
I think my browser is hijacked!


  • This topic is locked
12 replies to this topic

#1 Mike Millz


  • Members
  • 5 posts

Posted 21 March 2012 - 07:53 AM

Hello, and thanks for any help in advance. I have a Gateway PC with Windows XP Pro. My computer was running fine until 2 days ago. Now my PC runs slower, and there's a delay to everything I do, which I didn't have before. Whenever I open up IE, no matter what I click on, I get a popup IE window redirecting me to some rogue site.
Here is a copy of my HT logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:30:53 AM, on 3/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
\.\globalroot\C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office14\GROOVEEX.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MI1933~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
O18 - Protocol: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: NecUsb3Sevices - USB3Sw32.dll (file missing)
O20 - Winlogon Notify: USB3Sw32 - USB3Sw32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 5955 bytes

Edit: I wanted to add that whenever I click a link in IE I get a popup redirected to mevio.com.

Edited by Mike Millz, 21 March 2012 - 12:40 PM.
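As an added illustration (not part of this thread, and not HijackThis's own logic), the script below parses HijackThis-style log text like the one posted above and pulls out the lines a responder would look at first. The heuristics are assumptions of this example, chosen from what is visible in the posted log: a running process listed under a `\.\globalroot\` device path instead of a plain drive letter (the ordinary svchost.exe is listed from C:\WINDOWS\system32\), O20 Winlogon Notify entries whose DLL is reported as "(file missing)", and O18 protocol handlers whose file is missing. The sample log embedded in the script is a constructed subset of the posted one.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from the thread or from HijackThis. The flagging
heuristics are this example's own assumptions; they only point at entries
worth a closer look, they do not classify anything as malicious.
"""
import re

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
\.\globalroot\C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: NecUsb3Sevices - USB3Sw32.dll (file missing)
O20 - Winlogon Notify: USB3Sw32 - USB3Sw32.dll (file missing)
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
"""

# HijackThis entries look like "O20 - <body>", "R1 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[ORF]\d+) - (?P<body>.*)$")


def is_globalroot_path(path):
    """True when a process path starts with the globalroot device prefix.

    Accepts both "\\\\.\\globalroot\\..." and the single-backslash form that
    appears in pasted logs, by stripping leading backslashes before comparing.
    """
    return path.lstrip("\\").lower().startswith(".\\globalroot\\")


def parse_log(text):
    """Split a HijackThis log into (process paths, [(kind, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            # A blank line ends the process list in this log format.
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def flag_entries(text):
    """Return (reason, line) pairs for entries that merit a closer look."""
    processes, entries = parse_log(text)
    flagged = []
    for p in processes:
        # A device-path prefix in front of a normal drive letter is not how
        # processes are ordinarily listed; it obscures which file really runs.
        if is_globalroot_path(p):
            flagged.append(("process listed under a globalroot device path", p))
    for kind, body in entries:
        if kind == "O20" and "(file missing)" in body:
            flagged.append(("Winlogon Notify entry pointing at a missing DLL",
                            f"{kind} - {body}"))
        elif kind == "O18" and "(file missing)" in body:
            flagged.append(("protocol handler whose DLL is missing",
                            f"{kind} - {body}"))
    return flagged


if __name__ == "__main__":
    for reason, line in flag_entries(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run it on a saved log with `flag_entries(open("hijackthis.log").read())`; the output is a starting point for the kind of review a Malware Response Team member does by hand, not a verdict.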



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 March 2012 - 02:57 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

1. Do not run any other tool until instructed to do so!
   Doing so will at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
   Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
   It does not need to be long, but just something so I know how things are going. It can be something like:
   I am still getting redirected
   The computer is running as it should
   Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
   Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable, and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Download DDS and save it to your desktop
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Mike Millz

  • Topic Starter
  • Members
  • 5 posts

Posted 23 March 2012 - 06:58 AM

Hello Gringo, thanks for taking the time to help. Below is a copy of the DDS log you requested.
Basically, the problem I'm having is with the IE browser. Whenever I click on a link, sometimes I will get redirected to some rogue site, or I will get a popup to some rogue site that usually says "advertisement" in the address bar. I have tried every fix imaginable before coming to this site. I have tried in "safe mode" as well, with the same results.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Gateway E4500E at 7:48:22 on 2012-03-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.705 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{94E57F1A-B843-4DA4-A848-9201BAEDAEBE} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2008-4-14 14336]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2011-10-4 20160]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.SYS [2004-10-27 22144]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-2-22 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-2-22 3072]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-3-21 25888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-21 40776]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 prwntdrv;prwntdrv;c:\windows\system32\prwntdrv.sys [2012-2-22 13064]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2012-2-13 1248256]
.
=============== Created Last 30 ================
.
2012-03-22 15:54:54 22032 ----a-w- c:\windows\DCEBoot.exe
2012-03-22 15:54:54 102400 ----a-w- c:\windows\RegBootClean.exe
2012-03-22 15:21:21 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-03-22 14:55:34 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-22 13:08:07 -------- d-----w- C:\_OTM
2012-03-21 17:39:02 25888 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-03-21 17:11:15 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-03-21 13:29:46 388096 ----a-r- c:\documents and settings\gateway e4500e\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-21 13:29:46 -------- d-----w- c:\program files\Trend Micro
2012-03-21 12:36:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-21 12:36:22 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 00:19:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-20 14:04:16 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-20 14:04:16 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-20 14:03:41 -------- d-----w- c:\documents and settings\gateway e4500e\application data\Windows Desktop Search
2012-03-19 11:51:56 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-03-09 15:42:01 -------- d-----w- c:\program files\common files\Macrovision Shared
2012-03-09 11:59:41 -------- d-----w- c:\documents and settings\all users\application data\ALM
2012-03-09 11:51:39 -------- d-----w- c:\documents and settings\gateway e4500e\Adobe Flash Builder 4.5
2012-03-08 15:41:29 -------- d-----w- c:\program files\Adobe Download Assistant
2012-03-08 14:22:59 -------- d-----w- c:\program files\My Company Name
2012-03-07 03:34:38 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2012-03-06 16:16:24 -------- d-----w- c:\documents and settings\gateway e4500e\application data\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-02-27 22:15:17 -------- d-----w- c:\documents and settings\gateway e4500e\local settings\application data\Nero_AG
2012-02-27 18:29:26 -------- d-----w- c:\documents and settings\gateway e4500e\local settings\application data\Nero
2012-02-24 23:30:47 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-02-24 23:30:11 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-02-24 23:30:11 -------- d-----w- c:\documents and settings\all users\Microsoft
2012-02-24 23:28:28 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-24 23:27:45 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-02-24 23:27:40 -------- d-----w- c:\windows\SHELLNEW
2012-02-24 23:27:30 -------- d-----w- c:\documents and settings\gateway e4500e\local settings\application data\Microsoft Help
2012-02-23 17:47:07 -------- d-----w- c:\documents and settings\gateway e4500e\application data\iZotope
2012-02-23 04:32:52 -------- d-----w- c:\documents and settings\gateway e4500e\local settings\application data\One Small Clue
2012-02-23 03:55:23 98696 ----a-w- c:\windows\system32\setupprwdrv03.exe
2012-02-23 03:55:23 13064 ----a-w- c:\windows\system32\prwntdrv.sys
2012-02-23 01:00:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-02-23 01:00:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-02-23 01:00:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-02-23 01:00:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-02-23 01:00:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-02-23 01:00:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-02-23 01:00:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-02-23 00:58:40 -------- d-----w- c:\documents and settings\gateway e4500e\local settings\application data\Apple
2012-02-23 00:58:13 -------- d-----w- c:\documents and settings\gateway e4500e\local settings\application data\Apple Computer
.
==================== Find3M ====================
.
2012-02-18 16:11:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 14:56:36 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-01-03 13:10:50 47512 ----a-w- c:\windows\system32\AdobePDF.dll
2012-01-03 13:10:48 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
.
============= FINISH: 7:48:55.15 ===============

Edit: I wanted to add that my scroll lock turns on when it feels like it. I don't know if this is related to me having a virus, or what. Thanks again for your time and patience!

Edited by Mike Millz, 23 March 2012 - 08:27 AM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 March 2012 - 10:32 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:

  • In your next post I need the following:
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?

Gringo

#5 Mike Millz

  • Topic Starter
  • Members
  • 5 posts

Posted 24 March 2012 - 01:50 PM

Hello Gringo, my issue with my browser appears to be fixed. Here's a copy of the Combofix log as requested. Thanks a million!

ComboFix 12-03-22.01 - Gateway E4500E 03/24/2012 14:18:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.741 [GMT -5:00]
Running from: c:\documents and settings\Gateway E4500E\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB32455$
c:\windows\$NtUninstallKB32455$\1062241233
c:\windows\$NtUninstallKB32455$\2927546553\@
c:\windows\$NtUninstallKB32455$\2927546553\cfg.ini
c:\windows\$NtUninstallKB32455$\2927546553\Desktop.ini
c:\windows\$NtUninstallKB32455$\2927546553\L\inqeepqy
c:\windows\$NtUninstallKB32455$\2927546553\oemid
c:\windows\$NtUninstallKB32455$\2927546553\U\00000001.@
c:\windows\$NtUninstallKB32455$\2927546553\U\00000002.@
c:\windows\$NtUninstallKB32455$\2927546553\U\00000004.@
c:\windows\$NtUninstallKB32455$\2927546553\U\80000000.@
c:\windows\$NtUninstallKB32455$\2927546553\U\80000004.@
c:\windows\$NtUninstallKB32455$\2927546553\U\80000032.@
c:\windows\$NtUninstallKB32455$\2927546553\version
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\Device.dll
c:\windows\system32\VC4CB104.dll
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{3515F186-303F-4610-BA71-65C0DEE58EA7}\RP91\A0027937.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ifxspmgtsrv
-------\Service_ifxspmgtsrv
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-23 15:53 . 2012-03-23 15:53 172032 ----a-w- c:\windows\system32\ssiResizeWizard.ocx
2012-03-23 15:53 . 2012-03-23 15:53 249856 ------w- c:\windows\Setup1.exe
2012-03-23 15:53 . 2012-03-23 15:53 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-03-22 15:54 . 2012-03-22 16:55 22032 ----a-w- c:\windows\DCEBoot.exe
2012-03-22 15:54 . 2012-03-22 16:55 102400 ----a-w- c:\windows\RegBootClean.exe
2012-03-22 15:21 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-03-22 14:55 . 2012-03-22 14:55 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-22 13:08 . 2012-03-22 13:08 -------- d-----w- C:\_OTM
2012-03-21 17:39 . 2012-03-21 17:39 25888 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-03-21 17:11 . 2012-03-21 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-03-21 13:29 . 2012-03-21 13:29 388096 ----a-r- c:\documents and settings\Gateway E4500E\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-21 13:29 . 2012-03-21 13:29 -------- d-----w- c:\program files\Trend Micro
2012-03-21 12:36 . 2012-03-21 12:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-21 12:36 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 02:33 . 2012-03-21 02:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-03-20 14:04 . 2012-03-20 14:04 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-20 14:03 . 2012-03-20 14:03 -------- d-----w- c:\documents and settings\Gateway E4500E\Application Data\Windows Desktop Search
2012-03-20 02:01 . 2012-03-20 02:01 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-20 00:17 . 2012-03-20 00:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-03-19 11:51 . 2012-03-19 16:41 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-03-09 22:25 . 2012-03-09 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2012-03-09 15:48 . 2012-03-09 15:48 -------- d-----w- c:\program files\Adobe Media Player
2012-03-09 15:42 . 2012-03-09 15:42 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2012-03-09 11:59 . 2012-03-09 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2012-03-09 11:51 . 2012-03-09 11:51 -------- d-----w- c:\documents and settings\Gateway E4500E\Adobe Flash Builder 4.5
2012-03-08 15:58 . 2012-03-08 15:58 -------- d-----w- c:\documents and settings\Gateway E4500E\Application Data\NCH Swift Sound
2012-03-08 15:41 . 2012-03-08 15:41 -------- d-----w- c:\program files\Adobe Download Assistant
2012-03-08 14:22 . 2012-03-08 14:22 -------- d-----w- c:\program files\My Company Name
2012-03-07 03:34 . 2012-03-09 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2012-03-06 16:16 . 2012-03-06 16:16 -------- d-----w- c:\documents and settings\Gateway E4500E\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-03-05 01:13 . 2012-03-05 01:13 -------- d-----w- c:\documents and settings\Gateway E4500E\Application Data\Apple Computer
2012-02-27 18:29 . 2012-03-12 00:53 -------- d-----w- c:\documents and settings\Gateway E4500E\Local Settings\Application Data\Nero
2012-02-24 23:30 . 2012-02-24 23:30 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-02-24 23:30 . 2012-02-24 23:30 -------- d-----w- c:\program files\Microsoft Sync Framework
2012-02-24 23:30 . 2012-02-24 23:30 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-02-24 23:30 . 2012-02-24 23:30 -------- d-----w- c:\documents and settings\All Users\Microsoft
2012-02-24 23:28 . 2012-02-24 23:28 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-24 23:27 . 2012-02-24 23:27 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-02-24 23:27 . 2012-02-24 23:30 -------- d-----w- c:\windows\SHELLNEW
2012-02-24 23:27 . 2012-02-24 23:27 -------- d-----w- c:\documents and settings\Gateway E4500E\Local Settings\Application Data\Microsoft Help
2012-02-24 23:27 . 2012-02-25 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2012-02-24 23:27 . 2012-02-24 23:27 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-18 16:11 . 2011-10-04 18:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 14:56 . 2012-02-15 14:56 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-01-03 13:10 . 2012-01-03 13:10 47512 ----a-w- c:\windows\system32\AdobePDF.dll
2012-01-03 13:10 . 2012-01-03 13:10 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Intuit Data Protect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk
backup=c:\windows\pss\Intuit Data Protect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
backup=c:\windows\pss\QuickBooks_Standard_21.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gateway E4500E^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Gateway E4500E\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2012-01-03 13:10 815512 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2012-01-03 13:10 36760 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-30 13:46 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 12:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 22:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-23 23:05 143360 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 16:46 159744 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-15 16:46 135168 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2011-06-14 10:18 1527128 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2010-04-03 06:27 1234216 ----a-w- c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-15 16:46 131072 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-03-12 16:53 483422 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"QBVSS"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=3 (0x3)
"NMIndexingService"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash Builder 4.5\\FlashBuilder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"7935:TCP"= 7935:TCP:Adobe Flash Builder 4.5
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [4/14/2008 5:42 AM 14336]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [10/4/2011 10:37 AM 20160]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.SYS [10/27/2004 3:05 PM 22144]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2/22/2012 4:39 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2/22/2012 4:39 PM 3072]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [3/21/2012 12:39 PM 25888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/21/2012 7:36 AM 40776]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 prwntdrv;prwntdrv;c:\windows\system32\prwntdrv.sys [2/22/2012 10:55 PM 13064]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2/13/2012 1:52 PM 1248256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
prfldsvc
bwmservice
bthport
AmeLanPc
sbhooksvc
nvedavt
NCPro
symantecantibotdriver
intelroam
captureservice
pdlnatdl
btnetfilter
vpcnfltr
aswlsvc
ifxspmgtsrv
thinkpadmodemservice
mssqlserver
useraccess7
db2licd
AGV
ql2100
OneCareMP
vwlogger
SE2Cbus
VC4CB104
eamon
aaksrv
zebrmdfl
RDID1027
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-10 c:\windows\Tasks\AdobeAAMUpdater-1.0-GATEWAY-AF38C10-Gateway E4500E.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-03-09 13:46]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-51062218.sys
MSConfigStartUp-UIUCU - c:\docume~1\GATEWA~1\LOCALS~1\Temp\UIUCU.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-24 14:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswlsvc]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\thinkpadmodemservice]
"ServiceDll"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(108)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-24 14:37:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-24 19:37
.
Pre-Run: 75,305,975,808 bytes free
Post-Run: 75,914,641,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /sos
.
- - End Of File - - 9C40446F8A37EBF598CE48F8DDD49ADF

#6 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 March 2012 - 01:56 PM

Greetings

Things are looking very good, but I want to check some other things while we are here.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Mike Millz
  • Topic Starter

  • Members
  • 5 posts

Posted 26 March 2012 - 05:22 PM

Good morning. Here are the logs as requested:

08:40:01.0515 3688 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
08:40:01.0765 3688 ============================================================
08:40:01.0781 3688 Current date / time: 2012/03/26 08:40:01.0765
08:40:01.0781 3688 SystemInfo:
08:40:01.0781 3688
08:40:01.0781 3688 OS Version: 5.1.2600 ServicePack: 3.0
08:40:01.0781 3688 Product type: Workstation
08:40:01.0781 3688 ComputerName: GATEWAY-AF38C10
08:40:01.0781 3688 UserName: Gateway E4500E
08:40:01.0781 3688 Windows directory: C:\WINDOWS
08:40:01.0781 3688 System windows directory: C:\WINDOWS
08:40:01.0781 3688 Processor architecture: Intel x86
08:40:01.0781 3688 Number of processors: 1
08:40:01.0781 3688 Page size: 0x1000
08:40:01.0781 3688 Boot type: Normal boot
08:40:01.0781 3688 ============================================================
08:40:03.0093 3688 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:40:03.0093 3688 \Device\Harddisk0\DR0:
08:40:03.0093 3688 MBR used
08:40:03.0093 3688 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
08:40:03.0109 3688 Initialize success
08:40:03.0109 3688 ============================================================
08:40:05.0312 3812 ============================================================
08:40:05.0312 3812 Scan started
08:40:05.0312 3812 Mode: Manual;
08:40:05.0312 3812 ============================================================
08:40:05.0921 3812 Abiosdsk - ok
08:40:05.0953 3812 abp480n5 - ok
08:40:05.0984 3812 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:40:05.0984 3812 ACPI - ok
08:40:06.0015 3812 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:40:06.0015 3812 ACPIEC - ok
08:40:06.0046 3812 ADM8511 (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
08:40:06.0046 3812 ADM8511 - ok
08:40:06.0093 3812 ADM851X (18b9e3affff9a3e65c4bce114fca297c) C:\WINDOWS\system32\DRIVERS\ADM851X.SYS
08:40:06.0093 3812 ADM851X - ok
08:40:06.0109 3812 adpu160m - ok
08:40:06.0156 3812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:40:06.0156 3812 aec - ok
08:40:06.0187 3812 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
08:40:06.0187 3812 AFD - ok
08:40:06.0203 3812 Aha154x - ok
08:40:06.0218 3812 aic78u2 - ok
08:40:06.0218 3812 aic78xx - ok
08:40:06.0250 3812 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
08:40:06.0250 3812 Alerter - ok
08:40:06.0265 3812 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
08:40:06.0281 3812 ALG - ok
08:40:06.0281 3812 AliIde - ok
08:40:06.0296 3812 amsint - ok
08:40:06.0328 3812 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
08:40:06.0328 3812 AppMgmt - ok
08:40:06.0343 3812 asc - ok
08:40:06.0343 3812 asc3350p - ok
08:40:06.0359 3812 asc3550 - ok
08:40:06.0437 3812 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
08:40:06.0437 3812 aspnet_state - ok
08:40:06.0484 3812 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:40:06.0500 3812 AsyncMac - ok
08:40:06.0562 3812 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:40:06.0562 3812 atapi - ok
08:40:06.0593 3812 Atdisk - ok
08:40:06.0609 3812 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:40:06.0609 3812 Atmarpc - ok
08:40:06.0625 3812 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
08:40:06.0625 3812 AudioSrv - ok
08:40:06.0656 3812 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:40:06.0656 3812 audstub - ok
08:40:06.0687 3812 b57w2k (48bf91cffbcdd12a710207f2a08fec4d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
08:40:06.0687 3812 b57w2k - ok
08:40:06.0718 3812 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:40:06.0718 3812 Beep - ok
08:40:06.0765 3812 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
08:40:06.0796 3812 BITS - ok
08:40:06.0828 3812 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
08:40:06.0843 3812 Browser - ok
08:40:06.0843 3812 catchme - ok
08:40:06.0859 3812 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:40:06.0859 3812 cbidf2k - ok
08:40:06.0875 3812 cd20xrnt - ok
08:40:06.0890 3812 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:40:06.0890 3812 Cdaudio - ok
08:40:06.0921 3812 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:40:06.0921 3812 Cdfs - ok
08:40:06.0937 3812 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:40:06.0953 3812 Cdrom - ok
08:40:06.0953 3812 Changer - ok
08:40:06.0968 3812 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
08:40:06.0968 3812 CiSvc - ok
08:40:06.0984 3812 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
08:40:07.0000 3812 ClipSrv - ok
08:40:07.0062 3812 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
08:40:07.0062 3812 clr_optimization_v2.0.50727_32 - ok
08:40:07.0109 3812 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
08:40:07.0125 3812 clr_optimization_v4.0.30319_32 - ok
08:40:07.0187 3812 CmdIde - ok
08:40:07.0203 3812 COMSysApp - ok
08:40:07.0218 3812 Cpqarray - ok
08:40:07.0265 3812 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
08:40:07.0265 3812 cpudrv - ok
08:40:07.0296 3812 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
08:40:07.0296 3812 CryptSvc - ok
08:40:07.0312 3812 dac2w2k - ok
08:40:07.0312 3812 dac960nt - ok
08:40:07.0359 3812 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
08:40:07.0375 3812 DcomLaunch - ok
08:40:07.0406 3812 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
08:40:07.0406 3812 Dhcp - ok
08:40:07.0437 3812 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:40:07.0437 3812 Disk - ok
08:40:07.0453 3812 dmadmin - ok
08:40:07.0500 3812 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:40:07.0515 3812 dmboot - ok
08:40:07.0546 3812 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:40:07.0546 3812 dmio - ok
08:40:07.0562 3812 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:40:07.0562 3812 dmload - ok
08:40:07.0593 3812 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
08:40:07.0593 3812 dmserver - ok
08:40:07.0625 3812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:40:07.0625 3812 DMusic - ok
08:40:07.0656 3812 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
08:40:07.0656 3812 Dnscache - ok
08:40:07.0921 3812 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
08:40:07.0921 3812 Dot3svc - ok
08:40:07.0953 3812 dpti2o - ok
08:40:07.0968 3812 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:40:07.0968 3812 drmkaud - ok
08:40:07.0984 3812 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
08:40:08.0000 3812 EapHost - ok
08:40:08.0031 3812 epmntdrv (57cc1bf06c159dfbb989f5783c0e6a50) C:\WINDOWS\system32\epmntdrv.sys
08:40:08.0031 3812 epmntdrv - ok
08:40:08.0046 3812 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
08:40:08.0046 3812 ERSvc - ok
08:40:08.0078 3812 EuGdiDrv (5f779f5edab787f2d090c71a9051f365) C:\WINDOWS\system32\EuGdiDrv.sys
08:40:08.0078 3812 EuGdiDrv - ok
08:40:08.0125 3812 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
08:40:08.0125 3812 Eventlog - ok
08:40:08.0156 3812 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
08:40:08.0156 3812 EventSystem - ok
08:40:08.0203 3812 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:40:08.0203 3812 Fastfat - ok
08:40:08.0234 3812 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
08:40:08.0234 3812 FastUserSwitchingCompatibility - ok
08:40:08.0265 3812 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
08:40:08.0265 3812 Fdc - ok
08:40:08.0296 3812 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:40:08.0312 3812 Fips - ok
08:40:08.0375 3812 FLEXnet Licensing Service (1f63900e2eb00101b9aca2b7a870704e) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
08:40:08.0406 3812 FLEXnet Licensing Service - ok
08:40:08.0453 3812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
08:40:08.0453 3812 Flpydisk - ok
08:40:08.0500 3812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:40:08.0500 3812 FltMgr - ok
08:40:08.0546 3812 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
08:40:08.0562 3812 FontCache3.0.0.0 - ok
08:40:08.0578 3812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:40:08.0578 3812 Fs_Rec - ok
08:40:08.0593 3812 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:40:08.0593 3812 Ftdisk - ok
08:40:08.0625 3812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:40:08.0625 3812 Gpc - ok
08:40:08.0640 3812 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:40:08.0640 3812 HDAudBus - ok
08:40:08.0656 3812 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
08:40:08.0656 3812 helpsvc - ok
08:40:08.0671 3812 HidServ - ok
08:40:08.0703 3812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:40:08.0703 3812 HidUsb - ok
08:40:08.0750 3812 hitmanpro35 (11e085834b3876af95ca11ce3b948b5c) C:\WINDOWS\system32\drivers\hitmanpro36.sys
08:40:08.0750 3812 hitmanpro35 - ok
08:40:08.0781 3812 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
08:40:08.0781 3812 hkmsvc - ok
08:40:08.0796 3812 hpn - ok
08:40:08.0828 3812 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
08:40:08.0828 3812 HTTP - ok
08:40:08.0890 3812 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
08:40:08.0890 3812 HTTPFilter - ok
08:40:08.0906 3812 i2omgmt - ok
08:40:08.0921 3812 i2omp - ok
08:40:08.0953 3812 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:40:08.0953 3812 i8042prt - ok
08:40:09.0000 3812 ialm (d95eb1c9b3a5c2f6fdeab05dd03736fe) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
08:40:09.0015 3812 ialm - ok
08:40:09.0156 3812 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
08:40:09.0187 3812 idsvc - ok
08:40:09.0234 3812 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:40:09.0234 3812 Imapi - ok
08:40:09.0265 3812 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
08:40:09.0265 3812 ImapiService - ok
08:40:09.0296 3812 ini910u - ok
08:40:09.0312 3812 IntelIde - ok
08:40:09.0328 3812 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:40:09.0328 3812 intelppm - ok
08:40:09.0343 3812 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:40:09.0343 3812 Ip6Fw - ok
08:40:09.0375 3812 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:40:09.0375 3812 IpFilterDriver - ok
08:40:09.0390 3812 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:40:09.0390 3812 IpInIp - ok
08:40:09.0421 3812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:40:09.0421 3812 IpNat - ok
08:40:09.0468 3812 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:40:09.0468 3812 IPSec - ok
08:40:09.0500 3812 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
08:40:09.0515 3812 irda - ok
08:40:09.0531 3812 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:40:09.0531 3812 IRENUM - ok
08:40:09.0546 3812 Irmon (49cc4533ce897cb2e93c1e84a818fde5) C:\WINDOWS\System32\irmon.dll
08:40:09.0562 3812 Irmon - ok
08:40:09.0578 3812 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
08:40:09.0578 3812 irsir - ok
08:40:09.0609 3812 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:40:09.0609 3812 isapnp - ok
08:40:09.0640 3812 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:40:09.0640 3812 Kbdclass - ok
08:40:09.0671 3812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:40:09.0671 3812 kmixer - ok
08:40:09.0687 3812 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
08:40:09.0703 3812 KSecDD - ok
08:40:09.0718 3812 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
08:40:09.0718 3812 LanmanServer - ok
08:40:09.0750 3812 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
08:40:09.0750 3812 lanmanworkstation - ok
08:40:09.0765 3812 lbrtfdc - ok
08:40:09.0796 3812 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
08:40:09.0796 3812 LmHosts - ok
08:40:09.0828 3812 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
08:40:09.0843 3812 MBAMSwissArmy - ok
08:40:09.0875 3812 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
08:40:09.0875 3812 Messenger - ok
08:40:09.0937 3812 Microsoft SharePoint Workspace Audit Service - ok
08:40:10.0000 3812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:40:10.0000 3812 mnmdd - ok
08:40:10.0031 3812 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
08:40:10.0031 3812 mnmsrvc - ok
08:40:10.0078 3812 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:40:10.0078 3812 Modem - ok
08:40:10.0093 3812 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:40:10.0093 3812 Mouclass - ok
08:40:10.0125 3812 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:40:10.0125 3812 mouhid - ok
08:40:10.0156 3812 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
08:40:10.0156 3812 MountMgr - ok
08:40:10.0171 3812 mraid35x - ok
08:40:10.0187 3812 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:40:10.0187 3812 MRxDAV - ok
08:40:10.0234 3812 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:40:10.0234 3812 MRxSmb - ok
08:40:10.0265 3812 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
08:40:10.0265 3812 MSDTC - ok
08:40:10.0296 3812 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:40:10.0296 3812 Msfs - ok
08:40:10.0296 3812 MSIServer - ok
08:40:10.0328 3812 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:40:10.0328 3812 MSKSSRV - ok
08:40:10.0343 3812 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:40:10.0343 3812 MSPCLOCK - ok
08:40:10.0359 3812 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:40:10.0359 3812 MSPQM - ok
08:40:10.0421 3812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:40:10.0421 3812 mssmbios - ok
08:40:10.0453 3812 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
08:40:10.0468 3812 Mup - ok
08:40:10.0500 3812 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
08:40:10.0515 3812 napagent - ok
08:40:10.0515 3812 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:40:10.0531 3812 NDIS - ok
08:40:10.0562 3812 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:40:10.0562 3812 NdisTapi - ok
08:40:10.0593 3812 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:40:10.0593 3812 Ndisuio - ok
08:40:10.0609 3812 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:40:10.0609 3812 NdisWan - ok
08:40:10.0625 3812 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:40:10.0625 3812 NDProxy - ok
08:40:10.0640 3812 NecUsb3 - ok
08:40:10.0656 3812 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:40:10.0656 3812 NetBIOS - ok
08:40:10.0687 3812 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:40:10.0687 3812 NetBT - ok
08:40:10.0734 3812 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
08:40:10.0734 3812 NetDDE - ok
08:40:10.0734 3812 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
08:40:10.0750 3812 NetDDEdsdm - ok
08:40:10.0765 3812 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:40:10.0765 3812 Netlogon - ok
08:40:10.0781 3812 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
08:40:10.0781 3812 Netman - ok
08:40:10.0843 3812 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
08:40:10.0859 3812 NetTcpPortSharing - ok
08:40:10.0890 3812 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
08:40:10.0906 3812 Nla - ok
08:40:10.0953 3812 NMIndexingService (c4ebbbd7165be535f0bfd06b80601d91) C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
08:40:10.0968 3812 NMIndexingService - ok
08:40:11.0015 3812 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:40:11.0015 3812 Npfs - ok
08:40:11.0062 3812 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
08:40:11.0062 3812 Ntfs - ok
08:40:11.0078 3812 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:40:11.0078 3812 NtLmSsp - ok
08:40:11.0125 3812 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
08:40:11.0140 3812 NtmsSvc - ok
08:40:11.0171 3812 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:40:11.0171 3812 Null - ok
08:40:11.0203 3812 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:40:11.0203 3812 NwlnkFlt - ok
08:40:11.0218 3812 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:40:11.0218 3812 NwlnkFwd - ok
08:40:11.0265 3812 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
08:40:11.0265 3812 ose - ok
08:40:11.0406 3812 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
08:40:11.0515 3812 osppsvc - ok
08:40:11.0546 3812 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
08:40:11.0562 3812 Parport - ok
08:40:11.0562 3812 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:40:11.0562 3812 PartMgr - ok
08:40:11.0593 3812 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:40:11.0593 3812 ParVdm - ok
08:40:11.0640 3812 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:40:11.0640 3812 PCI - ok
08:40:11.0656 3812 PCIDump - ok
08:40:11.0671 3812 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:40:11.0671 3812 PCIIde - ok
08:40:11.0703 3812 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
08:40:11.0718 3812 Pcmcia - ok
08:40:11.0718 3812 PDCOMP - ok
08:40:11.0734 3812 PDFRAME - ok
08:40:11.0750 3812 PDRELI - ok
08:40:11.0765 3812 PDRFRAME - ok
08:40:11.0765 3812 perc2 - ok
08:40:11.0781 3812 perc2hib - ok
08:40:11.0828 3812 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
08:40:11.0828 3812 PlugPlay - ok
08:40:11.0859 3812 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:40:11.0859 3812 PolicyAgent - ok
08:40:11.0875 3812 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:40:11.0875 3812 PptpMiniport - ok
08:40:11.0906 3812 prfldsvc - ok
08:40:11.0906 3812 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:40:11.0921 3812 ProtectedStorage - ok
08:40:11.0937 3812 prwntdrv (c590535d68fd6c84707dc1debd2afd68) C:\WINDOWS\system32\prwntdrv.sys
08:40:11.0937 3812 prwntdrv - ok
08:40:11.0953 3812 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
08:40:11.0953 3812 PSched - ok
08:40:11.0984 3812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:40:11.0984 3812 Ptilink - ok
08:40:12.0015 3812 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
08:40:12.0015 3812 PxHelp20 - ok
08:40:12.0093 3812 QBCFMonitorService (c6df3ff18d6acb913c78c865dded17d3) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
08:40:12.0093 3812 QBCFMonitorService - ok
08:40:12.0140 3812 QBFCService (6bee1814470dc12fa20c53dfc3c97ebb) C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
08:40:12.0140 3812 QBFCService - ok
08:40:12.0234 3812 QBVSS (78afb70dbe365bd6140e6740792ac3ea) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
08:40:12.0265 3812 QBVSS - ok
08:40:12.0328 3812 ql1080 - ok
08:40:12.0343 3812 Ql10wnt - ok
08:40:12.0359 3812 ql12160 - ok
08:40:12.0359 3812 ql1240 - ok
08:40:12.0375 3812 ql1280 - ok
08:40:12.0390 3812 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:40:12.0390 3812 RasAcd - ok
08:40:12.0421 3812 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
08:40:12.0437 3812 RasAuto - ok
08:40:12.0468 3812 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
08:40:12.0468 3812 Rasirda - ok
08:40:12.0468 3812 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:40:12.0484 3812 Rasl2tp - ok
08:40:12.0500 3812 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
08:40:12.0500 3812 RasMan - ok
08:40:12.0515 3812 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:40:12.0531 3812 RasPppoe - ok
08:40:12.0531 3812 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:40:12.0531 3812 Raspti - ok
08:40:12.0562 3812 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:40:12.0562 3812 Rdbss - ok
08:40:12.0578 3812 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:40:12.0578 3812 RDPCDD - ok
08:40:12.0609 3812 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
08:40:12.0625 3812 rdpdr - ok
08:40:12.0671 3812 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
08:40:12.0671 3812 RDPWD - ok
08:40:12.0718 3812 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
08:40:12.0718 3812 RDSessMgr - ok
08:40:12.0750 3812 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:40:12.0750 3812 redbook - ok
08:40:12.0781 3812 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
08:40:12.0796 3812 RemoteAccess - ok
08:40:12.0812 3812 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
08:40:12.0828 3812 RemoteRegistry - ok
08:40:12.0859 3812 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
08:40:12.0875 3812 RpcLocator - ok
08:40:12.0921 3812 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
08:40:12.0921 3812 RpcSs - ok
08:40:12.0937 3812 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
08:40:12.0937 3812 RSVP - ok
08:40:12.0968 3812 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:40:12.0968 3812 SamSs - ok
08:40:13.0015 3812 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
08:40:13.0015 3812 SCardSvr - ok
08:40:13.0046 3812 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
08:40:13.0062 3812 Schedule - ok
08:40:13.0093 3812 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:40:13.0093 3812 Secdrv - ok
08:40:13.0109 3812 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
08:40:13.0109 3812 seclogon - ok
08:40:13.0125 3812 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
08:40:13.0125 3812 SENS - ok
08:40:13.0156 3812 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
08:40:13.0156 3812 serenum - ok
08:40:13.0171 3812 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
08:40:13.0187 3812 Serial - ok
08:40:13.0234 3812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:40:13.0234 3812 Sfloppy - ok
08:40:13.0265 3812 sfng32 (5fe18fff6fbcf218290042009eab023d) C:\WINDOWS\system32\drivers\sfng32.sys
08:40:13.0281 3812 sfng32 - ok
08:40:13.0296 3812 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
08:40:13.0312 3812 SharedAccess - ok
08:40:13.0343 3812 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
08:40:13.0343 3812 ShellHWDetection - ok
08:40:13.0359 3812 Simbad - ok
08:40:13.0375 3812 Sparrow - ok
08:40:13.0406 3812 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:40:13.0406 3812 splitter - ok
08:40:13.0421 3812 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
08:40:13.0421 3812 Spooler - ok
08:40:13.0453 3812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:40:13.0453 3812 sr - ok
08:40:13.0515 3812 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
08:40:13.0515 3812 srservice - ok
08:40:13.0546 3812 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
08:40:13.0546 3812 Srv - ok
08:40:13.0578 3812 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
08:40:13.0578 3812 SSDPSRV - ok
08:40:13.0640 3812 STacSV (c5003d42cc88c1f5d54ed9af28d6ed7b) c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
08:40:13.0656 3812 STacSV - ok
08:40:13.0734 3812 STHDA (228519217a88c2f6b0cf8c022e6d669c) C:\WINDOWS\system32\drivers\sthda.sys
08:40:13.0750 3812 STHDA - ok
08:40:13.0796 3812 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
08:40:13.0812 3812 stisvc - ok
08:40:13.0843 3812 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:40:13.0843 3812 swenum - ok
08:40:13.0921 3812 SwitchBoard (f577910a133a592234ebaad3f3afa258) C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
08:40:13.0937 3812 SwitchBoard - ok
08:40:14.0000 3812 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:40:14.0000 3812 swmidi - ok
08:40:14.0015 3812 SwPrv - ok
08:40:14.0031 3812 symc810 - ok
08:40:14.0046 3812 symc8xx - ok
08:40:14.0046 3812 sym_hi - ok
08:40:14.0062 3812 sym_u3 - ok
08:40:14.0093 3812 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:40:14.0093 3812 sysaudio - ok
08:40:14.0125 3812 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
08:40:14.0125 3812 SysmonLog - ok
08:40:14.0171 3812 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
08:40:14.0171 3812 TapiSrv - ok
08:40:14.0218 3812 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:40:14.0234 3812 Tcpip - ok
08:40:14.0281 3812 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:40:14.0281 3812 TDPIPE - ok
08:40:14.0296 3812 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
08:40:14.0296 3812 TDTCP - ok
08:40:14.0312 3812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:40:14.0312 3812 TermDD - ok
08:40:14.0343 3812 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
08:40:14.0375 3812 TermService - ok
08:40:14.0390 3812 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
08:40:14.0390 3812 Themes - ok
08:40:14.0421 3812 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
08:40:14.0421 3812 TlntSvr - ok
08:40:14.0437 3812 TosIde - ok
08:40:14.0453 3812 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
08:40:14.0453 3812 TrkWks - ok
08:40:14.0500 3812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:40:14.0500 3812 Udfs - ok
08:40:14.0562 3812 ultra - ok
08:40:14.0609 3812 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:40:14.0625 3812 Update - ok
08:40:14.0656 3812 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
08:40:14.0656 3812 upnphost - ok
08:40:14.0703 3812 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
08:40:14.0703 3812 UPS - ok
08:40:14.0734 3812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:40:14.0734 3812 usbehci - ok
08:40:14.0765 3812 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:40:14.0765 3812 usbhub - ok
08:40:14.0812 3812 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:40:14.0812 3812 USBSTOR - ok
08:40:14.0843 3812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:40:14.0843 3812 usbuhci - ok
08:40:14.0859 3812 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:40:14.0859 3812 VgaSave - ok
08:40:14.0875 3812 ViaIde - ok
08:40:14.0890 3812 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:40:14.0890 3812 VolSnap - ok
08:40:14.0937 3812 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
08:40:14.0937 3812 VSS - ok
08:40:14.0984 3812 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
08:40:14.0984 3812 W32Time - ok
08:40:15.0015 3812 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:40:15.0015 3812 Wanarp - ok
08:40:15.0015 3812 WDICA - ok
08:40:15.0046 3812 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:40:15.0046 3812 wdmaud - ok
08:40:15.0078 3812 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
08:40:15.0078 3812 WebClient - ok
08:40:15.0109 3812 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
08:40:15.0109 3812 winmgmt - ok
08:40:15.0234 3812 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
08:40:15.0265 3812 WinRM - ok
08:40:15.0328 3812 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\MsPMSNSv.dll
08:40:15.0328 3812 WmdmPmSN - ok
08:40:15.0390 3812 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
08:40:15.0421 3812 Wmi - ok
08:40:15.0437 3812 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
08:40:15.0437 3812 WmiApSrv - ok
08:40:15.0562 3812 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
08:40:15.0593 3812 WPFFontCache_v0400 - ok
08:40:15.0640 3812 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
08:40:15.0640 3812 WS2IFSL - ok
08:40:15.0671 3812 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
08:40:15.0671 3812 wscsvc - ok
08:40:15.0687 3812 WSearch - ok
08:40:15.0718 3812 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
08:40:15.0734 3812 wuauserv - ok
08:40:15.0765 3812 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:40:15.0765 3812 WudfPf - ok
08:40:15.0828 3812 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:40:15.0828 3812 WudfRd - ok
08:40:15.0859 3812 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
08:40:15.0875 3812 WudfSvc - ok
08:40:15.0890 3812 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
08:40:15.0906 3812 WZCSVC - ok
08:40:15.0937 3812 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
08:40:15.0937 3812 xmlprov - ok
08:40:15.0968 3812 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:40:16.0234 3812 \Device\Harddisk0\DR0 - ok
08:40:16.0234 3812 Boot (0x1200) (8387f530ae9a5fc1b5c7286a85201be1) \Device\Harddisk0\DR0\Partition0
08:40:16.0234 3812 \Device\Harddisk0\DR0\Partition0 - ok
08:40:16.0250 3812 ============================================================
08:40:16.0250 3812 Scan finished
08:40:16.0250 3812 ============================================================
08:40:16.0250 3808 Detected object count: 0
08:40:16.0250 3808 Actual detected object count: 0


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-26 16:56:07
-----------------------------
16:56:07.218 OS Version: Windows 5.1.2600 Service Pack 3
16:56:07.218 Number of processors: 1 586 0x602
16:56:07.218 ComputerName: GATEWAY-AF38C10 UserName: Gateway E4500E
16:56:08.296 Initialize success
16:56:19.015 AVAST engine defs: 12032601
16:56:20.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:56:20.609 Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152627MB BusType: 3
16:56:20.671 Disk 0 MBR read successfully
16:56:20.671 Disk 0 MBR scan
16:56:20.703 Disk 0 Windows XP default MBR code
16:56:20.718 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
16:56:20.750 Disk 0 scanning sectors +312560640
16:56:21.031 Disk 0 scanning C:\WINDOWS\system32\drivers
16:56:49.437 Service scanning
16:57:02.546 Modules scanning
16:57:41.140 Disk 0 trace - called modules:
16:57:41.187 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:57:41.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86550ab8]
16:57:41.531 3 CLASSPNP.SYS[f762efd7] -> nt!IofCallDriver -> \Device\00000063[0x86580310]
16:57:41.531 5 ACPI.sys[f74c5620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8658dd98]
16:57:42.234 AVAST engine scan C:\WINDOWS
16:59:04.609 AVAST engine scan C:\WINDOWS\system32
17:10:07.718 AVAST engine scan C:\WINDOWS\system32\drivers
17:11:31.281 AVAST engine scan C:\Documents and Settings\Gateway E4500E
17:39:48.875 AVAST engine scan C:\Documents and Settings\All Users
17:42:18.015 Scan finished successfully
18:21:02.843 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gateway E4500E\Desktop\MBR.dat"
18:21:02.859 The log file has been saved successfully to "C:\Documents and Settings\Gateway E4500E\Desktop\aswMBR.txt"

#8 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 26 March 2012 - 07:50 PM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Mike Millz

  • Topic Starter
  • Members
  • 5 posts

Posted 27 March 2012 - 09:00 AM

Hello Gringo... I tried to run combofix and I get a message that says: Current date is 2012-03-27. Combofix has expired
Click 'Yes' to run in REDUCED FUNCTIONALITY mode
Click 'No' to exit

Although I don't get the redirect and popups anymore, my internet (I have DSL) keeps disconnecting from the internet and rebooting. I tried to run ipconfig and I got a message: ipconfig is not recognized as an internal or external command.....etc.

Thanks!

#10 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 27 March 2012 - 09:31 AM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#11 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 29 March 2012 - 11:19 PM

Hello

Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?

Gringo

#12 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 01 April 2012 - 11:21 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#13 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 05 April 2012 - 01:03 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



