
Google redirect virus/rootkit


  • This topic is locked
17 replies to this topic

#1 KayleeFirefly


  • Members
  • 10 posts

Posted 22 March 2012 - 02:33 PM

Looks like I also have the Google redirecting malware using IE. I installed Chrome, and don't have the problem with chrome which is what I'm using at the moment. Currently on my computer I have Windows Essentials, Malwarebytes Anti Malware, and Advanced SystemCare 5. None of those scans are finding the problems with my computer. ASC5 will sometimes find registry problems and claims that it fixes them, but if I run another scan the problems are right back again. And IE always redirects google searches to happli, gimmeanswers, etc. I've even had those sites pop up when I was on a restaurant's website trying to pull up the menu. Instead of the menu, it would take me to the fake virus search engine.


Here is the DDS Scan that I ran:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by copy1 at 14:04:48 on 2012-03-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2020.778 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\WOTraffic\WOTraffic.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\iMediaTouch\Production\MTP.exe
C:\Program Files\iMediaTouch\Production\OMTdb2x.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [pdfFactory Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [JobHisInit] c:\program files\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rmclient\MplSetUp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ISTray] "c:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [cfgbin] c:\documents and settings\all users\cfgbin.exe
dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
dRun: [Synclogon] c:\documents and settings\all users\Synclogon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1316813974765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc.cab
TCP: Interfaces\{DF5ED57E-36B1-43C5-B666-A1A3551000E6} : NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
TCP: Interfaces\{F5320189-CCE8-4D64-970B-4DAD31BC3330} : DhcpNameServer = 10.1.10.1
Notify: igfxcui - igfxdev.dll
Hosts: 94.63.147.17 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-3-22 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-3-22 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-3-22 909728]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl8970073a;MpKsl8970073a;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\MpKsl8970073a.sys [2012-3-22 29904]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-3-20 185560]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-3-9 913752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-3-22 550864]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2012-1-26 132768]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-1 652360]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-3-22 402336]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-3-22 1117624]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-9-23 2656280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-1 20464]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-3-22 56840]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-22 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-9-23 1691480]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [2011-9-23 174248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-22 136176]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-9-23 45056]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
.
=============== Created Last 30 ================
.
2012-03-22 14:54:31 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\MpKsl8970073a.sys
2012-03-22 14:54:14 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\offreg.dll
2012-03-22 14:47:29 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b048488f-42e0-4708-914f-5f353f482b54}\mpengine.dll
2012-03-22 13:45:40 -------- d-----w- c:\documents and settings\copy1\local settings\application data\Google
2012-03-22 13:44:53 767952 ----a-w- c:\windows\BDTSupport.dll
2012-03-22 13:44:53 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-03-22 13:44:52 2250704 ----a-w- c:\windows\PCTBDCore.dll
2012-03-22 13:44:52 1681360 ----a-w- c:\windows\PCTBDRes.dll
2012-03-22 13:44:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2012-03-22 13:44:15 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-03-22 13:44:15 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-03-22 13:44:14 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-03-22 13:44:11 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-03-22 13:44:11 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-03-22 13:44:10 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-03-22 13:44:04 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-03-22 13:43:58 -------- d-----w- c:\program files\PC Tools
2012-03-22 13:26:48 -------- d-----w- c:\documents and settings\copy1\local settings\application data\Threat Expert
2012-03-20 21:35:45 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-03-20 21:35:42 -------- d-----w- c:\program files\common files\PC Tools
2012-03-20 21:35:08 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-03-20 21:35:06 -------- d-----w- c:\documents and settings\copy1\application data\TestApp
2012-03-20 21:28:51 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-19 16:20:45 602112 ----a-w- c:\windows\system32\SET1B6.tmp
2012-03-19 16:20:45 55296 ----a-w- c:\windows\system32\SET1B5.tmp
2012-03-19 16:20:45 105984 ----a-w- c:\windows\system32\SET1B0.tmp
2012-03-19 16:20:44 916992 ----a-w- c:\windows\system32\SET1AE.tmp
2012-03-19 16:20:44 247808 ------w- c:\program files\internet explorer\SET1C0.tmp
2012-03-19 16:20:44 2000384 ----a-w- c:\windows\system32\SET1BA.tmp
2012-03-19 16:20:44 12800 ------w- c:\program files\internet explorer\SET1BF.tmp
2012-03-19 16:20:43 184320 ----a-w- c:\windows\system32\SET1BB.tmp
2012-03-19 16:20:43 1212416 ----a-w- c:\windows\system32\SET1AF.tmp
2012-03-19 16:20:42 5979136 ----a-w- c:\windows\system32\SET1B4.tmp
2012-03-19 16:19:57 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-19 16:19:57 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-19 16:19:10 726528 ----a-w- c:\windows\system32\SET1A6.tmp
2012-03-19 16:18:34 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-03-13 18:51:02 -------- d-----w- c:\documents and settings\copy1\application data\webex
2012-03-13 17:58:48 366 ----a-w- C:\cc_20120313_135847.reg
2012-03-13 17:56:46 366 ----a-w- C:\cc_20120313_135644.reg
2012-03-13 17:50:04 366 ----a-w- C:\cc_20120313_135002.reg
2012-03-09 16:16:52 2284 ----a-w- C:\cc_20120309_111650.reg
2012-03-09 14:51:54 -------- d-----w- c:\windows\system32\winrm
2012-03-09 14:51:54 -------- d-----w- c:\windows\system32\GroupPolicy
2012-03-09 14:51:47 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-03-09 14:50:21 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-03-09 14:37:08 -------- d-----w- c:\documents and settings\all users\application data\IObit
2012-03-09 14:37:00 -------- d-----w- c:\documents and settings\copy1\application data\IObit
2012-03-09 14:36:52 -------- d-----w- c:\program files\IObit
2012-03-08 18:45:36 2433024 ------w- c:\windows\UNNMP.exe
2012-03-08 18:43:14 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2012-03-08 18:43:13 364544 ------w- c:\windows\system32\TwnLib4.dll
2012-03-08 18:43:12 476320 ------w- c:\windows\system32\ImagXpr7.dll
2012-03-08 18:43:12 471040 ------w- c:\windows\system32\ImagXRA7.dll
2012-03-08 18:43:12 262144 ------w- c:\windows\system32\ImagXR7.dll
2012-03-08 18:43:12 1568768 ------w- c:\windows\system32\ImagX7.dll
2012-03-08 18:43:10 38912 ------w- c:\windows\system32\picn20.dll
2012-03-08 18:43:04 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2012-03-08 18:41:43 6994 ----a-w- C:\cc_20120308_134142.reg
2012-03-08 18:41:30 65472 ----a-w- C:\cc_20120308_134128.reg
2012-03-08 17:59:49 -------- d-----w- c:\windows\pss
2012-03-08 17:56:10 684 ----a-w- C:\cc_20120308_125609.reg
2012-03-08 17:51:37 366 ----a-w- C:\cc_20120308_125135.reg
2012-03-08 15:42:40 332 ----a-w- C:\cc_20120308_104238.reg
2012-03-08 15:42:21 10818 ----a-w- C:\cc_20120308_104219.reg
2012-03-08 15:33:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-08 15:33:50 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2012-03-16 12:40:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-01 19:14:14 1170 ----a-w- C:\cc_20120201_141410.reg
2012-02-01 19:13:54 225580 ----a-w- C:\cc_20120201_141346.reg
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-26 19:32:38 8413 ----a-w- c:\windows\system32\drivers\osaio.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 14:05:21.03 ===============



Help, please?
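An added example, not code from this thread or from DDS, ComboFix or any other tool named in it: a small Python checker that reads the "Pseudo HJT Report" section of a DDS log like the one above and flags what a helper would look at first, namely the Hosts line mapping www.bing.com to a public address, and the dRun entries that launch executables from the All Users profile root and %APPDATA%; static nameservers outside private ranges are listed for review. The sample lines are constructed from entries in the post, and the heuristics (the "user-writable root" list, the severity labels) are my own assumptions, not a DDS or ComboFix rule.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of a DDS "Pseudo HJT Report" section,
# modelled on entries from the log posted above (not the full log).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [cfgbin] c:\documents and settings\all users\cfgbin.exe
dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
dRun: [Synclogon] c:\documents and settings\all users\Synclogon.exe
TCP: Interfaces\{DF5ED57E-36B1-43C5-B666-A1A3551000E6} : NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
Hosts: 94.63.147.17 www.bing.com
"""

# DDS prefixes: uRun = HKCU Run, mRun = HKLM Run, dRun = HKU\.DEFAULT Run.
HIVES = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}
RUN_LINE = re.compile(r"^(?P<hive>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$", re.I)
HOSTS_LINE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)", re.I)
DNS_LINE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,]+)", re.I)

# Assumed heuristic: directories where a legitimate autostart binary rarely
# lives but where droppers commonly put themselves (profile roots, %APPDATA%
# root, temp folders). Matched against the executable's parent directory.
WRITABLE_ROOTS = re.compile(
    r"^(?:c:\\documents and settings\\[^\\]+"              # e.g. ...\all users
    r"|c:\\documents and settings\\[^\\]+\\local settings\\temp"
    r"|c:\\windows\\temp"
    r"|%appdata%|%temp%|%tmp%)$",
    re.I,
)


def executable_path(cmd):
    """Return the program path from a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)  # unquoted path that may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_ip(text):
    """ip_address() or None, so a malformed log line is skipped rather than fatal."""
    try:
        return ip_address(text.strip())
    except ValueError:
        return None


def analyze(report):
    """Scan DDS 'Pseudo HJT Report' lines; return (severity, category, detail) tuples."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_LINE.match(line):
            path = executable_path(m["cmd"])
            directory, _, basename = path.rpartition("\\")
            if WRITABLE_ROOTS.match(directory):
                findings.append(("high", "autostart",
                                 f"{HIVES[m['hive'].lower()]} Run [{m['name']}] starts "
                                 f"{basename} from user-writable {directory}"))
        elif m := HOSTS_LINE.match(line):
            # A public hostname pointed anywhere but loopback is the classic
            # search-redirect hijack seen in this thread.
            ip = parse_ip(m["ip"])
            if ip is not None and not ip.is_loopback:
                findings.append(("high", "hosts",
                                 f"{m['host']} is overridden to {ip}"))
        elif m := DNS_LINE.search(line):
            # Static resolvers outside private ranges deserve a look (DNS changers
            # set these) but are not proof of anything, so severity is 'review'.
            for server in filter(None, m["servers"].split(",")):
                ip = parse_ip(server)
                if ip is not None and not ip.is_private:
                    findings.append(("review", "dns",
                                     f"static NameServer {ip} is outside private ranges"))
    return findings


if __name__ == "__main__":
    for severity, category, detail in analyze(SAMPLE_DDS):
        print(f"[{severity:6}] {category:9} {detail}")
```

The three dRun hits it reports are exactly the entries ComboFix later lists under "ORPHANS REMOVED" in the next log.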



#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 March 2012 - 12:31 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so!
Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools,
and at worst can cause conflicts with our tools and lead to unforeseen things happening.

2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.

3. After each step give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.

4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 KayleeFirefly

  • Topic Starter

  • Members
  • 10 posts

Posted 23 March 2012 - 08:12 AM

Okay I ran ComboFix... here is the log:

ComboFix 12-03-22.01 - copy1 03/23/2012 8:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2020.1330 [GMT -4:00]
Running from: c:\documents and settings\copy1\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Internet Explorer\SET1BF.tmp
c:\program files\Internet Explorer\SET1C0.tmp
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\A651FDAT.DLL
c:\windows\system32\AF101DAT.dll
c:\windows\system32\AF120dat.dll
c:\windows\system32\Af15bdat.dll
c:\windows\system32\af180dat.dll
c:\windows\system32\AF201dat.dll
c:\windows\system32\af223dat.dll
c:\windows\system32\af320dat.dll
c:\windows\system32\af557dat.dll
c:\windows\system32\af800dat.dll
c:\windows\system32\af857dat.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\SET1A6.tmp
c:\windows\system32\SET1AE.tmp
c:\windows\system32\SET1AF.tmp
c:\windows\system32\SET1B0.tmp
c:\windows\system32\SET1B4.tmp
c:\windows\system32\SET1B5.tmp
c:\windows\system32\SET1B6.tmp
c:\windows\system32\SET1BA.tmp
c:\windows\system32\SET1BB.tmp
c:\windows\system32\SET1BC.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-23 12:51 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41EDA428-31CA-49A7-AB81-AF28B7456483}\mpengine.dll
2012-03-22 20:03 . 2012-03-22 20:04 10064 ----a-w- C:\cc_20120322_160356.reg
2012-03-22 13:50 . 2012-03-22 13:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2012-03-22 13:45 . 2012-03-22 13:46 -------- d-----w- c:\program files\Google
2012-03-20 21:35 . 2012-02-24 14:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-03-20 21:35 . 2012-03-23 12:40 -------- d-----w- c:\program files\Common Files\PC Tools
2012-03-20 21:35 . 2012-03-22 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-03-20 21:28 . 2012-03-20 21:28 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-19 16:19 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-19 16:19 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-19 16:18 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-03-13 17:58 . 2012-03-13 17:58 366 ----a-w- C:\cc_20120313_135847.reg
2012-03-13 17:56 . 2012-03-13 17:56 366 ----a-w- C:\cc_20120313_135644.reg
2012-03-13 17:50 . 2012-03-13 17:50 366 ----a-w- C:\cc_20120313_135002.reg
2012-03-12 21:11 . 2012-03-12 21:11 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2012-03-09 16:16 . 2012-03-09 16:16 2284 ----a-w- C:\cc_20120309_111650.reg
2012-03-09 14:51 . 2012-03-09 14:51 -------- d-----w- c:\windows\system32\winrm
2012-03-09 14:51 . 2012-03-09 14:51 -------- d-----w- c:\windows\system32\GroupPolicy
2012-03-09 14:51 . 2012-03-19 16:16 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-03-09 14:50 . 2012-02-23 18:25 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-03-09 14:43 . 2012-03-09 14:43 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2012-03-09 14:37 . 2012-03-09 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2012-03-09 14:36 . 2012-03-09 14:36 -------- d-----w- c:\program files\IObit
2012-03-08 18:45 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2012-03-08 18:43 . 2000-06-26 15:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2012-03-08 18:43 . 2004-07-09 13:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2012-03-08 18:43 . 2004-07-20 21:24 476320 ------w- c:\windows\system32\ImagXpr7.dll
2012-03-08 18:43 . 2004-07-20 21:24 471040 ------w- c:\windows\system32\ImagXRA7.dll
2012-03-08 18:43 . 2004-07-20 21:24 262144 ------w- c:\windows\system32\ImagXR7.dll
2012-03-08 18:43 . 2004-07-20 21:24 1568768 ------w- c:\windows\system32\ImagX7.dll
2012-03-08 18:43 . 2001-06-26 12:15 38912 ------w- c:\windows\system32\picn20.dll
2012-03-08 18:43 . 2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2012-03-08 18:43 . 2012-03-08 18:45 -------- d-----w- c:\program files\Ahead
2012-03-08 18:41 . 2012-03-08 18:41 6994 ----a-w- C:\cc_20120308_134142.reg
2012-03-08 18:41 . 2012-03-08 18:41 65472 ----a-w- C:\cc_20120308_134128.reg
2012-03-08 17:56 . 2012-03-08 17:56 684 ----a-w- C:\cc_20120308_125609.reg
2012-03-08 17:51 . 2012-03-08 17:51 366 ----a-w- C:\cc_20120308_125135.reg
2012-03-08 15:42 . 2012-03-08 15:42 332 ----a-w- C:\cc_20120308_104238.reg
2012-03-08 15:42 . 2012-03-08 15:42 10818 ----a-w- C:\cc_20120308_104219.reg
2012-03-08 15:33 . 2012-03-08 15:33 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 15:21 . 2012-03-08 15:29 -------- d-s---w- c:\documents and settings\mts
2012-03-06 16:56 . 2012-03-06 16:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-16 12:40 . 2011-09-24 15:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 02:15 . 2012-02-02 19:53 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-01 19:14 . 2012-02-01 19:14 1170 ----a-w- C:\cc_20120201_141410.reg
2012-02-01 19:13 . 2012-02-01 19:13 225580 ----a-w- C:\cc_20120201_141346.reg
2012-01-31 12:44 . 2012-01-31 21:21 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-26 19:32 . 2012-01-26 19:32 8413 ----a-w- c:\windows\system32\drivers\osaio.sys
2012-01-09 16:20 . 2011-09-23 20:30 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-06 574296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-21 20026472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-29 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-29 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-29 142360]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2010-03-18 614400]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-08-01 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2012-2-1 106560]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iMediaTouch\\LogTools\\MLT.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [3/9/2012 10:36 AM 913752]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [1/26/2012 2:12 PM 132768]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/1/2012 3:13 PM 652360]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [9/23/2011 5:07 PM 2656280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/1/2012 3:13 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2012 9:45 AM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/23/2011 5:06 PM 1691480]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [9/23/2011 5:09 PM 174248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2012 9:45 AM 136176]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [9/23/2011 5:07 PM 45056]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 8:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-22 13:45]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-22 13:45]
.
2012-03-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-03-23 c:\windows\Tasks\User_Feed_Synchronization-{CA26728D-31DD-4E45-81E8-25384612A36D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{DF5ED57E-36B1-43C5-B666-A1A3551000E6}: NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-cfgbin - c:\documents and settings\All Users\cfgbin.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\copy1\Application Data\dplaysvr.exe
HKU-Default-Run-Synclogon - c:\documents and settings\All Users\Synclogon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-23 09:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-23 09:02:25
ComboFix-quarantined-files.txt 2012-03-23 13:02
.
Pre-Run: 481,974,362,112 bytes free
Post-Run: 482,714,091,520 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A917CC454A5D5E9D8013FCD5EC7A6D4F


I didn't have any error messages come up, other than ComboFix prompting me to create a restore point. I did disable MSE, but turned it back on when I got back on the internet. Most of the issues I was having were whenever I was using IE and Google. I just tried googling something random, and it actually took me to the correct page, and that's the first time that's happened.

The only other "issue" that I've been having with my computer is that it's been unbearably slow, but it usually doesn't happen until later in the day so it's hard for me to tell now if that problem is fixed. And sometimes when I run the one computer I use for work (it's an audio-storing system) I get a Win32 error message, but it doesn't happen all the time. The error message pops up 5 or 6 times in a row. Now, I have no idea if that's part of whatever virus I have (had?) or if it's something wrong with the program itself, which is entirely possible.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:55 AM

Posted 23 March 2012 - 10:31 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 KayleeFirefly

KayleeFirefly
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:55 PM

Posted 23 March 2012 - 11:00 AM

TDSSkiller report:

11:59:07.0406 3116 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
11:59:07.0640 3116 ============================================================
11:59:07.0640 3116 Current date / time: 2012/03/23 11:59:07.0640
11:59:07.0640 3116 SystemInfo:
11:59:07.0640 3116
11:59:07.0640 3116 OS Version: 5.1.2600 ServicePack: 3.0
11:59:07.0640 3116 Product type: Workstation
11:59:07.0640 3116 ComputerName: COPYONE
11:59:07.0640 3116 UserName: copy1
11:59:07.0640 3116 Windows directory: C:\WINDOWS
11:59:07.0640 3116 System windows directory: C:\WINDOWS
11:59:07.0640 3116 Processor architecture: Intel x86
11:59:07.0640 3116 Number of processors: 2
11:59:07.0640 3116 Page size: 0x1000
11:59:07.0640 3116 Boot type: Normal boot
11:59:07.0640 3116 ============================================================
11:59:09.0093 3116 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:59:09.0109 3116 \Device\Harddisk0\DR0:
11:59:09.0109 3116 MBR used
11:59:09.0109 3116 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
11:59:09.0125 3116 Initialize success
11:59:09.0125 3116 ============================================================
11:59:10.0609 3912 ============================================================
11:59:10.0609 3912 Scan started
11:59:10.0609 3912 Mode: Manual;
11:59:10.0609 3912 ============================================================
11:59:11.0421 3912 Abiosdsk - ok
11:59:11.0421 3912 abp480n5 - ok
11:59:11.0468 3912 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:59:11.0468 3912 ACPI - ok
11:59:11.0515 3912 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:59:11.0515 3912 ACPIEC - ok
11:59:11.0515 3912 adpu160m - ok
11:59:11.0609 3912 AdvancedSystemCareService5 (b11c71b29fa69e4586f9b65560e6604d) C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
11:59:11.0609 3912 AdvancedSystemCareService5 - ok
11:59:11.0625 3912 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:59:11.0625 3912 aec - ok
11:59:11.0671 3912 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:59:11.0671 3912 AFD - ok
11:59:11.0687 3912 Aha154x - ok
11:59:11.0687 3912 aic78u2 - ok
11:59:11.0687 3912 aic78xx - ok
11:59:11.0734 3912 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
11:59:11.0734 3912 Alerter - ok
11:59:11.0750 3912 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
11:59:11.0750 3912 ALG - ok
11:59:11.0765 3912 AliIde - ok
11:59:11.0828 3912 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
11:59:11.0843 3912 Ambfilt - ok
11:59:11.0843 3912 amsint - ok
11:59:11.0875 3912 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
11:59:11.0875 3912 AppMgmt - ok
11:59:11.0890 3912 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:59:11.0890 3912 Arp1394 - ok
11:59:11.0906 3912 asc - ok
11:59:11.0906 3912 asc3350p - ok
11:59:11.0906 3912 asc3550 - ok
11:59:11.0984 3912 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
11:59:11.0984 3912 aspnet_state - ok
11:59:12.0000 3912 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:59:12.0000 3912 AsyncMac - ok
11:59:12.0015 3912 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:59:12.0015 3912 atapi - ok
11:59:12.0031 3912 Atdisk - ok
11:59:12.0046 3912 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:59:12.0046 3912 Atmarpc - ok
11:59:12.0093 3912 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
11:59:12.0093 3912 AudioSrv - ok
11:59:12.0125 3912 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:59:12.0125 3912 audstub - ok
11:59:12.0156 3912 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:59:12.0156 3912 Beep - ok
11:59:12.0203 3912 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
11:59:12.0203 3912 BITS - ok
11:59:12.0218 3912 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
11:59:12.0218 3912 Browser - ok
11:59:12.0343 3912 catchme - ok
11:59:12.0390 3912 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:59:12.0390 3912 cbidf2k - ok
11:59:12.0390 3912 cd20xrnt - ok
11:59:12.0421 3912 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:59:12.0421 3912 Cdaudio - ok
11:59:12.0453 3912 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:59:12.0453 3912 Cdfs - ok
11:59:12.0484 3912 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:59:12.0484 3912 Cdrom - ok
11:59:12.0484 3912 Changer - ok
11:59:12.0531 3912 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
11:59:12.0531 3912 CiSvc - ok
11:59:12.0531 3912 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
11:59:12.0531 3912 ClipSrv - ok
11:59:12.0625 3912 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:59:12.0625 3912 clr_optimization_v2.0.50727_32 - ok
11:59:12.0625 3912 CmdIde - ok
11:59:12.0625 3912 COMSysApp - ok
11:59:12.0640 3912 Cpqarray - ok
11:59:12.0656 3912 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
11:59:12.0656 3912 CryptSvc - ok
11:59:12.0656 3912 dac2w2k - ok
11:59:12.0671 3912 dac960nt - ok
11:59:12.0718 3912 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
11:59:12.0718 3912 DcomLaunch - ok
11:59:12.0765 3912 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
11:59:12.0765 3912 Dhcp - ok
11:59:12.0796 3912 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:59:12.0796 3912 Disk - ok
11:59:12.0812 3912 dmadmin - ok
11:59:12.0859 3912 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:59:12.0859 3912 dmboot - ok
11:59:12.0859 3912 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:59:12.0875 3912 dmio - ok
11:59:12.0875 3912 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:59:12.0875 3912 dmload - ok
11:59:12.0906 3912 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
11:59:12.0906 3912 dmserver - ok
11:59:12.0921 3912 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:59:12.0921 3912 DMusic - ok
11:59:12.0937 3912 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
11:59:12.0937 3912 Dnscache - ok
11:59:12.0968 3912 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
11:59:12.0968 3912 Dot3svc - ok
11:59:12.0968 3912 dpti2o - ok
11:59:12.0984 3912 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:59:12.0984 3912 drmkaud - ok
11:59:13.0015 3912 e1cexpress (f1ebf5b469f38379285e79b043527cfd) C:\WINDOWS\system32\DRIVERS\e1c5132.sys
11:59:13.0015 3912 e1cexpress - ok
11:59:13.0062 3912 e1express (1cd824a565dd4d3a33341f08a7ce44d9) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
11:59:13.0062 3912 e1express - ok
11:59:13.0078 3912 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
11:59:13.0078 3912 EapHost - ok
11:59:13.0125 3912 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
11:59:13.0125 3912 ERSvc - ok
11:59:13.0171 3912 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:59:13.0171 3912 Eventlog - ok
11:59:13.0234 3912 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
11:59:13.0234 3912 EventSystem - ok
11:59:13.0281 3912 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:59:13.0281 3912 Fastfat - ok
11:59:13.0296 3912 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:59:13.0312 3912 FastUserSwitchingCompatibility - ok
11:59:13.0328 3912 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
11:59:13.0328 3912 Fdc - ok
11:59:13.0359 3912 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:59:13.0359 3912 Fips - ok
11:59:13.0375 3912 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:59:13.0375 3912 Flpydisk - ok
11:59:13.0421 3912 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:59:13.0421 3912 FltMgr - ok
11:59:13.0515 3912 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
11:59:13.0515 3912 FontCache3.0.0.0 - ok
11:59:13.0515 3912 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:59:13.0515 3912 Fs_Rec - ok
11:59:13.0531 3912 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:59:13.0531 3912 Ftdisk - ok
11:59:13.0562 3912 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:59:13.0562 3912 Gpc - ok
11:59:13.0640 3912 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
11:59:13.0640 3912 gupdate - ok
11:59:13.0656 3912 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
11:59:13.0656 3912 gupdatem - ok
11:59:13.0671 3912 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:59:13.0671 3912 HDAudBus - ok
11:59:13.0734 3912 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:59:13.0734 3912 helpsvc - ok
11:59:13.0781 3912 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
11:59:13.0781 3912 HidServ - ok
11:59:13.0796 3912 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:59:13.0796 3912 hidusb - ok
11:59:13.0921 3912 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
11:59:13.0921 3912 hkmsvc - ok
11:59:14.0031 3912 hpn - ok
11:59:14.0125 3912 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:59:14.0125 3912 HTTP - ok
11:59:14.0171 3912 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
11:59:14.0171 3912 HTTPFilter - ok
11:59:14.0171 3912 i2omgmt - ok
11:59:14.0187 3912 i2omp - ok
11:59:14.0218 3912 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:59:14.0218 3912 i8042prt - ok
11:59:14.0281 3912 ialm (c5db546f9028cd00e64335091860d8f3) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
11:59:14.0296 3912 ialm - ok
11:59:14.0421 3912 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:59:14.0421 3912 idsvc - ok
11:59:14.0453 3912 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:59:14.0453 3912 Imapi - ok
11:59:14.0484 3912 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
11:59:14.0484 3912 ImapiService - ok
11:59:14.0484 3912 ini910u - ok
11:59:14.0625 3912 IntcAzAudAddService (921f2452a8d3a10083ddd824fc8c267f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
11:59:14.0656 3912 IntcAzAudAddService - ok
11:59:14.0687 3912 Intel® PROSet Monitoring Service (386f3f1ad783f3312c057fb8699ae09b) C:\WINDOWS\system32\IProsetMonitor.exe
11:59:14.0687 3912 Intel® PROSet Monitoring Service - ok
11:59:14.0703 3912 IntelIde - ok
11:59:14.0718 3912 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:59:14.0718 3912 intelppm - ok
11:59:14.0734 3912 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:59:14.0734 3912 Ip6Fw - ok
11:59:14.0750 3912 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:59:14.0750 3912 IpFilterDriver - ok
11:59:14.0765 3912 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:59:14.0765 3912 IpInIp - ok
11:59:14.0796 3912 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:59:14.0796 3912 IpNat - ok
11:59:14.0812 3912 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:59:14.0812 3912 IPSec - ok
11:59:14.0828 3912 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:59:14.0828 3912 IRENUM - ok
11:59:14.0875 3912 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:59:14.0875 3912 isapnp - ok
11:59:14.0984 3912 JavaQuickStarterService (91061352084424820ac6268808cb8ee3) C:\Program Files\Java\jre6\bin\jqs.exe
11:59:14.0984 3912 JavaQuickStarterService - ok
11:59:15.0000 3912 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:59:15.0000 3912 Kbdclass - ok
11:59:15.0015 3912 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:59:15.0015 3912 kbdhid - ok
11:59:15.0031 3912 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:59:15.0031 3912 kmixer - ok
11:59:15.0062 3912 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:59:15.0078 3912 KSecDD - ok
11:59:15.0093 3912 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
11:59:15.0093 3912 lanmanserver - ok
11:59:15.0125 3912 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
11:59:15.0125 3912 lanmanworkstation - ok
11:59:15.0140 3912 lbrtfdc - ok
11:59:15.0187 3912 LightScribeService (559c9b7800fac92fc515cd0003d7c631) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
11:59:15.0187 3912 LightScribeService - ok
11:59:15.0234 3912 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
11:59:15.0234 3912 LmHosts - ok
11:59:15.0296 3912 LMS (50c7ce53ef461870410355f1f2e7d515) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
11:59:15.0296 3912 LMS - ok
11:59:15.0343 3912 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
11:59:15.0343 3912 MBAMProtector - ok
11:59:15.0359 3912 MBAMService (056b19651bd7b7ce5f89a3ac46dbdc08) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
11:59:15.0375 3912 MBAMService - ok
11:59:15.0406 3912 MEI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
11:59:15.0406 3912 MEI - ok
11:59:15.0437 3912 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
11:59:15.0437 3912 Messenger - ok
11:59:15.0468 3912 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:59:15.0468 3912 mnmdd - ok
11:59:15.0515 3912 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
11:59:15.0515 3912 mnmsrvc - ok
11:59:15.0562 3912 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:59:15.0562 3912 Modem - ok
11:59:15.0625 3912 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
11:59:15.0625 3912 Monfilt - ok
11:59:15.0640 3912 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:59:15.0640 3912 Mouclass - ok
11:59:15.0671 3912 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:59:15.0671 3912 mouhid - ok
11:59:15.0687 3912 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:59:15.0687 3912 MountMgr - ok
11:59:15.0718 3912 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
11:59:15.0718 3912 MpFilter - ok
11:59:15.0828 3912 MpKsl4bb3d24a (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62FA7537-1E11-4FA8-8238-59449EF45268}\MpKsl4bb3d24a.sys
11:59:15.0828 3912 MpKsl4bb3d24a - ok
11:59:15.0843 3912 mraid35x - ok
11:59:15.0859 3912 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:59:15.0859 3912 MRxDAV - ok
11:59:15.0890 3912 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:59:15.0890 3912 MRxSmb - ok
11:59:15.0921 3912 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
11:59:15.0921 3912 MSDTC - ok
11:59:15.0937 3912 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:59:15.0937 3912 Msfs - ok
11:59:15.0953 3912 MSIServer - ok
11:59:15.0968 3912 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:59:15.0968 3912 MSKSSRV - ok
11:59:16.0062 3912 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
11:59:16.0062 3912 MsMpSvc - ok
11:59:16.0062 3912 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:59:16.0062 3912 MSPCLOCK - ok
11:59:16.0078 3912 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:59:16.0078 3912 MSPQM - ok
11:59:16.0109 3912 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:59:16.0109 3912 mssmbios - ok
11:59:16.0125 3912 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:59:16.0140 3912 Mup - ok
11:59:16.0156 3912 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
11:59:16.0171 3912 napagent - ok
11:59:16.0171 3912 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:59:16.0171 3912 NDIS - ok
11:59:16.0218 3912 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:59:16.0218 3912 NdisTapi - ok
11:59:16.0218 3912 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:59:16.0218 3912 Ndisuio - ok
11:59:16.0234 3912 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:59:16.0234 3912 NdisWan - ok
11:59:16.0250 3912 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:59:16.0250 3912 NDProxy - ok
11:59:16.0265 3912 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:59:16.0265 3912 NetBIOS - ok
11:59:16.0281 3912 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:59:16.0281 3912 NetBT - ok
11:59:16.0328 3912 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:59:16.0328 3912 NetDDE - ok
11:59:16.0328 3912 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:59:16.0328 3912 NetDDEdsdm - ok
11:59:16.0343 3912 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:59:16.0343 3912 Netlogon - ok
11:59:16.0406 3912 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
11:59:16.0406 3912 Netman - ok
11:59:16.0515 3912 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:59:16.0515 3912 NetTcpPortSharing - ok
11:59:16.0546 3912 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:59:16.0546 3912 NIC1394 - ok
11:59:16.0593 3912 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
11:59:16.0593 3912 Nla - ok
11:59:16.0609 3912 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:59:16.0609 3912 Npfs - ok
11:59:16.0625 3912 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:59:16.0625 3912 Ntfs - ok
11:59:16.0687 3912 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:59:16.0687 3912 NtLmSsp - ok
11:59:16.0703 3912 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
11:59:16.0703 3912 NtmsSvc - ok
11:59:16.0734 3912 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:59:16.0734 3912 Null - ok
11:59:16.0781 3912 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:59:16.0781 3912 NwlnkFlt - ok
11:59:16.0781 3912 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:59:16.0781 3912 NwlnkFwd - ok
11:59:16.0812 3912 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:59:16.0812 3912 ohci1394 - ok
11:59:16.0843 3912 osaio (6ec2c93fe378eed5b3e069c303bd7848) C:\WINDOWS\system32\drivers\osaio.sys
11:59:16.0843 3912 osaio - ok
11:59:16.0921 3912 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:59:16.0921 3912 ose - ok
11:59:16.0968 3912 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:59:16.0968 3912 Parport - ok
11:59:16.0968 3912 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:59:16.0984 3912 PartMgr - ok
11:59:16.0984 3912 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:59:16.0984 3912 ParVdm - ok
11:59:16.0984 3912 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:59:17.0000 3912 PCI - ok
11:59:17.0000 3912 PCIDump - ok
11:59:17.0000 3912 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:59:17.0000 3912 PCIIde - ok
11:59:17.0015 3912 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:59:17.0015 3912 Pcmcia - ok
11:59:17.0015 3912 PDCOMP - ok
11:59:17.0031 3912 PDFRAME - ok
11:59:17.0031 3912 PDRELI - ok
11:59:17.0046 3912 PDRFRAME - ok
11:59:17.0046 3912 perc2 - ok
11:59:17.0046 3912 perc2hib - ok
11:59:17.0093 3912 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:59:17.0093 3912 PlugPlay - ok
11:59:17.0125 3912 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:59:17.0125 3912 PolicyAgent - ok
11:59:17.0156 3912 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:59:17.0156 3912 PptpMiniport - ok
11:59:17.0156 3912 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:59:17.0156 3912 ProtectedStorage - ok
11:59:17.0171 3912 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:59:17.0171 3912 PSched - ok
11:59:17.0171 3912 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:59:17.0171 3912 Ptilink - ok
11:59:17.0187 3912 ql1080 - ok
11:59:17.0187 3912 Ql10wnt - ok
11:59:17.0187 3912 ql12160 - ok
11:59:17.0203 3912 ql1240 - ok
11:59:17.0203 3912 ql1280 - ok
11:59:17.0218 3912 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:59:17.0218 3912 RasAcd - ok
11:59:17.0234 3912 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
11:59:17.0250 3912 RasAuto - ok
11:59:17.0250 3912 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:59:17.0250 3912 Rasl2tp - ok
11:59:17.0265 3912 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
11:59:17.0281 3912 RasMan - ok
11:59:17.0281 3912 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:59:17.0281 3912 RasPppoe - ok
11:59:17.0281 3912 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:59:17.0281 3912 Raspti - ok
11:59:17.0296 3912 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:59:17.0296 3912 Rdbss - ok
11:59:17.0296 3912 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:59:17.0296 3912 RDPCDD - ok
11:59:17.0312 3912 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:59:17.0312 3912 rdpdr - ok
11:59:17.0359 3912 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
11:59:17.0359 3912 RDPWD - ok
11:59:17.0375 3912 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
11:59:17.0375 3912 RDSessMgr - ok
11:59:17.0390 3912 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:59:17.0390 3912 redbook - ok
11:59:17.0406 3912 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
11:59:17.0406 3912 RemoteAccess - ok
11:59:17.0437 3912 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
11:59:17.0437 3912 RemoteRegistry - ok
11:59:17.0437 3912 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
11:59:17.0437 3912 RpcLocator - ok
11:59:17.0484 3912 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
11:59:17.0484 3912 RpcSs - ok
11:59:17.0515 3912 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
11:59:17.0515 3912 RSVP - ok
11:59:17.0531 3912 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:59:17.0531 3912 SamSs - ok
11:59:17.0546 3912 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
11:59:17.0546 3912 SCardSvr - ok
11:59:17.0562 3912 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
11:59:17.0562 3912 Schedule - ok
11:59:17.0578 3912 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:59:17.0578 3912 Secdrv - ok
11:59:17.0593 3912 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
11:59:17.0593 3912 seclogon - ok
11:59:17.0625 3912 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
11:59:17.0625 3912 SENS - ok
11:59:17.0656 3912 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:59:17.0656 3912 serenum - ok
11:59:17.0671 3912 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:59:17.0671 3912 Serial - ok
11:59:17.0687 3912 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:59:17.0687 3912 Sfloppy - ok
11:59:17.0703 3912 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
11:59:17.0703 3912 SharedAccess - ok
11:59:17.0750 3912 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:59:17.0750 3912 ShellHWDetection - ok
11:59:17.0765 3912 Simbad - ok
11:59:17.0796 3912 SMBios (d72a21424ca66c7a745bd995eca6a710) C:\WINDOWS\system32\DRIVERS\SMBios.sys
11:59:17.0796 3912 SMBios - ok
11:59:17.0843 3912 smbusp (e3c49b5bb2ffa13ac1c0485233c4607d) C:\WINDOWS\system32\DRIVERS\intelsmb.sys
11:59:17.0843 3912 smbusp - ok
11:59:17.0843 3912 Sparrow - ok
11:59:17.0906 3912 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:59:17.0906 3912 splitter - ok
11:59:17.0968 3912 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
11:59:17.0968 3912 Spooler - ok
11:59:17.0968 3912 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:59:17.0968 3912 sr - ok
11:59:18.0015 3912 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
11:59:18.0015 3912 srservice - ok
11:59:18.0046 3912 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:59:18.0046 3912 Srv - ok
11:59:18.0078 3912 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
11:59:18.0078 3912 SSDPSRV - ok
11:59:18.0109 3912 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
11:59:18.0109 3912 stisvc - ok
11:59:18.0125 3912 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:59:18.0125 3912 swenum - ok
11:59:18.0125 3912 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:59:18.0125 3912 swmidi - ok
11:59:18.0140 3912 SwPrv - ok
11:59:18.0140 3912 symc810 - ok
11:59:18.0140 3912 symc8xx - ok
11:59:18.0156 3912 sym_hi - ok
11:59:18.0156 3912 sym_u3 - ok
11:59:18.0171 3912 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:59:18.0171 3912 sysaudio - ok
11:59:18.0203 3912 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
11:59:18.0203 3912 SysmonLog - ok
11:59:18.0218 3912 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
11:59:18.0218 3912 TapiSrv - ok
11:59:18.0265 3912 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:59:18.0265 3912 Tcpip - ok
11:59:18.0281 3912 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:59:18.0281 3912 TDPIPE - ok
11:59:18.0296 3912 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:59:18.0296 3912 TDTCP - ok
11:59:18.0312 3912 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:59:18.0312 3912 TermDD - ok
11:59:18.0375 3912 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
11:59:18.0375 3912 TermService - ok
11:59:18.0421 3912 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:59:18.0421 3912 Themes - ok
11:59:18.0468 3912 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
11:59:18.0468 3912 TlntSvr - ok
11:59:18.0484 3912 TosIde - ok
11:59:18.0500 3912 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
11:59:18.0500 3912 TrkWks - ok
11:59:18.0515 3912 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:59:18.0515 3912 Udfs - ok
11:59:18.0546 3912 ultra - ok
11:59:18.0593 3912 UMWdf (c81b8635dee0d3ef5f64b3dd643023a5) C:\WINDOWS\system32\wdfmgr.exe
11:59:18.0593 3912 UMWdf - ok
11:59:18.0703 3912 UNS (374ebda379a8f38e0cfc2211611e7167) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
11:59:18.0718 3912 UNS - ok
11:59:18.0734 3912 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:59:18.0734 3912 Update - ok
11:59:18.0765 3912 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
11:59:18.0765 3912 upnphost - ok
11:59:18.0765 3912 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
11:59:18.0765 3912 UPS - ok
11:59:18.0812 3912 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:59:18.0812 3912 usbccgp - ok
11:59:18.0875 3912 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:59:18.0875 3912 usbehci - ok
11:59:18.0890 3912 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:59:18.0890 3912 usbhub - ok
11:59:18.0906 3912 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:59:18.0906 3912 USBSTOR - ok
11:59:18.0921 3912 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:59:18.0921 3912 usbuhci - ok
11:59:18.0968 3912 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:59:18.0984 3912 VgaSave - ok
11:59:18.0984 3912 ViaIde - ok
11:59:18.0984 3912 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:59:18.0984 3912 VolSnap - ok
11:59:19.0015 3912 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
11:59:19.0015 3912 VSS - ok
11:59:19.0046 3912 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
11:59:19.0046 3912 W32Time - ok
11:59:19.0062 3912 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:59:19.0062 3912 Wanarp - ok
11:59:19.0062 3912 WDICA - ok
11:59:19.0078 3912 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:59:19.0078 3912 wdmaud - ok
11:59:19.0093 3912 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
11:59:19.0109 3912 WebClient - ok
11:59:19.0156 3912 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
11:59:19.0156 3912 winmgmt - ok
11:59:19.0203 3912 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
11:59:19.0218 3912 WinRM - ok
11:59:19.0296 3912 WinVNC4 (bda11f9ab8629313950cef60ec1dbe1d) C:\Program Files\RealVNC\VNC4\WinVNC4.exe
11:59:19.0296 3912 WinVNC4 - ok
11:59:19.0343 3912 WmdmPmSN (a477391b7a8b0a0daabadb17cf533a4b) C:\WINDOWS\system32\MsPMSNSv.dll
11:59:19.0343 3912 WmdmPmSN - ok
11:59:19.0390 3912 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
11:59:19.0406 3912 Wmi - ok
11:59:19.0437 3912 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:59:19.0437 3912 WmiApSrv - ok
11:59:19.0500 3912 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:59:19.0500 3912 WS2IFSL - ok
11:59:19.0531 3912 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
11:59:19.0531 3912 wscsvc - ok
11:59:19.0578 3912 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
11:59:19.0578 3912 wuauserv - ok
11:59:19.0640 3912 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
11:59:19.0640 3912 WZCSVC - ok
11:59:19.0671 3912 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
11:59:19.0671 3912 xmlprov - ok
11:59:19.0687 3912 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:59:19.0796 3912 \Device\Harddisk0\DR0 - ok
11:59:19.0796 3912 Boot (0x1200) (008e62ef55dc98c528c7565157974d92) \Device\Harddisk0\DR0\Partition0
11:59:19.0796 3912 \Device\Harddisk0\DR0\Partition0 - ok
11:59:19.0796 3912 ============================================================
11:59:19.0796 3912 Scan finished
11:59:19.0796 3912 ============================================================
11:59:19.0812 2892 Detected object count: 0
11:59:19.0812 2892 Actual detected object count: 0


Here is the report from aswMBR:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-23 11:46:31
-----------------------------
11:46:31.250 OS Version: Windows 5.1.2600 Service Pack 3
11:46:31.250 Number of processors: 2 586 0x1706
11:46:31.250 ComputerName: COPYONE UserName: copy1
11:46:31.890 Initialize success
11:46:51.593 AVAST engine defs: 12032301
11:46:54.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-14
11:46:54.968 Disk 0 Vendor: ST3500413AS JC4B Size: 476940MB BusType: 3
11:46:54.984 Disk 0 MBR read successfully
11:46:54.984 Disk 0 MBR scan
11:46:55.015 Disk 0 Windows XP default MBR code
11:46:55.015 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
11:46:55.015 Disk 0 scanning sectors +976752000
11:46:55.093 Disk 0 scanning C:\WINDOWS\system32\drivers
11:47:05.312 Service scanning
11:47:13.250 Service MpKsl4bb3d24a c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62FA7537-1E11-4FA8-8238-59449EF45268}\MpKsl4bb3d24a.sys **LOCKED** 32
11:47:21.515 Modules scanning
11:47:24.218 Disk 0 trace - called modules:
11:47:24.218 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:47:24.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a321ab8]
11:47:24.234 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000066[0x8a3703b8]
11:47:24.234 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-14[0x8a38fb00]
11:47:31.875 AVAST engine scan C:\WINDOWS
11:47:38.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\copy1\Desktop\MBR.dat"
11:47:38.109 The log file has been saved successfully to "C:\Documents and Settings\copy1\Desktop\aswMBR.txt"
11:47:45.312 AVAST engine scan C:\WINDOWS\system32
11:50:51.718 AVAST engine scan C:\WINDOWS\system32\drivers
11:51:17.250 AVAST engine scan C:\Documents and Settings\copy1
11:52:40.171 AVAST engine scan C:\Documents and Settings\All Users
11:52:54.296 Scan finished successfully
11:56:03.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\copy1\Desktop\MBR.dat"
11:56:03.078 The log file has been saved successfully to "C:\Documents and Settings\copy1\Desktop\aswMBR.txt"
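As an added example (not part of the original post, and not code from aswMBR or TDSSKiller), here is a small Python decoder for the MBR.dat that aswMBR wrote to the Desktop above. It parses the boot signature and partition table so the result can be compared with the aswMBR line "Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63", and it hashes the boot code so the value can be set against the TDSSKiller line "MBR (0x1B8) (8f558eb6672622401da993e1e865c861)". Two assumptions are built in: the 0x1B8 in that TDSSKiller line is taken to be the number of bytes hashed (the boot code before the 4-byte disk signature at offset 0x1B8), and the 512-byte sample sector is constructed inline with the geometry from the log, so its hash is not the real disk's and the comparison reports a mismatch until the script is pointed at the actual MBR.dat.

```python
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 0x1B8      # assumption: TDSSKiller's "MBR (0x1B8)" = bytes hashed
DISK_SIG_OFF = 0x1B8       # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA

# Hash reported by TDSSKiller in the log above for \Device\Harddisk0\DR0.
TDSSKILLER_MBR_MD5 = "8f558eb6672622401da993e1e865c861"

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(mbr: bytes) -> dict:
    """Decode one 512-byte MBR into boot-code hash, disk signature and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR, len(mbr)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little endian
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "valid_boot_signature": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "partitions": partitions,
    }


def describe_partition(p: dict) -> str:
    """Render one entry in the same shape as the aswMBR 'Disk 0 Partition' line."""
    active = "(A)" if p["bootable"] else "   "
    return "Partition %d %02X %s %02X %s %d MB offset %d" % (
        p["index"], p["status"], active, p["type"], p["type_name"],
        p["size_mb"], p["lba_start"])


def matches_tdsskiller(parsed: dict, reported_md5: str) -> bool:
    """True when the boot-code hash equals the one TDSSKiller printed."""
    return parsed["boot_code_md5"] == reported_md5.lower()


def build_sample_mbr() -> bytes:
    """Constructed sector with the geometry from the aswMBR log (not the real disk image)."""
    mbr = bytearray(SECTOR)
    stub = b"constructed boot code stand-in"
    mbr[:len(stub)] = stub
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x12345678)
    # 476929 MB * 2048 sectors/MB = 976750592 sectors, starting at LBA 63, type 0x07, active
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 63, 976750592)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


SAMPLE_MBR = build_sample_mbr()

if __name__ == "__main__":
    # usage: python mbrcheck.py "C:\Documents and Settings\copy1\Desktop\MBR.dat"
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else SAMPLE_MBR
    info = parse_mbr(data)
    verdict = "matches TDSSKiller" if matches_tdsskiller(info, TDSSKILLER_MBR_MD5) else "differs from TDSSKiller"
    print("boot code md5 :", info["boot_code_md5"], "(%s)" % verdict)
    print("disk signature: 0x%08X   boot signature ok: %s" % (info["disk_signature"], info["valid_boot_signature"]))
    for p in info["partitions"]:
        print(describe_partition(p))
```

A matching boot-code hash on the saved MBR.dat corroborates the "Windows XP default MBR code" verdict above from a second tool; a mismatch, or a partition table that no longer agrees with the aswMBR line, is the cue to look at the MBR bytes by hand rather than trust either scanner's one-line summary.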

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 March 2012 - 11:25 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 KayleeFirefly (Topic Starter)

Posted 23 March 2012 - 11:43 AM

ComboFix 12-03-22.01 - copy1 03/23/2012 12:36:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2020.1063 [GMT -4:00]
Running from: c:\documents and settings\copy1\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\copy1\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-23 15:45 . 2012-03-23 15:45 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62FA7537-1E11-4FA8-8238-59449EF45268}\MpKsl4bb3d24a.sys
2012-03-23 13:07 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62FA7537-1E11-4FA8-8238-59449EF45268}\mpengine.dll
2012-03-22 20:03 . 2012-03-22 20:04 10064 ----a-w- C:\cc_20120322_160356.reg
2012-03-22 13:50 . 2012-03-22 13:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2012-03-22 13:45 . 2012-03-22 13:46 -------- d-----w- c:\program files\Google
2012-03-20 21:35 . 2012-02-24 14:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-03-20 21:35 . 2012-03-23 12:40 -------- d-----w- c:\program files\Common Files\PC Tools
2012-03-20 21:35 . 2012-03-22 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-03-20 21:28 . 2012-03-20 21:28 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-19 16:19 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-19 16:19 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-19 16:18 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-03-13 17:58 . 2012-03-13 17:58 366 ----a-w- C:\cc_20120313_135847.reg
2012-03-13 17:56 . 2012-03-13 17:56 366 ----a-w- C:\cc_20120313_135644.reg
2012-03-13 17:50 . 2012-03-13 17:50 366 ----a-w- C:\cc_20120313_135002.reg
2012-03-12 21:11 . 2012-03-12 21:11 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2012-03-09 16:16 . 2012-03-09 16:16 2284 ----a-w- C:\cc_20120309_111650.reg
2012-03-09 14:51 . 2012-03-09 14:51 -------- d-----w- c:\windows\system32\winrm
2012-03-09 14:51 . 2012-03-09 14:51 -------- d-----w- c:\windows\system32\GroupPolicy
2012-03-09 14:51 . 2012-03-19 16:16 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-03-09 14:50 . 2012-02-23 18:25 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-03-09 14:43 . 2012-03-09 14:43 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2012-03-09 14:37 . 2012-03-09 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2012-03-09 14:36 . 2012-03-09 14:36 -------- d-----w- c:\program files\IObit
2012-03-08 18:45 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2012-03-08 18:43 . 2000-06-26 15:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2012-03-08 18:43 . 2004-07-09 13:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2012-03-08 18:43 . 2004-07-20 21:24 476320 ------w- c:\windows\system32\ImagXpr7.dll
2012-03-08 18:43 . 2004-07-20 21:24 471040 ------w- c:\windows\system32\ImagXRA7.dll
2012-03-08 18:43 . 2004-07-20 21:24 262144 ------w- c:\windows\system32\ImagXR7.dll
2012-03-08 18:43 . 2004-07-20 21:24 1568768 ------w- c:\windows\system32\ImagX7.dll
2012-03-08 18:43 . 2001-06-26 12:15 38912 ------w- c:\windows\system32\picn20.dll
2012-03-08 18:43 . 2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2012-03-08 18:43 . 2012-03-08 18:45 -------- d-----w- c:\program files\Ahead
2012-03-08 18:41 . 2012-03-08 18:41 6994 ----a-w- C:\cc_20120308_134142.reg
2012-03-08 18:41 . 2012-03-08 18:41 65472 ----a-w- C:\cc_20120308_134128.reg
2012-03-08 17:56 . 2012-03-08 17:56 684 ----a-w- C:\cc_20120308_125609.reg
2012-03-08 17:51 . 2012-03-08 17:51 366 ----a-w- C:\cc_20120308_125135.reg
2012-03-08 15:42 . 2012-03-08 15:42 332 ----a-w- C:\cc_20120308_104238.reg
2012-03-08 15:42 . 2012-03-08 15:42 10818 ----a-w- C:\cc_20120308_104219.reg
2012-03-08 15:33 . 2012-03-08 15:33 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 15:21 . 2012-03-08 15:29 -------- d-s---w- c:\documents and settings\mts
2012-03-06 16:56 . 2012-03-06 16:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-16 12:40 . 2011-09-24 15:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 02:15 . 2012-02-02 19:53 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-01 19:14 . 2012-02-01 19:14 1170 ----a-w- C:\cc_20120201_141410.reg
2012-02-01 19:13 . 2012-02-01 19:13 225580 ----a-w- C:\cc_20120201_141346.reg
2012-01-31 12:44 . 2012-01-31 21:21 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-26 19:32 . 2012-01-26 19:32 8413 ----a-w- c:\windows\system32\drivers\osaio.sys
2012-01-09 16:20 . 2011-09-23 20:30 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-06 574296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-21 20026472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-29 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-29 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-29 142360]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2010-03-18 614400]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-08-01 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2012-2-1 106560]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iMediaTouch\\LogTools\\MLT.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 MpKsl4bb3d24a;MpKsl4bb3d24a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62FA7537-1E11-4FA8-8238-59449EF45268}\MpKsl4bb3d24a.sys [3/23/2012 11:45 AM 29904]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [3/9/2012 10:36 AM 913752]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [1/26/2012 2:12 PM 132768]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/1/2012 3:13 PM 652360]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [9/23/2011 5:07 PM 2656280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/1/2012 3:13 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2012 9:45 AM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/23/2011 5:06 PM 1691480]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [9/23/2011 5:09 PM 174248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2012 9:45 AM 136176]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [9/23/2011 5:07 PM 45056]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 8:00 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 04464506
*NewlyCreated* - 28497260
*NewlyCreated* - MPKSL4BB3D24A
*Deregistered* - 04464506
*Deregistered* - 28497260
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-22 13:45]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-22 13:45]
.
2012-03-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-03-23 c:\windows\Tasks\User_Feed_Synchronization-{CA26728D-31DD-4E45-81E8-25384612A36D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{DF5ED57E-36B1-43C5-B666-A1A3551000E6}: NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-23 12:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3780)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-03-23 12:39:15
ComboFix-quarantined-files.txt 2012-03-23 16:39
ComboFix2.txt 2012-03-23 13:02
.
Pre-Run: 482,613,514,240 bytes free
Post-Run: 482,657,902,592 bytes free
.
- - End Of File - - E92C69ECF572DF01FA4B8166EF426031



Didn't have any problems... no rebooting, no error messages, etc.

Computer seems to be running okay. My MSE shortkey is flashing orange, however, saying that I am potentially unprotected. This could possibly be because I had the Real-time protection shut off. Also usually this time of day is when things start to slow to a crawl, and I'm not having much of that at all.
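As an added example (not part of the original post, and not ComboFix's own code), here is a Python triage over the ComboFix log above. It pulls out the lines a redirect investigation cares about: the interface's NameServer list (a search-redirect infection is often nothing more than a changed resolver, so each entry is classed against the LAN range), the EnableFirewall flag, the globally open port list together with its mode field (the 5985 entry above is marked Disabled, so it is not actually an open exception), and Run-key autostarts whose command is a bare file name or lies outside Program Files / Windows. The sample input is copied from the log above; the LAN range 192.168.0.0/16 and the trusted-directory prefixes are assumptions, not ComboFix rules.

```python
import ipaddress
import re

# Lines copied from the ComboFix "Reg Loading Points" and "Supplementary Scan"
# sections above (the key/value layout is ComboFix's own, not constructed).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-06 574296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-21 20026472]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2010-03-18 614400]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
TCP: Interfaces\{DF5ED57E-36B1-43C5-B666-A1A3551000E6}: NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):([^:]+):([^:]+):(.*)$')
DNS_RE = re.compile(r"NameServer = ([\d.,]+)")
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")   # assumption, not a ComboFix rule
LOCAL_NETS = ("192.168.0.0/16",)                            # assumed LAN range, from the log's resolvers


def parse_run_entries(text):
    """(registry key, value name, command) for each value under a key ending in \\Run."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            entries.append((key, m.group(1), m.group(2)))
    return entries


def run_entry_findings(entries):
    """Autostarts to verify: a bare file name is resolved by search order, and a
    command outside Program Files / Windows is unusual for installed software."""
    findings = []
    for _key, name, cmd in entries:
        if "\\" not in cmd:
            findings.append((name, "bare file name; which copy runs depends on the search path"))
        elif not cmd.lower().startswith(TRUSTED_PREFIXES):
            findings.append((name, "runs from outside Program Files / Windows"))
    return findings


def parse_firewall(text):
    """Firewall on/off plus globally open ports as (port, proto, scope, mode, name)."""
    enabled, ports = None, []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m:
            enabled = m.group(1) != "0"
        m = PORT_RE.match(line)
        if m:
            ports.append(m.groups())
    return {"enabled": enabled, "open_ports": ports}


def parse_nameservers(text):
    """Every resolver listed on a 'NameServer =' line, in order."""
    return [s for m in DNS_RE.finditer(text) for s in m.group(1).split(",") if s]


def classify_nameservers(servers, local_nets=LOCAL_NETS):
    """Tag each resolver as local, private-but-unexpected, or public (to be confirmed)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    out = []
    for s in servers:
        ip = ipaddress.ip_address(s)
        if any(ip in n for n in nets):
            out.append((s, "local"))
        elif ip.is_private:
            out.append((s, "private but outside the expected LAN range"))
        else:
            out.append((s, "public resolver; confirm it was set on purpose"))
    return out


def triage(text):
    """One dict with everything a redirect investigation wants from these sections."""
    entries = parse_run_entries(text)
    fw = parse_firewall(text)
    return {
        "run_entries": entries,
        "run_findings": run_entry_findings(entries),
        "firewall_enabled": fw["enabled"],
        "open_ports": fw["open_ports"],
        "nameservers": classify_nameservers(parse_nameservers(text)),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, "->", v)
```

On this log the only autostart flagged is the Realtek "RTHDCPL" entry, which the HijackThis process list further down resolves to C:\WINDOWS\RTHDCPL.EXE; the check fires on the shape of the entry (no path), not on a verdict about the file. Likewise 4.2.2.2 is reported as a public resolver to confirm with whoever configured the machine, not as a finding in itself; the security-relevant facts the script does establish are that the Windows Firewall is off and that the WinRM port exception is present but disabled.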

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 March 2012 - 03:55 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#9 KayleeFirefly (Topic Starter)

Posted 23 March 2012 - 03:57 PM

Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.2)
Adobe Shockwave Player 11.6
Advanced SystemCare 5
CCleaner
Cisco WebEx Meetings
Compatibility Pack for the 2007 Office system
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
iMediaTouch Log Tools 2.6.5
iMediaTouch Production 2.6.7
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Components
Intel® Management Engine Interface
Intel® Network Connections 16.8.46.0
Intel® Processor Graphics
Intel® SMBus
Java Auto Updater
Java™ 6 Update 27
Kyocera Product Library
Kyocera TWAIN Driver
LightScribe 1.4.136.1
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office File Validation Add-In
Microsoft Office Small Business Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Nero Suite
pdfFactory
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB923789)
SmartDeviceMonitor for Client
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
VLC media player 1.1.11
VNC Free Edition 4.1.2
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format Runtime
Windows XP Service Pack 3
WinZip
WOTraffic Version 4.6.0.3 build20090506a GA1
XML Paper Specification Shared Components Pack 1.0

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 March 2012 - 04:41 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a much better job)

Programs to remove

Java™ 6 Update 27


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#11 KayleeFirefly (Topic Starter)

Posted 23 March 2012 - 06:07 PM

After I ran MBAM it didn't give me the option to "show results" and instead just the txt report popped up, I suppose because it didn't find anything?

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.23.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
copy1 :: COPYONE [administrator]

Protection: Enabled

3/23/2012 6:55:13 PM
mbam-log-2012-03-23 (18-55-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222243
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:03:02 PM, on 3/23/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASC.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF5ED57E-36B1-43C5-B666-A1A3551000E6}: NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Advanced SystemCare Service 5 (AdvancedSystemCareService5) - IObit - C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® PROSet Monitoring Service - Intel Corporation - C:\WINDOWS\system32\IProsetMonitor.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6575 bytes



When I uninstalled Java, I forgot to turn off MSE, and it started to scan after a window slid up on the bottom right of my screen saying that Java would be unable to do updates, but other than that I didn't have any problems.

Computer appears to be running fine.

#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 March 2012 - 08:52 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank notepad, ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard, or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
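A small defensive triage helper for the HijackThis log format used in this thread, added here as an example (it is not part of the original post, nor code from HijackThis): it parses the O4, O17 and O23 lines, lists the autostart names so they can be looked up before anything is ticked for "Fix checked", keeps only the entries the helper explicitly listed, and flags name servers outside private ranges for a second look. The sample lines are constructed from the log posted above, and all function and pattern names are my own.

```python
import re
import ipaddress

# Constructed sample in HijackThis v2.0.4 log format, modelled on the log
# posted in this thread (a few lines only, not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF5ED57E-36B1-43C5-B666-A1A3551000E6}: NameServer = 192.168.2.3,4.2.2.2,192.168.4.3
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# One pattern per HijackThis section we care about (pattern names are my own).
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")

def parse_hjt(text):
    """Group the autostart-relevant HijackThis lines by section."""
    out = {"run": [], "global_startup": [], "nameservers": [], "services": []}
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            out["run"].append((m.group(1), m.group(2), m.group(3)))
        elif m := STARTUP_RE.match(line):
            out["global_startup"].append((m.group(1), m.group(2)))
        elif m := DNS_RE.match(line):
            out["nameservers"].extend(s.strip() for s in m.group(1).split(","))
        elif m := SERVICE_RE.match(line):
            out["services"].append(m.group(1, 2, 3))
    return out

def public_nameservers(servers):
    """Resolvers outside private ranges deserve a second look: search
    redirects are a classic symptom of DNS settings pointed at a rogue server."""
    return [s for s in servers if not ipaddress.ip_address(s).is_private]

def autostart_names(parsed):
    """Names shown in [brackets] or as .lnk files, which is what the helper
    tells the user to look up before ticking them for 'Fix checked'."""
    return [n for _, n, _ in parsed["run"]] + [n for n, _ in parsed["global_startup"]]

def entries_to_fix(parsed, approved):
    """Keep only entries the helper explicitly listed; everything else stays."""
    return [n for n in autostart_names(parsed) if n in approved]
```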

#13 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 March 2012 - 08:55 AM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#14 KayleeFirefly (Topic Starter)

  • Members
  • 10 posts

Posted 26 March 2012 - 08:58 AM

Scanning now. I didn't have internet access over the weekend.

#15 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 March 2012 - 08:59 AM

No problem, that is why I was just checking on you.


gringo