Redirecting to hapilli and other sites...


This topic is locked. 25 replies to this topic.

#1 rbarlund
Posted 22 March 2012 - 10:03 AM

OK, so like several others, I have been hit by the redirect to hapilli. I'm not sure what I did; one minute it's fine, the next minute I am being redirected. I tried to run the GMER.exe program, but every time when it gets towards the end I get a BSOD. Here is my DDS.txt log. I do not remember downloading anything in the last day or two before it happened. The only thing I do remember is Firefox went through an update; it is now at version 12.0.

So, let me know if you see anything odd in the dds text, I'll try running the GMER again and hope it makes it through.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Richard at 16:30:33 on 2012-03-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2034 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxducoms.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FedEx\ShipManager\BIN\ShipEngineService.exe
C:\Program Files\FedEx\ShipManager\BIN\TransEngineService.exe
C:\Program Files\Comm100 Live Chat Visitor Monitor\Comm100 Live Chat Visitor Monitor.exe
C:\Program Files\SAGE\SAGE Supplier Center\SAGESuppCtr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aceproductsusa.com/
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [AdobeBridge]
uRun: [Google Update] "c:\documents and settings\richard.ace\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AIM for Windows] "c:\documents and settings\richard.ace\local settings\application data\aol\aim\aim.exe"
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Update] rundll32.exe "c:\documents and settings\richard.ace\application data\dropbox\dropbox\zchvwceaw.dll",DllRegisterServer
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [PeachtreePrefetcher.exe] c:\program files\sage\peachtree\PeachtreePrefetcher.exe /configfile:peachtreeprefetcher.winstart.config
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Update] rundll32.exe "c:\documents and settings\richard.ace\application data\dropbox\dropbox\zchvwceaw.dll",DllRegisterServer
StartupFolder: c:\docume~1\richard.ace\startm~1\programs\startup\comm10~1.lnk - c:\program files\comm100 live chat visitor monitor\Comm100 Live Chat Visitor Monitor.exe
StartupFolder: c:\docume~1\richard.ace\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{90120000-0030-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1285611200419
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285691850145
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: Interfaces\{D7E0A858-3AF3-4666-A8D6-51172CDC26CF} : NameServer = 192.168.0.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\richard.ace\application data\mozilla\firefox\profiles\c61rolwj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aceproductsusa.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\richard.ace\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\richard.ace\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\richard.ace\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-16 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-16 337880]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2011-12-12 13696]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-16 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-16 44768]
R2 FedExAdminService;FedEx Administration Service;c:\program files\fedex\shipmanager\bin\AdminService.exe [2011-11-23 24576]
R2 FedExLoggingService;FedEx Logging Service;c:\program files\fedex\shipmanager\bin\FedEx.Gsm.Common.LoggingService.exe [2011-11-23 7168]
R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\fedex\shipmanager\sqlanywhere\bin32\dbsrv11.exe [2011-11-23 141176]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435496]
R3 FedExShipService;FedEx Shipping Engine;c:\program files\fedex\shipmanager\bin\ShipEngineService.exe [2011-11-23 5120]
R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\fedex\shipmanager\bin\TransEngineService.exe [2011-11-23 6656]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-9-27 50176]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-9-27 30392]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-9-27 2136224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 wntpport;wntpport; [x]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-3-20 129976]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 Peachtree SmartPosting 2012;Peachtree SmartPosting 2012;c:\program files\sage\peachtree\SmartPostingService2012.exe [2011-4-7 43848]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [2011-11-2 13359]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0151;RsFx0151 Driver;c:\windows\system32\drivers\RsFx0151.sys [2011-6-17 240736]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2011-6-17 370016]
.
=============== Created Last 30 ================
.
2012-03-20 21:14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-03-20 21:14:31 145960 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-03-20 21:14:31 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-03-13 15:30:35 -------- d-----w- c:\program files\common files\Software Update Utility
2012-03-12 15:43:34 -------- d-----w- c:\program files\Comm100 Live Chat Visitor Monitor
2012-03-12 15:25:22 -------- d-----w- c:\documents and settings\richard.ace\application data\com.promomarketing.suppliers.si
2012-03-12 15:25:11 -------- d-----w- c:\program files\PMSupplierInterface3
2012-02-21 16:51:48 -------- d-----w- c:\documents and settings\richard.ace\local settings\application data\AIM
2012-02-21 16:51:44 -------- d-----w- c:\documents and settings\all users\application data\AIM
2012-02-21 16:51:40 -------- d-----w- c:\program files\AIM
2012-02-20 21:23:00 -------- d-----w- c:\program files\iPod
.
==================== Find3M ====================
.
2012-03-14 14:36:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 16:32:00.44 ===============
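The entry the rest of this thread turns on is easy to miss in a log this long: both uRun and dRun carry an `[Update]` value that runs rundll32.exe against a DLL with a random-looking name under the user's Application Data folder, and the same log lists two Firefox plugins loaded from the profile rather than Program Files. As an added example that is not part of the original thread, the Python script below applies that triage to DDS-style lines. The sample lines are copied from the log above; the mapping of the u/m/d prefixes to HKCU, HKLM and HKU\.DEFAULT, the "user-writable path" pattern and the consonant-run heuristic are my own assumptions, not anything DDS or BleepingComputer publish.

```python
"""Triage of DDS-style autostart lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in post #1, trimmed so
# the script runs offline. uRun/mRun/dRun are assumed to be the Run keys of
# the current-user, machine and default-user hives (my reading of DDS).
SAMPLE_DDS = r"""
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [Google Update] "c:\documents and settings\richard.ace\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Update] rundll32.exe "c:\documents and settings\richard.ace\application data\dropbox\dropbox\zchvwceaw.dll",DllRegisterServer
mRun: [<NO NAME>]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [Update] rundll32.exe "c:\documents and settings\richard.ace\application data\dropbox\dropbox\zchvwceaw.dll",DllRegisterServer
FF - plugin: c:\documents and settings\richard.ace\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
"""

RUN_LINE = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FF_PLUGIN = re.compile(r"^FF - plugin:\s*(?P<path>.+\.dll)\s*$", re.IGNORECASE)
# rundll32 <dll>,<export>, with or without quotes around the DLL path.
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)',
                    re.IGNORECASE)
# Locations an unprivileged XP user can write to (assumption: profile dirs only).
USER_WRITABLE = re.compile(r"\\documents and settings\\[^\\]+\\(?:application data|local settings)\\",
                           re.IGNORECASE)
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}


def random_looking(stem):
    """Crude heuristic: four or more consonants in a row is rare in vendor-chosen names."""
    return re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", stem.lower()) is not None


def triage(text):
    """Return a list of findings (dicts) for the suspicious autostart lines in text."""
    findings = []
    seen = defaultdict(set)  # (value name, command) -> hives it appears in
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd").strip()
            if not cmd:
                continue  # "[<NO NAME>]" / "[AdobeBridge]" placeholders carry no command
            seen[(name, cmd)].add(HIVES[hive])
            r = RUNDLL.match(cmd)
            if r and USER_WRITABLE.search(r.group("dll")):
                stem = r.group("dll").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                findings.append({
                    "severity": "high",
                    "where": f"{HIVES[hive]}\\...\\Run [{name}]",
                    "why": "rundll32 loads a DLL from a user-writable profile path"
                           + (", random-looking file name" if random_looking(stem) else ""),
                    "artifact": r.group("dll"),
                })
            continue
        p = FF_PLUGIN.match(line)
        if p and USER_WRITABLE.search(p.group("path")):
            findings.append({
                "severity": "medium",
                "where": "Firefox plugin",
                "why": "plugin loaded from the user profile, not Program Files; verify publisher",
                "artifact": p.group("path"),
            })
    # The same value in more than one hive is a persistence pattern worth its own line.
    for (name, cmd), hives in seen.items():
        if len(hives) > 1:
            findings.append({
                "severity": "high",
                "where": " + ".join(sorted(hives)),
                "why": f"identical Run entry [{name}] in {len(hives)} hives",
                "artifact": cmd,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['where']}: {f['why']}\n         {f['artifact']}")
```

Run on the sample, the script reports the `[Update]` value twice (once per hive), the npoff.dll plugin, and a fourth line noting that the same entry is present in both HKCU and HKU\.DEFAULT, which is why killing the rundll32.exe process alone, as the poster does in the next reply, only silences it until the next logon. The Google Update entry also lives under the profile but is not flagged, because it is an EXE launched directly rather than a DLL handed to rundll32.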

#2 rbarlund (Topic Starter)
Posted 22 March 2012 - 03:11 PM

Same result with GMER.exe. I have run it 4 times, takes a few hours to finish. 3 of the 4 have ended in BSOD, the other time it ended with computer lock up. At the end of the run, an error message (unfortunately I didn't catch all of what it said) said something about not being able to save to $\Directory the information is lost. Shortly after comes the BSOD.

I noticed in my running processes, RunDLL32.exe running under my username, not under system or local service, so I terminated it. I do not get the redirect anymore. However, I am sure when I restart my computer the next time it will run again. So I need to get rid of it.

#3 gringo_pr (Malware Response Team)
Posted 23 March 2012 - 12:14 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so!
Doing so will at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.

2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.

3. After each step give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.

4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 rbarlund (Topic Starter)
Posted 23 March 2012 - 11:29 AM

Hi Gringo,

Thanks for giving me a hand.

I followed the instructions. Combo fix was running, restarted the computer, got to stage 30 something, then BSOD. BSOD referenced the file aswsnx.sys. Should I make the attempt to run Combo Fix again? This is the same file that was causing problems when I tried to run GMER.exe. Any suggestions?

Thank you.

#5 gringo_pr (Malware Response Team)
Posted 23 March 2012 - 03:30 PM

Hello

OK, let's try this. I want you to run Combofix in Safe Mode, but it is very important that when Combofix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After Combofix has finished its scan, please post the report back here.

Gringo

#6 rbarlund (Topic Starter)
Posted 23 March 2012 - 05:41 PM

OK, that worked. Here is the log. I checked Internet Explorer and Firefox and there was no redirecting this time. Also, the RunDLL32.exe that was running under my username in the Task Manager was not running after the restart this time. Let me know what is next.

ComboFix 12-03-22.01 - Richard 03/23/2012 15:13:57.2.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2978 [GMT -7:00]
Running from: c:\documents and settings\Richard.ACE\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Richard.ACE\Application Data\Dropbox\Dropbox\zchvwceaw.dll
c:\windows\system32\Cache
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET18E.tmp
c:\windows\system32\SET18F.tmp
c:\windows\system32\SET190.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-23 16:16 . 2012-03-23 16:16 -------- d-----w- C:\avast! sandbox
2012-03-21 14:55 . 2012-03-21 14:55 -------- d-----w- c:\program files\iPod
2012-03-21 14:55 . 2012-03-21 14:56 -------- d-----w- c:\program files\iTunes
2012-03-20 21:14 . 2012-03-23 19:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-03-20 21:14 . 2012-03-23 19:05 145960 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-03-20 21:14 . 2012-03-23 19:05 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-03-13 15:30 . 2012-03-13 15:30 -------- d-----w- c:\program files\Common Files\Software Update Utility
2012-03-12 15:43 . 2012-03-12 15:43 -------- d-----w- c:\program files\Comm100 Live Chat Visitor Monitor
2012-03-12 15:25 . 2012-03-12 15:25 -------- d-----w- c:\documents and settings\Richard.ACE\Application Data\com.promomarketing.suppliers.si
2012-03-12 15:25 . 2012-03-12 15:25 -------- d-----w- c:\program files\PMSupplierInterface3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 14:36 . 2011-05-24 18:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15 . 2011-05-16 16:34 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-05-16 16:34 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-05-16 16:34 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2011-05-16 16:34 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2011-05-16 16:34 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2011-05-16 16:34 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-05-16 16:34 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2011-05-16 16:34 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2011-05-16 16:34 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2011-05-16 16:34 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-02-15 18:01 . 2011-10-18 17:00 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 18:01 . 2011-10-18 17:00 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22 . 2004-08-04 10:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-16 00:41 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-09-27 16:48 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-23 19:05 . 2011-05-18 22:27 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"Aim"="c:\program files\AIM\aim.exe" [2012-02-29 4321112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-09-28 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"PeachtreePrefetcher.exe"="c:\program files\SAGE\Peachtree\PeachtreePrefetcher.exe" [2011-12-27 30024]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Richard\Application Data\lpuninstall.exe [2011-5-11 5855432]
.
c:\documents and settings\Richard.ACE\Start Menu\Programs\Startup\
Comm100 Live Chat Visitor Monitor.lnk - c:\program files\Comm100 Live Chat Visitor Monitor\Comm100 Live Chat Visitor Monitor.exe [2012-3-12 142336]
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2010-9-27 845584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS WorldShip Messaging Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk
backup=c:\windows\pss\UPS WorldShip Messaging Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS WorldShip PLD Reminder Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
backup=c:\windows\pss\UPS WorldShip PLD Reminder Utility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2012-01-03 16:23 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2012-01-04 06:50 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2010-07-06 08:00 33753712 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-07 02:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
2010-12-09 23:40 24576 ----a-w- c:\ups\WSTD\UPSNA1Msgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeachtreePrefetcher.exe]
2011-12-27 20:05 30024 ----a-r- c:\program files\SAGE\Peachtree\PeachtreePrefetcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 22:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 21:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxducoms.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS5\\Dreamweaver.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
.
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [9/27/2010 9:59 AM 50176]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [9/27/2010 3:28 PM 30392]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/16/2011 9:34 AM 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/16/2011 9:34 AM 337880]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/12/2011 11:51 AM 13696]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/16/2011 9:34 AM 20696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 FedExAdminService;FedEx Administration Service;c:\program files\FedEx\ShipManager\BIN\AdminService.exe [11/23/2011 4:30 PM 24576]
S2 FedExLoggingService;FedEx Logging Service;c:\program files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe [11/23/2011 4:28 PM 7168]
S2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe [11/23/2011 4:24 PM 141176]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
S2 wntpport;wntpport; [x]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]
S3 FedExShipService;FedEx Shipping Engine;c:\program files\FedEx\ShipManager\BIN\ShipEngineService.exe [11/23/2011 4:32 PM 5120]
S3 FedExTransactionService;FedEx Transaction Engine;c:\program files\FedEx\ShipManager\BIN\TransEngineService.exe [11/23/2011 4:29 PM 6656]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [3/20/2012 2:14 PM 129976]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 Peachtree SmartPosting 2012;Peachtree SmartPosting 2012;c:\program files\SAGE\Peachtree\SmartPostingService2012.exe [4/7/2011 6:21 AM 43848]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [11/2/2011 3:44 PM 13359]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [9/27/2010 3:24 PM 2136224]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 3:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 11:56 AM 44896]
S4 RsFx0151;RsFx0151 Driver;c:\windows\system32\drivers\RsFx0151.sys [6/17/2011 9:28 PM 240736]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [6/17/2011 10:19 PM 370016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-23 c:\windows\Tasks\AdobeAAMUpdater-1.0-ACE-Richard.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-09-28 10:44]
.
2012-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-03-02 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2004-08-04 10:00]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4209273957-4110383426-3296215054-1124Core.job
- c:\documents and settings\Richard.ACE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-16 16:27]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4209273957-4110383426-3296215054-1124UA.job
- c:\documents and settings\Richard.ACE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-16 16:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aceproductsusa.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{D7E0A858-3AF3-4666-A8D6-51172CDC26CF}: NameServer = 192.168.0.2
FF - ProfilePath - c:\documents and settings\Richard.ACE\Application Data\Mozilla\Firefox\Profiles\c61rolwj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aceproductsusa.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-AIM for Windows - c:\documents and settings\Richard.ACE\Local Settings\Application Data\AOL\AIM\aim.exe
HKU-Default-Run-Update - c:\documents and settings\Richard.ACE\Application Data\Dropbox\Dropbox\zchvwceaw.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-23 15:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5BE3D010-3EF3-EA3A-19EA72F7729702DF}\{352FFD75-9B70-D323-D2F13A6467AA3E3D}\{81CD47E4-7EF3-579C-2C259DBE42414B54}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EC7A25C-208B-259B-D0F10B7D70121E6A}\{B30129B8-8481-85C6-1CF8CC8FAFB9C5A4}\{9F5D8B19-EFCA-EE59-2A819F5112EEBB2A}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,e0,7b,d7,
81,94,35,5e,2a,95,bd,77,08,7e,ca,83,a0,1b,60,1a,35,a1,d5,de,43,bb,14,c3,8a,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:a1,96,f3,ab,d6,f9,13,0b,76,fd,99,02,0b,37,7e,da,66,7b,00,59,c7,
f2,cb,d3,43,aa,71,36,38,2e,24,9c,a2,d6,15,b0,e3,88,8a,18,b8,05,60,4f,d5,24,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EA20B5D7-213B-BF6A-A687F1F5E27AC26F}\{EEE35091-0AEA-CF92-BEFE1061EF739928}\{47B248DC-A6E0-641B-BA973614FEEFC865}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,e0,7b,d7,
81,94,35,5e,2a,95,bd,77,08,7e,ca,83,a0,1b,60,1a,35,a1,d5,de,43,bb,14,c3,8a,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:a1,96,f3,ab,d6,f9,13,0b,76,fd,99,02,0b,37,7e,da,66,7b,00,59,c7,
f2,cb,d3,43,aa,71,36,38,2e,24,9c,a2,d6,15,b0,e3,88,8a,18,b8,05,60,4f,d5,24,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2012-03-23 15:29:49
ComboFix-quarantined-files.txt 2012-03-23 22:29
.
Pre-Run: 471,215,280,128 bytes free
Post-Run: 471,721,242,624 bytes free
.
- - End Of File - - 93A5AC4A7A9EA5D95831669798CD5C39
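An added triage pass over the kind of ComboFix output posted above; this is example code written for this page, not part of the original post, of ComboFix, or of any BleepingComputer tool. The sample lines are copied from the log above. Everything it flags rests on assumptions of its own: the list of remote-administration ports, the reading of a `:Disabled:` field in an XP firewall exception as "rule switched off", the reading of `[x]` as "image file missing" and `[?]` as "file could not be read", and a random-filename heuristic (an all-lowercase stem of eight or more letters containing a run of five or more consonants, such as the `zchvwceaw.dll` orphan). A hit is something to look at, not a verdict.

```python
import re

# Lines copied from the ComboFix log posted above: the firewall exceptions,
# a few service entries and the "ORPHANS REMOVED" block (constructed sample input).
SAMPLE_LOG = r'''
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [9/27/2010 9:59 AM 50176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S2 wntpport;wntpport; [x]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-AIM for Windows - c:\documents and settings\Richard.ACE\Local Settings\Application Data\AOL\AIM\aim.exe
HKU-Default-Run-Update - c:\documents and settings\Richard.ACE\Application Data\Dropbox\Dropbox\zchvwceaw.dll
'''

# Assumption: ports an analyst wants to see opened on a workstation firewall.
REMOTE_ADMIN_PORTS = {23: "telnet", 3389: "RDP", 5900: "VNC",
                      5985: "WinRM HTTP", 5986: "WinRM HTTPS"}

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"= (.*)$')                 # "3389:TCP"= 3389:TCP:...
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*)$')        # S2 name;description;image [info]
ORPHAN_RE = re.compile(r'^(HK(?:LM|CU|U)-.+?) - (.*)$')            # HKU-Default-Run-Update - path
IMAGE_FLAG_RE = re.compile(r'\[(x|\?)\]$')                         # trailing [x] or [?] marker
PROFILE_RE = re.compile(r'\\documents and settings\\', re.I)       # XP user-profile root


def looks_random(stem):
    """Heuristic (assumption): all-lowercase stem, 8+ letters, a 5+ consonant run."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    longest = max((len(run) for run in re.findall(r'[^aeiou]+', stem)), default=0)
    return longest >= 5


def basename_stem(path):
    """'c:\\dir\\zchvwceaw.dll' -> 'zchvwceaw'."""
    name = path.strip().split('\\')[-1]
    return name.rsplit('.', 1)[0]


def triage(lines):
    """Return (category, detail) findings for the recognised ComboFix line types."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = PORT_RE.match(line)
        if m:
            port, proto, value = int(m.group(1)), m.group(2), m.group(3)
            enabled = ':Disabled:' not in value  # assumption about the XP exception format
            if enabled and port in REMOTE_ADMIN_PORTS:
                findings.append(('firewall',
                                 f'{port}/{proto} ({REMOTE_ADMIN_PORTS[port]}) exception is enabled'))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, image = m.group(1), m.group(2), m.group(4).strip()
            flag = IMAGE_FLAG_RE.search(image)
            if flag and flag.group(1) == 'x':
                findings.append(('service', f'{name} ({start}): service image file is missing'))
            elif flag:
                findings.append(('service', f'{name} ({start}): image could not be verified: {image}'))
            else:
                path = image.split(' [')[0].split(' --> ')[-1]
                if looks_random(basename_stem(path)):
                    findings.append(('service', f'{name} ({start}): randomly named image: {path}'))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            key, target = m.groups()
            if target == '(no file)':
                continue  # registry value pointed nowhere; nothing left to inspect
            if PROFILE_RE.search(target) and looks_random(basename_stem(target)):
                findings.append(('autorun',
                                 f'{key}: randomly named file under a user profile: {target}'))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG.splitlines()):
        print(f'[{category}] {detail}')
```

Run as-is it lists the enabled RDP exception, the two services whose image ComboFix could not read, the `wntpport` service with no image at all, and the randomly named DLL in the Dropbox folder; the disabled WinRM exception and the AIM autorun under the same profile are left alone. Point it at a full ComboFix log with `triage(open('ComboFix.txt', errors='replace'))`.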

#7 rbarlund
Topic Starter, Members, 13 posts

Posted 23 March 2012 - 05:43 PM

Gringo, as an FYI, this is my work computer. I am leaving work in about 2 hours and won't be back in until Monday morning about 8 PST. So if you don't get a response out of me, that should be why.

#8 gringo_pr
Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico

Posted 23 March 2012 - 06:30 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure; click Continue.
  • If a suspicious file is detected, the default action will be Skip; click Continue.
  • It may ask you to reboot the computer to complete the process. Click Reboot Now.
  • If no reboot is required, click Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr
Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico

Posted 26 March 2012 - 08:55 AM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#10 rbarlund
Topic Starter, Members, 13 posts

Posted 26 March 2012 - 11:19 AM

Good morning, Gringo, I just got in to work and will run the next few tests. I'll post the logs when they are done.

#11 gringo_pr
Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico

Posted 26 March 2012 - 11:29 AM

OK, I will be in and out today, so check back often.


gringo

#12 rbarlund
Topic Starter, Members, 13 posts

Posted 26 March 2012 - 11:33 AM

09:18:27.0267 4332 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
09:18:27.0832 4332 ============================================================
09:18:27.0832 4332 Current date / time: 2012/03/26 09:18:27.0832
09:18:27.0832 4332 SystemInfo:
09:18:27.0832 4332
09:18:27.0832 4332 OS Version: 5.1.2600 ServicePack: 3.0
09:18:27.0832 4332 Product type: Workstation
09:18:27.0832 4332 ComputerName: DESIGN
09:18:27.0832 4332 UserName: Richard
09:18:27.0832 4332 Windows directory: C:\WINDOWS
09:18:27.0832 4332 System windows directory: C:\WINDOWS
09:18:27.0832 4332 Processor architecture: Intel x86
09:18:27.0832 4332 Number of processors: 4
09:18:27.0832 4332 Page size: 0x1000
09:18:27.0832 4332 Boot type: Normal boot
09:18:27.0832 4332 ============================================================
09:18:29.0747 4332 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:18:29.0763 4332 \Device\Harddisk0\DR0:
09:18:29.0763 4332 MBR used
09:18:29.0763 4332 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x57541401
09:18:29.0794 4332 Initialize success
09:18:29.0794 4332 ============================================================
09:18:35.0287 5484 ============================================================
09:18:35.0287 5484 Scan started
09:18:35.0287 5484 Mode: Manual;
09:18:35.0287 5484 ============================================================
09:18:35.0663 5484 Aavmker4 (473f97edc5a5312f3665ab2921196c0c) C:\WINDOWS\system32\drivers\Aavmker4.sys
09:18:35.0663 5484 Aavmker4 - ok
09:18:35.0663 5484 Abiosdsk - ok
09:18:35.0679 5484 abp480n5 - ok
09:18:35.0710 5484 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:18:35.0710 5484 ACPI - ok
09:18:35.0757 5484 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:18:35.0757 5484 ACPIEC - ok
09:18:35.0773 5484 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\WINDOWS\system32\drivers\adfs.sys
09:18:35.0773 5484 adfs - ok
09:18:35.0899 5484 Adobe Version Cue CS4 (9444a3530c2e88b7ed96a566ff9ccc13) C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
09:18:35.0899 5484 Adobe Version Cue CS4 - ok
09:18:35.0914 5484 adpu160m - ok
09:18:35.0946 5484 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:18:35.0946 5484 aec - ok
09:18:35.0961 5484 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:18:35.0961 5484 AFD - ok
09:18:35.0961 5484 Aha154x - ok
09:18:35.0961 5484 aic78u2 - ok
09:18:35.0977 5484 aic78xx - ok
09:18:35.0993 5484 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
09:18:35.0993 5484 Alerter - ok
09:18:36.0024 5484 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
09:18:36.0024 5484 ALG - ok
09:18:36.0024 5484 AliIde - ok
09:18:36.0071 5484 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
09:18:36.0071 5484 AmdPPM - ok
09:18:36.0071 5484 amsint - ok
09:18:36.0134 5484 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
09:18:36.0134 5484 Apple Mobile Device - ok
09:18:36.0150 5484 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
09:18:36.0165 5484 AppMgmt - ok
09:18:36.0165 5484 asc - ok
09:18:36.0165 5484 asc3350p - ok
09:18:36.0181 5484 asc3550 - ok
09:18:36.0275 5484 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
09:18:36.0275 5484 aspnet_state - ok
09:18:36.0307 5484 aswFsBlk (0ae43c6c411254049279c2ee55630f95) C:\WINDOWS\system32\drivers\aswFsBlk.sys
09:18:36.0307 5484 aswFsBlk - ok
09:18:36.0322 5484 aswMon2 (8c30b7ddd2f1d8d138ebe40345af2b11) C:\WINDOWS\system32\drivers\aswMon2.sys
09:18:36.0322 5484 aswMon2 - ok
09:18:36.0322 5484 aswRdr (da12626fd9a67f4e917e2f2fbe1e1764) C:\WINDOWS\system32\drivers\aswRdr.sys
09:18:36.0322 5484 aswRdr - ok
09:18:36.0338 5484 aswSnx (dcb199b967375753b5019ec15f008f53) C:\WINDOWS\system32\drivers\aswSnx.sys
09:18:36.0338 5484 aswSnx - ok
09:18:36.0354 5484 aswSP (b32873e5a1443c0a1e322266e203bf10) C:\WINDOWS\system32\drivers\aswSP.sys
09:18:36.0354 5484 aswSP - ok
09:18:36.0354 5484 aswTdi (6ff544175a9180c5d88534d3d9c9a9f7) C:\WINDOWS\system32\drivers\aswTdi.sys
09:18:36.0354 5484 aswTdi - ok
09:18:36.0369 5484 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:18:36.0369 5484 AsyncMac - ok
09:18:36.0369 5484 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:18:36.0369 5484 atapi - ok
09:18:36.0385 5484 Atdisk - ok
09:18:36.0432 5484 Ati HotKey Poller (d80a3fd3db6f999f6d1c6d23a293851b) C:\WINDOWS\system32\Ati2evxx.exe
09:18:36.0448 5484 Ati HotKey Poller - ok
09:18:36.0605 5484 ati2mtag (c832bf76f003999d2e91e5115583c69e) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
09:18:36.0652 5484 ati2mtag - ok
09:18:36.0699 5484 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
09:18:36.0699 5484 AtiHdmiService - ok
09:18:36.0715 5484 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:18:36.0715 5484 Atmarpc - ok
09:18:36.0730 5484 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
09:18:36.0730 5484 AudioSrv - ok
09:18:36.0793 5484 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:18:36.0793 5484 audstub - ok
09:18:36.0997 5484 avast! Antivirus (4041d31508a2a084dfb42c595854090f) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
09:18:36.0997 5484 avast! Antivirus - ok
09:18:37.0185 5484 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:18:37.0185 5484 Beep - ok
09:18:37.0232 5484 BIOS (be5d50529799b9bab6be879ec768b6cf) C:\WINDOWS\system32\drivers\BIOS.sys
09:18:37.0232 5484 BIOS - ok
09:18:37.0280 5484 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
09:18:37.0280 5484 BITS - ok
09:18:37.0327 5484 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
09:18:37.0342 5484 Bonjour Service - ok
09:18:37.0358 5484 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
09:18:37.0358 5484 Browser - ok
09:18:37.0499 5484 catchme - ok
09:18:37.0515 5484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:18:37.0515 5484 cbidf2k - ok
09:18:37.0531 5484 cd20xrnt - ok
09:18:37.0578 5484 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:18:37.0578 5484 Cdaudio - ok
09:18:37.0593 5484 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:18:37.0593 5484 Cdfs - ok
09:18:37.0609 5484 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:18:37.0609 5484 Cdrom - ok
09:18:37.0625 5484 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
09:18:37.0625 5484 cercsr6 - ok
09:18:37.0640 5484 Changer - ok
09:18:37.0672 5484 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
09:18:37.0672 5484 CiSvc - ok
09:18:37.0672 5484 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
09:18:37.0672 5484 ClipSrv - ok
09:18:37.0735 5484 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
09:18:37.0782 5484 clr_optimization_v2.0.50727_32 - ok
09:18:37.0844 5484 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
09:18:38.0049 5484 clr_optimization_v4.0.30319_32 - ok
09:18:38.0080 5484 CmdIde - ok
09:18:38.0096 5484 COMSysApp - ok
09:18:38.0205 5484 Cpqarray - ok
09:18:38.0221 5484 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
09:18:38.0221 5484 CryptSvc - ok
09:18:38.0237 5484 dac2w2k - ok
09:18:38.0253 5484 dac960nt - ok
09:18:38.0300 5484 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
09:18:38.0300 5484 DcomLaunch - ok
09:18:38.0331 5484 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
09:18:38.0347 5484 Dhcp - ok
09:18:38.0378 5484 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:18:38.0378 5484 Disk - ok
09:18:38.0394 5484 dmadmin - ok
09:18:38.0441 5484 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:18:38.0457 5484 dmboot - ok
09:18:38.0457 5484 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:18:38.0472 5484 dmio - ok
09:18:38.0488 5484 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:18:38.0488 5484 dmload - ok
09:18:38.0519 5484 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
09:18:38.0519 5484 dmserver - ok
09:18:38.0566 5484 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:18:38.0566 5484 DMusic - ok
09:18:38.0582 5484 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
09:18:38.0582 5484 Dnscache - ok
09:18:38.0645 5484 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
09:18:38.0645 5484 Dot3svc - ok
09:18:38.0645 5484 dpti2o - ok
09:18:38.0661 5484 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:18:38.0661 5484 drmkaud - ok
09:18:38.0676 5484 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
09:18:38.0676 5484 EapHost - ok
09:18:38.0692 5484 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
09:18:38.0708 5484 ERSvc - ok
09:18:38.0770 5484 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
09:18:38.0786 5484 Eventlog - ok
09:18:38.0802 5484 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
09:18:38.0817 5484 EventSystem - ok
09:18:38.0833 5484 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:18:38.0833 5484 Fastfat - ok
09:18:38.0880 5484 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
09:18:38.0880 5484 FastUserSwitchingCompatibility - ok
09:18:38.0927 5484 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
09:18:38.0943 5484 Fax - ok
09:18:38.0990 5484 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
09:18:38.0990 5484 Fdc - ok
09:18:39.0241 5484 FedExAdminService (4336e78e5631477c860239c7cb758e0e) C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe
09:18:39.0241 5484 FedExAdminService - ok
09:18:39.0273 5484 FedExLoggingService (9a8442e41db1284cf0ef44d605e7e49e) C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
09:18:39.0273 5484 FedExLoggingService - ok
09:18:39.0320 5484 FedExShipnetDBService (bb60972e2eb2d5cf1f1979c4032c2eec) C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
09:18:39.0320 5484 FedExShipnetDBService - ok
09:18:39.0335 5484 FedExShipService (683f4e91fc038b2659540b0113475259) C:\Program Files\FedEx\ShipManager\BIN\ShipEngineService.exe
09:18:39.0351 5484 FedExShipService - ok
09:18:39.0367 5484 FedExTransactionService (188ec8068734dfc898952d20b8f92616) C:\Program Files\FedEx\ShipManager\BIN\TransEngineService.exe
09:18:39.0367 5484 FedExTransactionService - ok
09:18:39.0398 5484 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:18:39.0398 5484 Fips - ok
09:18:39.0461 5484 FLEXnet Licensing Service (1f63900e2eb00101b9aca2b7a870704e) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
09:18:39.0477 5484 FLEXnet Licensing Service - ok
09:18:39.0477 5484 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:18:39.0477 5484 Flpydisk - ok
09:18:39.0508 5484 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
09:18:39.0508 5484 FltMgr - ok
09:18:39.0602 5484 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
09:18:39.0602 5484 FontCache3.0.0.0 - ok
09:18:39.0634 5484 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:18:39.0634 5484 Fs_Rec - ok
09:18:39.0681 5484 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:18:39.0681 5484 Ftdisk - ok
09:18:39.0712 5484 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
09:18:39.0728 5484 GEARAspiWDM - ok
09:18:39.0759 5484 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:18:39.0759 5484 Gpc - ok
09:18:39.0775 5484 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:18:39.0775 5484 HDAudBus - ok
09:18:39.0822 5484 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
09:18:39.0822 5484 helpsvc - ok
09:18:39.0869 5484 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
09:18:39.0869 5484 HidServ - ok
09:18:39.0916 5484 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:18:39.0916 5484 HidUsb - ok
09:18:39.0979 5484 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
09:18:39.0994 5484 hkmsvc - ok
09:18:40.0010 5484 hpn - ok
09:18:40.0073 5484 HSFHWBS2 (6db36593abdda54c505b77a4f135d5f3) C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys
09:18:40.0104 5484 HSFHWBS2 - ok
09:18:40.0308 5484 HSF_DPV (01dc6300bd5b4eaa3de6fc3fa4adb82a) C:\WINDOWS\system32\DRIVERS\USR_MDMV.sys
09:18:40.0324 5484 HSF_DPV - ok
09:18:40.0402 5484 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:18:40.0402 5484 HTTP - ok
09:18:40.0434 5484 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
09:18:40.0434 5484 HTTPFilter - ok
09:18:40.0450 5484 i2omgmt - ok
09:18:40.0450 5484 i2omp - ok
09:18:40.0465 5484 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:18:40.0465 5484 i8042prt - ok
09:18:40.0575 5484 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
09:18:40.0575 5484 IDriverT - ok
09:18:40.0826 5484 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
09:18:40.0873 5484 idsvc - ok
09:18:40.0920 5484 IISADMIN (db3c22745c0da4666f3be31f1af36b2f) C:\WINDOWS\system32\inetsrv\inetinfo.exe
09:18:40.0920 5484 IISADMIN - ok
09:18:40.0936 5484 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:18:40.0936 5484 Imapi - ok
09:18:40.0983 5484 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
09:18:40.0983 5484 ImapiService - ok
09:18:41.0156 5484 ini910u - ok
09:18:41.0281 5484 IntelIde - ok
09:18:41.0344 5484 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
09:18:41.0344 5484 Ip6Fw - ok
09:18:41.0360 5484 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:18:41.0375 5484 IpFilterDriver - ok
09:18:41.0375 5484 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:18:41.0375 5484 IpInIp - ok
09:18:41.0407 5484 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:18:41.0407 5484 IpNat - ok
09:18:41.0485 5484 iPod Service (ce004777b92dea56fe14ec900d20baa4) C:\Program Files\iPod\bin\iPodService.exe
09:18:41.0532 5484 iPod Service - ok
09:18:41.0579 5484 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:18:41.0579 5484 IPSec - ok
09:18:41.0595 5484 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:18:41.0595 5484 IRENUM - ok
09:18:41.0627 5484 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:18:41.0627 5484 isapnp - ok
09:18:41.0736 5484 JavaQuickStarterService (5e06a9d23727daf96faa796f1135fdcd) C:\Program Files\Java\jre6\bin\jqs.exe
09:18:41.0752 5484 JavaQuickStarterService - ok
09:18:41.0799 5484 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:18:41.0815 5484 Kbdclass - ok
09:18:41.0831 5484 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:18:41.0831 5484 kbdhid - ok
09:18:41.0893 5484 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:18:41.0909 5484 kmixer - ok
09:18:41.0940 5484 KMWDFILTER (566c5fd480fdbce3ba5cf9fbcffaea9a) C:\WINDOWS\system32\DRIVERS\KMWDFILTER.sys
09:18:41.0940 5484 KMWDFILTER - ok
09:18:41.0987 5484 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:18:41.0987 5484 KSecDD - ok
09:18:42.0191 5484 L1c (62f96e23a70ce0197017ffd990513c27) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
09:18:42.0191 5484 L1c - ok
09:18:42.0364 5484 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
09:18:42.0364 5484 lanmanserver - ok
09:18:42.0411 5484 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
09:18:42.0411 5484 lanmanworkstation - ok
09:18:42.0443 5484 lbrtfdc - ok
09:18:42.0474 5484 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
09:18:42.0474 5484 LmHosts - ok
09:18:42.0490 5484 lxdu_device - ok
09:18:42.0521 5484 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
09:18:42.0521 5484 mdmxsdk - ok
09:18:42.0552 5484 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
09:18:42.0552 5484 Messenger - ok
09:18:42.0647 5484 Microsoft Office Groove Audit Service (123271bd5237ab991dc5c21fdf8835eb) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
09:18:42.0647 5484 Microsoft Office Groove Audit Service - ok
09:18:42.0678 5484 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:18:42.0678 5484 mnmdd - ok
09:18:42.0709 5484 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
09:18:42.0725 5484 mnmsrvc - ok
09:18:42.0756 5484 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:18:42.0756 5484 Modem - ok
09:18:42.0772 5484 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:18:42.0788 5484 Mouclass - ok
09:18:42.0835 5484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:18:42.0835 5484 mouhid - ok
09:18:42.0851 5484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:18:42.0851 5484 MountMgr - ok
09:18:43.0337 5484 MozillaMaintenance (65f455520aeaaccfb1bdf47f8ab308ee) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
09:18:43.0368 5484 MozillaMaintenance - ok
09:18:43.0368 5484 mraid35x - ok
09:18:43.0431 5484 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:18:43.0431 5484 MRxDAV - ok
09:18:43.0463 5484 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:18:43.0463 5484 MRxSmb - ok
09:18:43.0510 5484 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
09:18:43.0510 5484 MSDTC - ok
09:18:43.0604 5484 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:18:43.0604 5484 Msfs - ok
09:18:43.0604 5484 MSICDSetup - ok
09:18:43.0620 5484 MSIServer - ok
09:18:43.0667 5484 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:18:43.0667 5484 MSKSSRV - ok
09:18:43.0714 5484 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:18:43.0714 5484 MSPCLOCK - ok
09:18:43.0729 5484 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:18:43.0729 5484 MSPQM - ok
09:18:43.0776 5484 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:18:43.0776 5484 mssmbios - ok
09:18:43.0902 5484 MSSQL$SQLEXPRESS - ok
09:18:44.0028 5484 MSSQLServerADHelper100 (8e8e74c953eb0c4f8828d99d6f27fd6f) c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
09:18:44.0028 5484 MSSQLServerADHelper100 - ok
09:18:44.0090 5484 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:18:44.0090 5484 Mup - ok
09:18:44.0294 5484 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
09:18:44.0310 5484 napagent - ok
09:18:44.0389 5484 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:18:44.0420 5484 NDIS - ok
09:18:44.0436 5484 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:18:44.0436 5484 NdisTapi - ok
09:18:44.0467 5484 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:18:44.0467 5484 Ndisuio - ok
09:18:44.0545 5484 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:18:44.0545 5484 NdisWan - ok
09:18:44.0561 5484 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:18:44.0561 5484 NDProxy - ok
09:18:44.0608 5484 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:18:44.0608 5484 NetBIOS - ok
09:18:44.0671 5484 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:18:44.0687 5484 NetBT - ok
09:18:44.0734 5484 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
09:18:44.0749 5484 NetDDE - ok
09:18:44.0749 5484 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
09:18:44.0749 5484 NetDDEdsdm - ok
09:18:44.0812 5484 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
09:18:44.0812 5484 Netlogon - ok
09:18:44.0828 5484 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
09:18:44.0828 5484 Netman - ok
09:18:44.0938 5484 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
09:18:45.0032 5484 NetTcpPortSharing - ok
09:18:45.0267 5484 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
09:18:45.0267 5484 Nla - ok
09:18:45.0330 5484 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:18:45.0330 5484 Npfs - ok
09:18:45.0409 5484 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:18:45.0471 5484 Ntfs - ok
09:18:45.0597 5484 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
09:18:45.0613 5484 NtLmSsp - ok
09:18:45.0644 5484 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
09:18:45.0691 5484 NtmsSvc - ok
09:18:45.0722 5484 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:18:45.0722 5484 Null - ok
09:18:45.0738 5484 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:18:45.0754 5484 NwlnkFlt - ok
09:18:45.0754 5484 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:18:45.0770 5484 NwlnkFwd - ok
09:18:45.0879 5484 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
09:18:45.0895 5484 odserv - ok
09:18:46.0005 5484 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
09:18:46.0052 5484 ose - ok
09:18:46.0083 5484 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
09:18:46.0083 5484 Parport - ok
09:18:46.0099 5484 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:18:46.0099 5484 PartMgr - ok
09:18:46.0115 5484 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:18:46.0115 5484 ParVdm - ok
09:18:46.0130 5484 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:18:46.0130 5484 PCI - ok
09:18:46.0162 5484 PCIDump - ok
09:18:46.0162 5484 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:18:46.0162 5484 PCIIde - ok
09:18:46.0193 5484 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:18:46.0193 5484 Pcmcia - ok
09:18:46.0209 5484 PDCOMP - ok
09:18:46.0240 5484 PDFRAME - ok
09:18:46.0256 5484 PDRELI - ok
09:18:46.0256 5484 PDRFRAME - ok
09:18:46.0350 5484 Peachtree SmartPosting 2012 (d87c58dd652df387c4e9a0f9ce595d69) C:\Program Files\SAGE\Peachtree\SmartPostingService2012.exe
09:18:46.0586 5484 Peachtree SmartPosting 2012 - ok
09:18:46.0601 5484 perc2 - ok
09:18:46.0617 5484 perc2hib - ok
09:18:46.0680 5484 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
09:18:46.0680 5484 PlugPlay - ok
09:18:46.0727 5484 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
09:18:46.0742 5484 PolicyAgent - ok
09:18:46.0774 5484 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:18:46.0774 5484 PptpMiniport - ok
09:18:46.0805 5484 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
09:18:46.0805 5484 Processor - ok
09:18:46.0821 5484 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
09:18:46.0821 5484 ProtectedStorage - ok
09:18:46.0852 5484 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:18:46.0852 5484 PSched - ok
09:18:46.0994 5484 psqlWGE (bb05bba187e49e978c3e9dc2c979667e) C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
09:18:46.0994 5484 psqlWGE - ok
09:18:47.0025 5484 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:18:47.0041 5484 Ptilink - ok
09:18:47.0088 5484 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
09:18:47.0088 5484 PxHelp20 - ok
09:18:47.0103 5484 ql1080 - ok
09:18:47.0119 5484 Ql10wnt - ok
09:18:47.0135 5484 ql12160 - ok
09:18:47.0166 5484 ql1240 - ok
09:18:47.0182 5484 ql1280 - ok
09:18:47.0213 5484 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:18:47.0213 5484 RasAcd - ok
09:18:47.0260 5484 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
09:18:47.0276 5484 RasAuto - ok
09:18:47.0307 5484 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:18:47.0307 5484 Rasl2tp - ok
09:18:47.0355 5484 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
09:18:47.0370 5484 RasMan - ok
09:18:47.0417 5484 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:18:47.0417 5484 RasPppoe - ok
09:18:47.0449 5484 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:18:47.0449 5484 Raspti - ok
09:18:47.0511 5484 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:18:47.0511 5484 Rdbss - ok
09:18:47.0543 5484 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:18:47.0543 5484 RDPCDD - ok
09:18:47.0574 5484 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:18:47.0606 5484 rdpdr - ok
09:18:47.0731 5484 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
09:18:47.0731 5484 RDPWD - ok
09:18:47.0778 5484 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
09:18:47.0794 5484 RDSessMgr - ok
09:18:47.0810 5484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:18:47.0810 5484 redbook - ok
09:18:47.0857 5484 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
09:18:47.0857 5484 RemoteAccess - ok
09:18:47.0888 5484 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
09:18:47.0904 5484 RemoteRegistry - ok
09:18:47.0998 5484 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
09:18:47.0998 5484 ROOTMODEM - ok
09:18:48.0014 5484 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
09:18:48.0029 5484 RpcLocator - ok
09:18:48.0092 5484 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
09:18:48.0092 5484 RpcSs - ok
09:18:48.0155 5484 RsFx0151 (66a54bf20084400a7dd5e3b69e008799) C:\WINDOWS\system32\DRIVERS\RsFx0151.sys
09:18:48.0155 5484 RsFx0151 - ok
09:18:48.0186 5484 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
09:18:48.0202 5484 RSVP - ok
09:18:48.0249 5484 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
09:18:48.0249 5484 SamSs - ok
09:18:48.0296 5484 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
09:18:48.0312 5484 SCardSvr - ok
09:18:48.0343 5484 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
09:18:48.0359 5484 Schedule - ok
09:18:48.0406 5484 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:18:48.0406 5484 Secdrv - ok
09:18:48.0437 5484 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
09:18:48.0437 5484 seclogon - ok
09:18:48.0469 5484 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
09:18:48.0469 5484 SENS - ok
09:18:48.0516 5484 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:18:48.0516 5484 serenum - ok
09:18:48.0547 5484 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:18:48.0547 5484 Serial - ok
09:18:48.0594 5484 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:18:48.0594 5484 Sfloppy - ok
09:18:48.0626 5484 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
09:18:48.0641 5484 SharedAccess - ok
09:18:48.0688 5484 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
09:18:48.0688 5484 ShellHWDetection - ok
09:18:48.0720 5484 Simbad - ok
09:18:48.0736 5484 Sparrow - ok
09:18:48.0783 5484 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:18:48.0783 5484 splitter - ok
09:18:48.0845 5484 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
09:18:48.0861 5484 Spooler - ok
09:18:49.0049 5484 SQLAgent$SQLEXPRESS (230c6aa1091190d2fdb40766cbd3dbbd) c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE
09:18:49.0081 5484 SQLAgent$SQLEXPRESS - ok
09:18:49.0222 5484 SQLBrowser (7d67c07c63796775cc5492bcfeaff125) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
09:18:49.0253 5484 SQLBrowser - ok
09:18:49.0285 5484 SQLWriter (8e6e5cfa06769a417b03fd6faa29e010) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
09:18:49.0285 5484 SQLWriter - ok
09:18:49.0332 5484 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:18:49.0332 5484 sr - ok
09:18:49.0379 5484 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
09:18:49.0379 5484 srservice - ok
09:18:49.0442 5484 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:18:49.0473 5484 Srv - ok
09:18:49.0504 5484 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
09:18:49.0520 5484 SSDPSRV - ok
09:18:49.0552 5484 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
09:18:49.0567 5484 stisvc - ok
09:18:49.0614 5484 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:18:49.0614 5484 swenum - ok
09:18:49.0771 5484 SwitchBoard (f577910a133a592234ebaad3f3afa258) C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
09:18:49.0771 5484 SwitchBoard - ok
09:18:49.0818 5484 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:18:49.0818 5484 swmidi - ok
09:18:49.0834 5484 SwPrv - ok
09:18:49.0865 5484 SydexFDD (9b2bdd7a8629a9c5a55cd5635ddf136f) C:\WINDOWS\system32\Drivers\sydexfdd.sys
09:18:49.0865 5484 SydexFDD - ok
09:18:49.0881 5484 symc810 - ok
09:18:49.0897 5484 symc8xx - ok
09:18:49.0912 5484 sym_hi - ok
09:18:49.0912 5484 sym_u3 - ok
09:18:49.0960 5484 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:18:49.0960 5484 sysaudio - ok
09:18:49.0975 5484 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
09:18:49.0975 5484 SysmonLog - ok
09:18:50.0022 5484 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
09:18:50.0054 5484 TapiSrv - ok
09:18:50.0101 5484 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:18:50.0101 5484 Tcpip - ok
09:18:50.0132 5484 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:18:50.0132 5484 TDPIPE - ok
09:18:50.0164 5484 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:18:50.0179 5484 TDTCP - ok
09:18:50.0211 5484 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:18:50.0211 5484 TermDD - ok
09:18:50.0242 5484 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
09:18:50.0258 5484 TermService - ok
09:18:50.0289 5484 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
09:18:50.0289 5484 Themes - ok
09:18:50.0305 5484 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
09:18:50.0352 5484 TlntSvr - ok
09:18:50.0430 5484 TosIde - ok
09:18:50.0446 5484 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
09:18:50.0446 5484 TrkWks - ok
09:18:50.0462 5484 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:18:50.0462 5484 Udfs - ok
09:18:50.0462 5484 ultra - ok
09:18:50.0493 5484 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:18:50.0509 5484 Update - ok
09:18:50.0525 5484 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
09:18:50.0525 5484 upnphost - ok
09:18:50.0540 5484 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
09:18:50.0540 5484 UPS - ok
09:18:50.0556 5484 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
09:18:50.0556 5484 USBAAPL - ok
09:18:50.0572 5484 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:18:50.0572 5484 usbccgp - ok
09:18:50.0587 5484 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:18:50.0587 5484 usbehci - ok
09:18:50.0603 5484 usbfilter (e5b14557793164db879ee56f5b59c3e2) C:\WINDOWS\system32\DRIVERS\usbfilter.sys
09:18:50.0603 5484 usbfilter - ok
09:18:50.0603 5484 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:18:50.0603 5484 usbhub - ok
09:18:50.0634 5484 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
09:18:50.0634 5484 usbohci - ok
09:18:50.0650 5484 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:18:50.0650 5484 usbprint - ok
09:18:50.0650 5484 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:18:50.0650 5484 usbscan - ok
09:18:50.0666 5484 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:18:50.0666 5484 USBSTOR - ok
09:18:50.0666 5484 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:18:50.0666 5484 VgaSave - ok
09:18:50.0760 5484 VIAHdAudAddService (cbc1ce0a1fce0deed4f6f093be91d132) C:\WINDOWS\system32\drivers\viahduaa.sys
09:18:50.0760 5484 VIAHdAudAddService - ok
09:18:50.0776 5484 ViaIde - ok
09:18:50.0791 5484 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:18:50.0791 5484 VolSnap - ok
09:18:50.0823 5484 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
09:18:50.0823 5484 VSS - ok
09:18:50.0854 5484 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
09:18:50.0854 5484 W32Time - ok
09:18:50.0901 5484 W3SVC (db3c22745c0da4666f3be31f1af36b2f) C:\WINDOWS\system32\inetsrv\inetinfo.exe
09:18:50.0901 5484 W3SVC - ok
09:18:50.0917 5484 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:18:50.0917 5484 Wanarp - ok
09:18:50.0917 5484 WDICA - ok
09:18:50.0980 5484 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:18:50.0980 5484 wdmaud - ok
09:18:51.0011 5484 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
09:18:51.0011 5484 WebClient - ok
09:18:51.0074 5484 winachsf (35104d888a90ebc18f71fdc2374d2bb9) C:\WINDOWS\system32\DRIVERS\HSF_USR.sys
09:18:51.0184 5484 winachsf - ok
09:18:51.0262 5484 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
09:18:51.0262 5484 winmgmt - ok
09:18:51.0341 5484 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
09:18:51.0466 5484 WinRM - ok
09:18:51.0513 5484 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
09:18:51.0513 5484 WmdmPmSN - ok
09:18:51.0576 5484 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
09:18:51.0576 5484 Wmi - ok
09:18:51.0623 5484 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
09:18:51.0623 5484 WmiAcpi - ok
09:18:51.0639 5484 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
09:18:51.0654 5484 WmiApSrv - ok
09:18:51.0780 5484 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
09:18:51.0858 5484 WMPNetworkSvc - ok
09:18:51.0858 5484 wntpport - ok
09:18:52.0031 5484 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
09:18:52.0062 5484 WPFFontCache_v0400 - ok
09:18:52.0141 5484 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:18:52.0141 5484 WS2IFSL - ok
09:18:52.0157 5484 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
09:18:52.0172 5484 wscsvc - ok
09:18:52.0188 5484 WSearch - ok
09:18:52.0219 5484 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
09:18:52.0219 5484 wuauserv - ok
09:18:52.0251 5484 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:18:52.0266 5484 WudfPf - ok
09:18:52.0314 5484 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:18:52.0314 5484 WudfRd - ok
09:18:52.0439 5484 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
09:18:52.0455 5484 WudfSvc - ok
09:18:52.0502 5484 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
09:18:52.0518 5484 WZCSVC - ok
09:18:52.0580 5484 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
09:18:52.0596 5484 xmlprov - ok
09:18:52.0612 5484 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:18:53.0443 5484 \Device\Harddisk0\DR0 - ok
09:18:53.0443 5484 Boot (0x1200) (cf2d8356ad312e6829826978c426b481) \Device\Harddisk0\DR0\Partition0
09:18:53.0443 5484 \Device\Harddisk0\DR0\Partition0 - ok
09:18:53.0443 5484 ============================================================
09:18:53.0443 5484 Scan finished
09:18:53.0443 5484 ============================================================
09:18:53.0459 4172 Detected object count: 0
09:18:53.0459 4172 Actual detected object count: 0




aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-26 09:22:15
-----------------------------
09:22:15.056 OS Version: Windows 5.1.2600 Service Pack 3
09:22:15.056 Number of processors: 4 586 0x403
09:22:15.056 ComputerName: DESIGN UserName:
09:22:17.215 Initialize success
09:22:17.278 AVAST engine defs: 12032601
09:22:25.431 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:22:25.447 Disk 0 Vendor: WDC_WD7501AALS-00J7B0 05.00K05 Size: 715404MB BusType: 3
09:22:25.447 Disk 0 MBR read successfully
09:22:25.447 Disk 0 MBR scan
09:22:25.447 Disk 0 Windows XP default MBR code
09:22:25.447 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715394 MB offset 63
09:22:25.447 Disk 0 scanning sectors +1465128000
09:22:25.509 Disk 0 scanning C:\WINDOWS\system32\drivers
09:22:29.750 Service scanning
09:22:33.632 Service MSICDSetup D:\CDriver.sys **LOCKED** 21
09:22:38.874 Modules scanning
09:22:42.067 Disk 0 trace - called modules:
09:22:42.098 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:22:42.098 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac57ab8]
09:22:42.098 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006d[0x8ac699e8]
09:22:42.098 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ac69d98]
09:22:43.334 AVAST engine scan C:\WINDOWS
09:22:48.749 AVAST engine scan C:\WINDOWS\system32
09:25:45.135 AVAST engine scan C:\WINDOWS\system32\drivers
09:25:59.266 AVAST engine scan C:\Documents and Settings\Richard.ACE
09:27:49.775 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Richard.ACE\Desktop\MBR.dat"
09:27:49.775 The log file has been saved successfully to "C:\Documents and Settings\Richard.ACE\Desktop\aswMBR.txt"


Here are the next 2 logs. Let me know what you see.

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 March 2012 - 12:10 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5BE3D010-3EF3-EA3A-19EA72F7729702DF}\{352FFD75-9B70-D323-D2F13A6467AA3E3D}\{81CD47E4-7EF3-579C-2C259DBE42414B54}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EC7A25C-208B-259B-D0F10B7D70121E6A}\{B30129B8-8481-85C6-1CF8CC8FAFB9C5A4}\{9F5D8B19-EFCA-EE59-2A819F5112EEBB2A}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EA20B5D7-213B-BF6A-A687F1F5E27AC26F}\{EEE35091-0AEA-CF92-BEFE1061EF739928}\{47B248DC-A6E0-641B-BA973614FEEFC865}*]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
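As an added, defender-side example (not from the thread and not ComboFix's own tooling): a small parser for the CFScript text posted above that separates its `::` directives from the bracketed registry entries under them, then checks every `{...}` component of the RegNull targets against the canonical 8-4-4-4-12 GUID layout and reports how deeply the CLSID keys are nested. The script text is copied verbatim from the post; the trailing `*` on each key is ComboFix's own notation and is stripped here without being interpreted. The function and variable names are this example's own.

```python
import re

# The CFScript posted in the thread above, copied verbatim (raw string: backslashes are literal).
CFSCRIPT = r"""ClearJavaCache::
KillAll::
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5BE3D010-3EF3-EA3A-19EA72F7729702DF}\{352FFD75-9B70-D323-D2F13A6467AA3E3D}\{81CD47E4-7EF3-579C-2C259DBE42414B54}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EC7A25C-208B-259B-D0F10B7D70121E6A}\{B30129B8-8481-85C6-1CF8CC8FAFB9C5A4}\{9F5D8B19-EFCA-EE59-2A819F5112EEBB2A}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EA20B5D7-213B-BF6A-A687F1F5E27AC26F}\{EEE35091-0AEA-CF92-BEFE1061EF739928}\{47B248DC-A6E0-641B-BA973614FEEFC865}*]
"""

# Canonical registry GUID: 8-4-4-4-12 hex groups inside braces.
CANONICAL_GUID = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I
)


def parse_cfscript(text):
    """Split a CFScript into {directive: [entry, ...]}.

    A line ending in '::' opens a directive; following non-empty lines belong to it.
    Directives with no entries (ClearJavaCache, KillAll) map to an empty list.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_path(entry):
    """Drop the surrounding [ ] and the trailing '*' ComboFix marker (not interpreted here)."""
    return entry.strip("[]").rstrip("*")


def noncanonical_clsids(path):
    """Return the {...} components of a registry path that are not well-formed GUIDs."""
    return [p for p in path.split("\\") if p.startswith("{") and not CANONICAL_GUID.match(p)]


def audit(text):
    """Parse the script and describe each RegNull target: path, CLSID nesting depth, malformed GUIDs."""
    sections = parse_cfscript(text)
    findings = []
    for entry in sections.get("RegNull", []):
        path = registry_path(entry)
        depth = sum(1 for p in path.split("\\") if p.startswith("{"))
        findings.append(
            {"path": path, "nested_clsid_depth": depth, "noncanonical": noncanonical_clsids(path)}
        )
    return sections, findings


if __name__ == "__main__":
    sections, findings = audit(CFSCRIPT)
    print("directives:", ", ".join(sections))
    for f in findings:
        print(f"{f['path']}\n  CLSID depth={f['nested_clsid_depth']} "
              f"malformed GUIDs={len(f['noncanonical'])}")
```

Run stand-alone, the audit reports all four RegNull targets as three CLSID keys deep with every key name failing the canonical GUID check (each has a 16-character final group instead of 4-12), which is the kind of structural sanity check a responder can apply to any registry target before nulling it, independent of what the name is supposed to represent.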

#14 rbarlund
  • Topic Starter
  • Members
  • 13 posts

Posted 26 March 2012 - 01:08 PM

Saved the script, dropped it on the ComboFix icon, it started to run and my antivirus started going haywire. I shut off the antivirus, ran it again, but the antivirus was still going off. ComboFix was running and it said it detected the rootkit virus and it started to fix it like it did the first time. An error message popped up and then BSOD. I restarted in safe mode to run ComboFix, but I will have to do this in a bit. Unfortunately I am on my work computer and I still need to work.

I'll run it again in a few hours and post the log back here. Do you see anything in the previous logs that indicate the virus is still there? The redirect is not happening anymore, however, if the virus is still there then I need to remove it.

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 March 2012 - 02:47 PM

No, but it may be picking up the backups.


gringo

