache_v0400 - ok
20:11:56.0421 1480 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:11:56.0437 1480 WS2IFSL - ok
20:11:56.0453 1480 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
20:11:56.0468 1480 wscsvc - ok
20:11:56.0484 1480 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:11:56.0484 1480 WSTCODEC - ok
20:11:56.0515 1480 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
20:11:56.0515 1480 wuauserv - ok
20:11:56.0546 1480 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
20:11:56.0546 1480 WZCSVC - ok
20:11:56.0562 1480 XDva383 - ok
20:11:56.0578 1480 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
20:11:56.0593 1480 xmlprov - ok
20:11:56.0625 1480 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:11:56.0750 1480 \Device\Harddisk0\DR0 - ok
20:11:56.0750 1480 Boot (0x1200) (6eb3667b1ea5dc9a39cc17bb1ec55d44) \Device\Harddisk0\DR0\Partition0
20:11:56.0750 1480 \Device\Harddisk0\DR0\Partition0 - ok
20:11:56.0765 1480 ============================================================
20:11:56.0765 1480 Scan finished
20:11:56.0765 1480 ============================================================
20:11:56.0765 0332 Detected object count: 0
20:11:56.0765 0332 Actual detected object count: 0




aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-21 20:13:53
-----------------------------
20:13:53.687 OS Version: Windows 5.1.2600 Service Pack 3
20:13:53.687 Number of processors: 2 586 0x6B02
20:13:53.687 ComputerName: BEE UserName:
20:13:54.171 Initialize success
20:16:50.171 AVAST engine defs: 12032000
20:43:41.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port4Path0Target0Lun0
20:43:41.828 Disk 0 Vendor: WDC_WD16 05.0 Size: 152627MB BusType: 1
20:43:41.843 Disk 0 MBR read successfully
20:43:41.859 Disk 0 MBR scan
20:43:41.906 Disk 0 Windows XP default MBR code
20:43:41.921 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
20:43:41.921 Disk 0 scanning sectors +312560640
20:43:42.000 Disk 0 scanning C:\WINDOWS\system32\drivers
20:43:49.890 Service scanning
20:44:03.265 Modules scanning
20:44:07.265 Disk 0 trace - called modules:
20:44:07.265 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
20:44:07.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad1a030]
20:44:07.265 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8ad1b920]
20:44:07.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port4Path0Target0Lun0[0x8ad1ba38]
20:44:07.875 AVAST engine scan C:\WINDOWS
20:44:21.046 AVAST engine scan C:\WINDOWS\system32
20:48:01.421 AVAST engine scan C:\WINDOWS\system32\drivers
20:48:13.484 AVAST engine scan C:\Documents and Settings\Gakki
21:19:22.171 AVAST engine scan C:\Documents and Settings\All Users
21:20:19.906 Scan finished successfully
22:21:44.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gakki\Desktop\MBR.dat"
22:21:44.812 The log file has been saved successfully to "C:\Documents and Settings\Gakki\Desktop\aswMBR.txt"

Edited by Veisalgia, 21 March 2012 - 11:24 PM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:22 PM

Posted 22 March 2012 - 12:00 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Folder::
c:\program files\Conduit
c:\documents and settings\Gakki\Local Settings\Application Data\Conduit

DDS::
uStart Page = hxxp://www.ask.com/?l=dis&o=102876&gct=hp

FireFox::
FF - ProfilePath - c:\documents and settings\Gakki\Application Data\Mozilla\Firefox\Profiles\4s79cg68.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Veisalgia

Veisalgia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 22 March 2012 - 12:40 AM

I used the CFScript and ran ComboFix again. I had no issues and my PC is still doing alright. Log is as follows:

ComboFix 12-03-21.02 - Gakki 03/21/2012 23:10:10.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2770 [GMT -6:00]
Running from: c:\documents and settings\Gakki\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gakki\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gakki\Local Settings\Application Data\Conduit
c:\program files\Conduit
c:\program files\Conduit\Community Alerts\Alert.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-22 to 2012-03-22 )))))))))))))))))))))))))))))))
.
.
2012-03-19 06:28 . 2012-03-13 04:39 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-19 06:28 . 2012-03-13 04:39 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-05 23:40 . 2012-03-06 07:05 -------- d-----w- c:\program files\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d-----w- c:\documents and settings\Gakki\Application Data\HideIPEasy
2012-03-05 22:57 . 2012-03-05 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HideIPEasy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 08:17 . 2011-06-22 22:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-04-14 00:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 21:49 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-12-29 04:41 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-05 05:20 . 2012-01-05 05:20 53248 ----a-r- c:\documents and settings\Gakki\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-03-13 04:39 . 2011-11-04 06:10 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-19_07.30.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-22 05:15 . 2012-03-22 05:15 16384 c:\windows\temp\Perflib_Perfdata_35c.dat
+ 2001-08-23 11:00 . 2012-03-21 23:59 86952 c:\windows\system32\perfc009.dat
- 2001-08-23 11:00 . 2012-03-19 07:18 86952 c:\windows\system32\perfc009.dat
+ 2011-05-07 01:31 . 2011-12-10 21:24 20464 c:\windows\system32\drivers\mbam.sys
- 2011-05-07 01:31 . 2011-12-10 22:24 20464 c:\windows\system32\drivers\mbam.sys
+ 2011-01-04 00:29 . 2012-03-21 16:20 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2001-08-23 11:00 . 2012-03-19 07:18 500942 c:\windows\system32\perfh009.dat
+ 2001-08-23 11:00 . 2012-03-21 23:59 500942 c:\windows\system32\perfh009.dat
+ 2012-03-19 08:17 . 2012-03-19 08:17 250528 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
+ 2012-03-19 08:17 . 2012-03-19 08:17 335520 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.dll
- 2010-12-28 21:34 . 2012-02-16 21:21 270984 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-28 21:34 . 2012-03-21 23:54 270984 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-29 04:41 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
- 2011-01-04 00:29 . 2012-03-02 16:00 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-04-14 00:00 . 2012-02-03 09:22 1860096 c:\windows\system32\dllcache\win32k.sys
+ 2012-03-01 05:45 . 2012-03-01 05:45 4989440 c:\windows\Installer\7d5652.msp
+ 2011-01-04 00:29 . 2012-03-21 16:20 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-01-04 00:29 . 2012-03-21 16:20 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2011-01-04 00:29 . 2012-03-02 16:00 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"PlusService"="c:\program files\Yuna Software\Messenger Plus!\PlusService.exe" [2011-10-24 801792]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKAIO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1403:TCP"= 1403:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"57187:TCP"= 57187:TCP:Pando Media Booster
"57187:UDP"= 57187:UDP:Pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/27/2011 4:36 PM 218688]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/29/2010 1:44 AM 136360]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 3:26 AM 450848]
R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 8:46 PM 22176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 11:07 AM 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-30 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=;ftp=;https=;
uSearchAssistant = hxxp://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Gakki\Application Data\Mozilla\Firefox\Profiles\4s79cg68.default\
FF - prefs.js: browser.startup.homepage - hxxp://bleephomepage.com/
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-21 23:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2012-03-21 23:18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-22 05:18
ComboFix2.txt 2012-03-22 01:03
.
Pre-Run: 8,837,455,872 bytes free
Post-Run: 8,971,804,672 bytes free
.
- - End Of File - - C533F57245F098F21C4E846A2608A505

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:22 PM

Posted 22 March 2012 - 01:52 AM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Veisalgia

Veisalgia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 22 March 2012 - 01:59 AM

Report:

µTorrent
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
Adobe Shockwave Player 11.6
aioscnnr
Anki
ArtRage 2
Avira AntiVir Personal - Free Antivirus
Bonjour
C4USelfUpdater
CameraHelperMsi
center
Combined Community Codec Pack 2010-10-10
DAEMON Tools Lite
DivX Setup
erLT
essentials
flashripbasic
Fotosizer 1.31
Hide IP Easy
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Japanese Fonts Support For Adobe Reader X
Java Auto Updater
Java™ 6 Update 29
K-Lite Codec Pack 7.2.0 (Full)
KeyHoleTV
Kodak AIO Printer
KODAK AiO Software
Logitech QuickCam
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes Anti-Malware version 1.60.1.1000
Media Player Classic - Home Cinema v1.4.2499.0
Messenger Plus! 5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Morrowind
Mozilla Firefox 11.0 (x86 en-US)
Mp3tag v2.48
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
NVIDIA Control Panel 260.99
NVIDIA Drivers
NVIDIA Graphics Driver 260.99
NVIDIA Install Application
NVIDIA nView 135.36
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
Pando Media Booster
PreReq
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2586448)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647516)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Segoe UI
Skype™ 5.5
SoundMAX
SUPER © v2011.build.48 (April 23, 2011) version v2011.build.48
swMSM
TES Construction Set
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.10
WebFldrs XP
Winamp
WinDjView 1.0.3
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
WinPcap 4.1.2
WinRAR 4.00 beta 3 (32-bit)
Xvid 1.3.0
Yahoo! Detect
Zoner Photo Studio 14 FREE

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:22 PM

Posted 22 March 2012 - 02:20 AM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

µTorrent
Java™ 6 Update 29
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Veisalgia

Veisalgia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 22 March 2012 - 11:04 AM

I ran MBAM and Hijack This and have had no problems. PC is running OK. Logs are as followed:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.22.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Gakki :: BEE [administrator]

3/22/2012 9:34:42 AM
mbam-log-2012-03-22 (09-34-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 176632
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:02:37 AM, on 3/22/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=;ftp=;https=;
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DivX Download Manager] "C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PlusService] C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKAIO2StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 8080 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:22 PM

Posted 22 March 2012 - 04:19 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
      O4 - HKLM\..\Run: [DivX Download Manager] "C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" start
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [PlusService] C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
      O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Veisalgia

Veisalgia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 22 March 2012 - 09:51 PM

I did the eset scanner and it gave me no log. However, it did say that there are no threats found.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users